Data Privacy
Decisio is committed to protecting your data and the privacy of your organization's decision-making processes. This documentation outlines our data handling practices and privacy controls.
Data hosting
Australian data residency
All Decisio data is hosted in Australia:
Primary region: Sydney (ap-southeast-2)
Provider: Supabase (PostgreSQL database)
Infrastructure: AWS Sydney data center
This means your data:
Remains within Australian jurisdiction
Is subject to Australian privacy laws
Does not transfer to overseas data centers during normal operations
Why Australian hosting matters
For Australian organizations, domestic data hosting:
Simplifies compliance with the Privacy Act 1988
Reduces complexity around cross-border data transfers
Provides clearer legal jurisdiction for data disputes
Meets requirements for government and regulated industries
Data architecture
Database security
Decisio uses Supabase PostgreSQL with:
Encryption at rest: All stored data is encrypted
Encryption in transit: TLS encryption for all connections
Row-level security: Database-enforced access controls
Regular backups: Automated backup and recovery procedures
Access controls
Data access is controlled through multiple layers:
Application: User authentication and role-based permissions
Database: Row-level security policies
Infrastructure: Network isolation and access logging
Administrative: Limited personnel access with audit logging
Data minimization
What we collect
Decisio collects only the data necessary to provide the service:
Account information:
Email address
Display name
Authentication credentials (hashed)
Decision data:
Issues, motions, and resolutions you create
Votes and comments you submit
Exhibits you upload
Timestamps and attribution
Usage data:
Session information for authentication
Basic analytics for service improvement
What we don't collect
Payment card details (handled by Stripe)
Unnecessary personal information
Behavioral tracking across other sites
Data from connected services without explicit action
Participant privacy
Participant data handling
When you add participants to your workspace:
Only essential information is stored (name, email)
Participants control their own account settings
Voting records are attributed but can be viewed only by authorized users
Participants can be removed from workspaces by administrators
Visibility controls
Decisio provides controls over who can see what:
Workspace members see issues, motions, and resolutions within their workspace
Project access can be further restricted within workspaces
Vote visibility follows workspace settings (transparent or anonymous modes)
External parties cannot access workspace data without invitation
Account management
Account deletion
Users can request complete account deletion:
Contact support@decisio.com.au
Verify your identity
Receive confirmation of deletion scope
Account and personal data will be removed
Note on decision records: While your account and personal settings will be deleted, decision records may be retained in anonymized form to maintain the integrity of organizational audit trails. Votes and actions will be attributed to "Deleted User" rather than your name.
Data export
Before deletion or at any time, you can request:
Export of your personal data
Export of workspace data (for workspace administrators)
Summary of data we hold about you
Workspace data retention
Workspace data is retained according to your organization's subscription:
Active subscriptions: Data retained indefinitely
Cancelled subscriptions: Data retained for 90 days, then scheduled for deletion
Requested deletion: Processed within 30 days
Your rights
Under Australian privacy law
You have the right to:
Access your personal information
Correct inaccurate information
Request deletion of your data
Complain to the OAIC if you believe we've breached privacy laws
How to exercise your rights
Contact our privacy team:
Email: privacy@decisio.com.au
Response time: Within 30 days
Verification: We may need to verify your identity
Organizational controls
For workspace administrators
Administrators can:
Manage member access and permissions
Remove participants from workspaces
Configure workspace privacy settings
Request workspace data exports
For compliance officers
Decisio supports organizational compliance needs:
Clear data handling documentation
Defined retention periods
Audit trail for all data access
Support for data subject requests
Third-party data sharing
When we share data
Decisio shares data with third parties only when:
Payment processing (Stripe): Billing information
Email delivery (email service provider): Email addresses, notification content
Error monitoring (Sentry): Technical error data (no decision content)
Infrastructure (AWS/Supabase): All data (encrypted, processed only)
We never sell data
Decisio does not sell, rent, or trade user data to third parties for marketing or any other purpose.
Security practices
Authentication
Secure password hashing (bcrypt)
Session management with secure tokens
Optional multi-factor authentication
Automatic session expiration
Application security
Regular security updates
Dependency vulnerability scanning
Code review requirements
Security testing
Incident response
In the event of a data breach:
Immediate containment and investigation
Notification to affected users within 72 hours
Notification to OAIC as required
Remediation and prevention measures
Compliance framework
Current compliance
Australian Privacy Principles (APP) compliant
GDPR principles followed (for international users)
Data encryption standards
Planned certifications
We are working toward:
SOC 2 Type II certification
ISO 27001 certification
IRAP assessment (for government customers)
Contact us for current compliance documentation and attestations.
Contact
For privacy-related inquiries:
Privacy team: privacy@decisio.com.au
General support: support@decisio.com.au
Data protection officer: dpo@decisio.com.au
Next steps
Audit Trail Overview - Understand what's recorded
Resolution Immutability - Learn about record protection
Export and Reporting - Access your data