We keep rooms private
Your room is for you and the partner you invite.
We use data to run Duoloft, keep it safe, prepare future billing, and help you. Details are below.
Enough to run Duoloft, keep it safe, and help you.
We use trusted providers for hosting, email, analytics, and future billing.
Ask us to access, correct, export, delete, or opt out.
Duoloft (“Duoloft,” “we,” “us,” or “our”) operates the Duoloft service at duoloft.com and any related applications, subdomains, and features (collectively, the “Service”). This Privacy Policy describes how we collect, use, disclose, and safeguard personal information when you visit our website, create an account, share a room with a partner, use early-access features, or otherwise interact with the Service.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. Where required by law, we will ask for your consent before processing certain categories of data or using certain technologies.
This policy applies to personal information processed by Duoloft in connection with the Service. It does not apply to third-party websites, applications, or services that we do not own or control, even when linked from the Service.
For users in the European Economic Area, the United Kingdom, and Switzerland, Duoloft acts as the “controller” of personal information processed through the Service. For users in California, Duoloft is the “business” that determines the purposes and means of processing.
When you create an account we collect identifiers from your sign-in provider (such as email address, name, and the provider user ID), and profile fields you choose to provide, including display name, date of birth, country, gender, and relationship details used to personalize the Service.
We collect information needed to operate shared rooms: room slugs, invite links, partner connections, room customizations, and content you and your partner create inside a room — such as prompts, gifts, drawings, photos, songs, pet activity, and other interactive elements. Content created jointly with a partner is, by design, accessible to that partner.
When you contact support, submit feedback, reply to an email, or otherwise communicate with us, we collect the contents of those communications and associated metadata.
Duoloft does not currently offer paid subscriptions in this launch build. If paid billing is introduced later, payments may be processed through Stripe on the web and through the Apple App Store or Google Play in native mobile apps, with RevenueCat helping us verify mobile subscription status. Payment providers would collect payment card, Apple ID, Google Play, or other payment instrument details directly. We would receive limited identifiers and subscription details such as customer or transaction IDs, billing country, subscription status, plan, renewal dates, and invoice or purchase history. We do not store full payment card numbers on our servers.
We automatically collect technical information when you use the Service, including IP address, approximate location derived from IP, browser type and version, operating system, device type and identifiers, language preference, referring and exit pages, timestamps, performance metrics (such as Web Vitals), and actions taken in the Service.
When you arrive from a marketing channel, we may collect attribution data such as UTM parameters, referrer URL, and ad-click identifiers passed by the originating platform, so we can understand which campaigns are effective.
If you choose to connect an optional third-party integration (for example, Spotify), we will receive the data you authorize that provider to share with us. You can disconnect those integrations at any time from your account settings.
We do not request government-issued ID, biometric identifiers, precise GPS location, contact lists, or health data. If you voluntarily place such information into free-form fields or uploads, it will be stored as content under your account.
We use personal information for the following purposes:
We do not use personal information to make decisions that produce legal or similarly significant effects about you without human involvement (see Automated decision-making).
If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process personal information on one or more of the following legal bases under the GDPR / UK GDPR:
The following categories of providers receive personal information to help us run the Service. This list may change as the Service evolves; the categories below describe the function, not an exhaustive snapshot of any given day.
We require providers to use personal information only for the purposes for which we engaged them and to apply appropriate technical and organizational security measures.
We use a session-replay technology (rrweb, delivered through PostHog) to record interactions such as page navigations, clicks, scrolls, and viewport changes within the Service. This helps us reproduce bugs and improve usability. We configure session replay to mask text inputs by default and to avoid capturing payment fields, and we do not intentionally record payment details or full passwords. Replay data is retained for a limited period and used solely for product debugging and improvement. Where consent is required by local law, replay is activated only after consent is given.
We run marketing campaigns on platforms such as Google and Reddit. To measure whether those campaigns drive sign-ups and future subscriptions, we share limited information — such as hashed identifiers, event identifiers, conversion values, and technical metadata — with those platforms. Under some U.S. state laws (including California’s CPRA), this kind of cross-context advertising activity is treated as “sharing” even where no money changes hands.
You can opt out of cross-context advertising and sharing for targeted advertising as described in California (CCPA/CPRA) and Other U.S. states. We also honor recognized opt-out signals such as the Global Privacy Control (GPC) when transmitted by your browser.
Duoloft is operated from the United States, and our service providers may process personal information in the United States and other countries. When we transfer personal information from the EEA, the UK, or Switzerland to a country that has not been found to provide an adequate level of protection, we rely on appropriate safeguards, including the European Commission’s Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum and the Swiss equivalent. You may contact us to request more information about these safeguards.
We keep personal information only as long as needed for the purposes described in this policy. Typical retention periods:
When information is no longer needed, we delete or aggregate it so it can no longer be associated with you.
We use administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit, access controls, infrastructure provided by security-certified vendors, and continuous monitoring. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your sign-in credentials secure and notifying us promptly if you suspect unauthorized access to your account.
Subject to applicable law, you may:
To exercise any of these rights, email hello@duoloft.com from the address associated with your account, or use in-app controls where available. We will respond within the time required by applicable law. We may need to verify your identity before fulfilling certain requests. We will not discriminate against you for exercising your privacy rights.
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”), provides you with the following rights:
Sale of personal information. We do not sell personal information for money. We do engage in “sharing” as defined by the CCPA when we use advertising and measurement partners that may process identifiers and interaction data for cross-context behavioral advertising. You can opt out of this sharing by emailing hello@duoloft.com with the subject line “Do Not Sell or Share,” or by sending a Global Privacy Control (GPC) signal from your browser, which we honor.
Categories collected. In the last 12 months we have collected the following CCPA categories of personal information: identifiers; customer records; commercial information (future subscription/purchase history if paid billing is enabled); internet or other network activity; geolocation (approximate, from IP); inferences drawn from the foregoing; and limited sensitive personal information that you choose to provide (such as date of birth). We obtain these categories from the sources listed in Sources of information and disclose them for the business purposes listed in How we use information.
Authorized agents. You may designate an authorized agent to submit CCPA requests on your behalf. We will require written authorization and may require you to verify your identity directly.
Shine the Light. California Civil Code § 1798.83 permits California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their own direct marketing purposes.
In addition to the rights described in Your rights, individuals in the EEA, UK, and Switzerland have the right to lodge a complaint with the data protection authority where they live or work, or where they believe an infringement has occurred. We encourage you to contact us first so we can address your concerns. We do not currently have an EU or UK representative under Article 27 GDPR given our scale; we will appoint one when required.
If you are a resident of a U.S. state that has enacted a comprehensive consumer privacy law (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Hampshire, New Jersey, Maryland, Minnesota, Rhode Island, or Kentucky), you may have rights to access, correct, delete, obtain a portable copy of, and opt out of certain processing of your personal information, including targeted advertising and the sale of personal data. Nevada residents may submit a request that we not sell certain personal information under SB 220. You can exercise these rights by emailing hello@duoloft.com. If we deny your request, you may appeal by replying to our response with the word “Appeal.”
The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. Where local law sets a higher age of digital consent (for example, 16 in some EEA member states), the Service is correspondingly not directed to those under that age without verified parental consent. If you believe a child has provided personal information to us, please contact hello@duoloft.com and we will take steps to delete it.
We do not use personal information to make decisions based solely on automated processing that produce legal or similarly significant effects about you. We may use automated systems for fraud and abuse detection, but human review is available where an account-level action is taken.
We do not respond to legacy “Do Not Track” browser signals, because no common interpretation has been finalized. We do honor the Global Privacy Control (GPC) as a valid request to opt out of the sale or sharing of personal information under the CCPA and equivalent state laws.
The Service may contain links to third-party websites, integrations, or media (for example, Spotify embeds). Their privacy practices are governed by their own policies. We are not responsible for the content or practices of third parties.
We may update this policy from time to time. If we make material changes, we will notify you by updating the “effective” date at the top of this page and, where required by law, by providing additional notice (for example, by email or an in-app notice). Your continued use of the Service after an update constitutes acceptance of the revised policy.
Questions, requests, or complaints about this policy or our privacy practices can be sent to:
If you contact us about a privacy right or request, please tell us which jurisdiction’s law you are exercising rights under so we can route the request correctly.
This policy describes our current practices and is provided in good faith. It is not a substitute for legal advice. Before any broad public launch or material change to data processing, we recommend reviewing this policy with qualified counsel against your company structure, jurisdictions, and subscription flow.
You can delete your account from in-app settings, unsubscribe from marketing email, request a copy or correction of your data, or opt out of sharing for cross-context advertising by contacting us. We honor recognized opt-out signals such as Global Privacy Control.
Privacy requests → hello@duoloft.com