Privacy Policy
This policy explains how PrivacyDuck collects, uses, stores, and shares your personal data, and the rights you have under UK GDPR, the Data Protection Act 2018, the EU GDPR, and the California Consumer Privacy Act (CCPA/CPRA). Where "we", "us", or "our" appears below it means PrivacyDuck; "you" means the individual whose data we hold.
1 Who we are
PrivacyDuck.com is operated by PrivacyDuck, a US-based company that helps individuals, families, and businesses remove personal information from data brokers and people-search sites. We are the controller of the personal data described in this notice.
2 What we collect
From customers and free-scan users:
- Name, email address, phone number
- Postal/mailing address and country
- URLs and screenshots of public listings you want removed
- Date of birth and partial family/relative information (used to match broker records)
- Government-issued ID — only when a specific broker requires identity verification to action a removal
- Payment data — collected directly by Stripe; we receive a token, never the full card number
From site visitors:
- IP address, browser type, referring page
- Cookies — see our Cookie Policy
3 Why we use it & our lawful basis
Under UK GDPR Article 6, we rely on the following lawful bases for each purpose:
| Purpose | Lawful basis |
|---|---|
| Deliver paid removal services to you | Art. 6(1)(b) — Performance of contract |
| Process free privacy scans | Art. 6(1)(f) — Legitimate interest |
| Service emails (status, account changes) | Art. 6(1)(b) — Performance of contract |
| Marketing emails | Art. 6(1)(a) — Consent (withdrawable any time) |
| Tax / accounting records | Art. 6(1)(c) — Legal obligation |
| Fraud and abuse detection | Art. 6(1)(f) — Legitimate interest |
| Site analytics | Art. 6(1)(a) — Consent via cookie banner |
Where our basis is Legitimate Interest, you have the right to object — see Section 8.
4 How long we keep it (retention)
We may retain data for longer if the law requires it, or for a shorter period if you exercise the right to erasure (where the law permits deletion).
| Data category | Retention period |
|---|---|
| Active customer account data | For the life of your account |
| Account marked for deletion | 30-day grace, then irreversibly purged |
| Free-scan email + result | 90 days |
| Broker correspondence (opt-out emails, confirmations) | 2 years from action |
| Payment transaction records | 7 years (tax/accounting legal obligation) |
| Support tickets and chat transcripts | 2 years from resolution |
| Server access logs | 12 months |
| Marketing subscription state | Until unsubscribe; suppression list kept indefinitely |
| Cookie consent record | 12 months, then we re-prompt |
5 Who we share it with (subprocessors)
We do not sell your personal data and we do not use it to train AI models. We use the following processors, each under a Data Processing Agreement:
| Subprocessor | Purpose | Data shared | Location | Transfer safeguard |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing | Name, email, billing address, card data | US | UK IDTA / EU SCCs |
| Google LLC (Tag Manager, Analytics 4) | Website analytics (only with cookie consent) | IP, page events, cookies | US | UK IDTA / EU SCCs |
| Google LLC (Maps Extended Library) | Address autocomplete on signup | Address text entered | US | UK IDTA / EU SCCs |
| Tawk.to | Live chat (only with cookie consent) | Name, email if provided, chat content, IP | US / partner regions | DPA + SCCs |
| DigitalOcean, LLC | Server infrastructure (compute & managed database) | All processed data | US | UK IDTA / EU SCCs |
6 International transfers
We are based in the United States. Data of UK and EEA users is transferred to the US to be processed by us and the providers listed in Section 5. We rely on the UK International Data Transfer Agreement (IDTA) for transfers from the UK and the EU Standard Contractual Clauses (SCCs) for transfers from the EEA, together with supplementary measures (encryption in transit and at rest, access controls). You can request a copy of the safeguards by emailing privacy@privacyduck.com.
7 How we protect it
- TLS encryption in transit (HTTPS only)
- Encrypted storage in databases
- Role-based access — only authorised staff, with audit logging
- Multi-factor authentication for staff accounts
- Regular security reviews and patching
8 Your rights
Under UK GDPR and the Data Protection Act 2018, you have the following rights:
| Right | What it means |
|---|---|
| Access | A copy of all personal data we hold about you, free, within one month |
| Rectification | Correct inaccurate data |
| Erasure | Delete your data, subject to legal-retention exceptions |
| Restrict processing | Pause processing while a dispute is resolved |
| Data portability | Receive your data in a machine-readable form and transmit it to another controller |
| Object | Stop processing based on legitimate interest, including direct marketing |
| No solely-automated decisions | We don't make significant decisions about you without human involvement |
| Withdraw consent | At any time, for processing based on consent |
To exercise any right, use our Privacy Request form or email privacy@privacyduck.com. We respond within one month. If your request is complex we may extend by two further months — we'll tell you why.
9 Cookies
We use cookies in three categories: Necessary (always on), Analytics (Google Tag Manager + GA4 — opt-in), and Functional (Tawk.to live chat — opt-in). The cookie banner lets you choose which to allow, and the Cookie Settings link in the footer lets you change your mind any time. For full details — every cookie, what it does, how long it lasts — see our Cookie Policy.
10 Children
Our service is not intended for anyone under 18. We don't knowingly collect data from minors. If you believe we hold data about a child, email privacy@privacyduck.com and we'll delete it.
11 UK Representative
TODO: PrivacyDuck must appoint a UK representative under UK GDPR Article 27 before publicly claiming UK GDPR compliance. This section will be updated with representative contact details once appointed (or removed if UK signups are restricted).
12 Complaints
Please contact us first at privacy@privacyduck.com so we can try to resolve your concern.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
- Website: https://ico.org.uk
- Helpline: 0303 123 1113
- Post: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
If you are in the EEA, you may contact your national data protection authority.
13 Changes to this policy
We may update this policy. Material changes will be communicated by email to active customers and posted on this page with a revised "Last Updated" date. Continued use of the service after a change means you accept the updated policy.
14 Contact us
PrivacyDuck
Privacy queries: privacy@privacyduck.com
General: hello@privacyduck.com
Website: https://privacyduck.com
Privacy enquiries: PrivacyDuck Privacy Team — privacy@privacyduck.com