---
title: "Privacy policy and data protection details"
description: "Details Duale AI’s privacy policy, covering GDPR and CCPA compliance, data collection, storage location, retention periods, security measures, and user rights."
lang: en
lastUpdated: 2026-06-07
url: https://duale.ai/en/legal/privacy
---

## AI-generated summary

This privacy policy explains how Duale AI collects, uses, stores, and protects personal data on its website and SaaS platform, outlines the legal bases, data recipient categories, retention periods, security measures, and the rights of users under GDPR and CCPA.

- The policy specifies that Duale AI SAS in Paris is the data controller, with a DPO reachable at <contact+dpo@mail.duale.ai>.
- Collected data includes user‑provided information (name, email, company, payment, support messages) and automatically gathered details such as IP address, device data, and logs.
- Data is processed for contract‑related purposes, security and improvement, marketing (with consent), and legal obligations, each with a defined legal basis.
- Personal data is stored on Hetzner servers in Germany, protected by AES‑256 at rest and TLS 1.3 in transit, with breach notification to clients within 24 hours.
- EEA residents may exercise GDPR rights (access, rectification, erasure, restriction, portability) and California residents may use CCPA rights (knowledge, deletion, opt‑out).

---

## Introduction

This policy describes how Duale AI collects, uses, and protects personal data.

Applies to: website, SaaS platform, communications.

Duale AI applies GDPR, CCPA, and applicable data protection requirements. See also: [Terms of Use for platform services](https://duale.ai/en/legal/cgu.md), [Terms and conditions for SaaS service](https://duale.ai/en/legal/cgv.md).

## Data Controller

**DUALE AI SAS** — Share capital €10,000 — Paris Trade Registry 994 521 128 — 60 rue François 1er, 75008 Paris, France

**DPO:** <contact+dpo@mail.duale.ai>

## Data Collected

**Data you provide:** name, email, company information, payment details, support messages.

**Automatic collection:** IP address, device information, pages visited, logs.

**AI Services:** prompts, documents, generated outputs, configurations.

**Internal models:** Duale AI uses open-source models hosted on European infrastructure for document indexing and search result ranking. These processes remain on Duale AI infrastructure.

If you submit third-party personal data to AI Agents, you are the data controller (Duale AI acts as data processor).

## Purposes of Processing

| Purpose                           | Legal Basis         |
| --------------------------------- | ------------------- |
| Account, billing, AI services     | Contract            |
| Security, improvement, statistics | Legitimate interest |
| Marketing                         | Your consent        |
| Legal obligations                 | Legal requirement   |

## Data Recipients

**Internal:** only authorized employees, following the least-privilege principle.

**Subprocessors:** [List of subprocessors handling personal data](https://duale.ai/en/legal/subprocessors.md). Any addition or replacement is notified 30 days before if the subprocessor is in the European Economic Area, or 90 days before if outside the European Economic Area. Objections: <contact+legal@mail.duale.ai>

**Others:** competent authorities upon legal request, professional advisors (lawyers, auditors), acquirer in case of sale (prior notification).

## Data Location

Application data is hosted by Hetzner in Germany. The website and network protection are provided through Cloudflare.

**Transfers outside the European Economic Area:** Data Privacy Framework where it applies, or 2021 standard contractual clauses with supplementary measures where required.

Details: [List of subprocessors handling personal data](https://duale.ai/en/legal/subprocessors.md)

## Retention Periods

| Data            | Duration                     |
| --------------- | ---------------------------- |
| Active account  | Duration of contract         |
| Closed account  | + 5 years                    |
| Logs            | 12 months                    |
| Invoices        | 10 years (legal requirement) |
| AI content      | Contract + 30 days           |
| Cookie consent  | 6 months                     |

After: deletion or anonymization.

## Security

Encryption (AES-256 at rest, TLS 1.3 in transit), MFA recommended for all accounts (required for administrators), per-client data isolation, annual penetration testing.

**In case of breach:** client notification within 24h, supervisory authority notification within 72h if personal data is affected (GDPR Art. 33).

Contact: <contact+security@mail.duale.ai>

## Your Rights

### GDPR Rights (EEA residents)

Under GDPR (Art. 15-21), you may:

- **Access** your data (Art. 15)
- **Rectify** inaccurate information (Art. 16)
- **Erase** your data (Art. 17)
- **Restrict** processing (Art. 18)
- **Port** your data in a structured format (Art. 20)
- **Object** to processing (Art. 21)
- **Withdraw consent** at any time without affecting prior processing (Art. 7.3)

**Contact:** <contact+privacy@mail.duale.ai> — response within one month (extendable by two months for complex requests).

**Recourse:** complaint to your local Data Protection Authority (for France: CNIL, <https://www.cnil.fr>)

### CCPA Rights (California residents)

Under the California Consumer Privacy Act and CPRA, you have the right to:

- **Know** what personal information we collect, use, and disclose
- **Delete** your personal information
- **Opt-out** of the sale or sharing of personal information (Note: Duale AI does not sell personal data)
- **Non-discrimination** for exercising your privacy rights
- **Correct** inaccurate personal information
- **Limit** use of sensitive personal information

**Categories collected:** identifiers, commercial information, internet activity, professional information, inferences.

**No sale of data:** Duale AI does not sell personal information as defined under CCPA.

**Contact:** <contact+privacy@mail.duale.ai> — response within 45 days (extendable by 45 days if necessary).

## Cookies

**Essential** (no consent required): functionality, authentication.

**Optional** (your choice): analytics, marketing. Consent valid for 6 months.

Cookie banner on first visit. Modify or withdraw consent in the page footer.

**Third parties:** Crisp (support), Cloudflare (website and network protection). Authentication is operated internally.

## Children's Privacy

B2B platform. We do not knowingly collect data from children under 16. Report concerns: <contact+privacy@mail.duale.ai>

## Automated Decisions and Artificial Intelligence

Duale AI does not use your data for automated decisions producing legal effects concerning you (GDPR Art. 22).

**AI Transparency (EU AI Act 2024/1689):** Platform AI Agents are artificial intelligence systems. You are informed of their nature during each interaction. See [Terms of Use for platform services](https://duale.ai/en/legal/cgu.md) for limitations and prohibited uses.

AI Agents configured by Clients may process third-party data. In this case:

- The Client is data controller (Duale AI = processor)
- The Client is responsible for GDPR Art. 22 compliance if Agents make automated decisions affecting third parties

## Processing on Behalf of Clients

When the Client uses the Platform to process third-party personal data, the Client is data controller and Duale AI acts as data processor (GDPR Art. 28).

**Duale AI commitments:** processing on instruction only, confidentiality, security, incident notification within 24h, GDPR assistance, deletion at contract end. See [Terms and conditions for SaaS service](https://duale.ai/en/legal/cgv.md) for the complete data processing agreement.

**Contact:** <contact+legal@mail.duale.ai>

## Do Not Track and Global Privacy Control

**Global Privacy Control (GPC):** Duale AI honors GPC signals as valid opt-out requests under CCPA/CPRA. When GPC is enabled, we treat it as a request to opt out of the sale or sharing of personal information.

**Do Not Track (DNT):** Duale AI also honors DNT browser signals by disabling optional tracking when DNT is enabled.

## Changes

Substantial changes notified by email 30 days before taking effect.

## Contact

- **Privacy:** <contact+privacy@mail.duale.ai>
- **DPO:** <contact+dpo@mail.duale.ai>
- **California requests:** <contact+privacy@mail.duale.ai> (specify "California Privacy Request")

