Privacy Policy

Last updated: February 2026

1. Introduction

Decimly ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and protect your personal data when you use our marketing analytics platform at www.decimly.com (the "Service"). We operate in compliance with the General Data Protection Regulation (GDPR), applicable French data protection laws, and the Google API Services User Data Policy, including the Limited Use requirements.

2. Data Controller

Decimly is operated by an individual auto-entrepreneur registered in France. For any privacy-related inquiries, please contact us at support@decimly.com.

3. Google Sign-In & Authentication

Decimly uses Google OAuth 2.0 (Google Sign-In) as one of its authentication methods to allow you to create an account and log in to the Service. When you choose to sign in with Google, we receive the following information from your Google account:

  • Email address: Used as your account identifier and for service-related communications
  • Full name (first and last name): Used to personalize your account and dashboard
  • Profile picture (if available): Displayed in the application interface for your convenience

3.1 How We Use Google Sign-In Data

The data obtained through Google Sign-In is used exclusively for:

  • Account creation and authentication: To create your Decimly account and verify your identity each time you log in
  • Account management: To display your name and profile information within the application
  • Service communications: To send you essential service notifications (password resets, billing updates, security alerts)

3.2 What We Do NOT Do with Google Sign-In Data

  • We do not sell, rent, or trade your Google account information to any third party
  • We do not use your Google email for unsolicited marketing or advertising purposes
  • We do not share your Google profile data with advertisers or data brokers
  • We do not store your Google password — authentication is handled entirely by Google's secure OAuth flow

Note: Google Sign-In is separate from the Google Analytics and Google Ads integrations described in Section 5. Signing in with Google does not automatically grant Decimly access to your Google Analytics or Google Ads data. Those integrations require separate, explicit authorization.

4. Data We Collect

We collect the following categories of personal data:

  • Account Information: Email address, first name, last name, and profile picture obtained via Google Sign-In or manual registration
  • Payment Data: Processed securely by Stripe. We do not store your credit card number, CVV, or full card details on our servers. Stripe may share with us your card's last four digits, expiration date, and billing address for display and invoicing purposes.
  • Campaign Data: Marketing metrics, descriptions, and performance data you enter manually into the platform
  • Google API Data: Analytics metrics and Ads performance data accessed via Google APIs when you explicitly connect these integrations (see Section 5)
  • Usage Data: How you interact with our Service, including pages visited, features used, and session duration
  • Technical Data: IP address, browser type, device information, operating system, and referral URLs

5. Google API Data Access (Analytics & Ads)

When you connect your Google accounts to Decimly, we access specific data through Google APIs. This section details exactly what data we access, how we use it, and how we protect it. This access is separate from the Google Sign-In described in Section 3 and requires your explicit consent.

5.1 Google Analytics Data

When you connect Google Analytics, we request read-only access to:

  • Session counts and user metrics for your selected properties
  • Traffic source data (organic, paid, direct, referral)
  • Campaign performance metrics linked to UTM parameters
  • Conversion data and goal completions

Scope used: analytics.readonly

5.2 Google Ads Data

When you connect Google Ads, we request read-only access to:

  • Campaign names, IDs, and status
  • Impressions, clicks, and click-through rates
  • Cost data and average CPC
  • Conversion metrics reported by Google Ads

Scope used: https://www.googleapis.com/auth/adwords

Important: While the Google Ads API scope technically allows write access, Decimly only performs read operations. We never create, modify, pause, or delete any campaigns, ads, or settings in your Google Ads account. Decimly is an analysis tool, not an ad management platform.

5.3 How We Use Google API Data

We use data from Google APIs exclusively for the following purposes:

  • Cross-platform comparison: We compare Google Ads metrics with Google Analytics data to calculate data reliability levels
  • AI-powered analysis: When you request it, our AI analyzes discrepancies between platforms to provide actionable insights
  • Performance visualization: We display your campaign metrics in a unified dashboard

We do not use Google data for advertising, sell it to third parties, or use it for any purpose other than providing you with the Decimly service. Decimly's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5.4 Google Data Storage

Google data is handled as follows:

  • OAuth tokens: Encrypted and stored securely in our database (Supabase). Refresh tokens allow continued access without requiring you to reconnect.
  • Metrics data: Campaign metrics are fetched in real-time when you view your dashboard. We cache metrics temporarily (up to 24 hours) to improve performance.
  • Data retention: When you disconnect a Google integration, we immediately delete all associated OAuth tokens and cached data.

5.5 Revoking Google Access

You can revoke Decimly's access to your Google accounts at any time:

  • From Decimly: Go to Settings → Integrations and click "Disconnect" next to Google Analytics or Google Ads
  • From Google: Visit myaccount.google.com/permissions and remove Decimly from the list of connected apps

Upon revocation, we will delete all stored tokens and cached Google data within 24 hours.

6. How We Use Your Data

We use your personal data for the following purposes:

  • Authentication: To create and manage your account via Google Sign-In or email registration
  • Service Delivery: To provide and maintain our marketing analytics platform
  • Cross-Platform Analysis: To compare data between ad platforms and analytics tools
  • AI Analysis: To generate insights and recommendations when you explicitly request them
  • Account Management: To manage your subscription, billing, and account preferences
  • Customer Support: To respond to your inquiries and provide assistance
  • Product Improvement: To analyze usage patterns and improve our Service
  • Communication: To send service-related notifications and updates (not marketing emails without consent)

7. Legal Basis for Processing

We process your personal data based on:

  • Contract Performance: Processing necessary to provide our Service (account creation, service delivery, subscription management)
  • Consent: For Google API data access (Analytics & Ads), analytics cookies, and marketing communications. You can withdraw consent at any time.
  • Legitimate Interests: For product improvement, security monitoring, and fraud prevention
  • Legal Obligations: To comply with applicable laws, including tax and accounting requirements

8. Third-Party Services & Data Sharing

We share data with the following third-party service providers, strictly as necessary to operate the Service:

  • Supabase (Database & Authentication): Hosts our database and handles authentication infrastructure. Your account data and encrypted OAuth tokens are stored on Supabase servers. Data is encrypted at rest (AES-256).
  • Stripe (Payment Processing): Processes all subscription payments. Stripe is PCI-DSS Level 1 compliant. We never store full card details on our servers.
  • Google (OAuth & APIs): Provides sign-in authentication and API access to Google Analytics and Google Ads data.
  • Anthropic (AI Analysis): Powers our AI-driven campaign analysis feature. Campaign data sent to Anthropic is anonymized before processing and is not used to train AI models.
  • Vercel (Hosting): Hosts and serves the Decimly web application. SOC 2 compliant infrastructure.

These providers process data on our behalf and are contractually bound to protect your data. We do not sell, rent, or trade your personal data to any third party. We do not share your data with advertisers, data brokers, or any parties not listed above.

9. Data Retention

We retain your personal data for as long as your account is active or as needed to provide our Service:

  • Account data: Retained while your account is active and for up to 30 days after deletion
  • Campaign data: Retained while your account is active, deleted upon account deletion
  • Google API tokens: Deleted immediately upon disconnection or account deletion
  • Cached metrics: Automatically purged after 24 hours
  • Billing records: Retained as required by French tax law (up to 10 years for invoices)

When you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law (e.g., billing records for tax compliance) or to resolve pending disputes.

10. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

  • Right of Access: Request a copy of all personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restrict Processing: Request limitation of data processing in certain circumstances
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time, including for Google API access

To exercise any of these rights, contact us at support@decimly.com. We will respond to your request within 30 days, as required by the GDPR.

11. Account Deletion

You can request the deletion of your Decimly account and all associated personal data at any time. Here is the procedure:

  1. Send an email to support@decimly.com from the email address associated with your account, with the subject line "Account Deletion Request"
  2. We will verify your identity and confirm receipt of your request within 48 hours
  3. Upon confirmation, we will:
    • Delete your account and profile information
    • Delete all your campaign data and saved analyses
    • Immediately revoke and delete all Google OAuth tokens
    • Cancel any active subscription (no further charges will occur)
    • Delete all cached data
  4. Complete deletion is performed within 30 days of the confirmed request

Note: Certain data may be retained beyond 30 days only if required by law (e.g., billing records for French tax compliance). Such data will be anonymized where possible and retained only for the minimum period required.

12. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

  • Encryption in transit: All communications are encrypted using TLS 1.3
  • Encryption at rest: All stored data is encrypted using AES-256
  • OAuth tokens: Stored encrypted with industry-standard encryption in our database
  • Access controls: Strict role-based access to production systems and databases
  • Secure authentication: Google OAuth 2.0 and Supabase Auth ensure your credentials are never exposed
  • Regular audits: Security practices reviewed regularly

However, no method of transmission over the Internet is 100% secure. If you believe your account has been compromised, contact us immediately at support@decimly.com.

13. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States (where our service providers Supabase, Vercel, Stripe, and Anthropic operate). When this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on the service provider's adherence to adequacy frameworks.

14. Cookies

Decimly uses essential cookies required for authentication and session management. For full details on our cookie usage, please refer to our Cookie Policy.

15. Children's Privacy

Our Service is not intended for users under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at support@decimly.com.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date at the top of this page. For significant changes, we will also notify you via email. We encourage you to review this policy periodically.

17. Supervisory Authority

If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with a supervisory authority. In France, this is the Commission Nationale de l'Informatique et des Libertés (CNIL) — www.cnil.fr.

18. Contact Us

If you have any questions about this Privacy Policy, our data practices, or if you wish to exercise your rights, please contact us at: