Trust Center
What is the Deckmetric Trust Center?
The Deckmetric Trust Center documents how your pitch deck data is processed, who the named sub-processors are, how long each category is retained, our AI training stance, your user rights under GDPR and CCPA, and how to permanently delete your account and all associated deck files in one click. Deckmetric is operated by Shepard&Young.
- Sub-processors
- 6 named providers
- Trains AI on your deck?
- No
- Self-service delete
- Yes, /account
Last updated: May 11, 2026
1. Data flow at a glance
Five steps from your upload to the analysis you receive.
- Upload. You send a pitch deck over TLS to Deckmetric's Express backend on Replit. Non-PDF formats are converted to PDF via headless LibreOffice.
- Store. The deck is written to private Google Cloud Storage and a metadata row is written to PostgreSQL.
- Score. Slide text and rendered slide images are sent to Anthropic (Claude API) for AI scoring. Inputs and outputs are not used to train Anthropic's general models under their commercial terms.
- Persist + notify. The structured analysis is written back to PostgreSQL and an analysis-ready email is sent to you via Resend.
- Bill (if Premium). Stripe holds the billing relationship for subscriptions and one-time kit purchases. Deckmetric never sees full card numbers.
2. Sub-processors
These are the third-party services Deckmetric uses to deliver the platform. Adding or removing a sub-processor is a material change to this list, see the changelog at the bottom of this page.
| Sub-processor | Purpose | Data received | Region |
|---|---|---|---|
| Replit | Application hosting and runtime infrastructure for deckmetric.com. | Encrypted application traffic, server logs, deployment metadata. | United States |
| Google Cloud Platform | Object storage for uploaded pitch decks and converted PDF artifacts. | Pitch deck files at rest (encrypted at rest by GCS). | United States |
| Anthropic | AI scoring of pitch deck content via the Claude API. | Slide text and rendered slide images at request time. Anthropic's commercial API terms prohibit using inputs or outputs to train their general models. | United States |
| Stripe | Payment processing for subscriptions and one-time kit purchases. | Billing email, payment instrument details (Deckmetric never sees full card numbers), invoice and subscription state. | United States |
| PostHog | Product analytics on how visitors and authenticated users interact with the platform. | Page views, feature interactions, anonymous device identifiers, opted-in user identifiers. | United States |
| Resend | Transactional and lifecycle email delivery (analysis-ready notifications, receipts, market digests). | Recipient email address, message content (subject, body, links). | United States |
3. Retention
| Data type | Retention window | Deletion trigger |
|---|---|---|
| Pending uploads (deck files not yet analyzed) | Up to 30 minutes | Auto-purged from object storage and database |
| Analyzed decks (file + scoring result) | Until you request deletion | "Delete my data" on /account, or email request |
| Account email + subscription state | While your account is active | Hard-deleted on account deletion |
| Stripe billing records | Per Stripe payments-compliance retention | Out of Deckmetric control after charge |
| Server logs (application + access) | 30 days rolling | Automatic log rotation |
| PostHog analytics events | PostHog default window | Cookie banner opt-out, or PostHog retention policy |
4. AI training stance
Deckmetric does not train any model on your deck content. The only AI provider that receives your deck is Anthropic, via the Claude API, and Anthropic's commercial API terms explicitly prohibit using API inputs or outputs to train their general models. We do not sell your data to third parties and we do not share your deck with any party other than the named sub-processors above.
5. Your rights
- Access: sign in to view every analysis tied to your account at /account.
- Delete: the "Delete my data" button on /account permanently purges your account, deck files, and analyses, and cancels any active Stripe subscription at the same time.
- Export: email hello@deckmetric.com for a copy of your data on file.
- Object / withdraw consent: reply to any marketing email or email the address above.
6. Security
- All traffic between your browser and Deckmetric is encrypted in transit (TLS).
- Pitch decks at rest in object storage are encrypted by GCS-managed keys.
- Database access is restricted to the application runtime and named operators. Admin access to user-attributable data is logged to an append-only audit table.
- Session cookies are HMAC-signed; the session secret is not shared with any third party.
7. Incident response
If we discover a security incident affecting your data we will notify affected account holders by email at the address on file, describe the scope and impact, and outline the remediation steps we have taken, within the timelines required by GDPR (72 hours to the lead supervisory authority where applicable) and equivalent regimes. Suspected vulnerabilities can be reported privately to hello@deckmetric.com.
8. Contact
Privacy and data questions: hello@deckmetric.com. Deckmetric is operated by Shepard&Young.
Changes to this page
Material changes, adding or removing a sub-processor, changing the retention window for any category above, or changing the AI training stance, are recorded here with the date of the change.
- 2026-05-11, Confirmed Resend's processing region as United States (us-east-1) per Resend's published Privacy Policy, DPA, and Regions documentation. Removed the "region pending verification" qualifier from the Resend sub-processor entry.
- 2026-05-11, Initial public version of the Trust Center. Sub-processor list, retention table, AI training stance, user rights, and the self-service delete flow on /account are published.