Privacy Policy - Duetiful

Account Information:

• Full name
• Email address
• Password (encrypted — we never see your actual password)
• Phone number (optional)
• Organization/company name
• Job title
• Time zone and language preferences

Reminder & Deadline Information:

• Reminder titles and descriptions
• Due dates and deadlines
• Matter/client references (if you provide them)
• Assignee and Backstop Adviser assignments
• Notes and comments (visible to assigned team members)
• Custom reminder intervals and preferences
• Tags and categories

Support Communications:

• Messages you send to support@duetiful.com
• Feedback, feature requests, and bug reports
• Chat transcripts (if we add live chat)

Usage Data:

• Pages and features you access
• Reminders created, completed, or missed
• Time spent on platform
• Actions you take (creating, editing, deleting reminders)
• Search queries within the Service
• Login/logout times and frequency

Technical Data:

• IP address and approximate geolocation (city/region level)
• Browser type, version, and language
• Device type (desktop, mobile, tablet)
• Operating system and version
• Screen resolution
• Referral source (how you found Duetiful)
• User agent string

Performance Data:

• Page load times
• Error messages and crashes
• Feature usage patterns (aggregated)

Calendar Integration (When You Connect):

• Calendar access tokens
• Event metadata (to sync reminders)
• Calendar names and IDs

We do NOT access your entire calendar — only the events we sync with your permission.

Payment Information (via Lemon Squeezy):

• We do NOT collect or store payment information
• Lemon Squeezy (our Merchant of Record) handles all payment processing
• You'll see "LEMSQZY*Duetiful" on your credit card statement
• See Section 5.2 for details

Email Staging (Inbound Email Processing):

• Sender email address and IP address
• Email subject line and body content (encrypted at rest)
• Message metadata (timestamps, headers)
• Attachment count (attachments are NOT stored)

Email content is encrypted immediately upon receipt and automatically purged 24 hours after conversion to a reminder. Unconverted emails are deleted after 30 days.

What We Collect:

• Sender email address (to match to your account)
• Sender IP address (for security monitoring)
• Email subject (encrypted, used for reminder title)
• Email body (encrypted, parsed for dates and details)
• Attachment count only (attachments are never stored)

How We Process Emails:

• Emails are received via secure webhook (HMAC-verified)
• Content is immediately encrypted using XSalsa20-Poly1305
• Malicious content scanning occurs before storage
• Emails containing threats may be quarantined for review
• Rate limiting prevents abuse (max 10 emails/hour per user)

Retention & Deletion:

• Unconverted emails: Automatically deleted after 30 days
• Converted emails: Content purged 24 hours after conversion (metadata retained)
• Quarantined emails: Deleted after 7 days if not reviewed
• Security logs: Retained for 90 days for audit purposes

Security Measures:

• HMAC signature verification on all incoming webhooks
• IP whitelist/blocklist for sender verification
• Unknown sender tracking (max 3 attempts before blocking)
• Malicious content detection (XSS, SQL injection, command injection)
• Duplicate detection via message ID hashing

Your Rights:

• View all staged emails in your account
• Delete staged emails before conversion
• Opt-out of Email Staging entirely (don't use the feature)
• Request deletion of all staging data via privacy@duetiful.com

Provide the Service:

• Create and maintain your account
• Store and manage your reminders and deadlines
• Send reminder notifications via email and calendar
• Display deadline information to you and authorized team members
• Enable Backstop Adviser functionality
• Sync with your calendar (Outlook/Google)
• Process your subscription payments (via Lemon Squeezy)
• Provide customer support
• Monitor approaching deadlines through automated daily processing
• Send Backstop Adviser notifications at T-7 days and escalations at T-1 day before deadlines
• Display system health status transparently so you always know monitoring is operational

Communicate with You:

• Send deadline reminder notifications
• Respond to support requests and inquiries
• Send important Service updates and security alerts
• Notify you of changes to Terms of Service or Privacy Policy
• Send account-related emails (password resets, confirmations)

Ensure Security:

• Verify your identity when you log in
• Prevent fraud, abuse, and unauthorized access
• Detect and investigate suspicious activity
• Monitor for security threats
• Enforce our Terms of Service
• Comply with legal obligations

Improve the Service:

• Analyze usage patterns (aggregated and anonymized)
• Identify bugs, errors, and performance issues
• Test and develop new features
• Optimize user experience and interface
• Conduct internal research and analytics

Marketing Communications (Optional — You Can Opt Out):

• Send product updates and feature announcements
• Share tips and best practices for using Duetiful
• Conduct user satisfaction surveys
• Send occasional newsletters (no more than monthly)

Analytics:

• Understand how users interact with the Service
• Measure effectiveness of features
• Track conversion and retention metrics
• Google Analytics for usage analytics

Legal Compliance:

• Comply with Australian and international laws
• Respond to legal requests (subpoenas, court orders, warrants)
• Protect our rights under the Terms of Service
• Investigate suspected violations or illegal activity
• Cooperate with law enforcement when legally required

Team Members & Backstop Advisers:

• When you assign a Backstop Adviser to a reminder, that person can see the full reminder details, including:
  • Reminder title and description
  • Due date and deadlines
  • Matter/client information (if included)
  • All notes and comments
  • Assignment history
• Backstop Advisers receive email notifications about assigned reminders
• This is necessary for the backstop feature to work

Support Requests:

• When you activate "Request Support" on a matter, your assigned Backstop Adviser is notified via email
• The matter transitions to an assistance-requested status visible to you and your Backstop Adviser
• This action is logged in our audit trail for quality assurance
• No other team members or administrators are notified beyond the assigned Backstop Adviser

Organization Administrators & Team Leaders:

• Can view all reminders and data within the organization account, including:
  • All users' reminders and deadlines
  • Individual user activity and completion rates
  • Team performance metrics
  • Private notes added to reminders
  • Full audit logs of all actions
• This is necessary for team management and oversight

Legally Required:

• Court order, subpoena, or warrant
• Australian or foreign law requires disclosure
• Regulatory authority requests information

To Protect Rights:

• Investigating suspected fraud or Terms violations
• Protecting our legal rights or property
• Defending against legal claims

Public Safety:

• Preventing imminent harm to individuals
• Cooperating with law enforcement in urgent situations

Contractual Safeguards:

• Our Korean company commits to handling your information according to Australian Privacy Principles
• Internal data protection policies aligned with APP requirements
• Technical and organizational measures to protect your information

Data Storage Protections:

• Data remains in Australia (Supabase Sydney)
• Industry-standard encryption in transit (HTTPS/TLS) and at rest
• Access controls limiting who can access your information
• Audit logging of all data access

Your Rights:

• You retain all rights under the Australian Privacy Act
• You can complain to the Office of the Australian Information Commissioner (OAIC)
• We remain accountable for how your information is handled

Within Duetiful:

1. Go to Account Settings → Privacy
2. Click Cookie Preferences
3. Toggle categories on/off (except Necessary cookies)
4. Save your preferences

You'll see a cookie consent banner on your first visit where you can customize settings immediately.

In Your Browser:

You can also control cookies through your browser settings:

• Chrome: Settings → Privacy and Security → Cookies and other site data
• Firefox: Settings → Privacy & Security → Cookies and Site Data
• Safari: Preferences → Privacy → Manage Website Data
• Edge: Settings → Cookies and site permissions → Manage and delete cookies

Warning: Disabling all cookies will prevent you from logging into Duetiful.

Encryption:

• In transit: All data transmitted over HTTPS/TLS 1.2+ encryption
• At rest: Industry-standard encryption via Supabase
• Passwords: Hashed using bcrypt with salt (we can never see your actual password)

Access Controls:

• Role-based access control (RBAC) — you only see what you're authorized to see
• Multi-factor authentication (MFA) available and recommended
• Strong password requirements (minimum 8 characters, complexity rules)
• Automatic session timeout after 30 minutes of inactivity
• API authentication tokens with limited scope

Monitoring & Logging:

• Audit logs of all data access and modifications
• Automated monitoring for suspicious activity
• Security alerts for unusual login patterns
• Error tracking and crash reporting (anonymized)

Infrastructure Security:

• Supabase Pro plan with daily backups (7-day retention)
• Database backups encrypted and stored securely
• Regular security updates and patches
• Network security (firewalls, DDoS protection)

Organizational Measures:

• Limited employee access to production data (need-to-know basis)
• Security awareness training (as team grows)
• Incident response procedures
• Regular security reviews