Dueit Privacy Policy
Last updated: January 17, 2025
Summary (not a substitute for the full
policy): Dueit is a social productivity and habit-tracking app operated by Tfozo
Inc. for global use. We collect account identifiers, profile details, dueit membership, and
user-generated content (events, memos, habits), along with device and analytics data to operate the service.
We use Google Firebase as our core infrastructure, Google Vertex AI for our AI-powered import features, and
Google Mobile Ads to support the free version of our app. We do not sell your personal
information.
1) Who we are and scope
Controller: Tfozo Inc. (“Tfozo”, “we”, “our”, “us”) operates the Dueit mobile and web applications
(“Dueit” or the “Service”).
- Apps & platforms:
Android, iOS, and web (web version coming soon).
- Audience & territory:
Available worldwide. Some rights and disclosures vary by where you live (see §13).
Contact details appear in §16. By using the
Service, you agree that your personal information will be handled as described in this Privacy Policy.
2) Personal information we collect
We collect the categories of information below.
Some data is required to create an account or use core features; other data is optional or depends on the
features you use.
A. Account & identifiers
- Firebase UID (required); email; email
verification status.
- Third‑party sign‑in identifiers/tokens
(Google, Apple) via Firebase Authentication.
B. Profile
- First and last name.
- Phone number with country code. (Optional)
- Gender (Male/Female/Other).
- Age.
- Optional: bio, profile photo URL.
- Subscription status (e.g.,
Grace Member).
C. Dueit membership & content (user‑generated content)
- Dueits you create or join (IDs, roles, admin
flags); slug handle; privacy setting (public/private); join codes (code, expiry, active state).
- Member records (name, admin flag, timestamps,
per‑dueit notification settings, optional FCM token).
- Memos (Announcements):
message, type, images, timestamps, creator, likes, and replies.
- Dues (Events): title,
description, images, start/end time, duration, recurrence, category, weight, and location.
- Moderation: per‑post reports
(reason keys/text, reporter UID) and aggregated moderation records.
- Bookmarks: saved posts per
user.
D. Habits & logs (personal)
- Habit configuration (name; tracking type
task/amount/time; targets; schedule; archived/includeInStats; streaks; lastCompletionDate; recentBitmap).
- Habit logs by date (logged amounts/seconds;
pause state; timer metadata).
E. User-Uploaded Content for AI Processing
- Content: Files you provide
for the “Import Dues” feature, such as images, PDFs, or text files (e.g., course outlines, event posters).
- Purpose: This content is sent
to our servers for AI-based analysis (via Google Vertex AI) to extract schedule information and
automatically create events in your app.
- Retention: Immediate
Deletion. We do not store these files. Once the AI extraction is complete and the data is
returned to your device, the uploaded file is immediately and permanently deleted from our processing memory
and temporary storage. We do not use this content to train AI models.
F. Device & telemetry
- Identifiers &
Connectivity: FCM push token(s); timezone; app links for deep linking.
- Local Storage: We use local
storage (e.g., SharedPreferences) for essential app functions such as “remember-me” authentication, last
reminder resync, and saved timezone settings.
- Service Logs: Notification
delivery logs (success/fail) and Cloud Functions execution logs used for troubleshooting and system health.
- Analytics:
  - Firebase Analytics: Standard events (where enabled) to track app performance and stability.
  - PostHog Analytics: We use PostHog to collect data on user interactions (e.g., button clicks, feature
    usage). This data is used exclusively in-house by Tfozo Inc. to improve the user experience and
    interface. We do not share this behavioral data with third-party advertisers.
G. Purchase Information
- Transaction Processing:
Subscriptions and purchase history are managed through RevenueCat, linked to your anonymized user ID. We do
not directly see or store your payment card details; all financial transactions are handled securely by the
Apple App Store or Google Play Store.
- Refund Policy:
  - App Store (iOS): Apple manages all refund requests directly. To request a refund, please visit
    reportaproblem.apple.com.
  - Google Play (Android): Refunds are handled according to Google Play’s policies. You can request a
    refund through the Google Play website within 48 hours of purchase. For requests after 48 hours,
    please contact us at support@dueit.app.
- Cancellations: You may cancel
your subscription at any time through your device’s subscription management settings. Upon cancellation, you
will retain access to premium features until the end of your current billing period.
3) Sources of information
We collect personal information from the following
sources:
- Directly from You:
Information you provide when you create an account, complete your profile, or upload files (images, PDFs,
text) for AI processing.
- Automatically from Your
Device: We collect technical data through your use of the Service, including device identifiers
(FCM tokens), timezone settings, and app interaction logs.
- Service Providers:
  - Google Firebase: Provides authentication status, database records, and crash reports.
  - PostHog: Provides in-house behavioral analytics about how you interact with app features.
  - RevenueCat: Provides subscription status and entitlement data.
- Third-Party Platforms: We
receive confirmation of successful purchases and subscription renewals from the Apple App
Store and Google Play Store.
4) How we use your information
We use your information to:
- Provide and maintain the
Service: Including authentication, user profiles, managing “dueits,” memos, dues, moderation,
habit tracking, bookmarks, and deep links.
- Process Subscriptions:
Managing your subscription status (e.g., “Grace Member”) and ensuring access to premium features via
RevenueCat.
- AI Feature Processing:
Analyzing files you upload (e.g., syllabi, posters) using Google Vertex AI to automatically extract and
create dues in your calendar. As noted in Section 2(E), these files are processed ephemerally and deleted
immediately after extraction.
- Communicate with you: Sending
push notifications for dueit updates, local notifications for reminders/timers, and essential account emails
(e.g., verification and service updates).
- Safety and moderation:
Receiving and processing reports, allowing admins to review and remove content, and maintaining moderation
and audit logs to keep the community safe.
- Advertising: Showing relevant
advertisements through partners (e.g., Google AdMob) to support the free version of the Service.
- Security and abuse
prevention: Utilizing Firebase App Check, token management, rate limiting, and threat detection
to protect your account and our infrastructure.
- Improvement and Analytics:
Using aggregated usage metrics and diagnostics to understand feature performance. This includes the use of
PostHog to analyze in-app interactions for the purpose of improving the user interface and overall
experience.
We may de‑identify or aggregate information for
analytics and measurement purposes.
5) Legal bases (EEA/UK and similar jurisdictions)
Where applicable, we process personal data on
these bases:
- Contract: To provide the
Service you request, including managing your account, “dueits,” notifications, habit tracking, and
processing your “Grace Member” subscription via RevenueCat.
- Legitimate Interests: To
secure and improve Dueit; prevent abuse and fraud; moderate community content; serve advertisements to
support the free version of the Service; and perform internal analytics via PostHog to improve our user
interface. We balance these interests against your individual privacy rights.
- Consent: For optional
features, certain marketing communications, and the use of non-essential analytics where required by local
law.
- Legal Obligation: To comply
with applicable laws, respond to valid legal requests, and enforce our Terms of Service.
- Vital Interests: In rare
cases where we reasonably believe processing is necessary to prevent serious harm or protect a user’s life.
6) Authentication, cookies & local storage
- Firebase Authentication: We
use Firebase Authentication to secure your account. You can sign in using email/password, Google, or Apple.
To ensure account security, email verification is enforced for all email-based accounts.
- Web Storage: On the web
version of Dueit, we use essential cookies and local storage to maintain your active session (authentication
tokens) and remember your basic preferences.
- Mobile Local Storage: Our mobile applications use local storage (such as SharedPreferences on Android
and NSUserDefaults on iOS) to store:
  - Authentication: To keep you signed in between sessions.
  - App Settings: Your theme preferences, notification toggles, and timezone.
  - Functionality: Caching for “dueits” and reminders to ensure the app remains responsive and works
    offline where possible.
- Analytics Storage: PostHog
and Firebase Analytics may use persistent identifiers to help us understand app performance and usage
patterns as described in Section 2(F).
7) Sharing and disclosures
We share personal information only as described
below. We do not sell your personal information.
- Within Dueits: Content such
as memos and dues, along with your profile name, are visible to other members of a “dueit” based on that
group’s specific privacy settings and your assigned role.
- Service Providers
(Processors): We use trusted third-party vendors to perform essential services. These providers
are contractually obligated to protect your data and only use it for the tasks we assign them:
- Google Firebase:
Hosts our backend infrastructure, including Auth, Firestore, and Cloud Functions.
- Google Vertex AI:
Processes uploaded files for the “Import Dues” feature. As noted in Section 2(E), these files are
deleted immediately after processing and are not used to train AI models.
- RevenueCat: Manages
your subscription status and processes digital receipts.
- PostHog: Processes
behavioral data to help us understand how you use the app. This is for our internal product
improvement only.
- Advertising Partners: We
use Google AdMob to serve ads in the free version of Dueit. These partners may collect
device identifiers (like your IDFA or Android Ad ID) and location data to show personalized ads. You can
opt out of this tracking through your device’s system settings.
- Push Delivery:
Firebase Cloud Messaging (FCM) receives device tokens to deliver your reminders and
notifications.
- Legal and Safety: We may
disclose information if required by law (e.g., a subpoena) or if we reasonably believe it is necessary to
protect the safety of our users, the public, or the rights and property of Tfozo Inc.
- Business Transfers: In the
event of a merger, acquisition, or sale of assets involving Tfozo Inc., user data may be transferred as a
business asset. We will notify you of any such change in ownership.
8) International transfers
Dueit is operated from Canada,
but our service providers (Google Firebase and Google Vertex AI) may store and process your personal information
in the United States and other countries.
- Safeguards: When we transfer data outside of Canada or the European Economic Area (EEA), we ensure it
receives a comparable level of protection. This is achieved through:
  - Standard Contractual Clauses (SCCs): We rely on the European Commission’s approved model clauses (and
    the UK Addendum where applicable) to bind our providers to strict data protection standards.
  - Data Residency: Where possible, we configure our services to store data “at-rest” in specific regions
    to minimize cross-border exposure.
- AI Processing: While your
files for AI import may be processed in global data centers, they are processed ephemerally and deleted
immediately, as detailed in Section 2(E).
- Legal Compliance: These
transfers are conducted in compliance with PIPEDA and GDPR requirements to ensure your privacy rights remain
enforceable regardless of where your data is processed.
9) Your choices & controls
- Email Verification: To
maintain the security of your account and the community, email verification is mandatory to access and use
the Service.
- Profile Management: You can
view and update your profile information at any time through the app settings. Certain fields (e.g., name,
gender, age) are required to maintain your eligibility for specific app features.
- Notifications: You have
full control over how you receive updates. You can toggle per-“dueit” push notifications within the app or
manage system-level permissions for pushes and alarms in your device settings.
- Dueits & Membership:
You can request to join private “dueits” or leave any group at any time. Admins retain the right to manage
membership, including banning or unbanning users and assigning roles.
- Moderation Tools: Users can
report content that violates our community standards. Admins have the authority to review and remove
reported posts or dues.
- Analytics Opt-Out: You can
opt out of behavioral tracking by PostHog at any time via the in-app privacy settings. This will stop the
collection of interaction data for that device.
- Advertising Controls: You can opt out of personalized advertising by managing your device’s privacy
settings:
  - iOS: Go to Settings > Privacy & Security > Apple Advertising and toggle off “Personalized Ads”.
  - Android: Go to Settings > Google > Ads and select “Delete advertising ID” or “Opt out of Ads
    Personalization” depending on your OS version.
- Data Access & Deletion:
You have the right to request a copy of the personal information we hold about you or to request its
deletion. You can initiate an account deletion directly within the app, which will remove your profile and
personal data as described in Section 10.
10) Retention
We keep personal information only as long
as necessary to fulfill the purposes outlined in this policy or to comply with legal, tax, or
regulatory requirements.
- Account & Profile:
Retained for as long as your account is active. If you delete your account, we will delete or de-identify
your personal data within 30 days, unless a longer retention period is required by law (e.g., for financial
records related to your “Grace Member” subscription).
- Dueit Content: Memos, dues,
and shared content are retained until you or an authorized admin delete them, or until the “dueit” group
itself is deactivated.
- AI Processing Files: As
detailed in Section 2(E), files uploaded for schedule extraction are deleted immediately
after the AI processing is complete. We do not store these files in our databases.
- Join Codes: Active join
codes are purged from our system once they expire or are used, typically on a rolling 30-day schedule.
- Habit Logs: Your personal
habit data persists until you manually delete the log or close your account.
- Analytics & Logs:
  - PostHog Data: Interaction data is kept for as long as necessary to analyze feature performance,
    typically up to 14 months.
  - Server Logs: System logs used for security and troubleshooting are generally retained for 90 days
    before being purged.
- Backup Data: Residual
copies of your data may persist in our encrypted backups for up to 60 days after deletion as part of our
disaster recovery protocol.
11) Security
At Tfozo Inc., we take the security of your data
seriously and implement a “defense-in-depth” strategy:
- Access Controls &
Authorization: We use Firebase Security Rules to enforce granular, server-side
access control. This ensures that users can only access their own personal data and the specific “dueit”
content they are authorized to see.
- Client Verification: We use
Firebase App Check to verify that requests coming to our backend are from legitimate,
untampered versions of the Dueit app, helping to prevent unauthorized API access and abuse.
- Encryption: All data is
encrypted in transit using industry-standard TLS/SSL protocols and is encrypted at rest within Google’s
secure infrastructure.
- User Responsibility: No
system is 100% secure. We encourage you to use unique passwords and keep your device’s operating system
updated.
- Breach Notification: If we
discover a security incident that affects your personal information, we will notify you and the relevant
authorities as required by law (such as PIPEDA in Canada or the GDPR in Europe).
12) Your privacy rights
Your rights depend on where you live. Subject to
legal limits, you have the following rights regarding your personal information:
- Access & Portability:
You have the right to request a copy of the personal information we hold about you. While we do not
currently offer an automated “Download My Data” tool, you may request a manual export of your data by
contacting us at privacy@dueit.app. We will respond to valid requests
within 30 days.
- Correction: You can view
and edit most of your profile information directly within the app settings.
- Deletion (Right to be
Forgotten): You can initiate the deletion of your account and all associated personal data
directly within the App Settings. Once confirmed, your data will be removed as described in Section 10.
- Withdraw Consent: Where we
rely on your consent (such as for optional analytics), you can withdraw it at any time through the app’s
privacy toggles.
- EEA/UK: You have the right
to lodge a complaint with your local data protection authority.
- California (CCPA/CPRA):
While we do not “sell” personal information, our use of advertising partners (AdMob) may be considered
“sharing” under California law. You can opt out of this sharing through your device’s “Limit Ad Tracking”
settings.
To exercise these rights, please contact us via
email. For your protection, we may require you to verify your identity (e.g., by sending the request from the
verified email associated with your account) before we fulfill the request.
13) Children
Dueit is a general audience service and is
not directed to children under the age of 13. We do not knowingly collect personal information
from children under 13.
- Under 13: If we discover
that we have inadvertently collected personal information from a child under 13 without verifiable parental
consent, we will delete that information immediately as required by the Children’s Online Privacy Protection
Act (COPPA).
- Minors (13–17): In certain jurisdictions (such as California, Texas, and the EEA), additional
protections apply to minors.
  - Age Assurance: In compliance with 2026 app store requirements, we may receive anonymous “age signals”
    from the Apple App Store or Google Play Store to verify your age bracket.
  - Consent for Teens: In the EEA and UK, the age of consent for data processing varies between 13 and 16.
    If you are under the legal age of consent in your country, you must have a parent or guardian’s
    permission to use Dueit.
  - Opt-In for “Sharing”: For users in California under 16, we do not “sell” or “share” your personal
    information for behavioral advertising unless you (or your parent, if you are under 13) provide
    affirmative authorization.
If you believe we have collected data from a
child under 13, please contact us at privacy@dueit.app so we can take
swift action.
14) Changes to this policy
We may update this Privacy Policy from time to
time to reflect changes in our practices, technology, or legal obligations.
- Notice of Updates: When we
make changes, we will update the “Last updated” date at the top of this policy.
- Material Changes: If we
make significant changes to how we handle your personal information (e.g., changing our data selling policy
or adding a major new third-party processor), we will provide a more prominent notice. This may include an
in-app popup notification or an email sent to your registered address.
- Continued Use: Your
continued use of Dueit after an update constitutes your acknowledgment of the revised Privacy Policy.
15) Contact us
Tfozo Inc. is the controller of
your personal information. If you have any questions about this Privacy Policy, your rights, or our data
practices, please contact our Privacy Officer:
- Organization: Tfozo Inc.
- Privacy Officer: Abenezer
Erkalo
- Registered Office: 11
Falchurch Rd NE, Calgary, Alberta T3J 1G6, Canada
- Corporate Registration
Number: 1734544-5
- Privacy Requests: privacy@dueit.app
- General Support: support@dueit.app
For Users in the EEA or UK:
While we are based in Canada, we take the privacy of our European users seriously. If you are located in the
European Economic Area (EEA) or the United Kingdom, you may contact us directly via the email above for any
GDPR-related inquiries. If required by future growth, we will appoint a dedicated regional representative and
update this section accordingly.
16) Region-specific disclosures
A. Canada (PIPEDA)
As a Canadian corporation based in Calgary, Tfozo
Inc. complies with the 10 Fair Information Principles set out in the Personal Information
Protection and Electronic Documents Act (PIPEDA):
- Accountability: We have
designated a Privacy Officer to oversee our compliance.
- Identifying Purposes: We
clearly state why we collect data (e.g., for AI scheduling or habit tracking) at or before the time of
collection.
- Consent: We obtain your
consent for data processing, which you can withdraw at any time.
- Limiting Collection: We
only collect the data necessary for the features you use.
- Individual Access: You have
the right to access and challenge the accuracy of your personal information by contacting us at privacy@dueit.app.
B. United States (State Privacy Laws)
If you are a resident of California,
Virginia, Colorado, Connecticut, Utah, or other states with comprehensive privacy laws (including
new 2026 laws in Indiana and Kentucky), the following applies:
- Notice at Collection: We
collect categories of information including identifiers (email, name), commercial information (subscription
status), and internet/network activity (PostHog interactions).
- “Selling” vs. “Sharing”: We
do not sell your personal information for money. However, our use of Google
AdMob to show ads in the free version of Dueit may be classified as “sharing” for cross-context
behavioral advertising under California law.
- Your Rights: You have the right to:
  - Know/Access what data we have collected about you since January 1, 2022.
  - Delete your personal information.
  - Opt out of the “sharing” of your data for targeted advertising through your device settings (see
    Section 9).
- No Discrimination: We will
not deny you service or provide a different quality of service (aside from showing ads in the free tier) if
you exercise your privacy rights.