Introduction
This policy describes how Duale AI collects, uses, and protects personal data.
Applies to: website, SaaS platform, communications.
Compliant with GDPR, CCPA, and applicable data protection laws. See also: Terms of Use, Terms and Conditions.
Data Controller
DUALE AI SAS — Share capital €10,000 — Paris Trade Registry 994 521 128 — 60 rue François 1er, 75008 Paris, France
DPO: contact+dpo@mail.duale.ai
Data Collected
Data you provide: name, email, company information, payment details, support messages.
Automatic collection: IP address, device information, pages visited, logs.
AI Services: prompts, documents, generated outputs, configurations.
Internal models: Duale AI uses open-source models hosted on European infrastructure for document indexing and search result ranking. These processes remain on Duale AI infrastructure.
If you submit third-party personal data to AI Agents, you are the data controller (Duale AI acts as data processor).
Purposes of Processing
Data Recipients
Internal: only authorized employees, following the least-privilege principle.
Subprocessors: List of Subprocessors (all bound by DPA). New subprocessor = notification 30 days before (EU) or 90 days before (non-EU). Right to object: contact+legal@mail.duale.ai
Others: competent authorities upon legal request, professional advisors (lawyers, auditors), acquirer in case of sale (prior notification).
Data Location
Data hosted in the European Union (Hetzner, Germany).
International transfers: governed by EU Standard Contractual Clauses (SCCs, 2021). For US transfers, the EU-US Data Privacy Framework (DPF) also applies. If DPF is invalidated, SCCs remain applicable with supplementary measures.
Details: List of Subprocessors
Retention Periods
After: deletion or anonymization.
Security
Encryption (AES-256 at rest, TLS 1.3 in transit), MFA recommended for all accounts (required for administrators), per-client data isolation, annual penetration testing.
In case of breach: client notification within 24h, supervisory authority notification within 72h if personal data affected (GDPR Art. 33).
Contact: contact+security@mail.duale.ai
Your Rights
GDPR Rights (EEA residents)
Under GDPR (Art. 15-21), you may:
- Access your data (Art. 15)
- Rectify inaccurate information (Art. 16)
- Erase your data (Art. 17)
- Restrict processing (Art. 18)
- Port your data in structured format (Art. 20)
- Object to processing (Art. 21)
- Withdraw consent at any time without affecting prior processing (Art. 7.3)
Contact: contact+privacy@mail.duale.ai — response within one month (extendable by two months for complex requests).
Recourse: complaint to your local Data Protection Authority (for France: CNIL, https://www.cnil.fr)
CCPA Rights (California residents)
Under the California Consumer Privacy Act and CPRA, you have the right to:
- Know what personal information we collect, use, and disclose
- Delete your personal information
- Opt out of the sale or sharing of personal information (Note: Duale AI does not sell personal data)
- Non-discrimination for exercising your privacy rights
- Correct inaccurate personal information
- Limit use of sensitive personal information
Categories collected: identifiers, commercial information, internet activity, professional information, inferences.
No sale of data: Duale AI does not sell personal information as defined under CCPA.
Contact: contact+privacy@mail.duale.ai — response within 45 days (extendable by 45 days if necessary).
Cookies
Essential (no consent required): functionality, authentication.
Optional (your choice): analytics, marketing. Consent valid for 6 months.
Cookie banner on first visit. Modify or withdraw consent in page footer.
Third parties: Crisp (support), Auth0 (auth).
Children’s Privacy
B2B platform. We do not knowingly collect data from children under 16. Report concerns: contact+privacy@mail.duale.ai
Automated Decisions and Artificial Intelligence
Duale AI does not use your data for automated decisions producing legal effects concerning you (GDPR Art. 22).
AI Transparency (EU AI Act 2024/1689): Platform AI Agents are artificial intelligence systems. You are informed of their nature during each interaction. See Terms of Use for limitations and prohibited uses.
AI Agents configured by Clients may process third-party data. In this case:
- The Client is data controller (Duale AI = processor)
- The Client is responsible for GDPR Art. 22 compliance if Agents make automated decisions affecting third parties
Processing on Behalf of Clients
When the Client uses the Platform to process third-party personal data, the Client is data controller and Duale AI acts as data processor (GDPR Art. 28).
Duale AI commitments: processing on instruction only, confidentiality, security, incident notification within 24h, GDPR assistance, deletion at contract end. See Terms and Conditions for complete DPA.
Contact: contact+legal@mail.duale.ai
Do Not Track and Global Privacy Control
Global Privacy Control (GPC): Duale AI honors GPC signals as valid opt-out requests under CCPA/CPRA. When GPC is enabled, we treat it as a request to opt out of the sale or sharing of personal information.
Do Not Track (DNT): Duale AI also honors DNT browser signals by disabling optional tracking when DNT is enabled.
Changes
Substantial changes notified by email 30 days before taking effect.
Contact
- Privacy: contact+privacy@mail.duale.ai
- DPO: contact+dpo@mail.duale.ai
- California requests: contact+privacy@mail.duale.ai (specify “California Privacy Request”)