
Data Protection & GDPR Compliance

Last Updated: October 12, 2025

This Data Protection Policy explains how DuoWeave complies with global data protection regulations, including the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA), and other applicable laws.

This policy supplements our Privacy Policy and provides additional details for users in regulated jurisdictions.

1. Who We Are

Data Controller: DuoWeave, Inc.
Address: [Your Company Address]
Email: dpo@duoweave.com

EU Representative: [EU Representative Name and Address] (if applicable)
UK Representative: [UK Representative Name and Address] (if applicable)

Data Protection Officer (DPO):
Email: dpo@duoweave.com

2. Legal Basis for Processing (GDPR Article 6)

We process your personal data based on the following legal grounds:

Processing Activity               Legal Basis
--------------------------------  ------------------------------------------------------------------------
Account creation and management   Performance of contract (GDPR Art. 6(1)(b))
Providing the Service             Performance of contract (GDPR Art. 6(1)(b))
Facial verification               Explicit consent (GDPR Art. 6(1)(a); Art. 9(2)(a) for biometric data)
Marketing communications          Consent (GDPR Art. 6(1)(a))
Analytics and improvements        Legitimate interests (GDPR Art. 6(1)(f))
Security and fraud prevention     Legitimate interests (GDPR Art. 6(1)(f))
Legal compliance                  Legal obligation (GDPR Art. 6(1)(c))

3. Your Rights Under GDPR

If you are in the EU/EEA or UK, you have the following rights:

3.1 Right of Access (Art. 15)

You can request:

  • Confirmation of whether we process your personal data
  • A copy of your personal data
  • Information about how we use your data

3.2 Right to Rectification (Art. 16)

You can request correction of inaccurate or incomplete personal data.

3.3 Right to Erasure / "Right to be Forgotten" (Art. 17)

You can request deletion of your personal data if:

  • The data is no longer necessary
  • You withdraw consent
  • You object to processing
  • The data was unlawfully processed
  • Legal obligations require deletion

Exceptions: We may retain data if required for legal compliance, defense of legal claims, or other lawful grounds.

3.4 Right to Restriction of Processing (Art. 18)

You can request we limit how we use your data if:

  • You contest the accuracy of the data
  • Processing is unlawful but you prefer restriction over deletion
  • We no longer need the data but you need it for legal claims
  • You've objected to processing and verification is pending

3.5 Right to Data Portability (Art. 20)

You can request your data in a structured, commonly used, machine-readable format (e.g., JSON, CSV) to:

  • Keep for your own records
  • Transfer to another service provider

3.6 Right to Object (Art. 21)

You can object to processing based on legitimate interests, including:

  • Direct marketing (we will stop immediately)
  • Profiling for marketing
  • Processing for research or statistics

3.7 Right Not to Be Subject to Automated Decision-Making (Art. 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.

DuoWeave's Use of Automation:

  • Facial Verification: Uses AI (DeepFace) to detect biological sex. This is a one-time verification with your explicit consent.
  • Fact-Checking: Uses AI to flag potential misinformation. Human review is available upon request.
  • Content Moderation: Uses AI to detect prohibited content. Users can appeal automated decisions.

3.8 Right to Withdraw Consent (Art. 7(3))

Where processing is based on consent, you can withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.

3.9 Right to Lodge a Complaint (Art. 77)

You can file a complaint with your local data protection authority (DPA):

  • EU: Find your DPA at EDPB Members
  • UK: Information Commissioner's Office (ICO)

4. How to Exercise Your Rights

4.1 Self-Service

You can exercise some rights directly through the app:

  • Access: Settings → Account → Download My Data
  • Rectification: Settings → Profile → Edit Information
  • Erasure: Settings → Account → Delete Account
  • Marketing Opt-Out: Settings → Notifications → Email Preferences

4.2 Contact Us

For other requests, email our Data Protection Officer:

Email: dpo@duoweave.com
Subject: "GDPR Data Subject Request"

Include:

  • Your full name
  • Email address associated with your account
  • Description of your request
  • Proof of identity (if required)

4.3 Response Time

  • We will respond within 30 days (extendable to 60 days for complex requests)
  • We will inform you if we extend the deadline
  • Requests are free of charge (unless excessive or repetitive)

5. Data Transfers Outside the EU/UK

DuoWeave operates globally. Your data may be transferred to and processed in countries outside the EU/EEA/UK, including the United States.

5.1 Safeguards for International Transfers

We ensure adequate protection through:

EU-U.S. Data Privacy Framework

We comply with the EU-U.S. Data Privacy Framework (DPF) for transfers to the United States.

Standard Contractual Clauses (SCCs)

We use the European Commission's approved Standard Contractual Clauses (SCCs) with our service providers.

Adequacy Decisions

We transfer data to countries deemed "adequate" by the European Commission (e.g., Canada, Japan).

5.2 List of Countries Where Data is Processed

  • United States: Cloud hosting (MongoDB Atlas, Railway, Vercel), analytics (Google), email (Resend)
  • Other jurisdictions: As disclosed in our Privacy Policy

6. Special Categories of Data (Article 9)

GDPR defines "special categories" of sensitive personal data requiring extra protection, including biometric data.

6.1 Biometric Data (Facial Verification)

What we collect: Your facial photograph for one-time biological sex verification.

Legal basis: Explicit consent (GDPR Art. 9(2)(a))

How we process it:

  • You upload a photo during account setup
  • The photo is analyzed using AI (DeepFace) to detect biological sex characteristics
  • The analysis result determines your experience type
  • The photo is immediately and permanently deleted after processing—we do NOT store biometric data or templates

Your rights:

  • You can withdraw consent, but this will prevent you from using the Service
  • You can request information about how your data was processed

7. Data Retention

We retain personal data only as long as necessary for the purposes described in our Privacy Policy.

Data Type                    Retention Period           Legal Basis
---------------------------  -------------------------  ----------------------------------------
Account data                 Until deletion + 30 days   Contract performance
Posts and content            Until deletion + 90 days   Contract performance
Transaction records          7 years                    Legal obligation (tax/accounting)
Facial verification photo    Immediately deleted        Privacy by design
Server logs                  90 days                    Legitimate interest (security)
Marketing consent records    3 years after withdrawal   Legal obligation (proof of consent)

8. Children's Data

DuoWeave is not intended for users under 18. We do not knowingly process data of children under 16 (or the applicable age in your jurisdiction).

If we discover we have collected data from a child, we will delete it within 72 hours.

9. Data Breach Notification

In the event of a personal data breach, we will:

9.1 Notification to Supervisory Authority

  • Report the breach to the relevant DPA within 72 hours of becoming aware (GDPR Art. 33)
  • Include description of the breach, affected data, likely consequences, and remedial measures

9.2 Notification to Data Subjects

  • Notify affected users without undue delay if the breach poses a high risk to their rights and freedoms (GDPR Art. 34)
  • Provide clear information in plain language about the breach and recommended actions

10. Privacy by Design and Default

We implement privacy principles throughout our Service:

10.1 Data Minimization

  • We only collect data necessary for the Service
  • Facial verification photos are immediately deleted—never stored

10.2 Purpose Limitation

  • We use data only for specified, legitimate purposes
  • We don't use your data in ways incompatible with the original purpose without your consent

10.3 Storage Limitation

  • We delete data when no longer necessary
  • Automated deletion processes for expired data

10.4 Security Measures

  • End-to-end encryption for messages
  • TLS/SSL encryption for data in transit
  • AES-256 encryption for data at rest
  • Regular security audits and penetration testing
  • Access controls and multi-factor authentication

10.5 Privacy by Default

  • Most privacy-friendly settings are default
  • You must opt-in for marketing communications
  • Granular privacy controls in settings

11. California Consumer Privacy Act (CCPA/CPRA)

If you are a California resident, you have additional rights under the CCPA/CPRA:

11.1 Right to Know

You can request:

  • Categories of personal information we collect
  • Categories of sources
  • Business/commercial purposes for collection
  • Categories of third parties we share with
  • Specific pieces of personal information we hold

11.2 Right to Delete

You can request deletion of your personal information (subject to legal exceptions).

11.3 Right to Opt-Out of "Sale"

We do not sell your personal information. No opt-out is necessary.

11.4 Right to Correct

You can request correction of inaccurate personal information.

11.5 Right to Limit Use of Sensitive Personal Information

You can limit our use of sensitive data (e.g., biometric data) to purposes necessary to provide the Service.

11.6 Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

11.7 How to Exercise CCPA Rights

Email: privacy@duoweave.com
Subject: "California Privacy Request"

12. Other Jurisdictions

12.1 Canada (PIPEDA)

We comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

12.2 Brazil (LGPD)

We comply with Brazil's Lei Geral de Proteção de Dados (LGPD).

12.3 Other Regions

We respect applicable data protection laws in your region. Contact us if you have questions about compliance in your jurisdiction.

13. Data Protection Impact Assessment (DPIA)

We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities, including:

  • Facial verification (biometric data processing)
  • Automated content moderation
  • Large-scale data analytics

14. Updates to This Policy

We may update this Data Protection Policy from time to time. Significant changes will be communicated via email and in-app notification.

15. Contact Us

Data Protection Officer:
Email: dpo@duoweave.com

EU Representative: [Name, Address, Email]

UK Representative: [Name, Address, Email]

General Privacy Inquiries:
Email: privacy@duoweave.com

DuoWeave is committed to protecting your privacy and complying with all applicable data protection laws. If you have concerns or questions, please don't hesitate to contact us.

© 2025 DuoWeave. All rights reserved.