Privacy Policy

Welcome to DuckDive AI. We are committed to protecting your privacy and handling your data with transparency and care. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our marketing analytics platform and services.

1. Information We Collect

1.1 Account Information

To use DuckDive AI, you authenticate through Google OAuth. We receive only:

• Google Account ID: A unique identifier to authenticate your account
• Email Address: Used solely for service communications and account recovery

We do not collect: Names, phone numbers, physical addresses, credit card information, or other personal details.

1.2 Analytics Platform Data (Not Direct Website Data)

Important Distinction: DuckDive AI does not collect data directly from your website or its visitors. Instead, we access aggregated analytics data that has already been collected by third-party platforms:

• Google Analytics: Aggregated website traffic, sessions, conversions, and performance metrics
• Google Ads: Campaign performance, ad spend, and keyword data
• Google Search Console: Search queries, impressions, clicks, and rankings
• Google Business Profile: Local listing performance and metrics

What this means: We only read analytics reports from these platforms—the same data you can already see in your Google Analytics dashboard. We don't track individual website visitors, place cookies on your website, or collect any data directly from end users.

1.3 Technical Information

We collect minimal technical data to operate the service:

• Session Data: Authentication tokens and session identifiers
• Usage Logs: Feature usage and error logs for service improvement
• Essential Cookies: Required for authentication and basic functionality only

We do not track: Your browsing behavior, IP addresses, device identifiers, or personal information.

2. How We Use Your Information

We use the collected information solely to provide and improve DuckDive AI:

2.1 Service Delivery

• Authenticate your account via Google OAuth
• Process and analyze your marketing data to generate insights
• Create visualizations, reports, and dashboards
• Provide AI-powered answers to your marketing questions

2.2 Service Communications

• Send essential service notifications (e.g., system updates, security alerts)
• Respond to support inquiries
• Provide onboarding assistance when requested

Note: We do not send marketing emails. All communications are service-related only.

2.3 Service Improvement

• Analyze aggregated usage patterns to improve features
• Troubleshoot technical issues and errors
• Develop new features based on common use cases

3. How We Share Your Information

We do not sell, rent, or share your data. Period. Your marketing data stays yours. We only share information in these limited cases:

3.1 Service Infrastructure

• Hosting Provider: We use Render for secure cloud hosting with encryption at rest and in transit
• Google APIs: We access your analytics data only through official Google APIs that you authorize
• Payment Processing: Stripe handles all payment processing (we never see your credit card details)

These service providers are contractually required to protect your data and use it only to provide their specific services.

3.2 Legal Requirements

We may disclose information only if required by law:

• Valid court orders or subpoenas
• Government investigations where legally required
• Protection of legal rights or safety

No third-party marketing, advertising, or data brokers. Ever.

4. Your Marketing Data: Our Commitments

Your marketing data is the core of what makes DuckDive AI valuable. We take our responsibility seriously:

4.1 Your Data Never Trains Our AI Models

We explicitly commit that your marketing data is never used to train, improve, or develop our AI models. Your Google Analytics data, campaign metrics, and business insights remain yours alone. Our AI models are trained on general datasets that do not include any customer data.

4.2 Data Isolation

Your data is logically isolated from other customers' data. We implement strict access controls to ensure your marketing data is never mixed with or exposed to other users.

4.3 Data Retention

We retain your marketing data only as long as necessary to provide our services:

• While your account is active, we store your connected marketing data
• If you disconnect a data source, we stop accessing new data immediately
• If you delete your account, we delete your marketing data within 30 days
• We may retain aggregated, anonymized data for analytical purposes

4.4 Data Portability

You can export your data, reports, and insights at any time in standard formats (PDF, CSV, Excel).

5. Data Security

We implement industry-leading security measures to protect your information:

5.1 Encryption

• Data in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3
• Data at Rest: All stored data is encrypted using AES-256 encryption
• Database Encryption: Database-level encryption for all sensitive information

5.2 Access Controls

• Multi-factor authentication (MFA) available for all accounts
• Role-based access controls for team accounts
• Strict internal access policies limiting employee access to customer data
• Regular access audits and monitoring

5.3 Infrastructure Security

• Hosting on SOC 2 Type II certified infrastructure
• Regular security assessments and penetration testing
• Automated vulnerability scanning and patching
• DDoS protection and network security measures
• Regular backups with encrypted storage

5.4 Security Incident Response

In the event of a data breach affecting your information, we will notify you within 72 hours and provide details about the incident and steps we're taking to address it.

6. Cookies and Tracking

We use minimal cookies, only what's essential:

6.1 Essential Cookies Only

• Authentication: Session cookies to keep you logged in
• Security: CSRF tokens to protect against attacks
• Preferences: Remember your dashboard settings

We do not use: Tracking cookies, advertising cookies, third-party analytics cookies, or any cross-site tracking technologies.

7. Your Privacy Rights

You have complete control over your data:

7.1 Access and Export

• Export your reports and insights anytime (PDF, CSV, Excel)
• View all connected data sources in your account settings

7.2 Disconnect and Delete

• Disconnect any data source instantly from your dashboard
• Delete your account anytime—we'll remove your data within 30 days

7.3 Data Portability

• Download all your generated reports and insights
• Your source data remains in your Google accounts (we never store it permanently)

To exercise these rights, email us at hello@duckdive.ai or manage directly in your account settings.

8. International Data Transfers

DuckDive AI is hosted on Render's infrastructure in the United States. If you're outside the US, your analytics data may be processed in the United States. We ensure appropriate safeguards through:

• Encryption of all data in transit and at rest
• Compliance with GDPR for European users
• Standard security practices for international data transfers

9. Children's Privacy

DuckDive AI is a business tool not intended for children under 16. We do not knowingly collect information from children. Since we only access business analytics data (not website visitor data), we don't collect data from end users of any age.

10. Third-Party Integrations

We Access Analytics Data, Not Your Website Visitors:

When you connect platforms like Google Analytics to DuckDive AI:

• You authorize us to read analytics reports from those platforms
• We access only aggregated data that those platforms have already collected
• We do not place any tracking code, cookies, or scripts on your website
• We are not responsible for how those platforms collect data from your website visitors
• You can revoke our access anytime through your DuckDive AI settings or Google's security settings

Important: The privacy policies of Google Analytics, Google Ads, etc. govern how they collect data from your website visitors. DuckDive AI only reads the reports those platforms generate—we never interact with your website visitors directly.

11. California Privacy Rights (CCPA)

California residents: Since we don't collect PII, most CCPA requirements don't apply. However:

• We do not sell personal information (we don't collect it in the first place)
• Right to Delete: You can delete your account anytime
• Right to Know: This policy explains everything we collect

12. European Privacy Rights (GDPR)

For EU/UK users:

• Legal Basis: We process data based on your consent (Google OAuth authorization)
• Data Minimization: We collect only what's necessary to provide the service
• Right to Withdraw: Disconnect your account anytime

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes:

• We will update the "Last Updated" date at the top of this policy
• We will notify you via email or through the platform
• For significant changes, we may require you to review and accept the new policy

Your continued use of DuckDive AI after changes become effective constitutes acceptance of the updated policy.

14. Contact Us

15. Security & Compliance

DuckDive AI is committed to security best practices:

• Hosting: Secure hosting on Render with enterprise-grade infrastructure
• Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Google OAuth: Secure authentication through Google's trusted infrastructure
• Limited Access: We access only the analytics data you explicitly authorize
• No Direct Tracking: We never place tracking code on your website or collect visitor data
• Regular Updates: Security patches and vulnerability assessments

This Privacy Policy is effective as of December 13, 2025. By using DuckDive AI, you acknowledge that you have read and understood this Privacy Policy.