Privacy Policy

1. Information We Collect

We collect the following types of information:

1.1. Account Information: When you register for an account or use our Service, you may provide us with personal information, including but not limited to your name, email address, organization name, and other contact details.

1.2. Your Content: Content you create, upload, store, or transmit through the Service, including code, files, applications, messages, AI prompts, and other materials created within your cloud workspace.

1.3. AI Interaction Data: When you use AI features, we process your prompts, code context, file contents, and other inputs necessary to generate AI outputs. See Section 3 for details on how this data is handled.

1.4. Automatically Collected Information: When you access the Service, certain information may be collected automatically, including your IP address, browser type, device type, operating system, and other technical information. We may also use cookies and similar tracking technologies to collect data about your interactions with our Service.

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1. Providing the Service: We use your information to create and manage your account, operate your cloud workspace, deliver AI features, execute code, store files, and provide customer support.

2.2. Improving the Service: We analyze aggregated and anonymized usage data to improve our Service, develop new features, and enhance user experience. We do not use Your Content or AI interaction data for AI model training (see Section 3).

2.3. Communication: We may send you information about the Service, updates, and promotional materials. You can opt out of promotional communications at any time.

2.4. Legal Requirements: We may use your data to comply with applicable legal obligations, such as responding to legal requests and enforcing our Terms of Service.

3. AI Data Processing

When you use our AI features, portions of Your Content (such as prompts, code context, and file contents) are transmitted to third-party large language model (LLM) providers to generate outputs. Our current AI providers include Anthropic, OpenAI, and Google.

3.1. No Training on Your Data: We do not use Your Content or AI outputs to train, develop, or improve AI or machine learning models. We maintain data processing agreements with our third-party AI providers that prohibit them from using your data for model training.

3.2. Data Transmitted to Providers: Only the content necessary to fulfill your AI request is transmitted to providers. This typically includes your prompt, relevant code context, and file contents that you reference or that are needed for the AI to complete its task.

3.3. Provider Retention: Our AI providers may temporarily retain input and output data for a limited period (typically 30 days or less) solely for safety monitoring and abuse prevention, after which it is deleted. Providers do not use this data for model training.

4. Cloud Workspace Data

Each user or organization is provided with a persistent cloud server ("sandbox") as part of the Service. The following applies to data within your workspace:

4.1. Storage and Isolation: Your workspace data is stored on cloud infrastructure hosted in the United States. Each workspace is isolated from other users' workspaces.

4.2. Persistence: Files, code, and data within your workspace persist across sessions for the duration of your account. You are responsible for maintaining your own backups of critical data.

4.3. Deletion: Upon account termination, workspace data will be deleted immediately, except as required for backups or legal compliance.

4.4. Access: We may access workspace contents when necessary to provide support, ensure service integrity, investigate abuse, or comply with legal obligations. We do not access workspace contents for any other purpose.

5. Third-Party Integrations

The Service supports optional integrations with third-party services (such as Google, GitHub, Linear, Slack, and others provided through the Composio integration platform) to enhance functionality. These integrations are activated only at your direction.

5.1. Google User Data: If you choose to connect a Google account, we may access your name, email address, and data from Google services you authorize (such as Gmail or Google Calendar). This data is used exclusively to provide the features you enable. We strictly adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to develop, improve, or train AI or ML models.

5.2. Other Integrations: When you connect other third-party services, we access only the data necessary to deliver the functionality you request. You can disconnect any integration at any time, after which no new data will be accessed from that service.

5.3. AI Processing of Integration Data: When you instruct the AI to interact with connected services (e.g., reading emails, creating issues), the relevant data is transmitted to AI providers as described in Section 3. This occurs only in response to your explicit instructions.

6. Data Sharing

We do not sell, rent, or trade your personal information to third parties. We may share your information in the following circumstances:

6.1. Service Providers and Sub-Processors: We share information with third-party service providers who assist us in providing the Service, including cloud infrastructure providers, AI model providers, and analytics services.

6.2. Legal Requirements: We may share information in response to valid legal requests or to protect our rights, privacy, safety, or property.

6.3. Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your data may be transferred as part of the transaction.

7. Data Retention

We retain your data for the following periods:

• Account information: For the duration of your account.
• Workspace data (code, files, applications): For the duration of your account. Deleted within 30 days of account termination.
• AI interaction logs: Retained for up to 30 days for safety monitoring, then deleted.
• Billing and payment records: Retained for 7 years as required by tax and accounting regulations.
• Server and access logs: Retained for up to 90 days for security monitoring.
• Aggregated and anonymized analytics: May be retained indefinitely as this data does not contain personal information.

You may request deletion of your data at any time by emailing team@duet.so.

8. Security Measures

We implement reasonable security measures to protect your personal information from unauthorized access, disclosure, alteration, and destruction, including encryption of data in transit and at rest. However, no method of data transmission over the Internet or electronic storage is entirely secure, and we cannot guarantee the absolute security of your information.

9. Your Rights and Choices

You have the following rights regarding your personal information:

9.1. Access and Update: You may access and update your account information at any time through the Service.

9.2. Data Export: You may export your workspace data at any time through the Service.

9.3. Deletion: You may request deletion of your personal data by contacting us. We will process your request in accordance with applicable law.

9.4. Communications: You can opt out of receiving promotional communications from us at any time.

9.5. Integration Control: You can connect or disconnect third-party integrations at any time through the Service settings.

9.6. Account Deactivation: You can deactivate your account at any time by contacting us.

10. California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including:

• The right to know what personal information we collect, use, and disclose.
• The right to request deletion of your personal information.
• The right to opt out of the sale or sharing of your personal information. We do not sell or share your personal information as defined under the CCPA/CPRA.
• The right to non-discrimination for exercising your privacy rights.

To exercise these rights, please contact us at team@duet.so.

11. International Data Transfers

The Service is hosted in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We take appropriate safeguards to ensure your data is protected in accordance with this Privacy Policy, regardless of where it is processed. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on appropriate transfer mechanisms as required by applicable law.

12. Children's Privacy

Our Service is not intended for children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe we have collected personal information from a child, please contact us, and we will take appropriate action to delete such information.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will post the revised Privacy Policy with an updated effective date on our website. Material changes will be communicated to you via email or through the Service.

14. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at team@duet.so.

By using the Duet Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.