Privacy Policy

Last updated: February 13, 2026

1. What we collect

When you create an account, we collect your email address and a hashed password. When you use the API, we log request timestamps and endpoint paths for rate limiting. We don't collect names, addresses, or payment details directly (payments are processed by Stripe).

2. How we use your data

Your email is used for account authentication, password resets, and service-related notifications (tariff change alerts if you've opted in). API logs are used to enforce rate limits and debug issues. That's it.

3. What we don't do

We don't sell your data. We don't share it with advertisers. We don't use third-party tracking scripts. We don't run retargeting pixels. We don't profile your browsing behavior beyond basic analytics (page views, referrers).

4. Cookies

We use a session cookie to keep you logged in. No advertising cookies, no cross-site tracking cookies. If you use the site without an account, no cookies are set at all.

5. Third parties

We use Supabase for authentication and database hosting, Stripe for payment processing, and Vercel for application hosting. Each has its own privacy policy. We don't share your data with anyone beyond what's needed to run the service.

6. Data retention

Your account data exists as long as your account is active. If you delete your account, we remove your email, API keys, and associated data within 30 days. API logs are retained for 90 days, then purged.

7. Your rights

You can export or delete your account data at any time from the account settings page. If you need help, contact us at hello@dutydesk.app.

8. Changes

We may update this policy. We'll note the date at the top. If changes are significant, we'll notify account holders by email.