EU + UK · Cybersecurity career platform
GDPR compliance
DecipherU is a cybersecurity career intelligence platform operated by Bespoke Intermedia LLC. This page documents how the platform meets EU GDPR (Regulation (EU) 2016/679) and UK GDPR (UK Data Protection Act 2018) obligations for EU, EEA, and UK data subjects.
Controller status
Bespoke Intermedia LLC, operating DecipherU at decipheru.com, is the data controller for personal data processed through the cybersecurity career platform. The founder serves as the privacy contact until subscriber volume justifies a dedicated DPO appointment.
Privacy contact: privacy@decipheru.com. Replies within five business days, faster on rights requests.
Lawful basis for processing
DecipherU processes personal data under three lawful bases:
- Contract performance (Article 6(1)(b)): paid subscribers, course buyers, coaching clients, and employer/talent network participants. We process the data necessary to deliver the contracted service.
- Legitimate interest (Article 6(1)(f)): analytics, fraud prevention, content recommendation. Balanced against data subject rights via the analytics consent banner and per-event opt-out.
- Consent (Article 6(1)(a)): newsletter signup, customer development interview recordings, optional account features, marketing communications.
Categories of personal data
- Identity: name, email, optional phone number, Clerk user ID
- Account: subscription tier, billing history, password hash (handled by Clerk, not stored on DecipherU)
- Career profile: assessment responses, AI-Disruption risk score result, Compass dashboard inputs, target roles, salary expectations, location preferences (talent network)
- Course progress: course enrollment status, lesson completion, quiz scores, Range scenario attempts and credentials
- Behavioral: page views, click events, search queries (PostHog)
- Sensitive: not collected. DecipherU does not collect special-category data per Article 9 (race, ethnicity, political opinions, health data, etc.).
Data subject rights
EU and UK data subjects have the following GDPR rights:
- Right of access (Article 15): copy of personal data DecipherU holds about you. Use /data-request with type="access". Returned within 30 days.
- Right to rectification (Article 16): corrections to inaccurate or incomplete data. Most fields are self-service in account settings; non-self-service via /data-request type="rectification".
- Right to erasure / right to be forgotten (Article 17): deletion of personal data. Use /data-request type="erasure". Some fields are retained where required by law (billing records for tax compliance, financial transactions for anti-fraud).
- Right to restriction (Article 18): pause processing while a complaint is investigated.
- Right to data portability (Article 20): export of personal data in machine-readable format (JSON). Use /data-request type="portability".
- Right to object (Article 21): object to processing on legitimate interest grounds. Marketing opt-out is one click in any email; broader objection via /data-request type="objection".
- Right to lodge a complaint (Article 77): supervisory authority complaint. EU residents may complain to their national DPA; UK residents may complain to the ICO at ico.org.uk.
Sub-processors
DecipherU uses the following sub-processors. Standard Contractual Clauses (SCCs) are in place for sub-processors that transfer data outside the EU/EEA or UK. We notify subscribers before adding new sub-processors that materially change the data flow.
| Processor | Role | Region |
|---|---|---|
| Vercel | Hosting and edge compute | United States |
| Supabase | Postgres database hosting | United States (eu-central available on request) |
| Clerk | Authentication and identity | United States |
| Stripe | Payment processing | United States with EU sub-processing |
| Resend | Transactional email delivery | United States |
| Anthropic | AI inference for AI Coach and Range AI adversary | United States |
| PostHog | Product analytics | United States with EU hosting available |
| Sentry | Error monitoring | United States |
| Tavily | Search-grounded retrieval for AI Coach | United States |
| Sentino | Psychometric assessment scoring | United States |
Cross-border transfers
Personal data may be transferred to the United States via Vercel hosting, Supabase, Stripe, Clerk, Resend, Anthropic, and the other US-based sub-processors listed above. DecipherU relies on:
- EU Standard Contractual Clauses (Module 2: controller to processor) where applicable
- UK International Data Transfer Addendum to the SCCs
- Sub-processor data processing agreements
- Vendor adherence to the EU-US Data Privacy Framework where the vendor self-certifies
EU-hosted alternatives are available on request for Supabase Postgres (eu-central region) and PostHog (EU hosting). Contact privacy@decipheru.com if you require an EU-resident-only data path.
Retention schedule
- Active subscriber data: retained for the life of the subscription
- Cancelled subscriber data: retained for 24 months after cancellation, then deleted unless required for legal hold
- Billing records: 7 years for tax compliance per applicable jurisdictions
- Customer development interview recordings: 12 months from recording, then deleted
- Behavioral analytics events: 24 months
- Email logs: 12 months
- Refund and dispute records: 7 years per anti-fraud and tax compliance
- Talent network reveals: retained for the duration of the candidate's active marketplace participation; redacted on candidate erasure request
Children's data
DecipherU is not directed at children under 16. Account creation requires affirmation of legal age in the user's jurisdiction. If you believe a minor has created an account, contact privacy@decipheru.com and the account will be deleted promptly.
Make a request
For all GDPR data subject rights requests, use the structured intake at /data-request. The form routes to the privacy review queue and creates an audit record. Response within 30 days per GDPR Article 12(3).
For complaints, you may contact your national EU supervisory authority or the UK ICO directly. DecipherU cooperates fully with regulator inquiries.