our privacy commitment
at decoy, we believe privacy is a fundamental human right. we've built our platform with privacy at its core, not as an afterthought. this means we collect only what we need, we don't track you, and we give you control over your information.
introduction
this privacy policy describes how WhosAt LLC, the company that operates Decoy ("Decoy," "we," "us," or "our"), handles your information when you use our privacy and identity platform, including the Decoy app, our website at decoys.me, and related services (collectively, the "services"). WhosAt LLC is the data controller responsible for your information.
privacy principles
our approach to privacy is guided by these core principles:
- minimal collection: we collect only the data necessary to provide our services
- no tracking: we don't track your behavior across the web or build advertising profiles
- no sale of data: we never sell your personal information to anyone
- user control: you decide what information to share and can delete it anytime
- transparency: we're clear about what we collect and how we use it
- security first: we protect your data with industry-leading security measures
what is personal data at decoy?
we treat any data that relates to an identified or identifiable individual as "personal data." this includes information that directly identifies you (like your email address) and information that could reasonably be used to identify you (like device identifiers). aggregated data that cannot identify you is considered non-personal data.
information we collect
we believe in transparency. here's exactly what we collect and why:
information you provide
account information
- email address (for account access and communications)
- username or display name (optional)
- authentication credentials (encrypted)
social media authorization (when you choose to connect accounts)
- social media user id
- access tokens (encrypted and stored securely)
- basic profile information needed for service functionality
preferences
- notification preferences
- communication preferences
information we collect automatically
technical information (essential for service operation)
- device type and operating system
- browser type
- ip address (for security and fraud prevention)
- general location (country/region only)
usage information (to improve our services)
- pages visited on our platform
- features used
- time spent on pages
- links clicked within our platform
important: we do not track you across other websites. we do not use this information to build advertising profiles. we do not share this information with advertisers or data brokers.
what we don't collect
to be clear about what we don't do:
- we don't collect browsing history outside our platform
- we don't collect sensitive personal information (health data, financial information, etc.)
- we don't use persistent identifiers to track you across websites
- we don't create user profiles for advertising purposes
how we use your information
we use your information only for these purposes:
to provide our services
- create and maintain your account
- provide customer support
to improve our services
- analyze how our platform is used (in aggregate)
- identify and fix technical issues
- develop new features
- conduct internal research and development
to communicate with you
- respond to your inquiries
- send important service notifications
- provide security alerts when necessary
for security and fraud prevention
- protect our platform from abuse
- detect and prevent fraud
- enforce our terms of service
- comply with legal obligations
we will never use your data for purposes beyond those described here without your explicit consent.
how we protect your information
security isn't just a feature—it's fundamental to how we operate.
technical safeguards
- end-to-end encryption for sensitive data in transit
- encryption at rest for stored data
- secure oauth 2.0 authentication
- regular security audits and penetration testing
- secure infrastructure with industry-standard protections
organizational safeguards
- strict access controls (employees access only what they need)
- regular security training for our team
- privacy-by-design in all development
- incident response procedures
- regular third-party security assessments
your role
- use strong, unique passwords
- enable two-factor authentication if available
- keep your login credentials confidential
- report suspicious activity immediately
data retention
we keep your information only as long as necessary:
- account data: while your account is active and for a reasonable period after deletion to prevent fraud
- usage data: typically 90 days, then aggregated or deleted
- support communications: as long as needed to resolve your issue
- legal requirements: as required by applicable law
when you delete your account, we delete or anonymize your personal information within 30 days, except where we must retain it for legal purposes.
sharing your information
we share your information only in these limited circumstances:
service providers
we work with trusted service providers who help us operate our platform (hosting, analytics, customer support). these providers:
- are contractually obligated to protect your data
- may only use your data to provide services to us
- cannot use your data for their own purposes
- must delete your data when no longer needed
legal requirements
we may disclose information when required by law, such as:
- in response to valid legal process (subpoenas, court orders)
- to protect rights, property, or safety
- to prevent fraud or abuse
- to comply with regulatory requirements
we will notify you of legal requests unless prohibited by law.
business transfers
if decoy is involved in a merger, acquisition, or sale of assets, your information may be transferred. we'll notify you and ensure the new entity honors this privacy policy.
we never:
- sell your personal information
- share your data with advertisers or data brokers
- provide your information to third parties for their marketing
- share your data without legal basis or your consent
cookies and tracking technologies
we use cookies and similar technologies, but we're thoughtful about it:
essential cookies
required for the platform to function (authentication, security, load balancing). these cannot be disabled.
functional cookies
remember your preferences and settings. you can disable these, but some features may not work properly.
analytics cookies
help us understand how the platform is used (in aggregate). these are optional and you can opt out.
we do not use:
- third-party advertising cookies
- cross-site tracking cookies
- cookies that build advertising profiles
you can manage cookie preferences in your browser settings or through our platform.
your privacy rights
you have control over your information. depending on your location, you may have additional rights under applicable law.
access your information
request a copy of the personal information we hold about you.
correct your information
update inaccurate or incomplete information through your account settings or by contacting us.
delete your information
request deletion of your account and personal information. we'll process this within 30 days.
export your information
download your data in a portable format.
opt out of communications
unsubscribe from marketing emails anytime (service emails may still be sent).
revoke permissions
disconnect social media accounts or revoke other permissions anytime.
object to processing
object to how we process your information for specific purposes.
lodge a complaint
contact your local data protection authority if you have concerns we haven't addressed.
to exercise your rights:
email us at [email protected] or use your account settings. we'll respond within 30 days and verify your identity to protect your information.
international data transfers
our services may involve transferring your data internationally. when we do:
- we use appropriate safeguards (standard contractual clauses, adequacy decisions)
- we ensure your data receives the same level of protection
- we comply with applicable data transfer regulations
children's privacy
our services are not directed to children under 13 (or the equivalent minimum age in your jurisdiction). we do not knowingly collect information from children. if we learn we've collected a child's information, we'll delete it immediately.
parents: if you believe your child has provided us with information, contact us immediately at [email protected].
california privacy rights
if you're a california resident, you have additional rights under the california consumer privacy act (ccpa):
right to know: what personal information we collect, use, and share
right to delete: request deletion of your personal information
right to opt-out: we don't sell personal information, so there's nothing to opt out of
right to non-discrimination: we won't discriminate against you for exercising your rights
european privacy rights
if you're in the european economic area, uk, or switzerland, you have rights under the gdpr:
- right to access, rectification, erasure, and data portability
- right to restrict or object to processing
- right to withdraw consent
- right to lodge a complaint with your supervisory authority
our legal basis for processing includes:
- performance of contract with you
- your consent (which you can withdraw)
- our legitimate interests (balanced against your rights)
- legal compliance
third-party services
our platform may link to or integrate with third-party services:
- social media platforms: tiktok, instagram, etc. (subject to their privacy policies)
- retail partners: subject to their privacy policies
- analytics providers: used only for service improvement (not advertising)
we don't control these third parties' practices. we encourage you to review their privacy policies.
changes to this privacy policy
we may update this privacy policy to reflect changes in our practices or for legal reasons. when we make material changes:
- we'll post the updated policy with a new effective date
- we'll notify you via email or platform notification
- for significant changes, we may require you to review and accept
- continued use after changes means you accept the updated policy
previous versions are archived and available upon request.
data breach notification
in the unlikely event of a data breach affecting your personal information:
- we'll notify you without undue delay
- we'll inform relevant authorities as required by law
- we'll provide details about what happened and what we're doing
- we'll advise you on protective steps to take
privacy by design
privacy isn't just a policy—it's how we build our platform:
- we consider privacy at every stage of development
- we collect only what we need (data minimization)
- we use privacy-preserving techniques (encryption, anonymization)
- we regularly review and improve our practices
- we train our team on privacy principles
contact us
for privacy inquiries:
- data controller: WhosAt LLC
- email: [email protected]
- website: https://www.decoys.me/privacy
we'll respond to privacy inquiries within 7 days and aim to resolve all issues within 30 days.
supervisory authorities
- eu/eea/uk: your local data protection authority
- switzerland: swiss federal data protection and information commissioner
- california: california attorney general's office
- canada: office of the privacy commissioner of canada
our commitment
privacy isn't just about compliance—it's about trust. we're committed to:
- being transparent about our practices
- giving you control over your information
- protecting your data with best-in-class security
- never selling or exploiting your information
- continuously improving our privacy practices
we believe you should be able to enjoy great deals without sacrificing your privacy. that's the decoy promise.
last updated: october 30, 2025
© 2025 decoy. all rights reserved.