---
title: "Privacy policy governing data collection and use"
description: "Details Duale AI's privacy policy, covering data collection, processing purposes, legal bases, retention, security, GDPR and CCPA rights, subprocessor handling, contact channels."
lang: en
lastUpdated: 2026-05-29
url: https://dev.duale.ai/en/legal/privacy
---

## AI-generated summary

Describes Duale AI’s privacy practices for its website and SaaS platform, including data collected, legal bases, storage locations, retention periods, security safeguards, third‑party sharing, and the GDPR and CCPA rights and procedures for users to access, correct, delete, or object to their personal data.

- Collects user‑provided data (name, email, company, payment), automatically collected IP, device info and logs, and AI‑service content such as prompts, documents and outputs.
- Processes data under contract for account and billing, legitimate interest for security improvements, user consent for marketing, and legal obligations as required.
- Hosts data on Hetzner servers in Germany, protects the website with Cloudflare, and transfers data outside the EEA using the EU‑US Data Privacy Framework or contractual clauses.
- Retention periods: active accounts for contract term, closed accounts five years, logs twelve months, invoices ten years, AI content thirty days, cookie consent six months.
- Provides GDPR and CCPA rights, with <contact+privacy@mail.duale.ai> for requests; GDPR responses within one month, CCPA within 45 days.

Summaries were generated by AI. Generative AI is experimental.

---

## Introduction

This policy describes how Duale AI collects, uses, and protects personal data.

Applies to: website, SaaS platform, communications.

Duale AI applies GDPR, CCPA, and applicable data protection requirements. See also: [Terms of Use for AI Agent Platform Services](https://dev.duale.ai/en/legal/cgu.md), [Legal terms and conditions for SaaS platform and credits](https://dev.duale.ai/en/legal/cgv.md).

## Data Controller

**DUALE AI SAS** — Share capital €10,000 — Paris Trade Registry 994 521 128 — 60 rue François 1er, 75008 Paris, France

**DPO:** [<contact+dpo@mail.duale>.ai](mailto:<contact+dpo@mail.duale.ai>)

## Data Collected

**Data you provide:** name, email, company information, payment details, support messages.

**Automatic collection:** IP address, device information, pages visited, logs.

**AI Services:** prompts, documents, generated outputs, configurations.

**Internal models:** Duale AI uses open-source models hosted on European infrastructure for document indexing and search result ranking. These processes remain on Duale AI infrastructure.

If you submit third-party personal data to AI Agents, you are the data controller (Duale AI acts as data processor).

## Purposes of Processing

| Purpose                           | Legal Basis         |
| --------------------------------- | ------------------- |
| Account, billing, AI services     | Contract            |
| Security, improvement, statistics | Legitimate interest |
| Marketing                         | Your consent        |
| Legal obligations                 | Legal requirement   |

## Data Recipients

**Internal:** only authorized employees, following least-privilege principle.

**Subprocessors:** [Review subprocessors and transfer safeguards](https://dev.duale.ai/en/legal/subprocessors.md). Any addition or replacement is notified 30 days before if the subprocessor is in the European Economic Area, or 90 days before if outside the European Economic Area. Objections: [<contact+legal@mail.duale>.ai](mailto:<contact+legal@mail.duale.ai>)

**Others:** competent authorities upon legal request, professional advisors (lawyers, auditors), acquirer in case of sale (prior notification).

## Data Location

Application data is hosted by Hetzner in Germany. The website and network protection are provided through Cloudflare.

**Transfers outside the European Economic Area:** Data Privacy Framework where it applies, or 2021 standard contractual clauses with supplementary measures where required.

Details: [Review subprocessors and transfer safeguards](https://dev.duale.ai/en/legal/subprocessors.md)

## Retention Periods

| Data            | Duration                     |
| --------------- | ---------------------------- |
| Active account  | Duration of contract         |
| Closed account  | + 5 years                    |
| Logs            | 12 months                    |
| Invoices        | 10 years (legal requirement) |
| AI content      | Contract + 30 days           |
| Cookies consent | 6 months                     |

After: deletion or anonymization.

## Security

Encryption (AES-256 at rest, TLS 1.3 in transit), MFA recommended for all accounts (required for administrators), per-client data isolation, annual penetration testing.

**In case of breach:** client notification within 24h, supervisory authority notification within 72h if personal data affected (GDPR Art. 33).

Contact: [<contact+security@mail.duale>.ai](mailto:<contact+security@mail.duale.ai>)

## Your Rights

### GDPR Rights (EEA residents)

Under GDPR (Art. 15-21), you may:

- **Access** your data (Art. 15)
- **Rectify** inaccurate information (Art. 16)
- **Erase** your data (Art. 17)
- **Restrict** processing (Art. 18)
- **Port** your data in structured format (Art. 20)
- **Object** to processing (Art. 21)
- **Withdraw consent** at any time without affecting prior processing (Art. 7.3)

**Contact:** [<contact+privacy@mail.duale>.ai](mailto:<contact+privacy@mail.duale.ai>) — response within one month (extendable by two months for complex requests).

**Recourse:** complaint to your local Data Protection Authority (for France: CNIL, [<https://www.cnil.fr](https://www.cnil.fr>))

### CCPA Rights (California residents)

Under the California Consumer Privacy Act and CPRA, you have the right to:

- **Know** what personal information we collect, use, and disclose
- **Delete** your personal information
- **Opt-out** of the sale or sharing of personal information (Note: Duale AI does not sell personal data)
- **Non-discrimination** for exercising your privacy rights
- **Correct** inaccurate personal information
- **Limit** use of sensitive personal information

**Categories collected:** identifiers, commercial information, internet activity, professional information, inferences.

**No sale of data:** Duale AI does not sell personal information as defined under CCPA.

**Contact:** [<contact+privacy@mail.duale>.ai](mailto:<contact+privacy@mail.duale.ai>) — response within 45 days (extendable by 45 days if necessary).

## Cookies

**Essential** (no consent required): functionality, authentication.

**Optional** (your choice): analytics, marketing. Consent valid for 6 months.

Cookie banner on first visit. Modify or withdraw consent in page footer.

**Third parties:** Crisp (support), Cloudflare (website and network protection). Authentication is operated internally.

## Children's Privacy

B2B platform. We do not knowingly collect data from children under 16. Report concerns: [<contact+privacy@mail.duale>.ai](mailto:<contact+privacy@mail.duale.ai>)

## Automated Decisions and Artificial Intelligence

Duale AI does not use your data for automated decisions producing legal effects concerning you (GDPR Art. 22).

**AI Transparency (EU AI Act 2024/1689):** Platform AI Agents are artificial intelligence systems. You are informed of their nature during each interaction. See [Terms of Use for AI Agent Platform Services](https://dev.duale.ai/en/legal/cgu.md) for limitations and prohibited uses.

AI Agents configured by Clients may process third-party data. In this case:

- The Client is data controller (Duale AI = processor)
- The Client is responsible for GDPR Art. 22 compliance if Agents make automated decisions affecting third parties

## Processing on Behalf of Clients

When the Client uses the Platform to process third-party personal data, the Client is data controller and Duale AI acts as data processor (GDPR Art. 28).

**Duale AI commitments:** processing on instruction only, confidentiality, security, incident notification within 24h, GDPR assistance, deletion at contract end. See [Legal terms and conditions for SaaS platform and credits](https://dev.duale.ai/en/legal/cgv.md) for the complete data processing agreement.

**Contact:** [<contact+legal@mail.duale>.ai](mailto:<contact+legal@mail.duale.ai>)

## Do Not Track and Global Privacy Control

**Global Privacy Control (GPC):** Duale AI honors GPC signals as valid opt-out requests under CCPA/CPRA. When GPC is enabled, we treat it as a request to opt out of the sale or sharing of personal information.

**Do Not Track (DNT):** Duale AI also honors DNT browser signals by disabling optional tracking when DNT is enabled.

## Changes

Substantial changes notified by email 30 days before taking effect.

## Contact

- **Privacy:** [<contact+privacy@mail.duale>.ai](mailto:<contact+privacy@mail.duale.ai>)
- **DPO:** [<contact+dpo@mail.duale>.ai](mailto:<contact+dpo@mail.duale.ai>)
- **California requests:** [<contact+privacy@mail.duale>.ai](mailto:<contact+privacy@mail.duale.ai>) (specify "California Privacy Request")

## Related content

- [Terms of Use for AI Agent Platform Services](https://dev.duale.ai/en/legal/cgu.md)
- [Legal terms and conditions for SaaS platform and credits](https://dev.duale.ai/en/legal/cgv.md)
- [Govern AI agents with shared operating model for compliance](https://dev.duale.ai/en/solutions/governance.md)
- [Review security posture for production AI agents](https://dev.duale.ai/en/product/security.md)
- [Review subprocessors and transfer safeguards](https://dev.duale.ai/en/legal/subprocessors.md)
- [Deploy durable AI agents with stable contracts and routing](https://dev.duale.ai/en/home.md)

---

## Sitemap

See the full [Markdown sitemap](https://dev.duale.ai/sitemap.md) for all pages.
