Last updated: November 20, 2025
Skylark Creations LLC (“Skylark,” “we,” “us,” or “our”) operates Decomposer, a SaaS web application that transforms user‑provided goals and documents into structured, actionable task plans using artificial intelligence (the “Service”).
Product domain: https://decomposer.io
Contact (privacy & support): hello@skylarkcreations.com
Postal address: 10717 Owens St, Westminster, CO 80021, USA
This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use the Service and associated websites. It does not apply to third‑party services that are governed by their own terms and policies.
Unless stated otherwise, Skylark Creations LLC is the data controller for personal information processed through the Service. When we process content solely on your behalf (e.g., plan content you store in your account), we act as a processor to the extent applicable under relevant laws.
We do not have an EU/EEA or UK establishment and do not appoint local representatives at this time. Privacy inquiries are handled at hello@skylarkcreations.com.
Account Information. Required: email address; system‑generated user ID. Optional: display name and organization name.
User Content. Goal text you submit, generated plan content, your edits to plans, and user‑defined assumptions/constraints.
File Uploads (Optional). We accept PDF/DOCX/TXT to help generate plans. Original files are discarded immediately after text extraction; only extracted text and limited metadata (e.g., filename, MIME type, word count) are stored with the plan.
Images (Optional). Images you upload are sent to our AI provider for analysis and not retained in our storage after processing.
Feedback & Communications. Emails to support, thumbs‑up/down, and other communications you send us.
Telemetry / Usage Metrics. Counts of plan generations, timestamps, feature usage events (e.g., “Plan Exported”), and automated quality scores.
Technical Metadata. IP address, browser user agent, device type, and performance metrics.
Error & System Logs. Application/runtime logs maintained by our hosting provider. We avoid logging plan text and sanitize where feasible.
Essential Authentication Cookies. Supabase Auth session cookies keep you signed in.
Local Storage. We store the last five plans for convenience and UI state preferences on your device.
We do not use your plan content to train our own models. We rely on an AI provider whose API terms state they do not use API‑submitted data to train their models (see §4).
We use information to:
Provide and operate the Service (generate/edit/store/share/export plans).
Process with AI to produce plan content, analyses, and quality evaluations.
Secure and support the Service (authentication, fraud/abuse prevention, debugging, and incident response).
Measure and improve product performance and quality (analytics and aggregated metrics).
Billing (subscription management via our payments processor).
Legal compliance (enforce terms, comply with law, protect rights).
We do not sell personal information. We do not share plan content with advertisers.
We share information with vendors who help us run the Service. Core processors and typical data handled are:
| Provider | Role | Data Categories | Region/Transfers |
|---|---|---|---|
| OpenAI (API) | AI processing for text and image analysis | Goal text, extracted text; image content for analysis | Processed in US regions; provider’s API terms state no training on API data |
| Supabase (Postgres + GoTrue) | Database & authentication | Account data; plan content and metadata | US regions; encryption at rest; RLS |
| Render | App hosting & logs | Runtime logs (sanitized), operational metrics | US regions |
| Redis/KV on Render | In‑memory cache & share links | Derived/partial plan data, link tokens | US regions |
| Stripe | Payments | Billing profile (e.g., email), customer ID, subscription status | US and global processing under SCCs; we do not store card numbers |
| PostHog | Product analytics | Pseudonymous IDs, usage events (with input masking); session recording enabled but anonymized | US/EU hosting options; masking enabled |
Other disclosures may occur:
For legal reasons (lawful requests, enforcing our terms, preventing harm), or
In a business transfer (e.g., merger or acquisition), subject to this Policy.
We maintain DPAs with major vendors and rely on Standard Contractual Clauses (SCCs) (and UK IDTA, where applicable) for international transfers.
Primary storage. Plan content and metadata are stored in Supabase (encrypted at rest). Retention: until you delete the plan or your account.
Cache. Redis/KV caching may store limited, derived data for performance and unlisted share links; no fixed TTL (entries may persist until evicted or manually cleared).
Logs. Hosting/runtime logs: provider default (approximately 7–30 days).
Backups. Database backups managed by Supabase (typically 7–30 days point‑in‑time recovery). Deleted data may remain in backups until they expire.
Images. Used transiently for analysis; not retained after processing.
Files. Original uploads are discarded immediately after extraction; only extracted text is stored.
Deletion controls. Account deletion and plan‑level deletion are currently available via support request to hello@skylarkcreations.com. We target responses within 30 days to data rights requests (see §7). Self‑service deletion is planned.
You may generate unlisted share links to view plans. We disallow indexing via robots.txt. Links have no default expiry and can be revoked by deleting the plan or toggling sharing off. Anyone with the link can access the shared plan; avoid including sensitive data in shared items.
Depending on your location, you may have rights to access, correct, delete, port, or object/restrict certain processing. You can also opt out of analytics (see §9). To exercise rights, contact hello@skylarkcreations.com. We aim to respond within 30 days.
We process data primarily in the United States. When transferring personal data internationally, we use appropriate safeguards such as SCCs and, where required, UK IDTA under our DPAs with vendors.
EU/UK visitors: We display a cookie/consent banner. Analytics is opt‑in.
Rest of world: Analytics is opt‑out.
GPC: We honor Global Privacy Control signals to disable analytics for that session/user where applicable.
PostHog configuration: Input masking enabled; session recording is enabled but anonymized to avoid capturing user content.
We implement administrative, technical, and organizational measures including:
TLS 1.2+ in transit; AES‑256 encryption at rest for database and cache.
Row‑Level Security (RLS) in Postgres to ensure tenant isolation.
Access controls, secret management, and monitoring.
Password policy enforced by Supabase Auth (minimum 6 characters). 2FA and SSO are not currently available.
No method of transmission or storage is 100% secure; we endeavor to protect your information but cannot guarantee absolute security.
The Service is intended for adults (18+). We do not knowingly collect personal information from children under 13. Do not use the Service if you are under 18.
Legal bases include contract (to provide the Service), legitimate interests (service improvement, security), and consent where required (non‑essential analytics/cookies).
Data subject rights include access, rectification, erasure, portability, restriction, and objection. You may lodge a complaint with a supervisory authority.
Breach notice. We endeavor to notify authorities and affected users without undue delay and, when required, within 72 hours of becoming aware of a qualifying breach.
Categories collected: Identifiers (email, user ID), commercial information (subscription status), internet activity (usage/telemetry), and inferences (quality scores/usage patterns).
No sale or sharing: We do not “sell” personal information and do not “share” it for cross‑context behavioral advertising.
Rights: Right to know, delete, and non‑discrimination. Authorized agent requests honored as required by law.
Essential cookies are required for authentication and core functionality.
Analytics cookies (PostHog) are used to improve the product; opt‑in in EU/UK, opt‑out elsewhere.
Local Storage holds recent plan history and UI preferences.
You can control cookies via your browser and our in‑product consent tools.
We may update this Policy from time to time. For material changes, we will provide 30 days’ advance notice (e.g., email and/or in‑product notice) where required. Your continued use after changes take effect constitutes acceptance.
Skylark Creations LLC
10717 Owens St, Westminster, CO 80021, USA
Email: hello@skylarkcreations.com
| Data Category | Retention | Notes |
|---|---|---|
| Plan content (text) | Until user or account deletion | Stored in Supabase; encrypted at rest |
| Extracted text from uploads | Until user or account deletion | Original files discarded immediately after extraction |
| Images (uploaded) | Processing‑only | Sent to AI for analysis; not retained |
| Redis/KV cache | No fixed TTL | Evicted LRU or manual cleanup |
| Auth/session cookies | Provider defaults | Supabase Auth |
| Logs (hosting/runtime) | ~7–30 days | Provider default retention; sanitized |
| Analytics events | Provider defaults | PostHog with masking; anonymized session recording |
OpenAI (API), Supabase (Postgres + GoTrue), Render (hosting & logs), Redis/KV on Render (cache), Stripe (payments), PostHog (analytics).