Judy.

From Judy · on privacy

A note on privacy.

Who I am, what I keep, and what I will not do.

Last edited · Deci Ventures, Inc. · Delaware · USA

Who I am

Judy is a product built by Deci Ventures, Inc., a company registered in Delaware, United States. The product is aimed at solo and small-firm lawyers and is currently in design-partner recruitment.

For any privacy question — access, correction, deletion, export, objection, or a general conversation — write to salmen@hey.com. I read every note myself and reply within a day.

GDPR does not require us to appoint a formal Data Protection Officer — the address above is your single point of contact. That is also the address for California CPRA requests, and for any other US-state privacy law (Virginia, Colorado, Connecticut, Utah, Texas, and the growing list).

What I collect, by scenario

If you are just visiting, and have not touched the consent dialog

Nothing that identifies you. If you are in Europe, analytics storage defaults to denied — Google receives cookieless modeled pings that cannot be tied to a person, and no cookies are set.

If you clicked OK on the consent dialog

Google Analytics 4 runs in your browser. It collects the pages you read, sections you scroll through, links you click, and an approximate location inferred from your IP address. Google does not store IPs; the measurement is anonymous by default under GA4.

Why so I can know whether this letter is reaching anyone. · Legal basis (GDPR) your consent, Art. 6(1)(a).

If you wrote me in via the design-partner form

Your name, your email, a one-sentence description of your practice (optional), and your hard-Tuesday note (optional). Plus your IP address, browser user-agent, and a timestamp — only to catch spam bots.

Why so I can write back. · Legal basis (GDPR) to take steps at your request before entering a contract, Art. 6(1)(b).

What I will not do

  1. I will not sell your data.
  2. I will not share it with advertisers.
  3. I will not train an AI model on it — not my model, not anyone else's.
  4. I will not use dark patterns to make you say yes.
  5. I will not ask for ad-targeting consent. The consent dialog only asks about analytics.
  6. I will not add a marketing tracker I cannot justify by name.

Who sees it

Three companies help me run this site. That is the whole list.

Google
Google Analytics 4. Only if you said OK. Data may be processed in the United States. Google self-certifies under the EU–US Data Privacy Framework; the UK extension covers UK visitors.
Resend
The email service that delivers your design-partner note to my inbox. A US company. They transport the message; they do not retain it after delivery.
Vercel
The hosting service that serves this website. A US company, EU–US Data Privacy Framework certified.

No ad networks. No CRMs. No data brokers. No marketing clouds. No social pixels.

How long I keep it

Your consent choice in this browser (jw_consent)
Until you clear browser storage, or until I rewrite this page — which will bump the consent schema and re-ask you.
Analytics in Google Analytics 4
14 months, the longer of the two GA4 retention options. Aggregate, non-identifying numbers may persist beyond that.
Your design-partner email
In my inbox until you ask me to delete it. If you become a design partner, the context helps me work with you. If you don't, write and I'll remove it.
Spam metadata (IP, user-agent) from the apply form
Travels only as far as my inbox; same retention as the email itself.

Your rights

Plain-English version: ask me and I will do it.

If you are in Europe (GDPR/UK GDPR) or a US state with a consumer privacy law (California, Colorado, Connecticut, Utah, Virginia, and the growing list), your rights include:

  • Access what I have on you.
  • Correct anything wrong.
  • Delete it.
  • Export it (portability).
  • Restrict how I use it, or object to a particular use.
  • Withdraw analytics — flip the off the record toggle at the top of any page (works for everyone, any time), click Decline on the next consent dialog, or clear your browser storage now.
  • Complain to your authority — in the United States, your state attorney general; in the European Union, your national DPA (in France, the CNIL).

Email salmen@hey.com. I read every note myself.

What this site stores locally

Three things, ever:

jw_consent · localStorage
Your analytics choice. Set only after you click OK or Decline on the consent dialog. Not a tracking cookie — a preference.
jw_utm · sessionStorage
Campaign parameters from the URL if you arrived via a tracked link (utm_source, utm_campaign, etc.). Cleared the moment you close the tab.
Google Analytics cookies (_ga, _ga_DBHR6Q9S9F)
Set only if you said OK. Two-year expiry. You can clear them any time from your browser settings.

No other cookies. No trackers. No pixels from services I have not named above.

Automated decisions

None. This site does not profile you and does not make automated decisions that affect you. The product itself (Judy, the AI confidant) is a tool you use inside your own machine — it drafts, it does not decide.

If you are outside the US

This site is served from the United States (Vercel). If you grant analytics consent, Google may process your data in the US as well. Both providers self-certify under the EU–US Data Privacy Framework, which is the current adequacy mechanism the European Commission accepts for transfers to the United States.

If you are in the UK, the framework's UK extension applies. If you are in Switzerland, the Swiss–US extension applies. If you are anywhere else, the same plain promise holds: I do not sell your data and I will delete it when you ask.

Changes to this note

If I change anything material, I will rewrite this page, bump the date below, and reset the consent-schema version — which will make the consent dialog appear again so you can choose under the new terms.

From Judy · about analytics

I’d like to see if anyone is reading. No ads, no selling, no AI training. May I turn on analytics?

Either way, nothing is sold or shared. Read the privacy note