Privacy Policy
What we collect, how we use it, who else sees it, and how long we keep it.
Effective date: [DATE]
Version: [PRIVACY VERSION]
Controller: Dijin Teknoloji Limited Şirketi, Alsancak Mah. 2136 Cad. Damla Su Apt. No: 32 İç Kapı No: 3, Etimesgut / Ankara, Türkiye (Vergi Kimlik No 2951335557, Etimesgut Vergi Dairesi), trading as DurationX
Privacy contact: support@durationx.com (a dedicated privacy address may be assigned before go-live)
EU/UK representative or DPO: [IF APPLICABLE]
Section 1
Scope and roles
This Notice describes how DurationX processes personal data when you visit durationx.com, request qualification, purchase or receive an audit, submit project information, use an account, communicate with support, or act on behalf of a business customer.
DurationX generally acts as controller for website, qualification, account, security, support, report delivery, and service-administration data. Where a business customer includes personal data in project material and determines the purposes and means of that processing, DurationX may act as processor under a data processing agreement. Paddle separately acts as merchant of record and an independent controller for buyer/payment processing under Paddle’s own privacy notice and buyer terms. [OWNER/COUNSEL CONFIRM ROLE ALLOCATION]
Section 2
Data we collect
DurationX may process:
- identity and contact data: name, business email, company, role, account identifiers;
- qualification and transaction-reference data: segment, project summary, qualification decision, Paddle customer/transaction identifiers, payment status, currency and amount — DurationX does not need or store full payment-card data;
- project and technical data: project name/site, country, power, duration, use case, CAPEX assumptions, reliability, grid/interconnection, schedule, procurement, evidence and uploaded files;
- generated data: deterministic scores, scenario results, report content, compliance/reconciliation findings, version and provenance records, and signatures;
- authentication and security data: session identifiers, login events, IP address where logged, security/audit records, and rate-limit events;
- communications and service data: support messages, correction/deletion requests, email delivery events, and feedback;
- preferences and consent data: your optional model-learning opt-in and its withdrawal;
- essential browser storage: a Supabase authentication/session cookie and a local intake-wizard step index — see Cookie Notice.
DurationX does not intentionally request special-category/sensitive personal data, government identifiers, health data, credentials, payment-card numbers, or export-controlled material. Please do not submit such data to us.
Section 3
Where data comes from
Data comes from you or your organization, authorised representatives acting for your business, Paddle transaction events, our authentication/security systems, the providers listed in Section 8, and public or licensed benchmark sources. If you submit another person’s information, you are responsible for having the authority to do so and for giving that person any notice required.
Section 4
Purposes and legal bases
| Purpose | Typical data | Proposed legal basis |
|---|---|---|
| Qualification and pre-contract communication | contact, company, project summary | steps requested before contract; legitimate interests for B2B screening |
| Deliver the purchased audit | account, intake, evidence, report | contract; legitimate interests where the customer is a company and data concerns its representative |
| Payment / tax reconciliation | Paddle transaction reference, amount/status | contract; legal obligation; legitimate interests |
| Authentication and security | session, IP/security logs, audit trail | legitimate interests; legal obligation where applicable |
| Human QC, correction and support | report, compliance findings, communications | contract; legitimate interests in quality and dispute handling |
| Transactional email | address, service event, minimal project/report metadata | contract; legitimate interests; legal obligation where applicable |
| Optional minimized product learning | explicit opt-in and derived minimized features | consent, separately obtained and withdrawable |
| Legal claims, audit and compliance | relevant records | legal obligation; legitimate interests in establishing, exercising, or defending claims |
We do not rely on consent where service delivery is actually conditional on processing, and we do not bundle the optional learning opt-in into acceptance of our Terms of Service. [COUNSEL TO VALIDATE LEGAL BASES AGAINST OPERATOR AND MARKETS]
Section 5
AI-assisted processing and human involvement
DurationX sends a minimized deterministic result payload and draft report text to Anthropic’s commercial API to assist explanatory narrative drafting and compliance review. Raw identifiers and other unnecessary personal data are removed before transmission wherever possible. Anthropic states that standard commercial API inputs/outputs are normally deleted within 30 days, subject to safety, legal, or separately agreed retention, and are not used to train generative models unless the commercial customer explicitly opts in — VERIFY AGAINST ACTUAL ANTHROPIC ACCOUNT TERMS/DPA BEFORE PUBLISHING.
No solely automated decision producing legal or similarly significant effects is made about an individual. Numeric scoring concerns a project assumption set, not a person; a human reviewer controls report release before it reaches you. You and your advisers make all decisions about your project.
Section 6
Recipients and provider roles
The table below lists every provider category that touches your data and its role. This list does not itself enumerate every subprocessor those providers use; subprocessor lists are incorporated by reference from each provider’s own disclosures. [PUBLISH LIVE TABLE WITH LINKS AND LAST-REVIEWED DATES BEFORE GO-LIVE]
| Provider | Function | Role / location |
|---|---|---|
| Supabase | Database, authentication, private report storage, backups | Processor; primary region configured in the EU; subprocessors/transfer terms per executed DPA |
| Vercel | Website hosting, API execution, delivery/security logs | Processor for customer data; processing/subprocessors may be international under DPA |
| Hetzner | Analysis worker infrastructure | Processor; EU data-centre location; DPA on file |
| Anthropic | AI-assisted narrative drafting and compliance review (see Section 5) | Processor for commercial API content under commercial terms/DPA; standard retention and transfer terms disclosed |
| Resend | Transactional email and delivery events | Processor; email address/content/metadata and optional tracking data; DPA/SCCs/subprocessors disclosed |
| Paddle | Merchant of record — payment, tax, refund, fraud checks | Independent controller / authorised reseller; DurationX and Paddle share limited transaction data |
| Professional advisers / authorities | Legal, audit, security, insurance, lawful requests | Recipient only where necessary and subject to duties/law |
Section 7
International transfers
Primary project storage and worker hosting are configured in the EU, but the providers listed above — and their own subprocessors — may process data in the United States and other countries. This means not all data processing occurs in the EU: where a restricted transfer occurs from the EU/EEA/UK, DurationX relies on applicable adequacy decisions, the European Commission Standard Contractual Clauses, the UK International Data Transfer Agreement/Addendum, and supplementary measures documented in each provider’s data processing agreement or transfer assessment. [IF OPERATOR OR CUSTOMERS ARE IN JAPAN, COUNSEL MUST ALSO ASSESS APPI FOREIGN-TRANSFER OBLIGATIONS]
You may request information about the specific safeguards that apply to your data from support@durationx.com.
Section 8
How long we keep your data
| Data | Retention |
|---|---|
| Rejected/incomplete qualification | 12 months after final decision, unless dispute/security hold |
| Accepted qualification and order linkage | 24 months after delivery |
| Intake, uploaded evidence, score and report metadata | 24 months after delivery, or earlier on a verified deletion request subject to legal holds |
| Delivered PDF (private storage) | while your account is active; deleted after 24 months of inactivity with prior notice |
| Paddle webhook copy / transaction reference | 12 months (DurationX side); Paddle independently retains its own legal/tax records |
| Email delivery events | 12 months |
| Security/audit logs | 12–24 months, depending on event category |
| Opt-in learning features | until opt-in withdrawal, purpose expiry, or account deletion — whichever is first |
| Deletion audit trail | 24 months after execution, minimized to what is necessary |
| Backups | rolling expiration, [EXACT DAYS REQUIRED]; not restored except for disaster recovery, after which deletion is re-applied |
These are recommended production targets, not yet settled fact — final durations must match deployed deletion jobs and provider contracts and remain [OWNER/COUNSEL DECIDE — FINAL CONFIRMATION PENDING]. DurationX may retain narrowly required records for tax, fraud prevention, security, disputes, or legal obligations beyond these figures. A legal hold suspends deletion only for the affected records and is documented when applied.
Section 9
Security
DurationX uses access controls, row-level authorization, encryption in transit, private storage, short-lived signed download links, multi-factor authentication for administrators, credential separation, logging, backups, and integrity/signature checks. Report access requires authentication or a short-lived signed download link — a bare link never exposes a report that is not yours.
No system is guaranteed secure. Security incidents are handled under a written response plan, including any legally required controller/processor, regulator, and data-subject notifications.
Section 10
Your rights
Depending on your location and applicable law, you may request access, correction, deletion, restriction, portability, objection, or withdrawal of consent, and you may complain to a supervisory authority. Send requests to support@durationx.com. We verify identity before acting on a request and normally respond within the legally applicable period. Where DurationX acts as processor for a business customer, we refer your request to the relevant customer/controller.
[COUNSEL: if GDPR applies, identify the competent supervisory authority; if CCPA/CPRA applies after a documented threshold assessment, add California categories, collection notice, rights, verification, authorised-agent, sale/share, sensitive-data, and non-discrimination sections — do not state “we do not sell/share” without checking analytics, advertising, email tracking, and provider contract definitions first]
Section 11
Deletion
You can request deletion of your account and project data at any time from your account page or by emailing support@durationx.com. Deletion removes or redacts your active customer, project, intake, and report data and uploaded files, queues deletion with our providers where available, and removes any optional derived learning features tied to you. We preserve only what we are legally required to keep — for example, payment records our merchant of record must retain for tax purposes — plus a minimized record that the deletion happened. We complete deletion requests within 30 days and confirm completion by email, identifying any material exceptions and backup-expiry timing rather than stating that all data is instantly gone.
Section 12
Cookies and browser storage
At launch, DurationX uses only strictly necessary authentication/session cookies and a non-sensitive local intake-wizard step index — no analytics, advertising, fingerprinting, or tracking technologies are enabled. See our Cookie Notice for the full inventory and posture.
Section 13
Business users and minors
DurationX is a business-to-business service and is not directed to children. Individuals using it must be at least 18 years old and authorised to act for a business. If we learn we collected a child’s data outside a lawful business context, we will delete it.
Section 14
Changes and contact
We publish the effective date and version at the top of this page. Material changes receive reasonable advance notice where required and do not retroactively authorize a new purpose for data we already hold. Contact support@durationx.com; postal address [ADDRESS]; representative/DPO [IF APPLICABLE]; supervisory authority [COUNSEL INSERT].