Important Disclaimer: Duely is a personal utility app provided strictly on an “as-is” basis. The developer and all associated persons accept no responsibility or liability — direct or indirect — for any financial loss, data loss, missed payments, credit score impact, or any other damages arising from your use of, or inability to use, this application. You use Duely entirely at your own risk.

Privacy Policy

Last Updated: May 26, 2026 · Version 2.0

1. Introduction

Welcome to Duely (“the App”, “we”, “us”). We are committed to protecting your personal information and your right to privacy. Because Duely is a financial utility, our architecture is built privacy-first — your sensitive vault data is end-to-end encrypted on your device before it ever reaches our servers.

This policy explains what information we collect, why we collect it, how it is stored, and what rights you have over it. If you do not agree with this policy, please do not use the App.

2. Information We Collect via Google OAuth

When you register or log in using Google OAuth, we collect the following limited profile information provided by your Google account:

  • Email Address: Used strictly to identify your account and synchronize your encrypted vault data across devices.
  • Basic Profile Information: Such as your display name or avatar, used solely to personalize your dashboard experience.

We do not access your Google Drive, Contacts, Gmail, Calendar, or any other sensitive Google services. Our OAuth scope is limited to basic profile information only.

3. Your Encrypted Financial Data

The credit card names, billing cycles, balances, and notes you enter into Duely are end-to-end encrypted locally on your device using AES-256-GCM authenticated encryption before being transmitted or stored. Our servers hold only the encrypted ciphertext blob. We do not hold decryption keys and are technically incapable of reading, analyzing, selling, or sharing your financial data.

This zero-knowledge model means that even in the event of a server breach, your financial data remains unreadable to any third party.

4. Third-Party Service Providers

To operate the App, we rely on the following third-party infrastructure providers. Each processes only the minimum data necessary:

  • Supabase (Database & Auth Infrastructure): Stores your encrypted vault blobs and manages authentication sessions. Supabase does not have access to your decrypted financial data. Their privacy policy is available at supabase.com/privacy.
  • Google OAuth (Authentication): Used solely for sign-in. We request only your basic profile scope. Google's privacy policy is available at policies.google.com/privacy.

We do not use any advertising networks, analytics trackers, or marketing platforms. No third party receives your personal data for commercial purposes.

5. Cookies & Session Data

Duely uses strictly necessary cookies to maintain your authenticated session via Supabase. These cookies are essential for the App to function and cannot be opted out of while using the service. We do not use any tracking cookies, advertising cookies, or third-party analytics cookies.

  • Session cookies: Set by Supabase to authenticate your requests. Cleared when you sign out.
  • Local rate-limit flags: Stored in your browser's localStorage to track failed PIN attempts and enforce lockout timers. Contain no personal data.

6. How We Use Your Information

The information we collect is used exclusively for the following purposes:

  • To facilitate account creation and the sign-in process securely via Google OAuth.
  • To synchronize your encrypted vault database across your authorized devices.
  • To send you essential system or security notifications when required (e.g., account deletion confirmation).

We do not use your data for advertising, profiling, analytics, machine learning, or any commercial purpose beyond operating the App.

7. Data Retention & Account Deletion

You have full control over your data at all times.

  • Active accounts: Your email and encrypted vault blobs are retained for as long as your account is active to enable cross-device sync.
  • Deletion requests: When you initiate account deletion from the App, your account is scheduled for permanent deletion after a 7-day grace period. During this window, your data still exists on our servers. If you log back in within 7 days, the deletion is automatically cancelled and your account is restored.
  • After deletion: Once the 7-day window passes, your email address and all associated encrypted vault blobs are permanently and irreversibly purged from our database. This cannot be undone.

You may also request immediate deletion by visiting our Contact page or contacting us at contact@duely.co.in.

8. Security & Data Breach Notification

We implement industry-standard security practices including TLS in transit, AES-256-GCM encryption at rest, and PBKDF2 key derivation. However, no system is completely immune to security incidents.

In the unlikely event of a data breach affecting your personal information, we will notify affected users via the email address associated with their account within a reasonable timeframe, in accordance with applicable laws. Because your financial vault data is end-to-end encrypted and we hold no decryption keys, any breach of our servers would not expose your financial information — only encrypted ciphertext.

9. Analytics & Server Logging

Duely does not use any third-party analytics services (e.g., Google Analytics, Mixpanel, Amplitude). We do not track your in-app behaviour, screen views, or feature usage.

Standard server-side access logs may be generated by our infrastructure provider (Supabase) as part of normal operations. These logs may contain IP addresses and request timestamps and are retained according to Supabase's own data retention policies. We do not actively access or analyze these logs except when investigating security incidents.

10. Children's Privacy

Duely is a financial utility intended for adults. We do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has created an account, please visit our Contact page or email us immediately at contact@duely.co.in and we will promptly delete the account.

11. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Right to access: Request a copy of the personal data we hold about you.
  • Right to deletion: Request that your account and all associated data be permanently deleted.
  • Right to portability: Export your encrypted vault at any time from the App settings as a .duely backup file.
  • Right to correction: Update your profile information via your Google account settings.

To exercise any of these rights, visit our Contact page or contact us at contact@duely.co.in. We will respond within 30 days.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in the App or applicable law. When we do, we will update the “Last Updated” date at the top of this page and increment the version number. For significant changes, we will make reasonable efforts to notify you via email or an in-app notice.

Continued use of the App after changes are posted constitutes your acceptance of the revised policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please reach out via our Contact page or email us directly:

Duely

Email: contact@duely.co.in

We aim to respond to all privacy-related inquiries within 30 days.