GDPR
Roles
The operator of DuelyNoted is the data controller for account and app data. The services on the subprocessors page act as processors under their data processing agreements.
Data location and transfers
App data is stored in the EU (AWS eu-west-1, Ireland) via Supabase. The core service makes no transfers of your app content outside the EEA. The public website is served by Vercel's global CDN and stores no personal data. If payment features launch, Apple and Google process payments under their own controller responsibilities.
Lawful bases
| Processing | Basis |
|---|---|
| Storing and syncing the items, reminders and preferences you create | Contract — Art. 6(1)(b) |
| Security, abuse prevention, deletion audit trail | Legitimate interests — Art. 6(1)(f) |
| Optional analytics or crash reporting (future, off by default in current version) | Consent / disclosed legitimate interests — announced before activation |
Your rights
| Right | How to exercise it |
|---|---|
| Access & portability (Art. 15, 20) | In-app: Settings → Privacy & data → Export my data (JSON) |
| Erasure (Art. 17) | In-app: Settings → Account → Delete account, or see deletion page |
| Rectification (Art. 16) | Edit anything in-app, or email us |
| Restriction & objection (Art. 18, 21) | Email privacy@duelynoted.app |
| Complaint (Art. 77) | Your local supervisory authority, at any time |
We answer every request within 30 days. We do not use automated decision-making or profiling, and we never sell personal data.
Data minimisation in practice
GDPR compliance here is structural, not just written: no bank linking exists in the product, the app requests only notification permission, analytics are absent from the current version, the deletion audit record contains no personal data, and everything you store is exportable and erasable from inside the app.
Contact
Privacy contact: privacy@duelynoted.app. A formal Data Protection Officer is not required at our current scale; the privacy contact fulfils that role operationally.