Duuny.ai – Privacy Policy (GDPR)

1. Data Controller and Contact

The data controller is PMK Ultra Oy (Business ID 2812260-8), Juvantie 101, 77330 Virtasalmi, Finland ("Duuny").

Contact for all privacy matters: support@duuny.ai

2. Scope and Purpose of the Service

Duuny is a platform where businesses create profiles to present their services, and customers can find suitable service providers. Duuny is intended primarily for business use.

3. What Data We Collect

We focus on business-related information. However, some of this information may be personal data if it identifies an individual (e.g., a sole trader or contact person). We may process:

• Business profile data: business name, business description, services, pricing ranges, locations/areas of operation, images and other media uploaded by the business
• Contact data: business contact details such as email, phone, website (which may, in some cases, be personal data if linked to an individual)
• Location data: approximate service area and, if explicitly provided or allowed, location information
• Usage data: searches made in the Service, interactions with profiles, technical logs (such as IP address, timestamps, and technical identifiers)
• Payment-related metadata: information needed to link subscriptions and payments to accounts (all card/payment details are handled by Stripe)

Businesses may upload images or other content which can incidentally contain personal data (e.g., a person in a photo). The business is responsible for ensuring it has the right to upload such content.

4. Legal Bases for Processing

We process personal data under GDPR on the following legal bases:

• Contract (Art. 6(1)(b)): to create and maintain accounts, business profiles, and provide the Service as agreed
• Legitimate interests (Art. 6(1)(f)): to operate, develop, and secure the Service, provide search and matching, send essential communications, perform analytics, and use AI to improve recommendations and profile assistance
• Consent (Art. 6(1)(a)): where required for certain types of location data, marketing communications, or non-essential cookies/analytics

5. How We Use the Data

We use personal data to:

• create and manage business profiles and user accounts
• enable search, matching, and discovery of service providers
• display business information to users of the Service
• support AI-assisted profile writing, search, categorisation, and recommendations
• send onboarding, account, product update, and marketing communications (where permitted)
• provide customer support and handle user requests
• monitor usage and improve the Service's functionality and performance
• comply with legal obligations

6. AI Use

Duuny uses AI services (including models provided by third parties such as OpenAI) to:

• help businesses draft or improve profile texts
• interpret user search queries and improve matching
• suggest relevant service providers or profile improvements
• analyse and structure profile information

AI is used to assist; it does not make legally binding decisions. Humans (businesses and users) always keep control over which content is published and which service providers to contact.

7. Cookies and Similar Technologies

We may use cookies and similar technologies to:

• provide essential platform functionality (e.g., login sessions)
• perform basic analytics about how the Service is used
• support product improvements and usability

Where required by law, we will ask for your consent for non-essential cookies or analytics tools. You can manage your cookie preferences via your browser settings and, where available, our cookie controls.

8. Payment Processing

Paid features of Duuny are handled through Stripe. Stripe acts as an independent data controller or processor for payment details under its own terms and privacy policy.

Duuny does not store or process full payment card details. We may receive limited payment metadata from Stripe (e.g., transaction status, subscription status) to manage account access.

9. Data Sharing and Recipients

We may share personal data with:

• Hosting and infrastructure providers, such as AWS
• Email delivery services, such as SendGrid
• Payment processor, Stripe
• AI service providers, such as OpenAI
• Other carefully selected service providers acting as data processors

We may also share data:

• when required by law, regulation, or court order
• if necessary to investigate suspected fraud, abuse, or security incidents
• in connection with a merger, acquisition, or sale of part or all of our business

We may share aggregated or anonymised information that does not identify individuals with partners or third parties.

10. International Data Transfers

Some providers (e.g., AWS, Stripe, SendGrid, OpenAI or similar services) may process data outside the EU/EEA. In such cases, Duuny ensures appropriate safeguards, such as:

• an adequacy decision by the European Commission, or
• Standard Contractual Clauses (SCCs) or other approved transfer mechanisms.

We take reasonable steps to ensure that your data remains protected to a GDPR-equivalent level.

11. Data Retention

We retain personal data only as long as necessary for the purposes described in this Policy or as required by law. In general:

• Account and business profile data are stored as long as the account is active
• Search and usage logs are kept for a limited period (e.g., up to 24 months)
• Backups are retained for a limited time (e.g., 30–90 days)

More detailed retention times may be provided upon request.

12. User Deletion and Account Management

You can delete your account through the Service. When an account is deleted, we remove or anonymise associated personal data except where retention is required or permitted by law.

13. Security

We implement appropriate technical and organisational measures to protect personal data, including at least:

• use of HTTPS for data transmission
• encrypted storage where applicable
• access controls and role-based access
• token-based authentication
• password hashing using industry-standard methods
• limitation of access to personnel who require it
• logging and monitoring of critical systems
• regular backups
• regular technical maintenance and updates

No online service can guarantee absolute security, but we strive to protect personal data using industry-standard safeguards.

14. Children

Duuny is not targeted at children and is intended for business use by adults or persons acting on behalf of a business. We do not knowingly collect personal data from children. If we become aware that we have collected such data, we will delete it.

15. Your Rights under GDPR

Depending on your situation, you have the right to:

• access your data
• correct inaccurate or incomplete data
• request deletion ("right to be forgotten")
• request restriction of processing
• request data portability
• object to processing based on legitimate interests, including profiling
• withdraw consent where applicable

Withdrawal does not affect the lawfulness of processing before withdrawal.

16. Exercising Your Rights

Contact support@duuny.ai to exercise your rights or ask questions. We may need to verify your identity before acting on your request.

17. Complaints

If you believe our processing violates GDPR, you may lodge a complaint with your local EU/EEA data protection authority, including the Finnish Data Protection Ombudsman.

18. Changes to This Privacy Policy

We may update this Policy periodically. The latest version is always available on our website. Significant changes may be communicated through the Service or by email. Continued use of the Service indicates acceptance of the updated Policy.

19. Contact

For all privacy-related questions, requests, or complaints:

• Email:support@duuny.ai
• Website:www.duuny.ai