
Product Policy

DD Auth

Product-Specific Policy 1.0

DD Auth Privacy Policy

Last Updated: January 1, 2026

Important Notice

This is a product-specific policy. In case of any conflict between this policy and our Common Policies, this product-specific policy shall prevail for the applicable product.

1. Introduction

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use DD Auth services, including DD Auth Web Application (auth.duodev.in), DD Auth Mobile Application (in.duodev.auth), and DD Accounts (accounts.duodev.in). By using our services, you agree to the collection and use of information in accordance with this policy.

2. Account Information

When you create an account, we collect:
• Email address - Used for account identification and communication
• Name - Used for personalization and display purposes
• Profile picture (optional) - For account personalization
• Phone number (optional) - For account recovery and two-factor authentication

3. Authentication Data

We collect authentication-related data including:
• OAuth2 tokens - Access tokens and refresh tokens for secure authentication
• Session data - Session identifiers and state information
• PKCE verifiers - Proof Key for Code Exchange data for secure mobile authentication
• Login timestamps - Record of authentication events

4. Vault Data (End-to-End Encrypted)

Your vault contains sensitive data that is end-to-end encrypted before being stored:
• Passwords - Website credentials including usernames, passwords, and URLs
• TOTP Secrets - Two-factor authentication codes and associated account information
• Secure Notes - Private text notes

Important: We CANNOT read your vault data. All vault items are encrypted on your device using AES-256-GCM encryption with keys derived from your master password. The server only stores encrypted payloads.

5. Metadata (Searchable, Not Encrypted)

To enable search functionality, we store limited metadata:
• Item names/titles - For search and display purposes
• Service names/issuers - For organizing vault items
• Account names - For identifying accounts (not passwords)
• URLs (domain only) - For auto-fill functionality

6. Technical Data

We automatically collect:
• Device information - Device type, operating system, browser type
• IP addresses - For security monitoring and fraud prevention
• Usage data - Features used, timestamps of actions
• Error logs - Technical errors for debugging purposes

7. How We Use Your Information

Service Provision:
• Authenticating your identity via OAuth2/OpenID Connect
• Storing and syncing your encrypted vault data
• Generating and validating TOTP codes
• Providing password management features
• Enabling cross-device synchronization

Security:
• Monitoring for unauthorized access attempts
• Detecting and preventing fraud
• Implementing rate limiting and security measures
• Auditing authentication events

Service Improvement:
• Analyzing usage patterns (anonymized)
• Debugging and fixing technical issues
• Developing new features

8. Data Storage and Encryption

Our encryption model ensures your data remains private:
1. Master Password - You create a master password that never leaves your device
2. Key Derivation - We use PBKDF2 to derive encryption keys from your password
3. Two-Level Encryption - Master Key = PBKDF2(password, master_salt), Item Key = PBKDF2(master_key, item_salt)
4. AES-256-GCM - All vault data is encrypted using industry-standard encryption
5. Zero Knowledge - We cannot decrypt your vault data
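The two-level derivation and per-item AES-256-GCM encryption described above, as an added example that is not DD Auth's own code. The hash function, iteration counts, salt and nonce sizes, and all function names are assumptions, since the policy does not state them.

```javascript
const crypto = require('node:crypto');

// Assumed parameters: the policy names PBKDF2 and AES-256-GCM but states no
// hash function, iteration counts, or salt/nonce sizes.
const HASH = 'sha256';
const MASTER_ITERS = 600000; // slow step: stretches the low-entropy password
const ITEM_ITERS = 1;        // input is already a 256-bit key
const KEY_LEN = 32;          // AES-256

// Level 1: Master Key = PBKDF2(password, master_salt)
function deriveMasterKey(password, masterSalt) {
  return crypto.pbkdf2Sync(password, masterSalt, MASTER_ITERS, KEY_LEN, HASH);
}

// Level 2: Item Key = PBKDF2(master_key, item_salt)
function deriveItemKey(masterKey, itemSalt) {
  return crypto.pbkdf2Sync(masterKey, itemSalt, ITEM_ITERS, KEY_LEN, HASH);
}

// Runs on the client; the returned record is all the server would store.
function encryptItem(masterKey, plaintext) {
  const itemSalt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12); // 96-bit GCM nonce, fresh per item
  const key = deriveItemKey(masterKey, itemSalt);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { itemSalt, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null when the key is wrong or the record was altered.
function decryptItem(masterKey, rec) {
  const key = deriveItemKey(masterKey, rec.itemSalt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, rec.nonce);
  decipher.setAuthTag(rec.tag);
  try {
    return Buffer.concat([decipher.update(rec.ciphertext), decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // GCM tag check failed
  }
}

// Constructed sample values, not real credentials.
const masterSalt = crypto.randomBytes(16);
const masterKey = deriveMasterKey('constructed-master-password', masterSalt);
const record = encryptItem(masterKey, 'constructed-site-password');
console.log(decryptItem(masterKey, record));                            // round trip
console.log(decryptItem(deriveMasterKey('wrong', masterSalt), record)); // null
```

The stored record holds only the item salt, nonce, ciphertext and tag, so recovering the plaintext requires re-deriving the master key from the password on the client.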

Data Storage:
• Account data - Stored on secure servers in encrypted databases
• Vault data - Stored as encrypted blobs; server never sees plaintext
• Session data - Temporarily stored for authentication purposes
• Backups - Encrypted backups are maintained for disaster recovery

9. Data Sharing and Disclosure

We Do NOT Sell Your Data. We do not sell, rent, or trade your personal information to third parties.

We may share information only in these circumstances:
• With your consent - When you explicitly authorize sharing
• Service providers - With trusted service providers who assist our operations (under strict confidentiality agreements)
• Legal requirements - When required by law, court order, or legal process
• Security incidents - To protect against fraud, security threats, or illegal activity

We may share anonymized, aggregated data that cannot identify you for analytics and research purposes.

10. Data Retention

Active Accounts:
• Account data - Retained while your account is active
• Vault data - Retained until you delete items or close your account
• Authentication logs - Retained for 90 days for security purposes

Deleted Data:
• Soft-deleted items - Retained for 30 days before permanent deletion
• Account deletion - All data permanently deleted within 90 days
• Backup retention - Encrypted backups retained for up to 30 days after deletion

11. Your Rights

Access and Portability:
• View your account information
• Export your vault data in multiple formats
• Request a copy of data we hold about you

Correction:
• Update your profile information
• Modify vault item metadata

Deletion:
• Delete individual vault items
• Request account deletion
• Right to be forgotten (where applicable)

Data Protection Rights (GDPR/CCPA):
If you are in the EU, UK, or California, you have additional rights, including the right to object to processing, the right to restrict processing, the right to data portability, the right to withdraw consent, and the right to lodge a complaint with supervisory authorities.

12. Biometric Data

The DD Auth mobile app supports biometric authentication:
• Fingerprint - Used for app unlock (processed on device only)
• Face recognition - Used for app unlock (processed on device only)

Biometric data never leaves your device and is not stored on our servers.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:
• Email: privacy@duodev.in
• Website: https://duodev.in/contact

For data protection inquiries: dpo@duodev.in
