Last updated April 30, 2026 · Effective for all dekree.ai users
Dekree is a compliance operating system for Michigan local government. We handle data on behalf of public bodies (our customers) and process limited data about the residents and requesters who interact with those public bodies through our platform.
This policy describes what data we collect, how we use it, who we share it with, and what choices you have. It applies to dekree.ai and all customer-facing portals we host.
From customers (public bodies): organization information you provide during onboarding, user accounts and roles, your uploaded records, your meeting recordings and transcripts, FOIA workflow data, and standard service-operation telemetry (request logs, error events).
From residents and requesters: name and email address when submitting a public records request, the content of your request, and any optional attachments you choose to provide.
From all visitors: standard server logs (IP address, user agent, request path), cookies necessary for session management, and limited product analytics events.
To provide the service: drafting FOIA responses, generating meeting artifacts, indexing documents, surfacing deadlines, sending notifications, and supporting the audit trails required by Michigan public-records and open-meetings law.
To operate and improve the platform: monitoring uptime, debugging errors, tuning automation quality, and informing product decisions. We do not sell your data, and we do not use customer or resident data to train models that we sell to third parties.
Dekree uses a small set of trusted infrastructure providers to operate the service. These include Vercel (application hosting), Supabase (database and storage), Postmark (email delivery), Anthropic (model inference for automated drafting), Sentry (error monitoring), and Inngest (background jobs).
Each sub-processor handles only the data necessary for their function. Sensitive data is scrubbed from telemetry before it leaves our infrastructure. We maintain a current list of sub-processors and notify customers in advance of material changes.
Customer data is retained for the life of the subscription plus a 30-day grace window, after which it is purged unless legal hold applies. Public-records data within Dekree is also subject to whatever Michigan retention schedule applies to that record type.
Backups: encrypted, retained for up to 30 days, purged after a verified service deletion.
Telemetry: server logs retained 30 days, error events 90 days, with PII scrubbed at capture.
TLS in transit, AES-256 at rest, row-level security on every database table, append-only audit logs on customer actions, and Sentry hooks that strip personally identifiable information at capture.
For our full security posture, see dekree.ai/security.
Customers can export all data we hold on their organization at any time, in a portable format, with no clawback. Customers can delete their organization and all associated data on request.
Residents and requesters can request a copy of personal data Dekree holds about them. Email privacy@dekree.ai with the subject line "Data request" and we will respond within one business day.
Questions about this policy: privacy@dekree.ai
Security disclosures: security@dekree.ai
General contact: contact@dekree.ai
Mail: Dekree, c/o Warrior Web Co, Kalamazoo, Michigan