Privacy Policy

Last updated: January 31, 2026

Controller (Provider): [LEGAL NAME / BUSINESS NAME], Norway

Contact: [PRIVACY EMAIL]

1. Scope

This Privacy Policy explains how we process personal data when you use Dashduck, create an account, upload content, subscribe, or visit our website.

2. Roles (B2B vs B2C)

Business Customers: For personal data contained in uploaded spreadsheets and dashboards, you are typically the Controller, and Dashduck acts as your Processor under the DPA.

Consumers / individual users: Dashduck is typically the Controller for account and service delivery data.

3. Personal data we process

Account and access

  • email address
  • login events (timestamps)
  • team membership/invites

Customer Content

  • uploaded Excel/CSV files
  • extracted datasets derived from files
  • generated dashboards and settings (including public sharing status)

Billing

  • subscription status, invoices, transaction identifiers
  • payment is handled by Stripe; we typically do not store full card details.

Operational logs

  • service logs and diagnostics (may include IP addresses if enabled)
  • security-related logs

Cookies and analytics (if enabled)

  • necessary cookies for sessions/authentication
  • analytics cookies (e.g., GA4)
  • marketing cookies (if you enable ads/retargeting)

4. Purposes and legal bases

We process personal data to:

  • Provide the Service (contract performance)
  • Manage subscriptions and payments (contract; legal obligation for accounting)
  • Secure and maintain the Service (legitimate interests)
  • Improve the Service (legitimate interests; and/or consent for certain analytics depending on your setup)
  • Marketing communications and ads (consent where required)

5. Sharing and processors/sub-processors

We use service providers to operate the Service, such as:

  • Railway (infrastructure/database)
  • Vercel (frontend hosting)
  • Supabase (file storage, if used)
  • Clerk (authentication)
  • Stripe (payments)

We may add providers (email delivery, analytics, error monitoring). We will update this policy accordingly.

6. International transfers

Some providers may process data outside the EEA. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) provided through our agreements with those providers.

7. Data retention

We retain Customer Content while your account is active.

If you delete a dashboard, we delete the associated original file and extracted data within 24 hours (or after a 30-day recovery window if enabled).

After cancellation, we retain Customer Content for 30 days, then delete it.

Backups (when enabled) may retain data for up to 90 days on rotation.

8. Security

We use TLS encryption in transit. We apply access controls and take reasonable measures to protect data. (See our Security page for more detail.)

9. Your rights

Depending on your location, you may have rights to access, correct, delete, restrict, object, and portability. To exercise rights, contact us at [PRIVACY EMAIL]. You may also lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet).