Skip to content
    Duffle

    Privacy Policy

    Last updated: March 30, 2026

    Privacy at a Glance

    Do we sell your data?No, never.
    Is your data used to train AI models?No.
    Do we store biometric data?No — processed on your device only.
    Are sensitive fields encrypted?Yes — passports, travel IDs, and more.
    Can you delete your account?Yes, at any time.
    Are lifestyle and travel fields required?No — entirely optional.
    ComplianceGDPR, CCPA/CPRA, COPPA, SOC 2 Type II

    1. Introduction

    Duffle Inc. ("Duffle," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our services.

    We comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable data protection laws.

    2. Information We Collect

    Personal Information You Provide

    We collect personal information that you voluntarily provide when you register for an account, use our services, or contact us. The categories of personal information we have collected in the preceding 12 months include:

    • Identifiers: Name, email address, phone number, date of birth, gender, profile image
    • Professional information: Job title, department, organization, commission rates, representation agreements
    • Contact and address data: Shipping addresses, home address, hometown, current location
    • Financial information: Payment methods (processed by Stripe), contract values, transaction records
    • Athletic and physical data (optional): Sport affiliation, team, height, weight, body measurements, clothing and shoe sizes — provided at your discretion to support talent management workflows
    • Lifestyle and preferences (optional): Dietary restrictions, food allergies, travel preferences, car preferences, style notes — populated by you or your representative for convenience in travel and event coordination
    • Travel and identification documents (optional): Passport number, TSA PreCheck number, Global Entry number, frequent flyer numbers, hotel loyalty memberships — provided only when needed for travel booking and stored with field-level encryption
    • Family and inner circle: Names, relationships, birthdays, contact information, and preferences for family members and close contacts that you choose to provide
    • Social media handles: Instagram, Twitter/X, LinkedIn, Facebook, TikTok, YouTube, Snapchat, personal website
    • Calendar data: Event details, availability, and attendee information when you connect Google Calendar, Microsoft Outlook, or Apple Calendar
    • Documents and files: Contracts, legal documents, profile images, and other files you upload
    • Representative contacts: Agent, manager, publicist, assistant, and other representative contact details
    • Communications: Messages, notes, and other content you create within the platform

    Sensitive Personal Information

    We collect and process certain categories of sensitive personal information as defined under CCPA/CPRA. These include:

    • Government-issued identification: Passport numbers, TSA PreCheck numbers, and Global Entry numbers — encrypted at rest
    • Biometric information: Fingerprint and facial recognition data used for authentication on mobile devices. This data is processed entirely by your device's operating system. Duffle never receives, transmits, or stores the actual fingerprint or facial geometry data — we only receive a pass/fail authentication result from your device.
    • Precise geolocation: Latitude and longitude coordinates derived from addresses, hometowns, and venue locations you provide. We do not track your real-time location through your device
    • Health-related information: Dietary restrictions, food allergies, and physical measurements that you choose to provide
    • Financial account information: Payment data processed through Stripe (we do not store full credit card numbers)

    We use sensitive personal information only as necessary to provide our talent management services and not for the purpose of inferring characteristics about you. You have the right to limit our use of your sensitive personal information — see Section 9 (Your Rights) for details.

    Automatically Collected Information

    When you use our website or mobile application, we may automatically collect:

    • Device type, operating system, and browser information
    • IP address and approximate location
    • Pages visited, features used, and time spent
    • Referring website or source
    • Push notification tokens (mobile app)
    • App version and performance data
    • Error and crash reports

    3. How We Use Your Information

    We use the information we collect for the following purposes and legal bases:

    • To provide our services (contractual necessity) — managing talent profiles, contracts, calendars, and communications
    • To process transactions (contractual necessity) — handling payments, invoicing, and financial reporting
    • To authenticate users (contractual necessity) — account login, session management, and biometric unlock
    • To send communications (legitimate interest / consent) — service updates, onboarding emails, and push notifications
    • To improve our services (legitimate interest) — analyzing usage patterns, fixing bugs, and optimizing performance
    • To process documents with AI (contractual necessity) — extracting and analyzing contract information using automated processing (see Section 6)
    • To ensure security (legitimate interest) — detecting threats, preventing fraud, and maintaining audit logs
    • To comply with legal obligations (legal obligation) — responding to lawful requests and meeting regulatory requirements

    4. Cookies and Tracking Technologies

    We use cookies and similar tracking technologies to collect information about your browsing activities. You can control cookies through your browser settings and our cookie consent banner.

    We use analytics services including Amplitude to understand how visitors interact with our website and mobile app. These services collect usage data, device information, and user identifiers. Analytics only activate after you provide consent through our cookie banner on the website.

    You can opt out of analytics tracking at any time by declining cookies or clearing your browser cookies.

    5. Third-Party Service Providers

    We use trusted third-party services to operate our platform. These providers process data on our behalf and are contractually obligated to protect your information:

    Authentication

    We use Auth0 (an Okta company) to securely manage user authentication. When you sign in, Auth0 processes your email address and authentication credentials. Auth0 is SOC 2 Type II certified and complies with GDPR. For more information, see Auth0's Privacy Policy.

    Payment Processing

    We use Stripe to process payments. When you make a payment, Stripe receives your payment card information directly — we never store full credit card numbers on our servers. Stripe is PCI DSS Level 1 certified. For more information, see Stripe's Privacy Policy.

    Email Communications

    We use SendGrid (a Twilio company) to deliver transactional and service emails. When we send you an email, SendGrid processes your email address and name. For more information, see Twilio's Privacy Policy.

    Cloud Infrastructure and Storage

    We use industry-leading cloud infrastructure providers for application hosting, file storage, address geocoding, and data processing. Our providers maintain SOC 2, ISO 27001, and other industry certifications.

    Push Notifications

    Our mobile app uses a push notification delivery service to send you alerts. When you enable push notifications, a device token is generated and stored to route notifications to your device. You can disable push notifications at any time through your device settings.

    Calendar Integrations

    You may optionally connect your Google Calendar, Microsoft Outlook/Office 365, or Apple Calendar account via OAuth. When connected, we sync calendar events, availability, and attendee information. We store OAuth tokens securely to maintain the connection. You can disconnect your calendar at any time, which revokes our access and removes stored tokens.

    Error Monitoring and Performance

    We use Sentry to monitor application errors and performance issues. When an error occurs, Sentry may collect technical information including device type, operating system, app version, and error details. This helps us identify and fix problems quickly. Sentry does not collect personal content from your account. For more information, see Sentry's Privacy Policy.

    Analytics

    As described in Section 4, we use Amplitude to understand how users interact with our services. This service collects usage data, device information, and user identifiers to help us improve the user experience. For more information, see Amplitude's Privacy Policy.

    6. AI and Automated Processing

    Document Processing

    When you upload contracts or documents, we use automated processing services for optical character recognition (OCR), data extraction, document analysis, and summarization. Document content and any prompts sent to these services are processed in real time and are not retained by the provider for model training or any other purpose. We also generate text embeddings to enable semantic search across your documents.

    AI Assistant Integrations (MCP)

    Duffle supports integration with AI assistants (such as Claude, ChatGPT, Microsoft Copilot, and Google Gemini) through the Model Context Protocol (MCP). When you connect an AI assistant to Duffle, the following applies:

    • Data you share is your choice. AI assistants can only access Duffle data when you explicitly use a Duffle tool (e.g., "search for a client," "add a note"). No data is shared automatically or in the background.
    • Organization-scoped access. All data access is scoped to your organization. You can only view and modify data you have permission to access in the Duffle dashboard.
    • Authentication. AI integrations use OAuth 2.1 with your existing Duffle login credentials. We do not store your AI assistant account credentials.
    • Data sent to AI providers. When you use a Duffle tool through an AI assistant, the tool's response (e.g., client names, contract statuses) is sent to the AI provider to generate a response. We apply field-level filtering to exclude sensitive data such as financial amounts, personal addresses, dates of birth, and internal system identifiers from tool responses. Duffle does not authorize any AI provider to use your data or prompts for model training. Whether the AI provider retains your prompts is governed by your agreement with that provider — see their privacy policies below.
    • Knowledge storage. If you save conversation summaries or notes to Duffle via an AI assistant, this data is stored in Duffle's database (not by the AI provider) and is subject to the same field-level filtering, access controls, and retention policies as all other Duffle data. Sensitive fields are excluded from saved summaries using the same filtering applied to tool responses.
    • Audit logging. All AI tool usage is logged for security and compliance purposes, including the tool used, timestamp, and your user identity. Tool arguments containing potentially sensitive content are truncated in logs.
    • Revoking access. You can disconnect your AI assistant from Duffle at any time through the AI platform's settings. This immediately revokes the integration's access to your Duffle data.

    For more information about how specific AI providers handle data, please refer to their respective privacy policies:

    7. Data Sharing and Disclosure

    We do not sell or share your personal information as those terms are defined under CCPA/CPRA. We have not sold or shared personal information in the preceding 12 months.

    We may disclose your information to:

    • Service providers who assist us in operating our business (as described in Section 5), under written data processing agreements
    • Other users within your organization, as permitted by your organization's access controls and role-based permissions
    • Professional advisors such as lawyers and accountants
    • Law enforcement or government agencies when required by law or to protect our legal rights
    • Other parties in connection with a merger, acquisition, or sale of assets, with prior notice to you

    8. Data Security

    We implement appropriate technical and organizational measures to protect your personal information, including:

    • Encryption of data in transit (TLS) and at rest
    • Field-level encryption for highly sensitive data such as passport numbers, TSA PreCheck numbers, and Global Entry numbers
    • Role-based access controls and multi-tenant data isolation
    • Secure credential storage using hardware-backed keystores on mobile devices
    • Regular security assessments and audits
    • SOC 2 Type II compliance
    • Audit logging for data access and modifications

    9. Your Rights

    Rights Under GDPR

    If you are located in the European Economic Area or United Kingdom, you have the following rights:

    • Access: Request a copy of your personal information
    • Rectification: Request correction of inaccurate information
    • Erasure: Request deletion of your personal information
    • Portability: Request transfer of your data in a machine-readable format
    • Objection: Object to processing based on legitimate interest
    • Restriction: Request limitation of processing
    • Withdraw consent: Where processing is based on consent, withdraw it at any time

    Rights Under CCPA/CPRA

    If you are a California resident, you have the following additional rights:

    • Right to know: Request the categories and specific pieces of personal information we have collected about you in the preceding 12 months, the sources, the business purposes, and the categories of third parties with whom we shared it
    • Right to delete: Request deletion of your personal information, subject to certain exceptions
    • Right to opt out of sale or sharing: We do not sell or share your personal information. If this changes, we will provide a "Do Not Sell or Share My Personal Information" link
    • Right to limit use of sensitive personal information: You may request that we limit our use of your sensitive personal information to what is necessary to provide our services
    • Right to non-discrimination: We will not discriminate against you for exercising your privacy rights
    • Authorized agents: You may designate an authorized agent to submit requests on your behalf. We may require verification of the agent's authority

    To exercise any of these rights, please contact us at support@myduffle.io. We will respond to verified requests within 30 days (GDPR) or 45 days (CCPA/CPRA).

    10. Data Retention

    We retain your personal information for as long as necessary to fulfill the purposes for which it was collected. Specific retention periods include:

    • Active accounts: Data is retained for the duration of your account and your organization's use of our services
    • After account deletion: When you request account deletion, we follow a phased process: your account is deactivated immediately, personal data is anonymized within 30 days, and remaining data is permanently removed during our next scheduled purge cycle
    • Financial and contract records: Retained for up to 7 years after the end of the business relationship to comply with tax and legal obligations
    • Analytics data: Aggregated usage analytics are retained indefinitely; identifiable analytics data is retained for up to 2 years
    • Security and audit logs: Retained for up to 1 year for incident investigation and compliance
    • Backups: Encrypted database backups are retained for up to 30 days and are automatically purged

    When your information is no longer needed, we securely delete or anonymize it using industry-standard methods.

    11. International Data Transfers

    Your information may be transferred to and processed in countries other than your country of residence. We ensure that appropriate safeguards are in place to protect your information in accordance with applicable data protection laws.

    12. Account Deletion

    You can request deletion of your account and personal data at any time by:

    Upon receiving your request, we will verify your identity and process the deletion in accordance with the retention periods described in Section 10. You will receive confirmation when the process is complete. Certain data may be retained as required by law (e.g., financial records for tax compliance).

    13. Children's Privacy and Minor Talent

    Service Not Directed at Children

    Duffle is a business service designed for agents, managers, and authorized representatives. Our platform is not directed at individuals under 18, and users must be at least 18 years old to create an account.

    Representing Minor Talent

    We recognize that talent representatives may use Duffle to manage information about athletes, performers, or other talent under 18 years of age. When you provide information about a minor through our platform:

    Your Responsibilities

    • You must have legal authority to act on behalf of the minor (parent, guardian, or authorized agent with signed representation agreement)
    • You must obtain and maintain verifiable parental or guardian consent before providing any personal information about the minor
    • You certify that you have all necessary permissions to share the minor's information with Duffle
    • You are responsible for ensuring the minor's privacy rights under applicable laws (including COPPA, GDPR, and state privacy laws)
    • You may be required to upload or provide parental consent documentation when adding a minor talent profile. Duffle may restrict access to minor profiles until consent documentation has been verified

    How We Protect Minor Information

    • Data Minimization: We collect only information necessary for talent management services
    • Enhanced Security: Minor data receives additional security protections and access controls
    • No Targeted Advertising: We never use minor information for behavioral advertising or marketing
    • Limited Retention: Minor data is retained only as long as necessary for the representation relationship
    • Consent Verification: We require proof of parental or guardian consent before minor talent data can be fully accessed or processed. Representatives may be asked to upload consent documentation directly within the platform

    Parental Rights

    Parents and legal guardians have enhanced rights regarding their child's information, including the right to:

    • Review what information has been collected about their child
    • Request correction of inaccurate information
    • Request deletion of their child's personal information
    • Refuse further collection or use of their child's information
    • Revoke consent at any time (which may affect services provided to the minor)

    To exercise these rights or if you believe we have collected information about a minor without proper authorization, please contact us immediately at support@myduffle.io with the subject line "Minor Privacy Request."

    Compliance

    We comply with the Children's Online Privacy Protection Act (COPPA), GDPR Article 8 (parental consent for children's data), California's Age-Appropriate Design Code, and other applicable children's privacy laws. We require documentation of consent and legal authority as part of our minor talent onboarding process, and may request updated documentation at any time.

    14. Changes to This Policy

    We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page, updating the "Last updated" date, and sending a notification to the email address associated with your account for significant changes.

    15. Contact Us

    If you have any questions about this Privacy Policy or our data practices, please contact us at:

    Duffle Inc.
    Email: support@myduffle.io