duun

Last updated June 4, 2026

Privacy Policy

This policy explains what personal information duun collects, why we use it, how we protect it, and how you can exercise your rights.

Summary

duun is a personal task app. We collect the information needed to create your account, keep your tasks available across devices, support sharing features you choose to use, process billing, connect optional integrations, secure the service, and respond to support requests.

Task titles, notes, comments, schedules, and related task content are encrypted before storage. Account, billing, security, device, support, and operational records may be stored separately so we can authenticate users, enforce plan limits, provide support, and maintain audit and abuse-prevention controls.

Who Is Responsible

For personal information handled through duun, duun acts as the responsible party under South Africa's Protection of Personal Information Act (POPIA) and, where the General Data Protection Regulation (GDPR) applies, as the controller. Vendors that process information for us are operators or processors.

Information We Collect

Account information. Name, email address, authentication provider identifiers, avatar URL, account role, plan, and account timestamps.

Task information. Tasks, notes, note edit timestamps, comments, task relationships, schedules, sharing settings, participants, task activity, and related product state.

Device and session information. Session tokens, active device records, device settings, QR login state, and security metadata needed to keep you signed in and manage device limits.

Billing information. Payment provider customer identifiers, checkout or portal session references, subscription status, plan state, and related billing events. We do not store full payment card numbers.

Calendar connection information. If you connect Google Calendar, we store authorization data, selected calendar IDs, sync settings, calendar event title display preferences, calendar event references, and availability information needed for the calendar features you enable. We may retrieve calendar list names and access roles so you can choose a writable calendar for sync. Synced calendar events may display a task title or a user-provided label depending on your connection settings.

AI and MCP integration information. If you connect an MCP client or a managed integration such as ChatGPT, we process access tokens, OAuth client and token records, requested scopes, tool calls, and tool results needed to complete the actions you authorize. Depending on the permissions granted, those integrations may read task data and may create, edit, move, complete, delete, share, schedule, or update notes on tasks.

Support and operational information. Support tickets, messages, audit events, request metadata, error logs, security events, and service diagnostics.

Purposes And Lawful Bases

Run your account and synchronize tasks: Performance of contract; necessary product operation.

Authenticate users and protect accounts: Legitimate interests; legal and security obligations.

Process subscriptions and billing: Performance of contract; legal and financial obligations.

Provide optional integrations: Your authorization, consent, or the contract for the enabled feature.

Respond to support and improve reliability: Legitimate interests; performance of contract.

Send product or marketing communications: Consent where required, or legitimate interests where permitted. You can opt out.

How Information Is Shared

We do not sell your personal information. We share information only as needed to provide duun, comply with law, protect rights and safety, or complete actions you request.

Service providers may process information for hosting, database storage, authentication, billing, email delivery, calendar connectivity, analytics, logging, security, and support. When you share a task, invited people can see the task content and related activity made available through that sharing feature.

When you connect duun to an AI client or managed app, task titles, notes, schedules, sharing links, and other tool results may be sent to that client as needed to perform the action you requested. Those clients process the information under their own terms and privacy practices.

International Transfers

duun and its service providers may process information in countries other than your own. Where POPIA, GDPR, or another privacy law requires transfer safeguards, we use appropriate measures such as vendor data processing terms, confidentiality obligations, standard contractual clauses, or equivalent protections.

Retention

We keep account and task information while your account is active or as needed to provide duun. Deleted content may remain in backups, logs, or audit records for a limited period before it is removed according to operational retention schedules.

Billing, tax, legal, security, support, and abuse-prevention records may be retained longer where required or reasonably necessary to comply with law, resolve disputes, enforce agreements, or protect the service.

Your Rights

Depending on where you live, you may have rights to access, correct, delete, export, restrict, or object to certain processing of your personal information. You may also withdraw consent where processing is based on consent.

You can update or delete task content in the app, disconnect optional integrations, control calendar sync settings where available, grant or revoke scoped MCP/agent access, and manage billing where available. To make a privacy request, contact us using the details below. We may need to verify your identity before acting on a request.

Security And Breach Notices

We use technical and organizational measures designed to protect personal information, including encryption for task content before storage, transport security, access controls, audit logging, and secrets management.

If a security incident affects personal information, we will investigate, mitigate harm, and notify regulators and affected people when required. Under POPIA, security compromises are reported to the Information Regulator and affected data subjects as soon as reasonably possible. Under GDPR, reportable personal data breaches are notified to the relevant supervisory authority without undue delay and, where required, within 72 hours.

Marketing And Cookies

If we send marketing messages, we will provide a way to opt out. Where consent is required for unsolicited electronic communications, tracking cookies, or similar technologies, we will ask for consent before using them.

Children

duun is not directed to children under 13, and we do not knowingly collect personal information from children under 13.

Changes To This Policy

We may update this policy as the product, legal requirements, or operating practices change. When we make material changes, we will update the date above and provide additional notice when appropriate.

Contact

Privacy requests can be sent to [email protected].

South African users may also contact the Information Regulator if they believe their POPIA rights have not been respected. EU or EEA users may contact their local data protection authority.