Privacy Policy
Effective: May 10, 2026
Summary
We collect information needed to operate Accountmade, generate and share decks, administer accounts, process payments through Paddle, support customers, secure the Service, and comply with law. We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use Customer Content or Customer Personal Data to train AI models.
This summary is not legally binding. The sections below are.
1. Who we are
Accountmade is operated by The Plain Works Co., Ltd. (주식회사 더플레인웍스), a Korean company. We operate accountmade.com, our shared-deck infrastructure, and related services.
For privacy questions, contact legal@accountmade.com.
2. Scope and roles
This Privacy Policy explains how we process personal information as a controller, including account information, billing metadata, product usage data, communications, and website data.
When we process personal data on behalf of a customer, the customer is usually the controller and Accountmade is usually the processor. That processing is governed by the Data Processing Agreement. Examples include CRM fields imported by the customer, prospect data used for personalized decks, personal data included in Customer Content, and shared-deck viewer analytics where the customer determines the purpose of tracking.
Paddle acts as an independent controller for payment information it collects as merchant of record. Customer-selected CRMs and other integrations may act as your own vendors or independent controllers depending on your relationship with them.
3. Information we collect
Account and workspace data
We collect information used to create and administer accounts and workspaces, such as name, email address, login method, password hash if password login is used, profile image if provided, workspace name, seat role, invitations, plan tier, settings, and authentication/session metadata.
Customer Content
We process Customer Content that you submit, generate, store, share, or export through Accountmade. This may include prompts, notes, briefs, source documents, URLs, transcripts, deck text, images, logos, brand kits, fonts, colors, personas, CRM fields, prospect data, generated decks, exports, and shared-deck content.
Customer Content may contain personal data if you or your integrations include it.
CRM and integration data
If you connect a CRM or other supported integration, we collect the fields, records, metadata, and tokens necessary to provide the configured integration. This may include prospect names, business email addresses, company names, job titles, CRM object identifiers, company logos, lifecycle stages, deal context, custom mapped fields, and sync status.
We process only the scopes and fields authorized or configured through the Service, subject to the capabilities of the integration provider.
Shared-deck viewer data
When someone views a deck through accountmade.com, a custom domain, or another Accountmade-hosted share page, we may collect viewer events and technical metadata, such as open events, slide progression, time on slide, approximate location inferred from IP address, user-agent data, referrer, device/browser type, timestamps, share-link identifier, and access-control events.
Where viewer analytics are enabled for a customer, the customer is responsible for providing required notices and having a lawful basis for tracking recipients.
Usage, device, and diagnostic data
We collect product usage and diagnostic data, such as pages visited, features used, generation and export events, errors, logs, performance metrics, API usage, browser type, device type, IP address, approximate location, and security events.
Payment and subscription metadata
Payments are processed by Paddle as merchant of record. We do not store full card numbers or bank details. We receive payment metadata such as transaction ID, order ID, subscription status, plan, billing cycle, tax jurisdiction, currency, renewal status, and limited billing contact information.
Communications and support data
When you contact us, respond to emails, use support chat, report abuse, submit legal requests, or provide feedback, we collect the contents of those communications and related contact information.
Cookies and similar technologies
We use cookies, localStorage, sessionStorage, pixels, and similar technologies as described in the Cookie Policy.
4. How we use information
We use personal information to:
- provide, operate, maintain, and secure Accountmade;
- create and administer accounts, workspaces, seats, and permissions;
- generate, edit, render, export, store, and share decks;
- process prompts, source documents, brand context, personas, and mapped CRM fields;
- provide shared-deck hosting, access controls, and viewer analytics;
- connect and maintain integrations authorized by customers;
- process subscriptions, billing, tax, refunds, fraud checks, and payment administration through Paddle;
- send transactional emails, service notices, security alerts, and billing notices;
- provide support, troubleshoot issues, and respond to requests;
- analyze product usage and improve reliability, performance, usability, and security;
- prevent abuse, enforce legal terms, investigate violations, and protect users and third parties;
- comply with legal, tax, accounting, sanctions, export-control, regulator, and law-enforcement obligations; and
- send marketing communications where permitted by law and your preferences.
5. Legal bases for EEA, UK, and Swiss users
Where GDPR, UK GDPR, or Swiss data protection law applies, we rely on the following legal bases:
- Contract performance: to provide the Service, administer accounts, process subscriptions, and deliver requested features.
- Legitimate interests: to secure and improve the Service, prevent fraud and abuse, understand product usage, provide customer support, send product updates, and protect legal rights.
- Consent: for non-essential cookies, certain marketing communications, and other processing where consent is required.
- Legal obligation: for tax, accounting, sanctions, regulatory, consumer-law, and law-enforcement compliance.
You may object to legitimate-interests processing where applicable by contacting legal@accountmade.com.
6. AI processing
When you use AI features, Accountmade may send relevant Customer Content to the AI providers listed on the Subprocessor List — currently OpenAI and Google (Gemini API) — such as prompts, source documents, brand context, personas, selected CRM fields, deck structure, and prior slide content. Requests may be routed to either provider for generation, ingestion, answerability judging, and text embeddings (including cross-provider fallback).
We do not intentionally send payment-card data, passwords, secret keys, or government identifiers to AI providers. You must not include those data types in prompts, source documents, CRM fields, or decks.
We do not use Customer Content or Customer Personal Data to train Accountmade's own models or third-party AI models. We configure commercial AI providers so that Customer Content is not used for model training where the provider supports that control. Provider retention, safety review, abuse monitoring, and zero-data-retention status are described in the Subprocessor List and may depend on the provider and plan.
AI output can be inaccurate, incomplete, non-unique, or unsuitable. You are responsible for reviewing output before using it.
7. How we share information
We share personal information only as described below.
Subprocessors and service providers
We use vendors to host infrastructure, store data, process AI requests, deliver email, provide analytics, monitor errors, secure the Service, process support requests, and operate related services. The current list is maintained at accountmade.com/legal/subprocessors.
Paddle
Paddle processes payments as merchant of record and independent controller. Paddle handles checkout, payment processing, invoices, taxes, refund administration, fraud screening, and related payment communications.
Customer-selected integrations
If you connect a CRM or other integration, we exchange data with that integration according to your configuration and authorization. The integration provider's terms and privacy notice may also apply.
Legal and safety disclosures
We may disclose information if required by law, court order, subpoena, regulator, law-enforcement request, sanctions/export-control requirement, or to protect rights, safety, security, users, the Service, or third parties. Where lawful and practicable, we will redirect requests to the customer or notify the affected customer before disclosure.
Business transfers
If we are involved in a merger, acquisition, financing, reorganization, asset sale, or similar transaction, information may be transferred as part of that transaction, subject to appropriate confidentiality and privacy protections.
Your instructions and sharing choices
We share information when you choose to publish or share a deck, export a file, invite a workspace member, connect an integration, send data to a recipient, or otherwise instruct us to disclose information.
8. No sale or cross-context behavioral advertising
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use third-party advertising cookies.
We honor Global Privacy Control signals as described in the Cookie Policy.
9. International transfers
We are based in Korea. Accountmade and its subprocessors may process information in Korea, the United States, the United Kingdom, the European Economic Area, and other countries where our vendors operate.
For transfers from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on appropriate safeguards such as the EU Standard Contractual Clauses, the UK International Data Transfer Addendum or IDTA, Swiss adaptations, data processing agreements, and transfer risk assessments where required.
For Korean users, cross-border transfers are described in this Privacy Policy and the Subprocessor List. We will provide additional notices or obtain consent where required by PIPA.
10. Retention
We retain information only as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer period is required by law, contract, dispute, security need, tax/accounting rule, or legal hold.
| Data category | Typical retention |
|---|---|
| Account and workspace data | While the account or workspace is active, plus up to 30 days after closure for account recovery and deletion processing |
| Customer Content, including decks, source documents, brand kits, personas, and exports | While stored by the customer, plus the deletion/export window and backup period |
| Deleted decks and deleted Customer Content | Removed from active systems after deletion processing; backup copies are purged on the backup cycle, typically within 35 days |
| CRM tokens and mapped CRM data | While the integration is connected or needed for configured features; deleted or disabled after disconnection, subject to backup cycles and legal retention |
| Personalized deck outputs created from CRM data | Retained as Customer Content until deleted by the customer or the workspace is closed |
| Shared-deck viewer analytics | Typically up to 24 months, then deleted or aggregated/anonymized |
| Usage and diagnostic data | Typically up to 24 months, unless needed longer for security, abuse prevention, or legal reasons |
| Server and security logs | Typically up to 90 days, unless needed longer for security, abuse prevention, or legal reasons |
| Support communications | Typically up to 36 months after the last interaction |
| Billing, transaction, tax, and accounting records | As required by applicable tax and accounting law, typically up to 7 years |
| Legal, abuse, and security records | As long as necessary to resolve, enforce, or document the matter |
Aggregated or anonymized information that no longer identifies a person may be retained indefinitely.
11. Your privacy rights
Depending on where you live, you may have rights to access, correct, delete, export, restrict, object to, or withdraw consent for certain processing of your personal information.
You can exercise rights by contacting legal@accountmade.com. We may need to verify your identity before processing a request.
If your data is processed by Accountmade on behalf of a customer, we may forward or refer your request to that customer because the customer controls the data.
12. EEA, UK, and Switzerland
Residents of the EEA, UK, and Switzerland may have rights to access, rectification, erasure, restriction, portability, objection, and complaint to a supervisory authority.
If GDPR Article 27 or UK GDPR Article 27 requires us to appoint a representative, we will identify that representative on this page or another clearly linked page.
13. California and other US state privacy notices
We do not sell personal information and do not share it for cross-context behavioral advertising. We will not discriminate against you for exercising privacy rights.
California residents may have rights to know, access, delete, correct, opt out of sale/share, limit use of sensitive personal information where applicable, and receive non-discriminatory treatment. Because we do not sell or share personal information for cross-context behavioral advertising, we do not provide a sale/share opt-out link beyond honoring Global Privacy Control and cookie preferences.
Where Accountmade acts as a service provider or contractor under the CCPA/CPRA, the DPA contains service-provider terms.
14. Korean PIPA notices
Accountmade is operated by a Korean company and is subject to the Korean Personal Information Protection Act where applicable.
Personal Information Protection Manager: Jinyong Kim (김진용)
Contact: legal@accountmade.com
Korean residents may contact us to exercise rights under PIPA. Korean residents may also contact the Personal Information Protection Commission or the KISA Personal Information Infringement Report Center.
If a personal data breach involving Korean data subjects requires notification, we will notify the relevant authority and affected data subjects as required by PIPA.
15. Cookies
We use cookies and similar technologies for authentication, security, preferences, analytics, support, and shared-deck telemetry as described in the Cookie Policy.
16. Security
We use reasonable technical and organizational safeguards designed to protect information, including encryption in transit, access controls, logging, monitoring, backups, vulnerability management, and incident response procedures. More information is available in the Security Overview and the DPA.
No system is perfectly secure. You are responsible for safeguarding credentials, workspace access, integration scopes, shared links, source documents, and recipient communications.
17. Children
Accountmade is intended for business use by people 18 and older. We do not knowingly collect personal information from children. If you believe a child has provided personal information to Accountmade, contact legal@accountmade.com.
18. Changes
We may update this Privacy Policy from time to time. We will post the updated version and update the effective date. For material changes, we will provide at least 30 days' notice where practicable, unless the change is required sooner by law, security, or urgent operational need.
19. Contact
The Plain Works Co., Ltd. (주식회사 더플레인웍스)
Privacy, Legal: legal@accountmade.com
Support: hello@accountmade.com