Privacy Policy
What we collect, how we use it, who else sees it, and how long we keep it.
Effective date: 6 July 2026
Version: privacy-v1.0-2026-07-06
Controller: Dijin Teknoloji Limited Şirketi, Alsancak Mah. 2136 Cad. Damla Su Apt. No: 32 İç Kapı No: 3, Etimesgut / Ankara, Türkiye (Vergi Kimlik No 2951335557, Etimesgut Vergi Dairesi), trading as DurationX
Privacy contact: support@durationx.com
EU/UK representative or DPO: No DPO or EU/UK representative has been appointed at publication. Privacy requests may be sent to support@durationx.com. This notice will be updated if an appointment becomes legally required.
Section 1
Scope and roles
This Notice describes how DurationX processes personal data when you visit durationx.com, request qualification, purchase or receive an audit, submit project information, use an account, communicate with support, or act on behalf of a business customer.
DurationX generally acts as controller for website, qualification, account, security, support, report delivery, and service-administration data. Where a business customer includes personal data in project material and determines the purposes and means of that processing, DurationX may act as processor under a data processing agreement. Paddle separately acts as merchant of record and an independent controller for buyer/payment processing under Paddle’s own privacy notice and buyer terms.
Section 2
Data we collect
DurationX may process:
- identity and contact data: name, business email, company, role, account identifiers;
- qualification and transaction-reference data: segment, project summary, qualification decision, Paddle customer/transaction identifiers, payment status, currency and amount — DurationX does not need or store full payment-card data;
- project and technical data: project name/site, country, power, duration, use case, CAPEX assumptions, reliability, grid/interconnection, schedule, procurement, evidence and uploaded files;
- generated data: deterministic scores, scenario results, report content, compliance/reconciliation findings, version and provenance records, and signatures;
- authentication and security data: session identifiers, login events, IP address where logged, security/audit records, and rate-limit events;
- communications and service data: support messages, correction/deletion requests, email delivery events, and feedback;
- preferences and consent data: your optional model-learning opt-in and its withdrawal;
- essential browser storage: a Supabase authentication/session cookie and a local intake-wizard step index — see Cookie Notice.
DurationX does not intentionally request special-category/sensitive personal data, government identifiers, health data, credentials, payment-card numbers, or export-controlled material. Please do not submit such data to us.
Section 3
Where data comes from
Data comes from you or your organization, authorised representatives acting for your business, Paddle transaction events, our authentication/security systems, the providers listed in Section 8, and public or licensed benchmark sources. If you submit another person’s information, you are responsible for having the authority to do so and for giving that person any notice required.
Section 4
Purposes and legal bases
| Purpose | Typical data | Proposed legal basis |
|---|---|---|
| Qualification and pre-contract communication | contact, company, project summary | steps requested before contract; legitimate interests for B2B screening |
| Deliver the purchased audit | account, intake, evidence, report | contract; legitimate interests where the customer is a company and data concerns its representative |
| Payment / tax reconciliation | Paddle transaction reference, amount/status | contract; legal obligation; legitimate interests |
| Authentication and security | session, IP/security logs, audit trail | legitimate interests; legal obligation where applicable |
| Human QC, correction and support | report, compliance findings, communications | contract; legitimate interests in quality and dispute handling |
| Transactional email | address, service event, minimal project/report metadata | contract; legitimate interests; legal obligation where applicable |
| Optional minimized product learning | explicit opt-in and derived minimized features | consent, separately obtained and withdrawable |
| Legal claims, audit and compliance | relevant records | legal obligation; legitimate interests in establishing, exercising, or defending claims |
We do not rely on consent where service delivery is actually conditional on processing, and we do not bundle the optional learning opt-in into acceptance of our Terms of Service.
Section 5
AI-assisted processing and human involvement
DurationX sends a minimized deterministic result payload and draft report text to Anthropic’s commercial API to assist explanatory narrative drafting and compliance review. Raw identifiers and other unnecessary personal data are removed before transmission wherever possible. Anthropic states that standard commercial API inputs/outputs are normally deleted within 30 days, subject to safety, legal, or separately agreed retention, and are not used to train generative models unless the commercial customer explicitly opts in.
No solely automated decision producing legal or similarly significant effects is made about an individual. Numeric scoring concerns a project assumption set, not a person; a human reviewer controls report release before it reaches you. You and your advisers make all decisions about your project.
Section 6
Recipients and provider roles
The table below lists every provider category that touches your data and its role. This list does not itself enumerate every subprocessor those providers use; subprocessor lists are incorporated by reference from each provider’s own disclosures.
| Provider | Function | Role / location |
|---|---|---|
| Supabase | Database, authentication, private report storage, backups | Processor; primary region configured in the EU; subprocessors/transfer terms per executed DPA |
| Vercel | Website hosting, API execution, delivery/security logs | Processor for customer data; processing/subprocessors may be international under DPA |
| Hetzner | Analysis worker infrastructure | Processor; EU data-centre location; DPA on file |
| Anthropic | AI-assisted narrative drafting and compliance review (see Section 5) | Processor for commercial API content under commercial terms/DPA; standard retention and transfer terms disclosed |
| Resend | Transactional email and delivery events | Processor; email address/content/metadata and optional tracking data; DPA/SCCs/subprocessors disclosed |
| Paddle | Merchant of record — payment, tax, refund, fraud checks | Independent controller / authorised reseller; DurationX and Paddle share limited transaction data |
| Professional advisers / authorities | Legal, audit, security, insurance, lawful requests | Recipient only where necessary and subject to duties/law |
Section 7
International transfers
Primary project storage and worker hosting are configured in the EU, but the providers listed above — and their own subprocessors — may process data in the United States and other countries. This means not all data processing occurs in the EU: where a restricted transfer occurs from the EU/EEA/UK, DurationX relies on applicable adequacy decisions, the European Commission Standard Contractual Clauses, the UK International Data Transfer Agreement/Addendum, and supplementary measures documented in each provider’s data processing agreement or transfer assessment.
You may request information about the specific safeguards that apply to your data from support@durationx.com.
Section 8
How long we keep your data
| Data | Retention |
|---|---|
| Qualification records | 24 months, unless a dispute or security hold requires longer |
| Paid audit inputs, uploaded evidence, scores, and report metadata | 24 months after delivery, or earlier on a verified deletion request subject to legal holds |
| Report files (delivered PDF, private storage) | retained while your account is active; deleted after 24 months of inactivity, but never before 12 months from delivery, with prior notice |
| Paddle/Resend webhook payloads and email delivery events | 12 months (DurationX side); Paddle and Resend independently retain their own records under their own terms |
| Security/audit logs | 12–24 months, depending on event category |
| Opt-in learning features | until opt-in withdrawal, purpose expiry, or account deletion — whichever is first |
| Deletion-request audit records | 24 months after completion, minimized to what is necessary |
| Backups | Encrypted rolling backups, where enabled, expire under the configured provider lifecycle; deletion is reapplied following restoration. |
DurationX may retain narrowly required records for tax, fraud prevention, security, disputes, or legal obligations beyond these figures. A legal hold suspends deletion only for the affected records and is documented when applied.
Section 9
Security
DurationX uses access controls, row-level authorization, encryption in transit, private storage, short-lived signed download links, multi-factor authentication for administrators, credential separation, logging, backups, and integrity/signature checks. Report access requires authentication or a short-lived signed download link — a bare link never exposes a report that is not yours.
No system is guaranteed secure. Security incidents are handled under a written response plan, including any legally required controller/processor, regulator, and data-subject notifications.
Section 10
Your rights
Depending on your location and applicable law, you may request access, correction, deletion, restriction, portability, objection, or withdrawal of consent, and you may complain to a supervisory authority. Send requests to support@durationx.com. We verify identity before acting on a request and normally respond within the legally applicable period. Where DurationX acts as processor for a business customer, we refer your request to the relevant customer/controller.
The competent supervisory authority for a complaint is Türkiye’s Kişisel Verilerin Korunması Kurumu (KVKK — the Turkish Data Protection Authority), or, where applicable, the competent data-protection supervisory authority in your own country of residence.
Section 11
Deletion
You can request deletion of your account and project data at any time from your account page or by emailing support@durationx.com. Deletion removes or redacts your active customer, project, intake, and report data and uploaded files, queues deletion with our providers where available, and removes any optional derived learning features tied to you. We preserve only what we are legally required to keep — for example, payment records our merchant of record must retain for tax purposes — plus a minimized record that the deletion happened. We complete deletion requests within 30 days and confirm completion by email, identifying any material exceptions and backup-expiry timing rather than stating that all data is instantly gone.
Section 12
Cookies and browser storage
At launch, DurationX uses only strictly necessary authentication/session cookies and a non-sensitive local intake-wizard step index — no analytics, advertising, fingerprinting, or tracking technologies are enabled. See our Cookie Notice for the full inventory and posture.
Section 13
Business users and minors
DurationX is a business-to-business service and is not directed to children. Individuals using it must be at least 18 years old and authorised to act for a business. If we learn we collected a child’s data outside a lawful business context, we will delete it.
Section 14
Changes and contact
We publish the effective date and version at the top of this page. Material changes receive reasonable advance notice where required and do not retroactively authorize a new purpose for data we already hold. Contact support@durationx.com; postal address Alsancak Mah. 2136 Cad. Damla Su Apt. No: 32 İç Kapı No: 3, Etimesgut / Ankara, Türkiye; representative/DPO — none appointed at publication (see above); supervisory authority Türkiye KVKK, or the competent authority in your country of residence.