1. Introduction
DDI - TheDesignPhase LLC, a Wyoming limited liability company ("DDI", "we", "us", "our"), operates The Design Phase platform available at thedesignphase.app. We are the data controller for the personal data we collect about you as a user of our platform.
This Privacy Policy applies to all personal data processed in connection with your use of The Design Phase platform, our website, and any communications with us. It does not apply to data that customers upload about their own end users or project participants — customers are the data controllers for that data, and our Data Processing Agreement governs that relationship.
We are committed to protecting your personal data and handling it responsibly. Where applicable, we comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, and applicable US state privacy laws.
2. Information We Collect
Account information: When you register, we collect your name, work email address, and organisation name. If you are invited by another user, we collect these details when you accept the invitation.
Usage data: We collect information about how you interact with the platform, including pages visited, features used, session durations, and actions taken (such as creating sessions, logging decisions, or signing off on gates).
Session activity logs: The platform records design session activities including who attended, what decisions were captured, which register entries were created, and who provided sign-offs. This audit trail data is central to the platform's governance function.
Payment information: Payments are processed by Stripe, Inc. DDI does not store your card number, CVV, or full payment details. We receive a confirmation token and basic billing information (last 4 digits, expiry, billing name) from Stripe to manage your subscription.
Communications: If you contact us by email or through the demo request form, we collect the information you provide, including your name, email, company, and the content of your message.
3. How We Use Your Information
To provide and operate the platform: Your account data and usage data are necessary to authenticate you, enforce your subscription limits, and deliver the platform features.
To send notifications and digests: We may send you email notifications related to your account (e.g. session invites, sign-off requests, trial expiry reminders). You can manage notification preferences in your account settings.
To respond to demo and support requests: When you submit a demo request or contact support, we use your information solely to respond to your inquiry.
To improve the product: Aggregated and anonymised usage data helps us understand how the platform is used, prioritise features, and identify areas for improvement. We do not use individual Customer Data for product development without consent.
Legal compliance: We may process your data where required by applicable law, such as retaining billing records for tax purposes.
We do not sell your personal data to third parties. We do not use your personal data for advertising or to build advertising profiles.
4. Data Sharing
We do not sell your personal data. We share your data only with the following sub-processors, who process data on our behalf under appropriate data processing agreements:
Supabase, Inc.: Our database and authentication provider. Your account data, project data, and session records are stored in Supabase infrastructure hosted on AWS.
Stripe, Inc.: Our payment processor (PCI DSS Level 1 certified). Stripe processes your payment information on our behalf.
Resend, Inc.: Our transactional email provider. Resend sends system emails on our behalf (e.g. verification emails, notifications, demo confirmations).
Vercel, Inc.: Our hosting and edge network provider. Your requests to the platform are processed through Vercel's infrastructure.
We may disclose your data if required by law, court order, or regulatory authority, or to protect the rights and safety of DDI - TheDesignPhase LLC, our users, or the public.
5. Data Retention
We retain your account and project data for as long as your Subscription is active. If you cancel your Subscription, your data is retained for 30 days to allow you to export it.
After the 30-day export window, your data is securely deleted from our systems. Anonymised aggregate data (e.g. usage statistics) may be retained indefinitely as it contains no personal information.
Billing records required for legal or tax compliance may be retained for up to 7 years in accordance with applicable law.
6. Security
We use industry-standard security measures to protect your data, including encryption at rest (AES-256) and in transit (TLS 1.2+), Row-Level Security on all database tables to prevent unauthorised cross-tenant data access, and role-based access controls within the platform.
Multi-factor authentication (MFA/TOTP) is available for all users and can be enforced at the workspace level by administrators.
Our infrastructure is built on Supabase and Vercel, both of which maintain SOC 2 Type II certifications.
While we take all reasonable precautions, no system is completely secure. You are responsible for maintaining the confidentiality of your credentials. DDI - TheDesignPhase LLC is not liable for any unauthorised access resulting from your failure to maintain the security of your account credentials.
7. Your Rights
Depending on your jurisdiction, you may have rights in relation to your personal data including: the right to access the personal data we hold about you; the right to rectification of inaccurate data; the right to erasure ("right to be forgotten") in certain circumstances; the right to data portability; the right to object to or restrict certain processing; and for US residents, the right to opt out of the sale of personal data (we do not sell personal data).
To exercise any of these rights, please contact us at support@thedesignphase.app. We will respond within 30 days. If you believe we have not adequately addressed your request, you have the right to lodge a complaint with your applicable data protection or privacy authority.
8. International Data Transfers
Your personal data may be processed in the United States or other countries by our sub-processors (Supabase, Stripe, Resend, Vercel). DDI - TheDesignPhase LLC is incorporated in Wyoming, USA.
For users located in the European Economic Area (EEA) or United Kingdom, where personal data is transferred to the US, we ensure that appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) or equivalent mechanisms.
If you require information about specific transfer mechanisms, please contact support@thedesignphase.app.
9. Cookies
The Design Phase platform uses session cookies for authentication purposes only. We do not use analytics cookies, tracking cookies, or advertising cookies.
Please see our Cookie Policy at /cookies for full details of the cookies we use and how to manage them.
10. Children's Privacy
The Platform is intended for business use by adults. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected such data, please contact us at support@thedesignphase.app and we will promptly delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice via email or a prominent notice on the platform before the changes take effect.
Continued use of the Platform after the effective date of any changes constitutes acceptance of the revised Privacy Policy.
12. Contact
DDI - TheDesignPhase LLC
State of Incorporation: Wyoming, USA
Email: support@thedesignphase.app