Privacy policy and data protection details

Details Duale AI’s privacy policy, covering GDPR and CCPA compliance, data collection, storage location, retention periods, security measures, and user rights.

Introduction

This policy describes how Duale AI collects, uses, and protects personal data.

Applies to: website, SaaS platform, communications.

Duale AI applies GDPR, CCPA, and applicable data protection requirements. See also: Terms of Use for platform services, Terms and conditions for SaaS service.

Data Controller

DUALE AI SAS — Share capital €10,000 — Paris Trade Registry 994 521 128 — 60 rue François 1er, 75008 Paris, France

DPO: contact+dpo@mail.duale.ai

Data Collected

Data you provide: name, email, company information, payment details, support messages.

Automatic collection: IP address, device information, pages visited, logs.

AI Services: prompts, documents, generated outputs, configurations.

Internal models: Duale AI uses open-source models hosted on European infrastructure for document indexing and search result ranking. These processes remain on Duale AI infrastructure.

If you submit third-party personal data to AI Agents, you are the data controller (Duale AI acts as data processor).

Purposes of Processing

| Purpose | Legal Basis |
| --- | --- |
| Account, billing, AI services | Contract |
| Security, improvement, statistics | Legitimate interest |
| Marketing | Your consent |
| Legal obligations | Legal requirement |

Data Recipients

Internal: only authorized employees, following least-privilege principle.

Subprocessors: List of subprocessors handling personal data. Any addition or replacement is notified 30 days before if the subprocessor is in the European Economic Area, or 90 days before if outside the European Economic Area. Objections: contact+legal@mail.duale.ai

Others: competent authorities upon legal request, professional advisors (lawyers, auditors), acquirer in case of sale (prior notification).

Data Location

Application data is hosted by Hetzner in Germany. The website and network protection are provided through Cloudflare.

Transfers outside the European Economic Area: Data Privacy Framework where it applies, or 2021 standard contractual clauses with supplementary measures where required.

Details: List of subprocessors handling personal data

Retention Periods

| Data | Duration |
| --- | --- |
| Active account | Duration of contract |
| Closed account | + 5 years |
| Logs | 12 months |
| Invoices | 10 years (legal requirement) |
| AI content | Contract + 30 days |
| Cookies consent | 6 months |

After: deletion or anonymization.

Security

Encryption (AES-256 at rest, TLS 1.3 in transit), MFA recommended for all accounts (required for administrators), per-client data isolation, annual penetration testing.

In case of breach: client notification within 24h, supervisory authority notification within 72h if personal data affected (GDPR Art. 33).

Contact: contact+security@mail.duale.ai

Your Rights

GDPR Rights (EEA residents)

Under GDPR (Art. 15-21), you may:

  • Access your data (Art. 15)
  • Rectify inaccurate information (Art. 16)
  • Erase your data (Art. 17)
  • Restrict processing (Art. 18)
  • Port your data in structured format (Art. 20)
  • Object to processing (Art. 21)
  • Withdraw consent at any time without affecting prior processing (Art. 7.3)

Contact: contact+privacy@mail.duale.ai — response within one month (extendable by two months for complex requests).

Recourse: complaint to your local Data Protection Authority (for France: CNIL, https://www.cnil.fr)

CCPA Rights (California residents)

Under the California Consumer Privacy Act and CPRA, you have the right to:

  • Know what personal information we collect, use, and disclose
  • Delete your personal information
  • Opt-out of the sale or sharing of personal information (Note: Duale AI does not sell personal data)
  • Non-discrimination for exercising your privacy rights
  • Correct inaccurate personal information
  • Limit use of sensitive personal information

Categories collected: identifiers, commercial information, internet activity, professional information, inferences.

No sale of data: Duale AI does not sell personal information as defined under CCPA.

Contact: contact+privacy@mail.duale.ai — response within 45 days (extendable by 45 days if necessary).

Cookies

Essential (no consent required): functionality, authentication.

Optional (your choice): analytics, marketing. Consent valid for 6 months.

Cookie banner on first visit. Modify or withdraw consent in page footer.

Third parties: Crisp (support), Cloudflare (website and network protection). Authentication is operated internally.

Children’s Privacy

B2B platform. We do not knowingly collect data from children under 16. Report concerns: contact+privacy@mail.duale.ai

Automated Decisions and Artificial Intelligence

Duale AI does not use your data for automated decisions producing legal effects concerning you (GDPR Art. 22).

AI Transparency (EU AI Act 2024/1689): Platform AI Agents are artificial intelligence systems. You are informed of their nature during each interaction. See Terms of Use for platform services for limitations and prohibited uses.

AI Agents configured by Clients may process third-party data. In this case:

  • The Client is data controller (Duale AI = processor)
  • The Client is responsible for GDPR Art. 22 compliance if Agents make automated decisions affecting third parties

Processing on Behalf of Clients

When the Client uses the Platform to process third-party personal data, the Client is data controller and Duale AI acts as data processor (GDPR Art. 28).

Duale AI commitments: processing on instruction only, confidentiality, security, incident notification within 24h, GDPR assistance, deletion at contract end. See Terms and conditions for SaaS service for the complete data processing agreement.

Contact: contact+legal@mail.duale.ai

Do Not Track and Global Privacy Control

Global Privacy Control (GPC): Duale AI honors GPC signals as valid opt-out requests under CCPA/CPRA. When GPC is enabled, we treat it as a request to opt out of the sale or sharing of personal information.

Do Not Track (DNT): Duale AI also honors DNT browser signals by disabling optional tracking when DNT is enabled.

Changes

Substantial changes notified by email 30 days before taking effect.

Contact