Privacy Policy

Last updated: December 31, 2025

1. Introduction

DirectoryDuck ("DirectoryDuck," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, API, embeddable widgets, and related services (collectively, the "Services").

By accessing or using the Services, you agree to this Privacy Policy. If you do not agree with our practices, please do not use the Services.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Name (optional)
  • Password (securely hashed, never stored in plain text)
  • Profile information you choose to provide

2.2 Directory Data

When you use the Services, you may provide:

  • Listings — Business information including names, descriptions, contact details, categories, and custom fields
  • Reviews — Customer reviews including reviewer names, email addresses, ratings, and review content
  • Activity Data — Notes, status changes, and other CRM-related activities
  • Custom Fields — Any additional data fields you create for your directories

2.3 Usage Data

We automatically collect certain information when you use the Services:

  • IP address
  • Browser type and version
  • Device type and operating system
  • Pages visited and features used
  • Time spent on pages
  • Referring URLs
  • Error logs and performance data

2.4 Enrichment Data

When you use AI Enrichment features, we may process:

  • Website URLs you submit for enrichment
  • Data extracted from publicly available websites (company descriptions, logos, contact information, social links)
  • Enrichment request history and results

Note: Enrichment data is obtained from publicly available sources through third-party services. We do not collect or store passwords, private communications, or other non-public information.

2.5 Payment Information

Payment processing is handled by Stripe. We do not directly collect or store credit card numbers or bank account details. We may receive:

  • Last four digits of your card
  • Card type and expiration date
  • Billing address
  • Payment history and subscription status

3. How We Use Information

We use the information we collect to:

  • Provide the Services — Operate, maintain, and deliver the features and functionality of DirectoryDuck
  • Process Transactions — Handle payments, billing, and subscription management
  • Send Communications — Deliver transactional emails, service updates, security alerts, and support messages
  • Improve the Services — Analyze usage patterns, diagnose technical issues, and develop new features
  • Personalize Experience — Remember your preferences and customize the Services for you
  • Ensure Security — Detect, prevent, and respond to fraud, abuse, and security incidents
  • Comply with Law — Meet legal obligations and respond to lawful requests

3.1 Aggregated Data

We may create aggregated, anonymized data from your information for statistical analysis, benchmarking, and improving our Services. This aggregated data does not identify you personally and may be used and shared without restriction.

4. Third-Party Service Providers

We share information with third-party service providers who help us operate the Services:

These service providers are contractually obligated to protect your information and may only use it to provide services to us.

5. Data Sharing and Disclosure

5.1 Public Information

Certain information may be publicly accessible through the Services:

  • Approved reviews displayed via embeddable widgets
  • Verified badges and rating information
  • Listing information you choose to make public via the API

5.2 With Your Consent

We may share information with third parties when you give us explicit consent to do so.

5.3 Legal Requirements

We may disclose information if required to do so by law or in response to valid legal requests, such as:

  • Subpoenas, court orders, or other legal processes
  • Requests from government agencies
  • To protect our rights, privacy, safety, or property
  • To enforce our Terms of Service

5.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and your choices regarding your information.

5.5 We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

6. Your Rights

6.1 General Rights

You have the right to:

  • Access — Request a copy of your personal information
  • Correction — Request correction of inaccurate information
  • Deletion — Request deletion of your account and data
  • Export — Download your data in a portable format
  • Opt-out — Unsubscribe from marketing communications

6.2 GDPR Rights (European Users)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

  • Right to be Forgotten — Request erasure of your personal data
  • Data Portability — Receive your data in a structured, machine-readable format
  • Object to Processing — Object to processing based on legitimate interests
  • Restrict Processing — Request limitation of processing in certain circumstances
  • Withdraw Consent — Withdraw consent at any time where processing is based on consent
  • Lodge Complaints — File a complaint with your local data protection authority

Legal Basis for Processing: We process your data based on contractual necessity (to provide the Services), legitimate interests (to improve and secure our Services), and consent (where you have provided it).

6.3 CCPA Rights (California Residents)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

  • Right to Know — Request disclosure of the categories and specific pieces of personal information collected
  • Right to Delete — Request deletion of your personal information
  • Right to Opt-Out — Opt out of the sale of personal information (we do not sell your data)
  • Non-Discrimination — Receive equal service regardless of exercising your privacy rights

To exercise your CCPA rights, contact us at privacy@directoryduck.com.

7. Data Retention

We retain your information for as long as necessary to provide the Services and fulfill the purposes described in this Privacy Policy:

  • Active Accounts — Data is retained while your account remains active
  • Deleted Accounts — Personal data is deleted within 30 days of an account deletion request
  • Backups — Backup copies may be retained for up to 90 days
  • Legal Requirements — Some data may be retained longer if required by law
  • Aggregated Data — Anonymized, aggregated data may be retained indefinitely

8. Security Measures

We implement appropriate technical and organizational measures to protect your information:

  • Encryption in Transit — All data transmitted between you and our servers uses TLS encryption
  • Encryption at Rest — Sensitive data is encrypted when stored
  • Access Controls — Access to personal data is limited to authorized personnel
  • Authentication — Secure password hashing and optional two-factor authentication
  • Monitoring — Continuous monitoring for security threats and anomalies
  • Regular Audits — Periodic security assessments and vulnerability testing

While we strive to protect your information, no method of transmission or storage is 100% secure. You are responsible for maintaining the security of your account credentials.

9. Cookies and Tracking

We use cookies and similar technologies:

  • Essential Cookies — Required for authentication and core functionality
  • Analytics Cookies — Help us understand how users interact with the Services (via Vercel Analytics)
  • Preference Cookies — Remember your settings and preferences

We do not use third-party advertising cookies.

You can control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of the Services.

10. Children's Privacy

The Services are not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately at privacy@directoryduck.com.

11. International Data Transfers

Your information may be transferred to and processed in the United States and other countries where our service providers are located. These countries may have different data protection laws than your country of residence.

For transfers from the EEA, we rely on:

  • Standard Contractual Clauses approved by the European Commission
  • Service providers' certification under recognized frameworks

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Sending an email to your registered email address
  • Posting a notice on the Services
  • Updating the "Last updated" date at the top of this page

Your continued use of the Services after changes take effect constitutes acceptance of the revised Privacy Policy.

13. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: privacy@directoryduck.com

DirectoryDuck
San Francisco, CA
United States

For GDPR-related inquiries, you may also contact your local data protection authority.