Privacy notice

Last updated: 20 May 2026.

Decades is an educational health record built by a doctor. This page is our straight-talk explanation of what information we collect from you, what we do with it, and what choices you have. We've tried to write it in plain English instead of legal-speak. The short version: we collect only what we need to make the app actually useful for you, we don't sell anything to advertisers, and you can delete everything at any time.

Decades is not a medical device. It does not diagnose any disease, prescribe any medicine, or replace your doctor.

What we collect from you

  • Basic account information: your name, email, date of birth, sex (which we call gender in the app) and country.
  • Health information you give us: the answers you type during onboarding and as you keep using the app — your habits, screenings, mood and sleep logs, lab values and any reports you upload.
  • Health information we calculate for you: risk scores we compute from what you typed in — your heart-risk number (called ASCVD), diabetes-risk number (called FINDRISC), depression and anxiety check-in scores (called PHQ-9 and GAD-7), and the overall Decades score.
  • Technical bits: the minimum logs needed to keep the service running — timestamps of your requests and any error traces. We do not run advertising trackers.

What we do with it

  • Show you your own health record, risk scores, screening calendar, library and personalised daily action.
  • Run the Decades AI Coach and the Lab Decoder when you ask them to. To do this we send the text or image you submit to Google's Gemini API, which is the smart language model we use behind the scenes. The Indian privacy law (DPDP Act 2023) requires us to tell you this clearly — see the “Who we share with” section below for the full list.
  • Send service emails (login confirmations, password resets). We send marketing emails only if you opt in, and you can stop them in one click.

Where your data lives

  • Your data is stored on Supabase (a managed Postgres database) in the AWS Mumbai region — physically in India.
  • Everything is encrypted both while sitting on disk and while travelling over the network.
  • We use row-level security, which is a fancy way of saying: even other Decades users cannot read your rows.
  • Lab report files live in private storage and only you can open them.

Who we share with

  • The companies that help us run the service (the law calls them “sub-processors”):
    • Supabase — they host the database, the authentication service and the file storage.
    • Vercel — they host the website itself.
    • Google's Gemini API — when you actually use an AI feature, your input is sent to Google's smart language model to generate a reply. Outside of AI features, your data does not go to Google.
    • Razorpay — only if you pay for our one-off doctor review service (Decades Care). They handle the payment.
  • We do not sell your data. We do not share it with advertisers. We are not interested in advertising.
  • We may share data only if a court orders us to. When the law permits, we will tell you that this happened.

Your rights

  • See your data: download a full copy of your record any time from Settings → Export.
  • Fix your data: edit your inputs directly inside the app.
  • Delete your data: delete your account from Settings → Danger zone. Backups are wiped within 30 days.
  • Change your mind: turn off marketing emails in Settings, or stop using the AI features at any time.

Children

Decades is for adults — 18 and older. We do not knowingly collect information from anyone under 18. If you believe a minor has signed up, please email us and we will delete the account.

Talk to us

For any privacy question or to use any of the rights listed above, email privacy@decades.app.