Privacy Policy

This Privacy Policy explains how Dueva LLC ("Dueva," "we," "us," or "our") collects, uses, discloses, stores, and protects personal information when you use Dueva, a web application for AI-native M&A and deal diligence workflows.

By using Dueva, you acknowledge that we process personal information as described in this Privacy Policy. This policy does not override rights you may have under applicable law.

Depending on how you use Dueva, we may collect the following categories of personal information.

Dueva workspaces are designed for organization-scoped deal diligence. Users may upload, enter, generate, or save confidential workspace content, including deal records, source materials, parsed document text, extracted tables, analysis jobs, report-agent messages, diligence questions, summaries, red flags, citations, investor-ready output, team membership records, billing state, and workspace events.

Supported uploads include PDF, DOCX, TXT, CSV, and XLSX files. Original source documents can be stored in a private Supabase Storage bucket with organization-scoped object paths and short-lived signed URL access. Parsed content and related metadata may be stored with the relevant deal record or analysis job.

Demo or local-development mode may use browser localStorage or IndexedDB for non-production deal data, report-agent chat history, workspace events, and local original-file previews. Demo/local storage is not intended for real customer or live deal data.

Dueva uses Supabase Auth as the user system of record. Users can create accounts and sign in with email/password, passwordless magic links, Google OAuth, and Microsoft/Azure OAuth when those providers are configured.

Authentication data may include email address, password credentials submitted to Supabase Auth, OAuth provider identifiers, session cookies, confirmation and magic-link state, organization membership, workspace role, and account status. Dueva stores workspace membership and tenant context so access remains scoped to the correct organization.

Dueva uses Stripe for subscription billing, Checkout, and the Customer Portal. Stripe may process payment method details, invoices, payment status, tax and billing details, fraud-prevention signals, and related transaction data under Stripe's own terms and privacy policy.

Dueva may store or receive subscription status, plan, trial dates, Stripe customer IDs, Stripe subscription IDs, Checkout state, portal state, and limited payment metadata needed to manage billing and entitlements. Dueva does not store full payment card numbers.

Dueva uses server-side model calls to provide deal analysis, workspace and report-agent responses, summaries, red flags, diligence questions, citations, source-backed explanations, and investor-ready output.

When you use AI-powered features, private workspace content may be processed by Dueva and configured server-side AI model providers to provide the requested feature, maintain safety, debug errors, improve service quality, prevent abuse, and comply with law.

Dueva outputs may be AI-generated and should be reviewed by a qualified professional. Dueva does not provide legal, tax, accounting, investment, or financial advice. Dueva analysis is based on uploaded materials and configured workspace context unless otherwise stated.

Private workspace content is not used to train Dueva models unless separately disclosed. The current codebase uses OpenAI through server-side API calls when an OpenAI API key is configured; any additional model provider, retention, logging, or training terms should be reflected here before that provider is enabled.

Dueva may use cookies, browser storage, and similar technologies for authentication, session management, security, preferences, local demo mode, IndexedDB original-file previews, diagnostics, performance, and product operation.

The current MVP does not claim advertising, retargeting, cross-context behavioral advertising, session replay, or third-party analytics. If analytics, crash reporting, marketing pixels, or session replay are added later, this policy should be updated before those tools are enabled.

We do not share personal information except as described in this Privacy Policy or as directed by you.

Dueva relies on vendors and service providers to deliver the Services. The final production vendor list should be confirmed before launch.

We keep personal information only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Retention depends on the type of information and why it was collected. When information is no longer needed, we delete, de-identify, anonymize, or securely retain it as required by law.

You may request deletion of your account and associated personal information by contacting us at privacy@dueva.app or using /account/delete. Deleting a browser profile, local files, or cached app data does not automatically delete a production account or workspace data stored by Dueva.

When we process a deletion request, we will delete or de-identify personal information associated with the account or workspace where required, subject to legal, security, fraud-prevention, backup, tax, accounting, dispute-resolution, and legitimate business exceptions.

Depending on your location and how you use Dueva, you may have the following privacy rights.

This section applies to residents of U.S. states with applicable consumer privacy laws, including California where the California Consumer Privacy Act, as amended, applies.

In the past 12 months, depending on your use of Dueva, we may have collected the following categories of personal information.

If you are located in the European Economic Area, United Kingdom, Switzerland, or a similar jurisdiction, you may have rights to access, correct, delete, restrict, object to processing, receive a portable copy, withdraw consent, object to direct marketing, and lodge a complaint with your local data protection authority.

Where GDPR, UK GDPR, or similar laws apply, our legal bases may include performance of a contract, legitimate interests, consent, legal obligation, or another lawful basis permitted by applicable law. Where we rely on legitimate interests, we balance those interests against your privacy rights and expectations. Where we rely on consent, you may withdraw consent at any time.

We are based in United States / Illinois, USA, and personal information may be processed in countries other than where you live. Those countries may have data protection laws different from those in your jurisdiction.

Where required, we use appropriate safeguards for international transfers, such as data processing agreements, standard contractual clauses, adequacy decisions, or other lawful transfer mechanisms.

Dueva is a professional deal diligence product and is not directed to children. We do not knowingly collect personal information from children under 13 or any higher age required by applicable law.

If you believe a child has provided us personal information, contact us at privacy@dueva.app. If we learn that we collected personal information from a child without required consent, we will delete it or take other appropriate steps required by law.

We use reasonable administrative, technical, and organizational safeguards designed to protect personal information. These may include authentication safeguards, tenant-scoped access controls, private storage paths, encryption in transit, server-side model calls, logging, monitoring, vendor review, secure development practices, and data minimization.

No method of transmission or storage is completely secure. We cannot guarantee absolute security, but we work to protect personal information and improve safeguards over time.

Dueva may contain links to, receive data from, or send data to third-party websites, services, identity providers, billing providers, email providers, AI model providers, integrations, SDKs, or platforms. Their privacy practices are governed by their own policies.

You should review the privacy policies of third-party services you use with Dueva, including OAuth providers, Stripe, Supabase, and any integrations or recipients you direct Dueva to use.

We may update this Privacy Policy from time to time. The updated version will be posted with a new "Last updated" date. If we make material changes, we will provide additional notice where required by law, such as through the app, email, or website notice.

Your continued use of Dueva after an updated Privacy Policy becomes effective means you acknowledge the updated policy.

For privacy questions, requests, or complaints, contact: