The short version
- We only collect what Duuly needs to remember your tasks, appointments and documents.
- We never sell your data — not to advertisers, not to anyone.
- Your LINE chat stays between you and Duuly. We use it to run the features you ask for.
- You can delete your items any time — or email us to erase your whole account.
- We use standard security practices (encryption in transit and at rest).
The sections below explain each of these in more detail. If anything is unclear, email hello@duuly.app and a real person will get back to you.
Who we are
Duuly (“we”, “us”) is a personal-assistant service that runs inside LINE and in a companion mini-app (LIFF). This Privacy Policy explains what we collect, why, how we use it, and your rights. It applies to everyone who adds Duuly as a friend on LINE or uses the mini-app.
The data controller is Invisibl Co., Ltd. (company registration no. 0105568075971), 6/41 Soi Sun Wichai, Bangkapi, Huai Kwang, Bangkok 10310, Thailand. You can reach us by phone at 093-996-9653 or by email at hello@duuly.app.
What we collect
We collect the minimum needed to run the service:
- Account info from LINE — your LINE user ID, display name and profile photo, provided by the LINE Messaging API when you add Duuly as a friend.
- Content you send to Duuly — text messages, voice notes (transcribed) and photos you upload (warranties, receipts, etc.).
- Content Duuly creates on your behalf — tasks, reminders, commitments, packages, notes, lists and document metadata.
- Usage signals — which features you use, how often, error logs. Used to keep the service healthy.
- Billing info — if you subscribe, your payment is processed by Omise (Opn Payments). We never see or store your card number; we only receive a subscription status and a customer ID.
How we use it
We use your data only to:
- Understand what you asked for (classify intent, extract dates, find the note you want).
- Deliver reminders at the right time.
- Show your stuff in the mini-app dashboard.
- Improve Duuly — e.g. fix bugs, improve how it understands messages. Aggregate, anonymous metrics only.
- Handle billing for paid plans (via Omise).
We do not train public AI models on your private content, sell your data to advertisers, or share it with third parties except as described below.
Our legal basis
Under Thailand’s PDPA and the EU GDPR, we process your personal data on these legal bases:
- To provide the service you asked for (performance of a contract) — running your tasks, reminders, lists, and the mini-app.
- Your consent — for optional features you switch on yourself, like the Google Calendar integration.
- Our legitimate interests — keeping Duuly secure, preventing abuse, and improving the product, balanced against your privacy.
- Legal obligations — for example, keeping invoice and tax records.
You can withdraw consent for any opt-in feature at any time, without affecting processing already carried out.
Automated processing & AI
Duuly uses automated systems, including AI language models, to read your messages and turn them into tasks, reminders, dates, and answers. That’s how the core product works.
We do not use this to make decisions that produce legal or similarly significant effects on you (within the meaning of Article 22 GDPR). A person only reviews your content in limited cases — to fix a technical issue, respond to a support request, or comply with the law.
Data about other people
If you put another person’s details into Duuly — for example, adding a member or assigning a task to someone in a shared workspace — you confirm you have a lawful basis to share it. We process that data only to deliver the feature you asked for (such as notifying that person), never for our own purposes.
Google Calendar integration
The Google Calendar integration is opt-in — it’s off by default and you turn it on from the “Me” tab in the Duuly mini-app. When you connect, we request read-only access to your primary calendar (scope: https://www.googleapis.com/auth/calendar.readonly). We use this access solely to:
- Mirror upcoming and recent events into your Duuly dashboard.
- Include calendar events in your daily and weekly summaries.
- Answer natural-language questions like “when is my meeting with Anna?”.
What we store: event title, start and end time, location, attendee count, and a link back to the original event in Google Calendar. We do not store attendee personal data (email addresses, names beyond a count), meeting recordings, or message content.
Tokens: the access and refresh tokens Google issues to Duuly are encrypted at rest using Supabase Vault. They are never exposed in client code, logs, or analytics.
How long: cached events are kept while the integration is connected. When you disconnect (one tap in the Me tab), every cached event and both tokens are deleted from our servers within seconds.
What we don’t do: we never write back to Google Calendar — the integration is read-only. We don’t use your Google Calendar data to train AI models. We don’t share it with third parties or use it for advertising.
Duuly’s use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Where your data is processed
Some of our service providers (such as our database, AI, and calendar providers) process data on servers outside Thailand — for example, in the United States or the EU. When your data is transferred abroad, we rely on appropriate safeguards — such as the providers’ data-processing agreements and standard contractual clauses — to keep it protected to the standard required by the PDPA and GDPR.
How long we keep it
Your history retention depends on your plan:
- Free — 30 days.
- Basic — 180 days (6 months).
- Premium — 1,095 days (3 years).
Beyond that window, older history may no longer be shown in the app. If you ask us to delete your account, we erase your personal data within 90 days, except where we’re required to retain it for legal or accounting reasons (e.g. invoice records).
Your rights
You can, at any time:
- See your data — everything you’ve created lives in the mini-app.
- Edit or delete items — say “delete that” in LINE, or tap delete in the mini-app.
- Get a copy of your data — email us and we’ll provide it.
- Delete your account — email us and we’ll erase all your data within 90 days.
- Withdraw consent — stop using Duuly and/or unfriend Duuly in LINE.
If you’re in a jurisdiction with specific data rights (GDPR, PDPA, etc.), those rights apply. Email hello@duuly.app to exercise them.
You also have the right to lodge a complaint with your data-protection authority — in Thailand, the Office of the Personal Data Protection Committee (PDPC); in the EU, your local supervisory authority.
Security
We encrypt data in transit (TLS) and at rest (AES-256 on our storage provider). Access to production data is limited to the small engineering team on a need-to-know basis, with audit logs. No system is perfectly secure, but we take it seriously — if you believe you’ve found a vulnerability, please email hello@duuly.app.
If a data breach ever affects your personal data, we’ll notify you and the relevant authority without undue delay, as required by law.
Children
Duuly is intended for people 13 and older (or the minimum age in your country). If we learn that a younger child has added Duuly, we’ll delete the account and data.
Changes to this policy
If we make meaningful changes to this policy, we’ll update the “last updated” date at the top and, for significant changes, notify you in LINE. Continued use after an update means you accept the new terms.
Contact us
Questions, requests, or just want to say hi? Email hello@duuly.app or chat with Duuly directly on LINE.