DUVIS Privacy Policy

Privacy Policy

DUVIS processes only the personal information needed to connect purpose, goals, tasks, habits, time blocks, retros, notes, and AI reports in one self-management flow. This policy is organized so you can quickly see what we process, why we process it, and how you can exercise your rights.

Effective date

2026-06-17

Current policy

2026.06.17

Previous policies

No previous public policy

1. Information We Process and Why

The information we process depends on how you use DUVIS and which optional features you enable. Optional feature data is processed when you actively connect, request, upload, issue, or enable that feature.

Category	Purpose	Information	Retention
Account	Create accounts, keep users signed in, verify emails, reset passwords, prevent abuse	Email address, display name, password hash, verification/reset tokens, login session data	Until account deletion. Verification/reset tokens are deleted after expiry
Profile and settings	Personalized screens, notifications, language settings	Avatar image, language setting, notification preference, mascot settings	Until account deletion or user deletion/change
Growth data	Goals, tasks, habits, time, retros, notes, documents, reports	Purpose, core values, goals, milestones, tasks, habits and check-ins, time blocks, timer records, retros, daily notes, documents, mandalarts, weekly reports	Until account deletion or user deletion
AI features	AI coaching, planning, retro summaries, weekly reports, memory suggestions	Coaching conversations, messages, context needed for reports, memories and memory candidates, model/token usage	Until account deletion or conversation/memory deletion. Usage records are retained for billing and operations
Google integration	Google sign-in, read-only Google Calendar sync, busy-time display	Google identifier, connected email, granted scope, encrypted refresh token, event title and start/end time	Until integration disconnection or account deletion
Security and operations	Security monitoring, incident response, access limits, MCP token management	IP address, sign-in/sign-up/verification attempts, email domain, hashed MCP access tokens and usage history, error logs and access logs	Deleted after security or operational purpose is fulfilled, unless legal retention is required

Google Calendar, AI generation, avatar upload, MCP token issuance, and notifications are optional. Public pages remain available without enabling them, but the related feature may be limited.

2. Third-Party Sharing

DUVIS does not sell personal information. Data may be transferred to external services only where required by law or necessary for features the user chooses.

Recipient	Purpose	Information and retention
AI model providers such as OpenAI	AI coaching, summaries, reports, planning results	User requests, conversations, and context needed for generation. Subject to provider policy and contract scope
Google	Google sign-in and read-only Google Calendar integration	Google account identifiers, Calendar API permissions, and information needed to retrieve events
Search tools such as Tavily	Search-backed AI planning or information enrichment	Search query and necessary context, only when the user runs the feature

3. Processors

Some processing is performed through infrastructure and operational tools. DUVIS limits processor use to what is needed to provide and operate the service.

Processor	Work	Note
Infrastructure providers such as AWS and Amplify	Application hosting, database, file storage, backups	Service infrastructure
Email delivery services	Verification, password reset, and notification emails	Email address and delivery logs
Cloudflare Turnstile	Prevent automated sign-up and sign-in attempts	Security check
Sentry	Error monitoring and incident analysis	Configured to limit default personal data collection
Slack	Operational alerts and sign-up notifications	Used only when configured

4. Retention and Deletion

Personal information is deleted without undue delay after the purpose is fulfilled, the account is deleted, or consent is withdrawn. Data needed for legal obligations, disputes, security audits, or backup recovery may be retained separately for the necessary period.

Category	Deletion trigger	Deletion method
Account and user data	Account deletion or user deletion	Deleted from the database or irreversibly de-identified
Google Calendar integration	Integration disconnection or account deletion	Stored connection tokens and synced data are deleted or disabled
Avatars and files	Replacement, deletion, or account deletion	Storage objects are deleted. Cache or backups may retain copies for a limited period
Access and security logs	After security and operational purposes are fulfilled	Deleted or aggregated according to log retention policy

5. Cookies and Automatic Collection

DUVIS uses cookies and browser storage to maintain sign-in, language, and device-level UI preferences.

Item	Purpose	How to manage
Authentication cookie	Keep users signed in	Stored as an HTTP-only cookie and expires on logout
Language cookie	Store selected ko or en language	Managed by clearing browser cookies or changing language settings
Local storage	Device-level UI settings such as theme, sidebar state, time-planner tips, and desktop app token	Managed by clearing browser storage or changing app settings

6. Your Rights

You may exercise privacy rights at any time. For requests that cannot be completed directly in the service, contact us by email.

Request access, correction, deletion, or suspension of processing
Withdraw consent, disconnect Google integrations, or change notification preferences
Revoke and reissue MCP access tokens
Request account deletion and deletion of service usage records
Exercise rights through a legal representative. We may request identity verification when necessary

7. Security Measures

DUVIS applies safeguards to protect personal information from loss, theft, leakage, falsification, alteration, or damage.

Technical measures

Password hashing, refresh token encryption, no plaintext MCP token storage, encrypted transmission

Administrative measures

Admin access limits, operational access control, security attempt logs, incident response

Physical and infrastructure measures

Cloud infrastructure access control, backup and storage permission management

8. Privacy Contact

Send requests for access, correction, deletion, suspension, withdrawal of consent, complaints, or remedies to the contact below.

Category	Contact	Scope
Privacy contact	admin@dododot.net	Privacy requests for DUVIS
Service operations	admin@dododot.net	Account, billing, integration, and incident inquiries

9. Addendum

This Privacy Policy takes effect on June 17, 2026.
If this policy changes, we will disclose the effective date, changes, and reason on this page.
Material changes will be announced through the service, email, or another reasonable method.