This Privacy Policy explains how Duo App Ltd ("we", "us") collects, uses, shares and protects personal data. We are the data controller for personal data collected through our website and the data processor for personal data you upload to the platform as a customer.
1. What we collect
Account information
Name, work email address, company name, phone number, billing address, payment details (handled by Stripe - we don't store full card numbers).
Usage data
Pages visited, features used, IP address, browser and device information, timestamps.
Customer data
Whatever you upload to the platform - projects, files, contacts, invoices. We process this on your behalf as a data processor.
2. How we use it
- To provide and improve the Service
- To process billing and handle support requests
- To send essential service communications
- With your consent, to send product updates and marketing
- To detect and prevent fraud or abuse
- To comply with legal obligations
3. Legal basis
We process personal data under the following bases (UK GDPR Art. 6): performance of a contract (account and billing), legitimate interests (service improvement, security), legal obligation (tax records), and consent (marketing).
4. Sharing
We share data with:
- Service providers - hosting (AWS London region), payment processing (Stripe), email delivery (Postmark), analytics (Plausible)
- Legal authorities - when required by law
- Acquirers - in the event of a sale of the business, subject to equivalent protections
We do not sell personal data.
5. International transfers
Customer Data is hosted in the UK. Some sub-processors are based outside the UK; in those cases we rely on UK International Data Transfer Agreements or adequacy decisions.
6. Retention
Account data is retained for the lifetime of your account plus 30 days. Customer Data is deleted within 30 days of account termination unless you request earlier deletion. Billing records are retained for 7 years for UK tax compliance.
7. Your rights
Under UK GDPR you have the right to access, correct, delete, or restrict processing of your personal data, plus the right to data portability and to object to processing. Contact privacy@duoapp.co.uk to exercise these rights. You can also complain to the ICO at ico.org.uk.
8. Security
We use TLS 1.3 in transit, AES-256 at rest, role-based access, audit logging, and regular third-party penetration testing. We are ISO 27001 certified.
9. Cookies
See our cookies policy.
10. Contact
Data Protection Lead, Duo App Ltd, 17 Old Dover Road, Canterbury, Kent, CT1 3JB. Email privacy@duoapp.co.uk.