Privacy Policy
Last updated: March 13, 2026
Resolve ("we," "our," or "us") operates the Resolve platform at resolve.app (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Service, in compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
1. Data Controller
Resolve is the data controller for personal data processed through the Service. For privacy inquiries, contact us at privacy@resolve.app.
2. Personal Data We Collect
2.1 Account Information
When you create an account (via Clerk authentication), we collect your name, email address, profile picture, and organization details. This data is necessary to provide the Service under our contractual relationship with you.
2.2 Decision and Workspace Data
Content you create within Resolve, including decision rooms, briefs, stakeholder inputs, consensus summaries, templates, and knowledge base documents. This data is processed to deliver the core functionality of the Service.
2.3 Integration Data
When you connect third-party integrations (Slack, Microsoft Teams, Jira, Notion, Google Calendar, Outlook), we access and process data from those services as authorized by you. We only access the specific scopes and permissions you grant. Integration credentials are encrypted using AES-256-GCM at rest.
2.4 Billing Information
Payment processing is handled entirely by Stripe. We do not store credit card numbers or bank account details. We retain your Stripe customer ID, subscription status, and billing history for account management.
2.5 Usage Data
We collect technical information including IP addresses, browser type, device information, and interaction data to maintain and improve the Service. Error tracking is handled by Sentry for service reliability.
3. How We Use Your Data
| Purpose | Lawful Basis (GDPR) |
|---|---|
| Provide and maintain the Service | Contract performance |
| Process payments and manage subscriptions | Contract performance |
| Generate AI-powered briefs and consensus summaries | Contract performance |
| Send transactional notifications (deadlines, invitations) | Contract performance |
| Error tracking and service reliability | Legitimate interest |
| Security monitoring and fraud prevention | Legitimate interest |
| Respond to support requests | Legitimate interest |
4. AI Processing and OpenAI
Resolve uses OpenAI's API (GPT-4.1-mini) to generate decision briefs and consensus summaries. When you use AI features, the content of your decision room (title, context, stakeholder inputs) is sent to OpenAI for processing.
- OpenAI does not use API data to train their models.
- API data is retained by OpenAI for up to 30 days for abuse monitoring, then deleted.
- AI-generated outputs are clearly labeled as such within the Service.
- We store vector embeddings derived from your content in our EU-hosted database for the Decision Memory feature.
5. Third-Party Integrations
When you enable integrations, the following data flows occur:
- Slack: We receive and send messages related to decision notifications and slash commands. We access only channels and conversations you explicitly authorize.
- Microsoft Teams: We send decision notifications to channels you configure. We access only the scopes granted during OAuth consent.
- Jira: We sync decision outcomes to Jira issues as configured by you.
- Notion: We export decision summaries to Notion pages you specify.
- Google Calendar / Outlook: We create calendar events for decision deadlines upon your request.
You can disconnect any integration at any time from your Settings page. Upon disconnection, we delete stored integration credentials and cease accessing that service.
6. Sub-processors
We use the following sub-processors to deliver the Service. A full list with details is available at Sub-processor List.
- Supabase — Database hosting (EU West, Ireland)
- Clerk — Authentication
- OpenAI — AI processing
- Stripe — Payment processing
- Vercel — Application hosting
- Sentry — Error tracking
- Resend — Transactional email
7. International Data Transfers
Your primary data is stored in Supabase's EU West (Ireland) region. However, some sub-processors (OpenAI, Clerk, Vercel, Stripe, Sentry) may process data in the United States. These transfers are protected by:
- EU-U.S. Data Privacy Framework certifications where applicable
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Additional technical and organizational safeguards including encryption in transit (TLS 1.2+) and at rest
8. Data Retention
| Data Category | Retention Period |
|---|---|
| Account information | Duration of account + 30 days after deletion |
| Decision and workspace data | Duration of account (exportable before deletion) |
| Billing records | 7 years (legal/tax obligations) |
| Integration credentials | Until integration is disconnected |
| Usage and error logs | 90 days |
| Vector embeddings | Duration of account |
9. Your Rights
GDPR Rights (EEA Residents)
- Access: Request a copy of your personal data.
- Rectification: Correct inaccurate personal data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Restriction: Request restriction of processing.
- Portability: Receive your data in a machine-readable format (JSON/CSV).
- Objection: Object to processing based on legitimate interest.
- Withdraw consent: Where processing is based on consent, withdraw at any time.
- Complaint: Lodge a complaint with your local supervisory authority.
CCPA Rights (California Residents)
- Right to Know: What personal information we collect, use, and disclose.
- Right to Delete: Request deletion of your personal information.
- Right to Opt-Out: We do not sell or share personal information for cross-context behavioral advertising.
- Non-Discrimination: We will not discriminate against you for exercising your rights.
To exercise any of these rights, contact us at privacy@resolve.app. We will respond within 30 days (GDPR) or 45 days (CCPA).
10. Data Security
We implement appropriate technical and organizational measures including:
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- AES-256-GCM encryption for integration credentials
- Role-based access controls and authentication via Clerk
- Content Security Policy, HSTS, and additional security headers
- Webhook signature verification for all inbound webhooks
- Regular security monitoring via Sentry
11. Children's Privacy
The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at privacy@resolve.app.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we will provide additional notice (such as an in-app notification or email).
13. Contact Us
For any privacy-related questions or requests, contact us at:
- Email: privacy@resolve.app
- General support: support@resolve.app