Privacy Policy
for the PowerPoint Add-in “Decky AI”
Last updated: February 2026
1. Data Controller
The data controller within the meaning of the General Data Protection Regulation (GDPR) is:
Maven Labs UG (haftungsbeschränkt)
Represented by the Managing Director: Maximilian Nitsche
Baaderstraße 17
80469 Munich
Germany
Court of registration: Amtsgericht München (Munich Local Court)
Commercial register number: HRB 308823
Email: hello@decky-ai.com
A Data Protection Officer has not been appointed, as there is no legal obligation to do so (Section 38 BDSG).
2. Scope and Definitions
2.1 Scope
This Privacy Policy applies to:
- the PowerPoint Add-in “Decky AI” (hereinafter the “Service”),
- the associated backend and API services required to deliver the Service’s functionality,
- the associated website at decky-ai.com (hereinafter the “Website”).
The Add-in is intended for both consumers (B2C) and businesses and enterprise customers (B2B).
2.2 Definitions
| Term | Definition |
|---|---|
| Inputs | All content provided by the user, including chat commands, presentation content, uploaded documents, and other data submitted for AI-assisted processing. |
| Outputs | All results generated by the Service, including edited slides, generated text, images, or layout modifications. |
| User Content | Collective term for Inputs and Outputs together. |
| Technical Data | Automatically collected operational data such as IP address, timestamps, and device/browser information. |
3. Collection of Personal Data
3.1 Data You Provide Directly
a) Account Data
A user account is required to use the Service. Authentication is handled via Microsoft Entra External ID (formerly Azure AD CIAM). The following data is processed:
- Email address
- First and last name
- Company (if provided)
- Phone number (if provided)
- Internal user ID (OpenID claims: oid, sub)
- Timestamps of registration and login
b) Inputs and Outputs
When using the Service, users may enter or upload the following content:
- Text and chat commands
- PowerPoint presentations and slide content (in Office Open XML format)
- Images (e.g., PNG, JPEG) and documents (e.g., PDF)
- Other content for AI-assisted processing
This content may contain personal data as well as corporate or confidential business information. The decision about which content to submit lies solely with the user.
c) Payment Information
When you subscribe to a paid plan, payment information is processed by our payment service provider Stripe. Maven Labs does not store credit card numbers or bank details. We only receive a customer ID, subscription status, and payment history (amounts and timestamps) from Stripe.
d) Feedback
If you use feedback features (e.g., thumbs-up/thumbs-down functions), the feedback is stored together with the associated conversation history to improve the quality of the Service.
e) Communications
When you contact us by email or support form, we process your name, email address, and the content of your message to handle your inquiry.
3.2 Automatically Collected Data
The following Technical Data is automatically collected when using the Service:
- Connection data: IP address, timestamps, HTTP status codes
- Usage data: Number of requests, quota consumed, subscription status
- Error and crash reports: Error messages, exceptions, affected functional areas
- Telemetry: Operation names, response times, system status (no personal data)
This data is used exclusively to ensure technical operation, security, and troubleshooting.
3.3 Necessity of Data Provision
The provision of the account data described in Section 3.1 a) is a contractual requirement for using the Service. Without this data, no user account can be created and the Service cannot be provided. The provision of Inputs (Section 3.1 b) is voluntary; however, without them, the AI-assisted features cannot be executed.
3.4 Data from Third Parties
We generally do not receive personal data about you from third parties, unless you authenticate via Microsoft Entra External ID, in which case we receive the data described in Section 3.1 a).
4. Purposes and Legal Bases for Processing
| Purpose | Legal Basis |
|---|---|
| Provision and operation of the Service, including AI-assisted content creation, media search, authentication, and payment processing | Art. 6(1)(b) GDPR (performance of a contract) |
| Operational security, quality assurance, and abuse prevention, monitoring, error analysis, LLM tracing (opt-out available) | Art. 6(1)(f) GDPR (legitimate interest) |
| Communication and support | Art. 6(1)(b) GDPR (performance of a contract) or Art. 6(1)(f) GDPR (legitimate interest) |
The categories of data processed for each purpose are set out in Sections 3 and 5.
5. AI Processing and External Service Providers (Data Processors)
5.1 Principles of AI Processing
To provide the Service, Inputs are transmitted to external AI services. The following principles apply:
- Processing is carried out solely to execute the respective user request.
- No use of User Content for training or improving AI models. None of the AI providers used process data submitted through the Service to train their own models. Certain providers (e.g., Anthropic) may temporarily store Inputs for up to 30 days for safety and abuse review. For Enterprise-tier users, we additionally implement contractual agreements that completely exclude any intermediate storage on the provider side (so-called Zero Data Retention).
- Inputs are only processed temporarily by providers and are not stored permanently.
5.2 List of Data Processors and Third-Party Providers
The following tables provide a complete list of external services used in the operation of the Service:
AI Model Providers
| Provider | Location | Data Processed | Purpose | GDPR Safeguard |
|---|---|---|---|---|
| Microsoft (Azure OpenAI Service) | EU / USA | Presentation content, Inputs, conversation history | LLM inference (primary), embeddings, AI image generation | Data Processing Agreement (DPA), EU data processing, EU-US Data Privacy Framework |
| Anthropic | USA | Inputs, conversation history | LLM inference | Standard Contractual Clauses (SCCs), Data Processing Addendum |
Web Research
| Provider | Location | Data Processed | Purpose | GDPR Safeguard |
|---|---|---|---|---|
| Tavily (tavily.com) | USA | Search queries, URLs | Automated web search upon user request | Standard Contractual Clauses (SCCs) |
| Exa AI (exa.ai) | USA | Search queries, category filters | In-depth research (companies, people, expert sources) | Standard Contractual Clauses (SCCs) |
Image and Media Providers
| Provider | Location | Data Processed | Purpose | GDPR Safeguard |
|---|---|---|---|---|
| Unsplash (unsplash.com) | USA / Canada | Search queries | Stock photo search for slides | Standard Contractual Clauses (SCCs) |
| Pixabay (pixabay.com) | Germany | Search queries | Stock photo and illustration search | DPA (processing in the EU) |
| Hunter.io (Logo API) | France | Company names, domains | Retrieval of company logos | Standard Contractual Clauses (SCCs) |
Authentication, Payment, and Infrastructure
| Provider | Location | Data Processed | Purpose | GDPR Safeguard |
|---|---|---|---|---|
| Microsoft (Entra External ID) | EU | Email, profile, OpenID claims | User authentication | DPA, EU data processing |
| Stripe (stripe.com) | USA / EU (Ireland) | User ID (metadata), subscription/payment information | Payment processing and subscription management | Standard Contractual Clauses (SCCs), PCI DSS certification |
| Microsoft Azure (Cloud Infrastructure) | EU (Germany West Central) | Application data, telemetry, logs | Hosting, monitoring, error analysis | DPA, EU data processing |
| LangSmith (LangChain) (smith.langchain.com) | USA | LLM interaction data (unless disabled by user), feedback | Quality assurance, user feedback | Standard Contractual Clauses (SCCs) |
Note: The transmission of LLM interaction data to LangSmith occurs by default for quality assurance purposes. Users may disable this data transmission at any time in their account settings (opt-out).
6. Disclosure of Personal Data
Personal data is disclosed exclusively:
- To the data processors and third-party providers listed in Section 5.2, insofar as necessary to provide the Service.
- To payment service providers (Stripe) to process payment transactions.
- Upon legal order to competent authorities, insofar as we are legally obligated to do so (e.g., in response to law enforcement requests).
- To enforce our rights, insofar as necessary to establish, exercise, or defend legal claims.
- In the context of a corporate transaction (e.g., merger, sale, or transfer of business units), whereby the acquirer remains bound by this Privacy Policy.
No sale of personal data takes place.
Maven Labs does not create user profiles for marketing purposes and does not share data with advertisers.
7. International Data Transfers (Third-Country Transfers)
7.1 Processing Locations
Processing takes place predominantly within the European Union (Germany West Central region). Due to the global AI infrastructure, processing in the United States may also occur, particularly when using the AI model providers listed in Section 5.2.
Where possible, we use AI providers with EU data residency (e.g., AWS Bedrock in the eu-central-1/Frankfurt region).
7.2 Safeguards for Third-Country Transfers
For transfers to third countries, we rely on the following safeguards pursuant to Art. 44 et seq. GDPR:
- Adequacy decisions of the European Commission, where available (e.g., EU-US Data Privacy Framework pursuant to Implementing Decision (EU) 2023/1795 for certified US companies such as Microsoft).
- Standard Contractual Clauses (SCCs) pursuant to Commission Implementing Decision (EU) 2021/914, supplemented by a Transfer Impact Assessment (TIA), for providers without an adequacy decision.
- Data Processing Agreements (DPAs) pursuant to Art. 28 GDPR with all data processors.
8. Storage and Deletion
| Data Type | Retention Period | Deletion |
|---|---|---|
| Account data | As long as the user account exists, plus statutory retention periods (up to 10 years for tax-relevant data pursuant to Section 147 AO) | Upon account deletion and expiry of statutory periods |
| Inputs and Outputs | Temporarily during the session; with LLM tracing enabled, up to 90 days in filtered form | Automatic deletion upon expiry |
| Conversation state | For the duration of the usage session, up to 30 days for session resumption where applicable | Automatic cleanup |
| Usage data and telemetry | Up to 90 days | Automatic rotation and deletion |
| Payment data (at Stripe) | In accordance with Stripe’s privacy policy; tax-relevant data up to 10 years | In accordance with Stripe’s privacy policy |
| Error and crash reports | Up to 90 days | Automatic deletion |
| Feedback | Until revoked or until account deletion | Upon request or account deletion |
No permanent archiving of User Content takes place. Data is deleted or anonymized as soon as the respective processing purpose ceases, unless a statutory retention obligation applies.
9. Cookies and Similar Technologies
9.1 Add-in
The Add-in itself does not set any cookies. Technically necessary session data is stored in the browser for authentication purposes. This does not constitute tracking.
9.2 Website
On the associated website (decky-ai.com), technically necessary cookies may be used. Non-essential cookies (e.g., for analytics) are only used with explicit consent in accordance with applicable law.
10. Security Measures (Technical and Organizational Measures)
We implement appropriate technical and organizational measures pursuant to Art. 32 GDPR to ensure a level of protection appropriate to the risk. These include in particular:
- Encryption: All data transmissions are encrypted (TLS). Stored data is encrypted at rest.
- Network isolation: The backend infrastructure uses isolated networks with private endpoints for sensitive services.
- Access control: Token-based authentication and role-based access control for all system components.
- Abuse protection: Rate limiting and automated detection of abusive usage.
- Regular updates: Timely installation of security updates for all system components.
- Monitoring: Real-time monitoring for early detection of anomalies and security incidents.
11. Rights of Data Subjects
As a data subject, you are entitled to the following rights. To exercise your rights, please contact us at hello@decky-ai.com.
| Right | Legal Basis | Description |
|---|---|---|
| Access | Art. 15 GDPR | You have the right to request information about the personal data we process about you. |
| Rectification | Art. 16 GDPR | You may request the correction of inaccurate data or the completion of incomplete data. |
| Erasure | Art. 17 GDPR | You may request the deletion of your data, provided no statutory retention obligations apply. |
| Restriction of processing | Art. 18 GDPR | Under certain conditions, you may request the restriction of processing. |
| Data portability | Art. 20 GDPR | You have the right to receive the data concerning you in a structured, commonly used, and machine-readable format. |
| Objection | Art. 21 GDPR | You may object at any time to the processing of your data based on Art. 6(1)(f) GDPR. We will then cease processing unless we can demonstrate compelling legitimate grounds. |
| Withdrawal of consent | Art. 7(3) GDPR | If you have given consent, you may withdraw it at any time with effect for the future. |
Automated Decision-Making
No automated decision-making within the meaning of Art. 22 GDPR takes place that produces legal effects concerning you or similarly significantly affects you. The Service uses AI models solely to generate content at your request; no automated decisions are made about your person, creditworthiness, suitability, or similar matters.
Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with the competent data protection supervisory authority:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
(Bavarian State Office for Data Protection Supervision)
Promenade 18
91522 Ansbach
Germany
Website: www.lda.bayern.de
12. Children and Minors
The Service is not intended for persons under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will delete it without undue delay. Please contact us at hello@decky-ai.com if you become aware of such a case.
13. User Responsibility and Disclaimer
13.1 Sole Responsibility of the User for Content
Responsibility for the lawfulness, admissibility, accuracy, and confidentiality of all data and content provided by the user through the Service lies solely and entirely with the user.
The user warrants that:
- they are authorized to process the content they submit through the Service;
- the submission of content does not infringe any third-party rights (in particular copyrights, trademark rights, personality rights, or trade secrets);
- the content does not violate applicable law;
- if the content contains personal data of third parties, they have a sufficient legal basis for its processing (e.g., consent or legitimate interest).
13.2 No Review Obligation by Maven Labs
Maven Labs:
- does not review User Content for substance, legality, or accuracy,
- has no knowledge of the nature, content, or permissibility of submitted data,
- does not moderate User Content,
- processes content solely for the technical execution of the function initiated by the user.
Maven Labs is therefore not a content provider within the meaning of the German Digital Services Act (DDG) and does not make any independent editorial decisions regarding User Content.
13.3 Special Categories of Data (Art. 9 GDPR)
The Service is not designed for the processing of special categories of personal data (e.g., health data, data concerning racial or ethnic origin, political opinions, religious beliefs, biometric or genetic data). If the user nevertheless submits such data, this is done at their own responsibility and risk. Maven Labs assumes no liability in this regard.
13.4 Use at Own Risk
The Service is provided on an “as-is” basis. To the maximum extent permitted by law, Maven Labs makes no warranties or representations regarding:
- the uninterrupted availability of the Service,
- the fitness of the Service for a particular purpose,
- the error-free operation or security of the Service.
13.5 Indemnification
The user shall indemnify and hold harmless Maven Labs, its managing directors, employees, and agents from and against all third-party claims arising out of or in connection with:
- content submitted by the user,
- a breach of this Privacy Policy or the Terms of Service by the user, or
- an infringement of third-party rights by the user,
including reasonable legal fees. This does not apply to the extent the user is not responsible for the infringement.
13.6 Limitation of Liability
- Maven Labs’ liability for damages is limited, to the extent permitted by law, to the amount of fees actually paid by the user in the 12 months preceding the event giving rise to the damage.
- Maven Labs shall not be liable for indirect damages, consequential damages, lost profits, data loss, or damages arising from business interruption, to the extent permitted by law.
- Unaffected are liability for intent and gross negligence (Section 276 BGB), liability for breach of material contractual obligations (cardinal obligations), liability under the German Product Liability Act, and liability for damages to life, body, or health.
14. AI Outputs, Transparency and Disclaimer
14.1 Notice Regarding AI-Generated Content
The Service uses Artificial Intelligence (AI) to generate, edit, and structure content. All Outputs produced by the Service (including text, layouts, images, and structural suggestions) are generated in whole or in part by AI models. Users are hereby expressly informed that when using the Service, they are interacting with an AI system and that the generated Outputs are machine-generated.
14.2 No Guarantee of Accuracy
AI-generated Outputs may be inaccurate, incomplete, outdated, or misleading. Maven Labs assumes no liability for:
- the factual accuracy or completeness of the Outputs,
- the legal permissibility of the Outputs (in particular with respect to copyright, trademark, or other intellectual property rights),
- the suitability of the Outputs for any particular purpose.
14.3 User’s Duty to Verify
The user is obligated to independently review all AI-generated Outputs before using, publishing, or relying on them. This applies in particular to:
- business decisions,
- legal, medical, or financial matters,
- public presentations and publications.
14.4 No Professional Advice
The Service does not constitute legal, tax, medical, financial, or any other professional advice. The use of the Service does not replace consultation with qualified professionals.
14.5 Disclaimer for Decisions
Maven Labs assumes no liability for decisions made by the user based on AI-generated Outputs, or for damages arising from the use of such Outputs. This applies regardless of whether the Outputs were erroneous, incomplete, or misleading.
15. Microsoft Office Store
When distributed through the Microsoft Office Store (Microsoft AppSource), the privacy policies of Microsoft (Microsoft Privacy Statement) additionally apply. This Privacy Policy is linked accordingly in the Store.
Installation through the Microsoft Office Store is subject to Microsoft’s Terms of Use. Maven Labs has no influence over data processing by Microsoft within the scope of the Store.
16. Changes to This Privacy Policy
Maven Labs may update this Privacy Policy in the event of legal, technical, or organizational changes. In the case of material changes, we will notify you in an appropriate manner (e.g., by email or through a notice in the Service).
The current version is available at decky-ai.com/add-in-privacy-policy. The date of the last update can be found at the beginning of this policy.
By continuing to use the Service after a change, you agree to the updated Privacy Policy.
17. Contact
If you have questions about this Privacy Policy or wish to exercise your rights as a data subject, please contact:
Maven Labs UG (haftungsbeschränkt)
Baaderstraße 17
80469 Munich
Germany
Email: hello@decky-ai.com