Privacy Policy
Last updated: March 18, 2026
Overview
DeckPilot ("we," "our," or "us") provides an adaptive control surface platform that turns your iPhone and iPad into intelligent, app-aware touch interfaces for your Mac via a proprietary secure communication layer. We are committed to maintaining the highest standards of data protection and operational transparency in accordance with applicable regulations.
Information We Collect
Registration & Communication Data
When you create an account, we collect your email address and display name. We use your email for account authentication, product lifecycle communications (feature announcements, service updates), onboarding guidance emails, retention and re-engagement emails, and billing notifications. You may unsubscribe from marketing emails at any time.
Application Analytics & Diagnostics
DeckPilot uses privacy-focused analytics and diagnostics services to improve the app experience. We do not collect or transmit any of the following:
- Input command sequences or macro configurations
- User-defined layout schemas or control surface configurations
- Display buffer contents or screen capture data
- Network topology data, packet inspection, or traffic metadata
We do collect the following anonymized and aggregated data:
- Usage analytics: App launches, feature usage signals, pairing events, and authentication events via TelemetryDeck — a privacy-focused analytics service that hashes all user identifiers and does not collect personally identifiable information
- Crash reports & performance data: Stack traces, app hang detection, and launch performance metrics via Sentry — used to identify and fix bugs. Crash data is not linked to your identity.
- Activity statistics: Aggregate command counts, time saved estimates, and productivity scores — synced to your account for your personal activity dashboard. This data is visible to you in the app.
Account & Authentication Data
When you create a DeckPilot account, we collect your email address and an encrypted password hash. If you sign in with Apple, we receive a unique identifier and, optionally, your name and email relay address as provided by Apple's Sign in with Apple service. We do not receive or store your Apple ID password.
Feedback & Support Data
When you submit feedback through the in-app form, we collect the message content, feedback category, your email address (if signed in), device model, operating system version, and app version. This data is used to respond to your feedback and improve the app. Feedback is stored in our Supabase database and associated with your account.
Payment Information
Subscription purchases on iOS are processed entirely by Apple through StoreKit and the App Store. We receive transaction receipts and subscription status but never your payment card details. On macOS, purchases are processed by a PCI-compliant third-party payment processor that receives your payment information directly — we never see or store your full card number. We receive only a customer identifier, subscription status, and billing cycle dates.
Website Analytics & Advertising
Our marketing website uses Google Analytics (by Google LLC), Plausible Analytics (by Plausible Insights OÜ), and Meta Pixel with server-side Conversions API (by Meta Platforms Inc.) to evaluate traffic patterns, measure advertising effectiveness, and optimize campaigns. Plausible is a privacy-focused, cookie-free analytics service that does not collect personal data. Google Analytics processes anonymized interaction data subject to Google's Privacy Policy. Meta Pixel tracks website conversion events (page views, downloads, purchases) for Facebook and Instagram ad measurement. You may opt out via standard browser privacy mechanisms, Do Not Track headers, the Google Analytics Opt-out Browser Add-on, or Facebook Ad Settings. None of these website tracking services are present in the iOS or macOS apps.
Device Pairing & Connection Data
To enable automatic pairing between your Mac and iPhone or iPad, we collect and store the following device-level identifiers in our Supabase database, associated with your account: device names, public keys, and Bonjour service names.
- This data is used solely for connecting your devices and is not shared with third parties
- You can delete your pairing data at any time by removing devices from your account or by deleting your account entirely
- Connection between devices occurs over your local network (Wi-Fi or USB) using encrypted WebSocket connections
- We use .local (mDNS) hostnames for local network discovery — command and layout data stays on your local network
Communication Architecture & Data Isolation
DeckPilot uses a proprietary transport protocol designed to operate only within your local network. The communication subsystem implements the following privacy-preserving properties:
- Network-boundary isolation: All inter-device signaling is constrained to your local subnet. No payload data traverses external gateways, relay servers, or cloud-based intermediary infrastructure.
- Asymmetric key negotiation: Device pairing employs elliptic-curve Diffie-Hellman ephemeral key agreement over a 256-bit curve, establishing forward-secret session keys that are never persisted in plaintext.
- Message authentication: All transmitted frames are authenticated via keyed-hash message authentication codes to ensure integrity and prevent replay or tampering attacks across the transport layer.
- Cloud-separated command path: Real-time commands and control traffic never leave your local network. DeckPilot does use cloud services (Supabase) for account authentication, subscription management, device registration, and aggregate usage statistics, but these are fully separated from the command transport layer. Your button layouts, macro configurations, and the specific apps you control are stored locally and are never uploaded.
- Ephemeral session management: Authenticated sessions are subject to time-bounded validity with automatic credential rotation. Pairing tokens implement strict attempt-limiting and temporal expiry to mitigate brute-force enumeration.
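The key agreement and frame authentication properties listed above, as an added illustrative example; this is not DeckPilot's code (the protocol is proprietary and not published here). It assumes NIST P-256 as the "256-bit curve", a single-block HKDF-style derivation with SHA-256, an 8-byte strictly increasing sequence number as the replay check, and a constructed sample command; every name, label and constant is an assumption, not something the policy states.

```python
# Illustrative sketch of the policy's pairing/transport properties; not DeckPilot's code.
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters (assumed; the policy only says "256-bit curve").
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def on_curve(pt):
    """Public-key validation: reject a peer point that is not on the curve."""
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0

def _add(p1, p2):
    """Affine point addition/doubling; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def generate_ephemeral_keypair():
    """Fresh key pair per session; dropped after use so past traffic stays forward secret."""
    d = secrets.randbelow(N - 1) + 1
    return d, _mul(d, G)

def derive_session_key(my_priv, peer_pub, label=b"mac->ios frames"):
    """ECDH shared x-coordinate -> HKDF-style extract/expand (one SHA-256 block)."""
    if not on_curve(peer_pub):  # P-256 has prime order, so the on-curve check suffices
        raise ValueError("peer public key rejected")
    shared_x = _mul(my_priv, peer_pub)[0].to_bytes(32, "big")
    prk = hmac.new(b"\x00" * 32, shared_x, hashlib.sha256).digest()
    return hmac.new(prk, label + b"\x01", hashlib.sha256).digest()

class AuthenticatedChannel:
    """One traffic direction: frame = seq (8 bytes) || payload || HMAC-SHA256 tag."""

    def __init__(self, key):
        self._key, self._send_seq, self._recv_seq = key, 0, 0

    def _tag(self, header, payload):
        return hmac.new(self._key, header + payload, hashlib.sha256).digest()

    def seal(self, payload):
        self._send_seq += 1
        header = self._send_seq.to_bytes(8, "big")
        return header + payload + self._tag(header, payload)

    def open(self, frame):
        header, payload, tag = frame[:8], frame[8:-32], frame[-32:]
        if len(frame) < 40 or not hmac.compare_digest(tag, self._tag(header, payload)):
            raise ValueError("bad tag")  # truncated, tampered, or wrong key
        seq = int.from_bytes(header, "big")
        if seq <= self._recv_seq:
            raise ValueError("replayed frame")  # sequence numbers must strictly increase
        self._recv_seq = seq
        return payload

def run_pairing_demo():
    """Agree keys, discard ephemerals, deliver one command, then reject tamper and replay."""
    mac_priv, mac_pub = generate_ephemeral_keypair()
    ios_priv, ios_pub = generate_ephemeral_keypair()
    k_mac, k_ios = derive_session_key(mac_priv, ios_pub), derive_session_key(ios_priv, mac_pub)
    del mac_priv, ios_priv  # ephemeral private keys are never persisted
    mac, ios = AuthenticatedChannel(k_mac), AuthenticatedChannel(k_ios)
    frame = mac.seal(b"press:button/3")  # constructed sample command
    results = {"keys_match": k_mac == k_ios, "accepted": ios.open(frame) == b"press:button/3"}
    tampered = frame[:8] + b"press:button/4" + frame[-32:]
    for name, bad in (("tamper_rejected", tampered), ("replay_rejected", frame)):
        try:
            ios.open(bad)
            results[name] = False
        except ValueError:
            results[name] = True
    return results

if __name__ == "__main__":
    print(run_pairing_demo())
```

The per-direction `label` matters: deriving one key for each direction stops a frame from being reflected back to its sender, and the strictly increasing sequence number is what turns a keyed MAC into replay protection. A production implementation would use a vetted library (constant-time curve arithmetic, full HKDF) rather than the hand-rolled arithmetic shown here.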
Device Permissions & On-Device Access
DeckPilot requests a limited set of system-level permissions on your iOS/iPadOS device, each scoped to a specific operational function. These permissions are governed by the host operating system's authorization framework and may be revoked at any time via your device's privacy settings.
- Camera access: The companion app requests one-time access to your device camera solely for the purpose of scanning a cryptographic pairing code during initial device enrollment. No images, video frames, or visual data are captured, stored, transmitted, or processed beyond the real-time decoding of the pairing payload. Camera access is not required for PIN-based pairing and can be denied without loss of core functionality.
- Local network access: The companion app requests permission to discover and communicate with devices on your local network. This is required for the zero-configuration device discovery protocol that enables automatic detection of your Mac host within the same network segment. All discovery traffic is confined to multicast DNS resolution on your local subnet and does not interact with external DNS infrastructure, wide-area networks, or internet-facing endpoints. No information about your network topology, connected devices, or routing configuration is collected or transmitted off-device.
Data Persistence & Storage
- Client-side storage: User configurations, cryptographic key material, layout data, and application preferences are stored within platform-native secure enclaves and sandboxed application containers on your devices.
- Server-side storage: The following data is stored on SOC 2-compliant infrastructure (Supabase): account credentials, user profiles, subscription status, device pairing records, IAP receipts, activity statistics, feedback submissions, and onboarding email tracking. Button commands and layout configurations are not stored server-side — they remain on your devices.
Third-Party Data Processors
We engage a limited number of vetted third-party data processors to facilitate service operations. These processors are contractually bound by data processing agreements and are prohibited from using your data for purposes beyond the scope of their engagement:
- Supabase (Supabase Inc.) — Authentication, account data, device pairing records, and subscription status. Hosted on SOC 2 Type II compliant infrastructure.
- Stripe (Stripe Inc.) — Payment processing for macOS subscriptions. Processes payment card data directly; we receive only transaction metadata.
- Apple (Apple Inc.) — In-app purchase processing for iOS subscriptions via StoreKit, and Sign in with Apple identity verification.
- Google Analytics (Google LLC) — Anonymized website traffic analytics.
- Plausible Analytics (Plausible Insights OÜ) — Privacy-focused, cookie-free website analytics.
- Crisp (Crisp IM SAS) — Live chat support widget on the marketing website.
- Meta (Meta Platforms Inc.) — Website conversion tracking via Meta Pixel and server-side Conversions API. Used to measure the effectiveness of advertising campaigns on Facebook and Instagram. Tracks website events such as page views, downloads, and purchases. No Meta tracking is present in the iOS or macOS apps. You can opt out of Meta's data collection via your Facebook Ad Settings.
- TelemetryDeck (TelemetryDeck GmbH) — Privacy-focused app analytics in the iOS and macOS apps. All user identifiers are cryptographically hashed before transmission. No personally identifiable information is collected. TelemetryDeck does not sell data or use it for advertising.
- Sentry (Functional Software Inc.) — Crash reporting and performance monitoring in the iOS and macOS apps. Collects crash logs, stack traces, and app performance metrics. Crash data is not linked to your identity.
- Resend (Resend Inc.) — Transactional and lifecycle email delivery for onboarding, retention, and billing notifications.
The DeckPilot desktop and mobile applications do not integrate with any advertising networks or ad-tracking services. We do not use the Apple advertising identifier (IDFA) or any equivalent tracking technology.
Your Data Rights
In accordance with applicable data protection regulations, you retain the following rights:
- Right to erasure of your registration data from our systems — you can delete your account and all associated data directly from the DeckPilot iOS app (Account > Delete Account) or by contacting us
- Right to withdraw consent for marketing communications
- Right to request a portable copy of data we hold pertaining to you
- Right to data elimination via application uninstallation (removes all locally-stored data) or via in-app account deletion (removes all server-side data including authentication records, subscription data, device pairings, and purchase receipts)
Children's Privacy
DeckPilot is not directed at individuals under the age of 13. We do not knowingly solicit or collect personally identifiable information from minors. If we become aware of inadvertent collection from a minor, we will expeditiously purge such data from our systems.
Policy Amendments
We reserve the right to amend this policy to reflect changes in our data practices, regulatory requirements, or operational procedures. Material amendments will be communicated via this page with an updated revision date. Continued use of the Service following such amendments constitutes acceptance.
Contact
For inquiries regarding this privacy policy, data subject access requests, or data deletion requests, contact us at [email protected].