Privacy Policy

What we collect, how we use it, who else sees it, and how long we keep it.

Effective date: 6 July 2026

Version: privacy-v1.0-2026-07-06

Controller: Dijin Teknoloji Limited Şirketi, Alsancak Mah. 2136 Cad. Damla Su Apt. No: 32 İç Kapı No: 3, Etimesgut / Ankara, Türkiye (Vergi Kimlik No 2951335557, Etimesgut Vergi Dairesi), trading as DurationX

Privacy contact: support@durationx.com

EU/UK representative or DPO: No DPO or EU/UK representative has been appointed at publication. Privacy requests may be sent to support@durationx.com. This notice will be updated if an appointment becomes legally required.

Section 1

Scope and roles

This Notice describes how DurationX processes personal data when you visit durationx.com, request qualification, purchase or receive an audit, submit project information, use an account, communicate with support, or act on behalf of a business customer.

DurationX generally acts as controller for website, qualification, account, security, support, report delivery, and service-administration data. Where a business customer includes personal data in project material and determines the purposes and means of that processing, DurationX may act as processor under a data processing agreement. Paddle separately acts as merchant of record and an independent controller for buyer/payment processing under Paddle’s own privacy notice and buyer terms.

Section 2

Data we collect

DurationX may process:

  • identity and contact data: name, business email, company, role, account identifiers;
  • qualification and transaction-reference data: segment, project summary, qualification decision, Paddle customer/transaction identifiers, payment status, currency and amount — DurationX does not need or store full payment-card data;
  • project and technical data: project name/site, country, power, duration, use case, CAPEX assumptions, reliability, grid/interconnection, schedule, procurement, evidence and uploaded files;
  • generated data: deterministic scores, scenario results, report content, compliance/reconciliation findings, version and provenance records, and signatures;
  • authentication and security data: session identifiers, login events, IP address where logged, security/audit records, and rate-limit events;
  • communications and service data: support messages, correction/deletion requests, email delivery events, and feedback;
  • preferences and consent data: your optional model-learning opt-in and its withdrawal;
  • essential browser storage: a Supabase authentication/session cookie and a local intake-wizard step index — see Cookie Notice.

DurationX does not intentionally request special-category/sensitive personal data, government identifiers, health data, credentials, payment-card numbers, or export-controlled material. Please do not submit such data to us.

Section 3

Where data comes from

Data comes from you or your organization, authorised representatives acting for your business, Paddle transaction events, our authentication/security systems, the providers listed in Section 8, and public or licensed benchmark sources. If you submit another person’s information, you are responsible for having the authority to do so and for giving that person any notice required.

Section 4

Purposes and legal bases

PurposeTypical dataProposed legal basis
Qualification and pre-contract communicationcontact, company, project summarysteps requested before contract; legitimate interests for B2B screening
Deliver the purchased auditaccount, intake, evidence, reportcontract; legitimate interests where the customer is a company and data concerns its representative
Payment / tax reconciliationPaddle transaction reference, amount/statuscontract; legal obligation; legitimate interests
Authentication and securitysession, IP/security logs, audit traillegitimate interests; legal obligation where applicable
Human QC, correction and supportreport, compliance findings, communicationscontract; legitimate interests in quality and dispute handling
Transactional emailaddress, service event, minimal project/report metadatacontract; legitimate interests; legal obligation where applicable
Optional minimized product learningexplicit opt-in and derived minimized featuresconsent, separately obtained and withdrawable
Legal claims, audit and compliancerelevant recordslegal obligation; legitimate interests in establishing, exercising, or defending claims

We do not rely on consent where service delivery is actually conditional on processing, and we do not bundle the optional learning opt-in into acceptance of our Terms of Service.

Section 5

AI-assisted processing and human involvement

DurationX sends a minimized deterministic result payload and draft report text to Anthropic’s commercial API to assist explanatory narrative drafting and compliance review. Raw identifiers and other unnecessary personal data are removed before transmission wherever possible. Anthropic states that standard commercial API inputs/outputs are normally deleted within 30 days, subject to safety, legal, or separately agreed retention, and are not used to train generative models unless the commercial customer explicitly opts in.

No solely automated decision producing legal or similarly significant effects is made about an individual. Numeric scoring concerns a project assumption set, not a person; a human reviewer controls report release before it reaches you. You and your advisers make all decisions about your project.

Section 6

Recipients and provider roles

The table below lists every provider category that touches your data and its role. This list does not itself enumerate every subprocessor those providers use; subprocessor lists are incorporated by reference from each provider’s own disclosures.

ProviderFunctionRole / location
SupabaseDatabase, authentication, private report storage, backupsProcessor; primary region configured in the EU; subprocessors/transfer terms per executed DPA
VercelWebsite hosting, API execution, delivery/security logsProcessor for customer data; processing/subprocessors may be international under DPA
HetznerAnalysis worker infrastructureProcessor; EU data-centre location; DPA on file
AnthropicAI-assisted narrative drafting and compliance review (see Section 5)Processor for commercial API content under commercial terms/DPA; standard retention and transfer terms disclosed
ResendTransactional email and delivery eventsProcessor; email address/content/metadata and optional tracking data; DPA/SCCs/subprocessors disclosed
PaddleMerchant of record — payment, tax, refund, fraud checksIndependent controller / authorised reseller; DurationX and Paddle share limited transaction data
Professional advisers / authoritiesLegal, audit, security, insurance, lawful requestsRecipient only where necessary and subject to duties/law

Section 7

International transfers

Primary project storage and worker hosting are configured in the EU, but the providers listed above — and their own subprocessors — may process data in the United States and other countries. This means not all data processing occurs in the EU: where a restricted transfer occurs from the EU/EEA/UK, DurationX relies on applicable adequacy decisions, the European Commission Standard Contractual Clauses, the UK International Data Transfer Agreement/Addendum, and supplementary measures documented in each provider’s data processing agreement or transfer assessment.

You may request information about the specific safeguards that apply to your data from support@durationx.com.

Section 8

How long we keep your data

DataRetention
Qualification records24 months, unless a dispute or security hold requires longer
Paid audit inputs, uploaded evidence, scores, and report metadata24 months after delivery, or earlier on a verified deletion request subject to legal holds
Report files (delivered PDF, private storage)retained while your account is active; deleted after 24 months of inactivity, but never before 12 months from delivery, with prior notice
Paddle/Resend webhook payloads and email delivery events12 months (DurationX side); Paddle and Resend independently retain their own records under their own terms
Security/audit logs12–24 months, depending on event category
Opt-in learning featuresuntil opt-in withdrawal, purpose expiry, or account deletion — whichever is first
Deletion-request audit records24 months after completion, minimized to what is necessary
BackupsEncrypted rolling backups, where enabled, expire under the configured provider lifecycle; deletion is reapplied following restoration.

DurationX may retain narrowly required records for tax, fraud prevention, security, disputes, or legal obligations beyond these figures. A legal hold suspends deletion only for the affected records and is documented when applied.

Section 9

Security

DurationX uses access controls, row-level authorization, encryption in transit, private storage, short-lived signed download links, multi-factor authentication for administrators, credential separation, logging, backups, and integrity/signature checks. Report access requires authentication or a short-lived signed download link — a bare link never exposes a report that is not yours.

No system is guaranteed secure. Security incidents are handled under a written response plan, including any legally required controller/processor, regulator, and data-subject notifications.

Section 10

Your rights

Depending on your location and applicable law, you may request access, correction, deletion, restriction, portability, objection, or withdrawal of consent, and you may complain to a supervisory authority. Send requests to support@durationx.com. We verify identity before acting on a request and normally respond within the legally applicable period. Where DurationX acts as processor for a business customer, we refer your request to the relevant customer/controller.

The competent supervisory authority for a complaint is Türkiye’s Kişisel Verilerin Korunması Kurumu (KVKK — the Turkish Data Protection Authority), or, where applicable, the competent data-protection supervisory authority in your own country of residence.

Section 11

Deletion

You can request deletion of your account and project data at any time from your account page or by emailing support@durationx.com. Deletion removes or redacts your active customer, project, intake, and report data and uploaded files, queues deletion with our providers where available, and removes any optional derived learning features tied to you. We preserve only what we are legally required to keep — for example, payment records our merchant of record must retain for tax purposes — plus a minimized record that the deletion happened. We complete deletion requests within 30 days and confirm completion by email, identifying any material exceptions and backup-expiry timing rather than stating that all data is instantly gone.

Section 12

Cookies and browser storage

At launch, DurationX uses only strictly necessary authentication/session cookies and a non-sensitive local intake-wizard step index — no analytics, advertising, fingerprinting, or tracking technologies are enabled. See our Cookie Notice for the full inventory and posture.

Section 13

Business users and minors

DurationX is a business-to-business service and is not directed to children. Individuals using it must be at least 18 years old and authorised to act for a business. If we learn we collected a child’s data outside a lawful business context, we will delete it.

Section 14

Changes and contact

We publish the effective date and version at the top of this page. Material changes receive reasonable advance notice where required and do not retroactively authorize a new purpose for data we already hold. Contact support@durationx.com; postal address Alsancak Mah. 2136 Cad. Damla Su Apt. No: 32 İç Kapı No: 3, Etimesgut / Ankara, Türkiye; representative/DPO — none appointed at publication (see above); supervisory authority Türkiye KVKK, or the competent authority in your country of residence.