DuelyNoted

GDPR

How DuelyNoted meets the EU/UK General Data Protection Regulation.

Roles

The operator of DuelyNoted is the data controller for account and app data. The services on the subprocessors page act as processors under their data processing agreements.

Data location and transfers

App data is stored in the EU (AWS eu-west-1, Ireland) via Supabase. The core service makes no transfers of your app content outside the EEA. The public website is served by Vercel's global CDN and stores no personal data. If payment features launch, Apple and Google process payments under their own controller responsibilities.

Lawful bases

ProcessingBasis
Storing and syncing the items, reminders and preferences you createContract — Art. 6(1)(b)
Security, abuse prevention, deletion audit trailLegitimate interests — Art. 6(1)(f)
Optional analytics or crash reporting (future, off by default in current version)Consent / disclosed legitimate interests — announced before activation

Your rights

RightHow to exercise it
Access & portability (Art. 15, 20)In-app: Settings → Privacy & data → Export my data (JSON)
Erasure (Art. 17)In-app: Settings → Account → Delete account, or see deletion page
Rectification (Art. 16)Edit anything in-app, or email us
Restriction & objection (Art. 18, 21)Email privacy@duelynoted.app
Complaint (Art. 77)Your local supervisory authority, at any time

We answer every request within 30 days. We do not use automated decision-making or profiling, and we never sell personal data.

Data minimisation in practice

GDPR compliance here is structural, not just written: no bank linking exists in the product, the app requests only notification permission, analytics are absent from the current version, the deletion audit record contains no personal data, and everything you store is exportable and erasable from inside the app.

Contact

Privacy contact: privacy@duelynoted.app. A formal Data Protection Officer is not required at our current scale; the privacy contact fulfils that role operationally.