Privacy Policy

What we collect, how we use it, who else sees it, and how long we keep it.

Effective date: [DATE]

Version: [PRIVACY VERSION]

Controller: Dijin Teknoloji Limited Şirketi, Alsancak Mah. 2136 Cad. Damla Su Apt. No: 32 İç Kapı No: 3, Etimesgut / Ankara, Türkiye (Vergi Kimlik No 2951335557, Etimesgut Vergi Dairesi), trading as DurationX

Privacy contact: support@durationx.com (a dedicated privacy address may be assigned before go-live)

EU/UK representative or DPO: [IF APPLICABLE]

Section 1

Scope and roles

This Notice describes how DurationX processes personal data when you visit durationx.com, request qualification, purchase or receive an audit, submit project information, use an account, communicate with support, or act on behalf of a business customer.

DurationX generally acts as controller for website, qualification, account, security, support, report delivery, and service-administration data. Where a business customer includes personal data in project material and determines the purposes and means of that processing, DurationX may act as processor under a data processing agreement. Paddle separately acts as merchant of record and an independent controller for buyer/payment processing under Paddle’s own privacy notice and buyer terms. [OWNER/COUNSEL CONFIRM ROLE ALLOCATION]

Section 2

Data we collect

DurationX may process:

  • identity and contact data: name, business email, company, role, account identifiers;
  • qualification and transaction-reference data: segment, project summary, qualification decision, Paddle customer/transaction identifiers, payment status, currency and amount — DurationX does not need or store full payment-card data;
  • project and technical data: project name/site, country, power, duration, use case, CAPEX assumptions, reliability, grid/interconnection, schedule, procurement, evidence and uploaded files;
  • generated data: deterministic scores, scenario results, report content, compliance/reconciliation findings, version and provenance records, and signatures;
  • authentication and security data: session identifiers, login events, IP address where logged, security/audit records, and rate-limit events;
  • communications and service data: support messages, correction/deletion requests, email delivery events, and feedback;
  • preferences and consent data: your optional model-learning opt-in and its withdrawal;
  • essential browser storage: a Supabase authentication/session cookie and a local intake-wizard step index — see Cookie Notice.

DurationX does not intentionally request special-category/sensitive personal data, government identifiers, health data, credentials, payment-card numbers, or export-controlled material. Please do not submit such data to us.

Section 3

Where data comes from

Data comes from you or your organization, authorised representatives acting for your business, Paddle transaction events, our authentication/security systems, the providers listed in Section 8, and public or licensed benchmark sources. If you submit another person’s information, you are responsible for having the authority to do so and for giving that person any notice required.

Section 4

Purposes and legal bases

PurposeTypical dataProposed legal basis
Qualification and pre-contract communicationcontact, company, project summarysteps requested before contract; legitimate interests for B2B screening
Deliver the purchased auditaccount, intake, evidence, reportcontract; legitimate interests where the customer is a company and data concerns its representative
Payment / tax reconciliationPaddle transaction reference, amount/statuscontract; legal obligation; legitimate interests
Authentication and securitysession, IP/security logs, audit traillegitimate interests; legal obligation where applicable
Human QC, correction and supportreport, compliance findings, communicationscontract; legitimate interests in quality and dispute handling
Transactional emailaddress, service event, minimal project/report metadatacontract; legitimate interests; legal obligation where applicable
Optional minimized product learningexplicit opt-in and derived minimized featuresconsent, separately obtained and withdrawable
Legal claims, audit and compliancerelevant recordslegal obligation; legitimate interests in establishing, exercising, or defending claims

We do not rely on consent where service delivery is actually conditional on processing, and we do not bundle the optional learning opt-in into acceptance of our Terms of Service. [COUNSEL TO VALIDATE LEGAL BASES AGAINST OPERATOR AND MARKETS]

Section 5

AI-assisted processing and human involvement

DurationX sends a minimized deterministic result payload and draft report text to Anthropic’s commercial API to assist explanatory narrative drafting and compliance review. Raw identifiers and other unnecessary personal data are removed before transmission wherever possible. Anthropic states that standard commercial API inputs/outputs are normally deleted within 30 days, subject to safety, legal, or separately agreed retention, and are not used to train generative models unless the commercial customer explicitly opts in — VERIFY AGAINST ACTUAL ANTHROPIC ACCOUNT TERMS/DPA BEFORE PUBLISHING.

No solely automated decision producing legal or similarly significant effects is made about an individual. Numeric scoring concerns a project assumption set, not a person; a human reviewer controls report release before it reaches you. You and your advisers make all decisions about your project.

Section 6

Recipients and provider roles

The table below lists every provider category that touches your data and its role. This list does not itself enumerate every subprocessor those providers use; subprocessor lists are incorporated by reference from each provider’s own disclosures. [PUBLISH LIVE TABLE WITH LINKS AND LAST-REVIEWED DATES BEFORE GO-LIVE]

ProviderFunctionRole / location
SupabaseDatabase, authentication, private report storage, backupsProcessor; primary region configured in the EU; subprocessors/transfer terms per executed DPA
VercelWebsite hosting, API execution, delivery/security logsProcessor for customer data; processing/subprocessors may be international under DPA
HetznerAnalysis worker infrastructureProcessor; EU data-centre location; DPA on file
AnthropicAI-assisted narrative drafting and compliance review (see Section 5)Processor for commercial API content under commercial terms/DPA; standard retention and transfer terms disclosed
ResendTransactional email and delivery eventsProcessor; email address/content/metadata and optional tracking data; DPA/SCCs/subprocessors disclosed
PaddleMerchant of record — payment, tax, refund, fraud checksIndependent controller / authorised reseller; DurationX and Paddle share limited transaction data
Professional advisers / authoritiesLegal, audit, security, insurance, lawful requestsRecipient only where necessary and subject to duties/law

Section 7

International transfers

Primary project storage and worker hosting are configured in the EU, but the providers listed above — and their own subprocessors — may process data in the United States and other countries. This means not all data processing occurs in the EU: where a restricted transfer occurs from the EU/EEA/UK, DurationX relies on applicable adequacy decisions, the European Commission Standard Contractual Clauses, the UK International Data Transfer Agreement/Addendum, and supplementary measures documented in each provider’s data processing agreement or transfer assessment. [IF OPERATOR OR CUSTOMERS ARE IN JAPAN, COUNSEL MUST ALSO ASSESS APPI FOREIGN-TRANSFER OBLIGATIONS]

You may request information about the specific safeguards that apply to your data from support@durationx.com.

Section 8

How long we keep your data

DataRetention
Rejected/incomplete qualification12 months after final decision, unless dispute/security hold
Accepted qualification and order linkage24 months after delivery
Intake, uploaded evidence, score and report metadata24 months after delivery, or earlier on a verified deletion request subject to legal holds
Delivered PDF (private storage)while your account is active; deleted after 24 months of inactivity with prior notice
Paddle webhook copy / transaction reference12 months (DurationX side); Paddle independently retains its own legal/tax records
Email delivery events12 months
Security/audit logs12–24 months, depending on event category
Opt-in learning featuresuntil opt-in withdrawal, purpose expiry, or account deletion — whichever is first
Deletion audit trail24 months after execution, minimized to what is necessary
Backupsrolling expiration, [EXACT DAYS REQUIRED]; not restored except for disaster recovery, after which deletion is re-applied

These are recommended production targets, not yet settled fact — final durations must match deployed deletion jobs and provider contracts and remain [OWNER/COUNSEL DECIDE — FINAL CONFIRMATION PENDING]. DurationX may retain narrowly required records for tax, fraud prevention, security, disputes, or legal obligations beyond these figures. A legal hold suspends deletion only for the affected records and is documented when applied.

Section 9

Security

DurationX uses access controls, row-level authorization, encryption in transit, private storage, short-lived signed download links, multi-factor authentication for administrators, credential separation, logging, backups, and integrity/signature checks. Report access requires authentication or a short-lived signed download link — a bare link never exposes a report that is not yours.

No system is guaranteed secure. Security incidents are handled under a written response plan, including any legally required controller/processor, regulator, and data-subject notifications.

Section 10

Your rights

Depending on your location and applicable law, you may request access, correction, deletion, restriction, portability, objection, or withdrawal of consent, and you may complain to a supervisory authority. Send requests to support@durationx.com. We verify identity before acting on a request and normally respond within the legally applicable period. Where DurationX acts as processor for a business customer, we refer your request to the relevant customer/controller.

[COUNSEL: if GDPR applies, identify the competent supervisory authority; if CCPA/CPRA applies after a documented threshold assessment, add California categories, collection notice, rights, verification, authorised-agent, sale/share, sensitive-data, and non-discrimination sections — do not state “we do not sell/share” without checking analytics, advertising, email tracking, and provider contract definitions first]

Section 11

Deletion

You can request deletion of your account and project data at any time from your account page or by emailing support@durationx.com. Deletion removes or redacts your active customer, project, intake, and report data and uploaded files, queues deletion with our providers where available, and removes any optional derived learning features tied to you. We preserve only what we are legally required to keep — for example, payment records our merchant of record must retain for tax purposes — plus a minimized record that the deletion happened. We complete deletion requests within 30 days and confirm completion by email, identifying any material exceptions and backup-expiry timing rather than stating that all data is instantly gone.

Section 12

Cookies and browser storage

At launch, DurationX uses only strictly necessary authentication/session cookies and a non-sensitive local intake-wizard step index — no analytics, advertising, fingerprinting, or tracking technologies are enabled. See our Cookie Notice for the full inventory and posture.

Section 13

Business users and minors

DurationX is a business-to-business service and is not directed to children. Individuals using it must be at least 18 years old and authorised to act for a business. If we learn we collected a child’s data outside a lawful business context, we will delete it.

Section 14

Changes and contact

We publish the effective date and version at the top of this page. Material changes receive reasonable advance notice where required and do not retroactively authorize a new purpose for data we already hold. Contact support@durationx.com; postal address [ADDRESS]; representative/DPO [IF APPLICABLE]; supervisory authority [COUNSEL INSERT].

This is a near-final, counsel-ready draft of our Privacy Policy, prepared following a 2026-07-06 legal and subject-matter-expert readiness review, and written to reflect exactly how the product works today. It is still pending legal counsel sign-off on the bracketed fields above (entity name and address, exact retention day-counts, supervisory authority, and related items); nothing here will become less protective of your data as those fields are finalized. See also our Terms of Service, Cookie Notice, and Methodology, or reach us at support@durationx.com.