Privacy Policy
This Privacy Policy explains how Duple ("we", "us", or "our") collects, uses, discloses, and safeguards your information when you use our Duple iOS application and website ("Services"). Please read this policy carefully. If you do not agree with its terms, please discontinue use of our Services.
Contents
- 01Who We Are
- 02Information We Collect
- 03How We Use Your Information
- 04AI Processing & Third-Party Services
- 05Data Sharing
- 06Data Retention
- 07Your Rights
- 08Children's Privacy & Age
- 09Data Security
- 10International Transfers
- 11EU / EEA & UK Users (GDPR)
- 12California Users (CCPA)
- 13Changes to This Policy
- 14Contact Us
Who We Are
Duple is an AI companion application that lets you create a personalised AI companion, chat with them in real time, and receive AI-generated images. The Services are operated by Duple ("we", "us", "our", "Duple").
For the purposes of the EU General Data Protection Regulation (GDPR), we act as the data controller of your personal data. Our contact details are listed in Section 14.
Information We Collect
We collect the following categories of information:
Information We Do Not Collect
We do not continuously track your location or sell your personal data. We do not collect financial payment card details — all payments are processed by Apple's App Store.
How We Use Your Information
We use your information for the following purposes:
Service Delivery
To provide chat, AI image generation, user image attachments, profile photos, voice chat or transcription features, and all core app features. To authenticate you, manage your session, and remember your AI companion's attributes.
Personalisation & Memory
Your chat messages are processed by AI to extract facts, emotional moments, and preferences (stored as companion memories). These are converted into semantic embeddings (numerical vector representations) and stored in our database. When you chat, relevant memories are retrieved and used to make your companion feel contextually aware and consistent over time. You can reset or delete these memories at any time (see Section 7).
AI Image & Content Generation
Your chat messages, companion attributes, and context are sent to our AI image generation system to produce personalised images for your companion. These requests are processed via OpenAI image models, fal.ai, and related AI routing providers on our behalf. Generated images are stored on Bunny CDN under account or avatar-scoped paths and linked to your account.
User Images & Vision Processing
When you choose to send an image in chat, take a photo, select an image from your photo library, or set a profile picture, the image may be uploaded to Bunny CDN and linked to your account. Chat image attachments may be analysed by a vision model to create a compact visual description for your companion and to support moderation. For those attachments, we may store the image URL, thumbnail URL, mime type, dimensions, file size, vision processing status and model, compact chat context, structured visual output, moderation source, and moderation reason. We instruct the model not to identify people or infer sensitive traits from the image.
Safety & Moderation
We use automated content moderation to scan inputs and outputs for policy violations. Safety event logs are used internally to detect abuse patterns and protect the platform. These logs are not disclosed to other users.
Billing & Subscriptions
We process App Store transaction data to manage your subscription tier, allocate your recurring Doken allowance, verify StoreKit entitlements, and handle renewals, cancellations, billing issues, refunds, or revocations. This may include product IDs, transaction and original transaction identifiers, app account token values where Apple provides them, purchase, expiry, and revocation dates, renewal information, notification UUIDs, notification type and subtype, environment, and related signed App Store server notification metadata.
Service Improvement
Aggregated and de-identified usage data (e.g. session counts, error rates) may be used to improve the quality and reliability of our Services. We do not use your personal conversation content to train AI models without your explicit consent.
Legal Compliance
To comply with applicable laws, enforce our Terms, and respond to lawful requests from public authorities.
AI Processing & Third-Party Services
Duple relies on the following third-party services to operate. Before creating an account, we ask you to affirmatively agree to the Terms, this Privacy Policy, and the processing of your messages, images, and voice by these providers to deliver Duple. Each service is bound by its own privacy policy and our data processing agreements.
| Provider | Purpose | Data Sent |
|---|---|---|
| OpenAI | Image generation (GPT-Image-2), semantic embeddings (text-embedding-3-small), web search or Responses calls where configured, Realtime voice sessions, and some chat or transcription flows where configured | Chat messages, companion context, conversation history, image generation prompts, reference or source media URLs, embedding inputs, audio when voice or transcription is used, and search queries |
| OpenRouter / DeepSeek / Google Gemini | AI chat routing, including DeepSeek where configured; image prompt or template assistance; image attachment vision analysis and moderation using Google Gemini where configured; transcription, web search, or model calls where configured | Chat messages, companion context, conversation history, user-sent image URLs or image content, compact visual descriptions, structured image metadata, moderation outcomes, audio where transcription is used, and search queries where used |
| fal.ai | AI image generation infrastructure (runs OpenAI GPT-Image-2) | Image generation prompts, avatar reference URLs, source media URLs, and generation parameters |
| Supabase | Database, authentication, real-time messaging, Edge Functions (serverless backend) | All user data, messages, media metadata, billing state |
| Bunny CDN | Storage and delivery of AI-generated images, user-uploaded images, profile photos, avatar identity assets, outfit references, and video assets | Generated image files, uploaded image files, avatar and outfit reference files, account or avatar-scoped media URLs, and delivery metadata |
| ImgBB | Legacy or temporary hosting for reference photos if an older avatar-generation flow requires it | Reference photo(s) you voluntarily upload in that flow |
| Apple | Authentication (Sign in with Apple), in-app purchases & subscriptions, StoreKit entitlement validation, App Store server notifications, cancellation and refund handling | Apple-managed account and purchase information, app account token, transaction and original transaction identifiers, product identifiers, subscription status, renewal data, notification metadata, refund or revocation status |
AI Data Use: AI providers process your messages, media, prompts, audio, and related context only as needed to provide Duple features. Where OpenAI APIs are used, OpenAI's API usage policies govern how they handle this data. By default, OpenAI does not use API data to train models. You can review OpenAI's privacy policy at openai.com/policies/privacy-policy.
Data Sharing
We share your personal data only in the following circumstances:
Service Providers (Processors)
We share data with the third-party service providers listed in Section 4, who act as data processors under our instructions. They may only use your data to provide services to us, not for their own purposes.
Legal Requirements
We may disclose your information if required to do so by law, court order, or governmental authority, or when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
Business Transfers
If Duple is involved in a merger, acquisition, or sale of all or a portion of its assets, your personal data may be transferred as part of that transaction. We will provide notice before your data is transferred and becomes subject to a different privacy policy.
No Sale of Data
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
Data Retention
We retain your data for as long as your account is active or as needed to provide Services:
Active Accounts
Chat messages, companion memories, generated media, uploaded media, and account data are retained while your account is active. You may reset or delete specific data at any time from within the app.
Account Deletion
When you delete your account (via Settings → Delete Account in the app, or by submitting a request to us), deletion of your Duple account and associated app data begins immediately. Because the request deletes your authenticated user record, related messages, companions, memories, generated media records, uploaded images, and billing state are removed through our account-linked deletion rules, except where we are required to retain certain information for legal compliance (for example, transaction records required under tax law or App Store dispute handling).
User Images & Generated Media
Images you upload and media generated for your companions are retained while your account or the relevant companion/chat remains active so the app can display them, reuse them as profile pictures, preserve conversation context, or support outfit and avatar identity features. These media files may be stored under account or avatar-scoped CDN paths. Deleting your account or companion, or clearing a companion's chat where supported, removes the related app records and media links subject to the exceptions above.
Safety & Moderation Logs
Safety event logs may be retained for up to 12 months for abuse detection and platform integrity purposes, even after account deletion.
Anonymised Data
Anonymised or aggregated data that cannot identify you may be retained indefinitely for analytics and service improvement.
Your Rights
You have the following rights regarding your personal data. To exercise any of these rights, contact us at keith@duple.chat.
- Access. Request a copy of the personal data we hold about you.
- Rectification. Request correction of inaccurate or incomplete personal data.
- Erasure ("Right to be Forgotten"). Request deletion of your personal data. You can also delete your account directly in the app.
- Data Portability. Request a machine-readable export of your personal data.
- Restriction. Request that we restrict processing of your personal data in certain circumstances.
- Objection. Object to processing based on legitimate interests, including profiling.
- Withdraw Consent. Where processing is based on consent, you may withdraw it at any time. This does not affect the lawfulness of prior processing.
- Reset Companion Memory. You can reset your AI companion's memory (chat history, facts, episodic memories) directly within the app at any time.
- Lodge a Complaint. EU/UK users have the right to lodge a complaint with their local data protection authority.
In-app controls: You can reset your companion's chat history and memories in the app settings at any time. This will erase all messages, memories, and media associated with that companion. You can also request full account deletion via Settings → Delete Account.
Children's Privacy & Age Requirements
Duple is rated 17+ on the Apple App Store and is intended solely for users aged 18 years or older. We do not knowingly collect personal information from individuals under 18.
Our AI companion system enforces a minimum age of 18 at the database level. All AI-generated companions are adults (age ≥ 18). If we become aware that a user under 18 has provided us with personal data, we will take steps to delete such information promptly. If you are a parent or guardian and believe your child has used Duple, please contact us at keith@duple.chat.
In jurisdictions requiring age verification (including Australia, Brazil, Singapore, and certain US states), Duple complies with applicable age assurance obligations.
Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:
- All data in transit is encrypted using TLS/HTTPS.
- Database access is controlled via Row Level Security (RLS) — each user can only access their own data.
- Authentication uses Supabase Auth with JWT tokens and Apple Sign-In.
- Generated and uploaded media are stored under account-linked paths and access is mediated by app account controls and backend ownership checks.
- Service-role database access is strictly restricted to our backend infrastructure.
- We employ automated content safety screening on all chat inputs and outputs.
While we strive to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
International Data Transfers
Your information may be transferred to and processed in countries other than the country in which you reside, including the United States and other countries where our service providers operate (including Supabase, OpenAI, fal.ai, OpenRouter, DeepSeek, and Google Gemini through OpenRouter where configured).
Where we transfer personal data of users in the European Economic Area (EEA), United Kingdom, or Switzerland to countries outside those regions, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognised transfer mechanisms.
EU / EEA & UK Users (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply under the General Data Protection Regulation (GDPR) and equivalent laws.
Legal Bases for Processing
We process your personal data under the following legal bases:
- Contract Performance (Art. 6(1)(b)): Processing necessary to deliver the Services you signed up for — chat, image generation, user image attachments, account management, and billing.
- Legitimate Interests (Art. 6(1)(f)): Safety screening, fraud prevention, service improvement using aggregated data, and enforcing our Terms.
- Legal Obligation (Art. 6(1)(c)): Retaining transaction data as required by applicable tax or financial regulations.
- Consent (Art. 6(1)(a)): Where you have explicitly given us consent, such as location permission, camera or microphone access, photo library selection, or optional features that require consent. You may withdraw consent at any time.
Data Protection Officer
We do not currently have a mandatory obligation to appoint a Data Protection Officer (DPO). For privacy-related inquiries, please contact us using the details in Section 14.
Your GDPR Rights
In addition to the rights listed in Section 7, GDPR provides you the right to not be subject to solely automated decision-making (including profiling) that produces legal or similarly significant effects. Duple's companion relationship progression is automated, but it does not produce legal effects on you.
Supervisory Authority
You have the right to lodge a complaint with your local supervisory authority. A directory of EU data protection authorities is available at edpb.europa.eu. UK users may contact the Information Commissioner's Office (ICO).
California Users (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights:
- Right to Know: You have the right to know what personal information we collect, use, disclose, and sell (we do not sell your data).
- Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You have the right to request correction of inaccurate personal information.
- Right to Opt-Out of Sale / Sharing: We do not sell or share your personal information for cross-context behavioural advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise your CCPA rights, contact us at keith@duple.chat. We will respond within 45 days as required by law.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where required by law or where the changes are significant, by sending an in-app notification or email.
Your continued use of Duple after the effective date of the revised policy constitutes your acceptance of the changes. We encourage you to review this policy periodically.
Contact Us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have any other privacy-related concerns, please contact us:
Duple Privacy
Email: keith@duple.chat
Support: keith@duple.chat
Website: www.duple.chat
We aim to respond to all privacy requests within 30 days. For EU/EEA users, we will respond within 1 month as required by GDPR (Art. 12(3)).