Privacy policy
Last Updated: [1/30/2026]
WeDecide Ltd ("WeDecide", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and platform (collectively, the "Service"). This policy applies to users in the European Union, European Economic Area, United Kingdom, United States, and all other jurisdictions where we operate.
Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not access or use the Service.
1. Data Controller
The data controller responsible for your personal data is:
WeDecide Ltd (OÜ)
[Registered Address], Tallinn, Estonia
Email: privacy@wedecide.com
2. Information We Collect
2.1 Information You Provide Directly
• Account Information: Email address, password (encrypted), district/constituency, country.
• Profile Information: User type (citizen or institutional), role, civic interests and priorities.
• Story Submissions: Text narratives and/or voice recordings you submit about your civic experiences. These may be submitted anonymously.
• Survey Responses: Responses to SenseMaker surveys including narrative text and self-interpretation data.
• Messages: Communications you send to elected representatives through the platform.
• Waitlist Information: Email, country, district, top concerns, and civic engagement level.
• Communications: Emails, support requests, and feedback you send to us.
2.2 Information Collected Automatically
• Device Information: IP address, browser type, operating system, device identifiers.
• Usage Data: Pages visited, features used, time spent on platform, click patterns.
• Location Data: Approximate location derived from IP address for regional routing. We do not collect precise GPS location.
• Cookies and Similar Technologies: See Section 9 (Cookies) below.
2.3 Information from Third Parties
• Authentication Providers: If you sign in via Google or Apple, we receive your email address and basic profile information.
• Public Data Sources: We aggregate publicly available government data, public records, and service metrics. This does not include personal data about you.
3. How We Use Your Information
We use your information for the following purposes:
• To provide the Service: Creating your account, enabling story submissions, facilitating messages to representatives, displaying district analytics.
• To generate collective intelligence: Anonymizing and aggregating stories to surface community patterns and calculate Humanity Scores.
• To improve the Service: Analysing usage patterns, fixing bugs, developing new features.
• To communicate with you: Sending service updates, responding to enquiries, notifying you of relevant legislative activity.
• To ensure security: Detecting fraud, preventing abuse, protecting user safety.
• To comply with legal obligations: Responding to lawful requests from authorities, maintaining required records.
4. Legal Basis for Processing (EEA/UK Users)
Under the General Data Protection Regulation (GDPR) and UK GDPR, we process your personal data based on the following legal grounds:
Processing Activity
Legal Basis
Explanation
Account creation and service delivery
Contract
Necessary to provide the service you requested
Story aggregation and analytics
Legitimate Interest
Generating civic intelligence while protecting individual privacy
Marketing communications
Consent
Only with your explicit opt-in
Security and fraud prevention
Legitimate Interest
Protecting users and platform integrity
Legal compliance
Legal Obligation
Required by law
Where we rely on legitimate interest, we have conducted a balancing test to ensure your rights and freedoms are not overridden. You may request details of this assessment by contacting privacy@wedecide.com.
5. How We Protect Anonymous Submissions
When you submit a story anonymously:
• No user ID is stored with the submission.
• IP addresses are not logged for anonymous submissions.
• The submission is associated only with a district/constituency, not an individual.
• Voice recordings are transcribed and may be stripped of identifying metadata.
• We cannot retrieve, modify, or delete anonymous submissions on your behalf because we cannot identify them as yours.
6. Data Sharing and Disclosure
We do not sell your personal data. We may share information in the following circumstances:
• Aggregated Data: Anonymized, aggregated patterns are displayed publicly on district dashboards and may be shared with researchers, governments, and civil society organisations. This data cannot identify individuals.
• Service Providers: We use third-party processors for hosting (Vercel), database (Supabase/PostgreSQL), email (Resend), analytics (privacy-focused), and payment processing (Stripe). All processors are bound by data processing agreements.
• Representatives: If you send a message to an elected official, your message content (and identity if you choose to include it) is delivered to them.
• Legal Requirements: We may disclose information if required by law, court order, or government request, or to protect rights, safety, or property.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred. You will be notified of any such change.
7. International Data Transfers
WeDecide is established in Estonia (EU). Your data may be processed in the European Economic Area, United Kingdom, and United States. When we transfer data outside the EEA/UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or your explicit consent.
8. Data Retention
We retain your data only as long as necessary for the purposes described in this policy:
• Account data: Retained while your account is active and for 30 days after deletion request.
• Story submissions (attributed): Retained until you delete them or your account.
• Story submissions (anonymous): Retained indefinitely as they cannot be linked to individuals.
• Waitlist data: Retained until you are converted to a full user or request deletion.
• Usage logs: Retained for 12 months for security and analytics purposes.
• Legal records: Retained as required by applicable law.
9. Cookies and Similar Technologies
We use cookies and similar technologies as follows:
Cookie Type
Purpose
Duration
Strictly Necessary
Authentication, security, load balancing
Session / 7 days
Functional
Remembering preferences, region selection
1 year
Analytics
Understanding usage patterns (privacy-focused, no cross-site tracking)
1 year
We do not use advertising cookies or sell data to advertisers. You can manage cookie preferences through our cookie banner or your browser settings. Note that disabling strictly necessary cookies may prevent the Service from functioning properly.
10. Your Rights
10.1 Rights for EEA/UK Residents (GDPR)
You have the following rights:
• Right of Access: Obtain confirmation of whether we process your data and request a copy.
• Right to Rectification: Correct inaccurate or incomplete data.
• Right to Erasure: Request deletion of your data ("right to be forgotten").
• Right to Restrict Processing: Limit how we use your data.
• Right to Data Portability: Receive your data in a structured, machine-readable format.
• Right to Object: Object to processing based on legitimate interests.
• Right to Withdraw Consent: Where processing is based on consent, withdraw at any time.
• Right to Lodge a Complaint: File a complaint with your local supervisory authority.
10.2 Rights for California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights:
• Right to Know: Request disclosure of the categories and specific pieces of personal information we collect.
• Right to Delete: Request deletion of your personal information.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioural advertising.
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights.
• Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond what is necessary.
10.3 Rights for Other US States
Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws have similar rights. Please contact privacy@wedecide.com to exercise your rights.
10.4 How to Exercise Your Rights
To exercise any of these rights:
• Email: privacy@wedecide.com
• Use our online Opt-Out/Data Request Form at wedecide.com/opt-out
We will respond within one month (GDPR) or 45 days (CCPA). We may need to verify your identity before fulfilling your request.
11. Children's Privacy
The Service is not intended for children under the age of 16 (or 13 in the United States). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact privacy@wedecide.com and we will delete it promptly.
12. Security
We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS) and at rest, access controls, regular security assessments, and secure development practices. However, no system is completely secure. If you believe your account has been compromised, contact support@wedecide.com immediately.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last Updated" date. For significant changes, we will provide additional notice (such as email notification). Your continued use of the Service after changes constitutes acceptance of the updated policy.
14. Contact Us
For privacy-related enquiries:
Email: privacy@wedecide.com
WeDecide Ltd, [Address], Tallinn, Estonia
UK residents may also contact our UK Representative at: [UK Representative Address]
15. Supervisory Authorities
• Estonia: Andmekaitse Inspektsioon (Data Protection Inspectorate) - www.aki.ee
• UK: Information Commissioner's Office (ICO) - www.ico.org.uk
• EU: Your local data protection authority
