
Privacy Policy

Last updated: May 25, 2026

Duudi is a workspace for solo freelancers — your tasks, notes, invoices, and meetings, in one calm place. This page explains, in plain words, what we collect, what we don't, and what we do with it.

Who we are

Duudi (hello@duudi.app) is the entity responsible for the data described below. Any privacy question lands in that inbox and gets a real reply.

What we collect

  • Account info — your name, email, and either a password (hashed and never stored in plain text, if you sign up with email/password) or a Google account identifier (if you sign in with Google).
  • Workspace content — everything you create: tasks, notes, invoices, meetings, projects, clients. You own it; we store it so it survives across devices.
  • Technical signals — IP address and browser user-agent for rate limiting and bot prevention. We don't keep an analytics log of which pages you visit.

What we don't do

  • We don't sell your data.
  • We don't share it with third parties for advertising.
  • We don't use your notes, tasks, or invoices to train AI models.
  • We don't run third-party analytics, ad networks, or tracking pixels.
  • We don't email you marketing (we don't currently send email at all).

How we use your data

  • To provide the service: render your workspace, save your edits, generate your PDFs.
  • To keep you signed in: a single signed, httpOnly session cookie.
  • To prevent abuse: rate limiting, Cloudflare Turnstile on signup.
  • To respond to support requests when you email us.

Encryption and access

Your data is encrypted in transit (TLS) and at rest (Neon encrypts the underlying disks). Access to the production database is restricted to the operator. We don't read your notes, tasks, or invoices as part of normal operations, we don't analyse content in aggregate, and we don't use your workspace to train AI models. The only time anyone at Duudi opens your content is if you email us asking for help with a specific bug — and even then, only the smallest slice needed to fix it.

If you specifically need end-to-end encryption — where even the service operator cannot access the data — Duudi isn't built around that model. Apps designed for E2EE (Standard Notes, Obsidian Sync, Anytype) trade off features like server-side search, instant web access on any device, and shareable links to achieve it. Different tradeoffs, different products.

Service providers we use

  • Neon — managed PostgreSQL where your workspace data lives. Encrypted in transit (TLS) and at rest.
  • Cloudflare — hosts the application (Pages), the bot-check (Turnstile), and DNS. Cloudflare sees request metadata.
  • Google — only when you choose to sign in with Google. They confirm your identity to us; that's it.

Each of these has its own privacy policy worth reading if you care.

Cookies

One cookie: duudi-session, signed and httpOnly, used to keep you logged in. No analytics cookies, no third-party tracking cookies.

Public share links

When you click "Share" on a note, we generate a random token and your note becomes readable at /share/{token}. Anyone with that link can read the note — we don't further restrict who. You can revoke the link from the note's share menu, which immediately deletes the token.

Anyone — including non-users — can report a shared note via the "Report this content" link on the share page. Reports include the reporter's email, name (optional), the reason, and a free-text description. We keep these reports and our resolution notes even after the reported content is removed, as an audit trail required to defend takedown decisions. See the Terms of Service for the full takedown process.

Your rights

  • Access — everything we store about you is visible inside the app.
  • Export — notes export as Markdown; invoices export as PDF. A bulk export endpoint is on the roadmap.
  • Correction — edit it in the app.
  • Deletion — email hello@duudi.app and we'll permanently delete your account and content within 7 days.

Data retention

We keep your data as long as your account exists. When you delete your account, every row tied to your user_id is dropped from the database (via Postgres ON DELETE CASCADE). We don't keep "soft-deleted" copies.

Children

Duudi isn't intended for users under 16. Please don't sign up if you're younger than that.

Changes

If we change how we handle data, we'll update this page and the "Last updated" date. For material changes we'll surface a notice the next time you sign in.

Contact

Questions? hello@duudi.app. A real human will reply.
