Privacy Policy - Duus.ai

Last updated: January 18, 2026

1. Data Controller

The data controller for the processing of your personal data is:

Codebit

CVR number: DK31845548

Vigerslev Allé 67, 1 tv.

2500 Valby, Denmark

Email: support@duus.ai

2. Scope and Roles

This privacy policy describes how we collect and process personal data when you use the Duus.ai service.

Codebit acts as:

• Data controller for account information, billing, and customer support

• Data processor for content you upload to the Service (documents, conversations, knowledge base)

If you need a Data Processing Agreement (DPA), please contact us at support@duus.ai.

3. What Data We Collect

Account Information

• Name and email address

• Password (encrypted)

• Organization name and billing address

• Language preference

Usage Data

• Websites you add to the Service

• Documents and content you upload

• Conversations between your chatbot and your visitors

• Widget configuration and settings

Technical Data

• IP address

• Browser type and device information

• Access and usage timestamps

Billing Data

• Payment information (processed by Stripe)

• Billing history

• Subscription information

Support Data

• Email correspondence

• Support requests and feedback

4. Legal Basis for Processing

We process your personal data on the following legal bases under GDPR:

• Contract performance (Article 6(1)(b)): To provide the Service to you

• Legal obligation (Article 6(1)(c)): To comply with accounting and tax laws

• Legitimate interests (Article 6(1)(f)): To improve the Service and prevent abuse

• Consent (Article 6(1)(a)): For marketing communications, where applicable

5. Third-Party Services

We use third-party providers to deliver the Service. These fall into the following categories:

• Hosting and infrastructure providers: To host the Service and store data. Our primary database is located in the EU.

• Payment providers: To process payments and billing. Our payment provider is PCI DSS certified.

• Email services: To send transactional emails such as confirmations and notifications.

• AI services: To generate chatbot responses. Conversations are processed to provide responses but are not permanently stored by the AI provider.

• Website crawling services: To index websites for the knowledge base.

We have entered into data processing agreements with relevant providers where required by GDPR.

6. International Transfers

Some of our third-party providers may process data outside the EU/EEA. In such cases, we ensure appropriate safeguards through:

• EU Commission Standard Contractual Clauses (SCCs)

• Provider certification under relevant frameworks

Our primary database (Supabase) is located in the EU.

7. Retention Period

We retain your data for as long as necessary to fulfill the purposes described in this policy:

• Account data: As long as your account is active, plus a reasonable period thereafter

• Billing data: 5 years in accordance with Danish bookkeeping law

• Conversations: As long as you keep them, or until you delete them

• Technical logs: Up to 90 days

When you request deletion of your account, we delete your data within 30 days, unless we are legally required to retain it.

8. Your Rights

Under GDPR, you have the following rights:

• Right of access: You can request a copy of your personal data

• Right to rectification: You can request correction of inaccurate data

• Right to erasure: You can request deletion of your data

• Right to restriction: You can request restriction of processing

• Right to data portability: You can request to receive your data in a structured format

• Right to object: You can object to processing based on legitimate interests

• Right to withdraw consent: Where processing is based on consent

• Right to complain: You can file a complaint with the Danish Data Protection Agency (datatilsynet.dk)

To exercise your rights, contact us at support@duus.ai.

9. Cookies

We use cookies and similar technologies to:

• Keep you logged in (necessary cookies)

• Remember your preferences (functional cookies)

Necessary cookies do not require consent as they are essential for the Service to function. We do not use third-party tracking or advertising cookies.

See our Cookie Policy for more details.

10. Security

We implement appropriate technical and organizational measures to protect your data:

• Encryption in transit (TLS/HTTPS)

• Encryption of sensitive data at rest

• Access control and authentication

• Regular security updates

• Data backups

No online service can guarantee absolute security. If you discover a security vulnerability, please contact us immediately.

11. Children's Privacy

The Service is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us.

12. Changes to This Policy

We may update this privacy policy from time to time. For material changes, we will notify you via email or a notice in the Service.

Your continued use of the Service after the changes constitutes acceptance of the updated policy.

13. Contact

If you have questions about this privacy policy or wish to exercise your rights, you can contact us at:

Codebit

Vigerslev Allé 67, 1 tv.

2500 Valby, Denmark

Email: support@duus.ai