Privacy Policy
Last updated: April 21, 2026 · Version 1.3
Data Controller
QuReDec™ is operated by Advanced Binary Operations LLC ("ABO"), a California limited liability company (CA Entity No. B20260081616), registered at 13337 South St, PMB 716, Cerritos, CA 90703, United States. ABO is the data controller for personal information processed through this Service under the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). The corporate site is at advancedbinaryoperations.com.
Information We Collect
We collect the minimum information needed to run the Service. There are two data paths: account data (needed to operate your account) and optional analytics (used only if you opt in).
Account data (all registered users):
- Email address — required to create and recover your account
- Password — stored only as a one-way bcrypt hash; we cannot read it
- Account metadata — account creation date, last login, tier, credit balance
- Decision questions and briefs — the questions you submit and the briefs generated for you, stored privately in your account
- Payment metadata — purchase history and Stripe customer ID; full card numbers are never stored by us (Stripe handles that)
Anonymous analytics (opt-in only — off by default unless you accept the consent banner):
- Interaction signals — which buttons you click, which framing you select, how many clarification turns you take
- Session outcome — whether you completed a brief or left early
- Satisfaction signal — your optional "Was this helpful?" response
- Domain category — the general topic of your decision (e.g., "real estate", "technology") but NOT the specific question text
Technical data (automatic, for security and operation):
- IP address — logged by our hosting provider (Cloudflare + DigitalOcean) for security and abuse prevention; we do not use IP addresses for marketing or profiling
- Browser user-agent and request metadata — standard server logs
What We Do NOT Collect
- Your full credit card number or CVV (Stripe processes payment directly)
- Your real name, postal address, or phone number (we do not ask for these)
- Cookies for advertising or cross-site tracking
- Data from other browser tabs, applications, or devices
- Biometric, genetic, or other sensitive-category data
How We Use It
Account data is used to:
- Operate your account, authenticate sessions, process payments, and deliver the Service
- Generate, store, and retrieve your decision briefs
- Send transactional emails (account verification, password reset, receipt, brief completion)
Anonymous analytics (opt-in only) is used to:
- Identify which clarification questions are most effective
- Learn which phrasings help users progress faster
- Detect which wordings cause confusion or abandonment
- Improve domain-specific coaching (e.g., fewer questions for familiar decision types)
Data is never sold, rented, shared with third parties for their own marketing, or used for advertising.
Cookies and Session Storage
QuReDec sets a minimal set of first-party cookies. We do not set advertising, tracking, or third-party marketing cookies.
| Session cookie | Keeps you logged in between page loads. HttpOnly, SameSite=Lax, Secure in production. Expires on sign-out or after a defined idle period. |
| CSRF token | Protects forms from cross-site request forgery. Scoped to your session. |
| Consent preference | Remembers whether you accepted or declined anonymous analytics. Stored as a preference in your browser's localStorage, not a cookie — purely local. |
We honor Global Privacy Control (GPC) and browser Do-Not-Track (DNT) signals, where technically feasible, as equivalent to declining the analytics opt-in.
Your Rights
| Right to decline | Click "Decline" on the consent banner. The Service works identically without analytics. |
| Right to withdraw consent | Uncheck the analytics toggle in your Account at any time. All future collection stops immediately. |
| Right to access / export | Click "Export my data" in your Account to download your account data (briefs, questions, signals) as JSON. For additional access or portability requests, email [email protected]. |
| Right to correction | Edit your account email from the Account page, or email us for help with other corrections. |
| Right to erasure | Click "Delete my data" in your Account, or email [email protected]. Your account, briefs, and analytics signals are deleted; payment records are retained for the period required by tax and accounting law, then deleted. |
| Right to restrict processing / object | Email [email protected] with the scope of restriction. We respond within the timeframe required by applicable law. |
| Right to non-discrimination | Exercising any right above does not affect the price or quality of the Service you receive. |
Data Storage and Retention
- Where: data is stored in our PostgreSQL database on a U.S.-region DigitalOcean server, fronted by Cloudflare.
- Account data (email, hashed password, tier, credit balance) — retained for as long as your account is active. Deleted on erasure request, subject to legal-retention exceptions below.
- Decision questions and briefs — retained with your account. Deleted on erasure request. Not shared or reused for training.
- Anonymous session signals (if you opted in) — retained for 90 days, then automatically purged.
- Aggregated domain knowledge (non-personal, no user identifiers) — retained indefinitely for product improvement.
- Consent records — retained for the period required for compliance audit (minimum 2 years, typically longer).
- Payment records (transaction IDs, timestamps, amounts, tier) — retained for 7 years to meet U.S. tax, accounting, and financial-audit obligations.
- Email correspondence (inbound support, outbound transactional) — retained as needed for support continuity, then archived or deleted.
- Server and security logs — retained for up to 90 days for abuse prevention and incident response.
Subprocessors
We use a small number of trusted third-party processors to operate the Service. Each is bound by its own data-protection obligations. Current subprocessors:
| DigitalOcean | Hosting (application server + Postgres database). U.S. region. Privacy policy. |
| Cloudflare | DNS, CDN, DDoS protection, SSL. Receives request metadata (IP, user-agent, URL). Privacy policy. |
| Stripe | Payment processing. Receives billing email and card data (which we never see or store). Privacy policy. |
| OpenAI | LLM API used to generate the decision brief. Receives the text of your decision question and retrieved evidence for synthesis. OpenAI's API terms prohibit training on inputs submitted via our account. Privacy policy. |
| Resend | Transactional email delivery (verification, receipts, brief completion). Receives your email address and the message body. Privacy policy. |
| Evidence APIs | Brave Search, Semantic Scholar, arXiv, Crossref, YouTube Data API, HackerNews — queried with keyword searches derived from your decision question. These services see only the search query, not your account identity. |
We will update this list when subprocessors change. Material additions are disclosed here and by email where reasonably required.
Data Breach Notification
If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms:
- We will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (GDPR Article 33).
- We will notify affected users directly by email when a breach is likely to result in a high risk to their rights (GDPR Article 34; CCPA §1798.82 for California residents).
- Notices will describe the nature of the breach, the data categories affected, likely consequences, and the measures we have taken or propose to take.
Automated Decision-Making
QuReDec uses automated processing (large language models and a research pipeline) to generate decision briefs. The brief is advisory informational content, not a legally binding decision about you. You remain the decision-maker; the brief is an input. Under GDPR Article 22, you are not subject to a decision based solely on automated processing that produces legal or similarly significant effects — QuReDec does not produce such effects on your behalf.
If you believe an automated output affecting you requires human review, email [email protected].
Data Processing Agreement (DPA) for Business Customers
Business customers processing EU, UK, or other covered personal data through QuReDec can request our standard Data Processing Agreement by emailing [email protected]. The DPA incorporates the European Commission's Standard Contractual Clauses where applicable for international transfers.
International Transfers
The Service is operated from the United States. If you access QuReDec from outside the U.S., information processed about you is transferred to and stored in the United States under U.S. law. For transfers of EU, UK, or Swiss personal data to the U.S., we rely on Standard Contractual Clauses and, where our subprocessors are certified, the EU-U.S. Data Privacy Framework.
Children and Minors
QuReDec is an adult-oriented business-decision tool intended for users 18 and older. We do not knowingly collect personal information from children under 13 (COPPA, U.S.) or under 16 (GDPR Article 8, EU). We do not direct the Service to minors, do not advertise to minors, and do not sell or share minors' data.
If you are a parent or legal guardian and believe a child under 13 (or under 16, depending on your jurisdiction) has created an account or submitted personal information through the Service, contact us at [email protected] and we will delete the account and associated data within the timeframe required by applicable law.
If a brief is generated on a topic that affects a minor (for example, a decision about a child's education, healthcare, or finances), the brief's AI-generated content is informational only — it is not professional advice, and it is not a substitute for consultation with qualified professionals involved in the minor's care.
Compliance
This policy is designed to comply with:
- GDPR (EU General Data Protection Regulation) — Articles 6, 7, 8, 17, 20
- CCPA / CPRA (California Consumer Privacy Act, as amended) — Right to know, delete, correct, opt-out; minor opt-in protections
- COPPA (Children's Online Privacy Protection Act, U.S.) — no knowing collection from under-13s
- ePrivacy Directive — Cookie/tracking consent requirements
Contact
For privacy questions, access / export / deletion requests, or any matter under GDPR or CCPA, email [email protected]. We respond within the timeframe required by applicable law.
For formal legal notice, correspondence may also be sent to the controller's registered address:
Advanced Binary Operations LLC
13337 South St, PMB 716
Cerritos, CA 90703, United States
[email protected]