Quick summary

Duly is built around a simple idea: your life admin should not become someone else's data set. We do not require accounts, do not sync your data to our servers, and do not use trackers, advertising IDs, or analytics SDKs that send personally identifiable information off your device. The information you put into Duly stays on your device unless you explicitly choose to back it up or share it.

This page explains the details — what runs locally, what does not, and what limited data we (or the app stores) may receive in the normal course of distributing and supporting an app.

Who we are

Duly is built and operated by Crossing Cloud LLC, a software studio based in Salt Lake City, Utah, USA.

Legal entity Crossing Cloud LLC
Mailing address Crossing Cloud LLC
2720 S W Temple St #1023
South Salt Lake, UT 84115, USA
Phone +1 801-896-7986
General contact [email protected]
Privacy contact [email protected]

For the purposes of EU and UK GDPR, Crossing Cloud LLC is the data controller for the limited information described in this policy. Crossing Cloud has not appointed a Data Protection Officer because it is not required to do so under GDPR Article 37.

EU/UK representative. Crossing Cloud has assessed that the processing of EU/UK personal data described in this policy — namely, purchase receipts received via the App Stores, opt-in pseudonymous crash reports, and unsolicited support correspondence — is occasional, does not include large-scale processing of special categories of data, and is unlikely to result in risk to the rights and freedoms of natural persons within the meaning of GDPR Article 27(2) and UK GDPR Article 27(2). On that basis, Crossing Cloud has not appointed a representative under Article 27. EU, EEA, and UK users may contact us directly at [email protected]. We will reassess this position if the nature or scale of our processing changes.

What "local-first" means in Duly

Duly is a local-first application. In practice that means:

The exceptions to this are limited and described below: optional cloud backup (when you turn it on), in-app purchases (handled by Apple/Google, not us), and crash diagnostics (only if you opt in).

Information we do not collect

Because so much of what other apps collect, we deliberately do not, it is worth being explicit:

Information that stays on your device

The following data is stored locally on your device only, and is not transmitted to Crossing Cloud unless you explicitly enable a feature that does so:

If you uninstall Duly, this local data is removed by the operating system in the normal course of uninstalling an app.

Information processed off-device (and why)

There are a small number of cases where data may leave your device. Each is opt-in or unavoidable as part of how mobile apps work, and we describe each one below.

a) In-app purchases

If you make a purchase inside Duly (for example, unlocking a paid feature pack), that transaction is handled entirely by Apple's App Store or Google Play Billing, depending on your device. Crossing Cloud receives:

We do not receive your full credit card number, billing address, or store account email. Apple's and Google's privacy policies govern the data they collect when you transact with them.

b) Optional cloud backup (coming in a future release)

A future version of Duly may offer an optional end-to-end-encrypted backup of your data so you can restore it on a new device. Before enabling Crossing Cloud-hosted backup, we will (i) update this Privacy Policy with the specific processing details, (ii) obtain your explicit, opt-in consent in-app under GDPR Article 6(1)(a) and Article 7, and (iii) update the App Store App Privacy and Google Play Data safety disclosures.

If and when this feature ships:

Until that update happens, you can assume Duly does not back up your data to Crossing Cloud servers.

c) Crash diagnostics (opt-in)

We would like to know when Duly is crashing on your device, but not at the cost of your privacy. So crash reporting is off by default and only ever opt-in. If you turn it on in Settings:

We will name the crash reporting provider in this policy and on our sub-processor list page once one is selected.

d) Notifications

Duly schedules local notifications through your device's operating system to remind you of upcoming tasks. These notifications are scheduled and delivered locally on your device. Duly does not currently use push notifications routed through Apple Push Notification Service or Firebase Cloud Messaging. If that changes in a future release (for example, to support cloud backup recovery), we will update this policy before the feature ships.

e) Optional photos

When you attach a photo to a completion (for example, a snapshot of a service receipt), Duly will request access to your camera or photo library only if you initiate that action. Photos you attach are stored locally with your other Duly data. We do not upload them to Crossing Cloud servers. If, in the future, you opt into encrypted cloud backup, attached photos will be included in the encrypted backup blob alongside your other reminder data.

Information the app stores receive

Apple and Google each receive certain information when you download or use Duly. We do not control what they collect, but we want you to be aware:

Both stores publish their own privacy policies, which apply to that data:

We also publish "Privacy Nutrition Labels" on the App Store and a "Data safety" section on Google Play that summarize what data, if any, leaves your device. These summaries are kept consistent with this policy.

Apple Privacy Manifest and Required Reason APIs

Duly ships an Apple PrivacyInfo.xcprivacy manifest as required by Apple since May 1, 2024. The manifest declares the Required Reason APIs used by the app and its third-party SDKs (currently: NSPrivacyAccessedAPICategoryUserDefaults reason CA92.1, NSPrivacyAccessedAPICategoryFileTimestamp reason C617.1, NSPrivacyAccessedAPICategorySystemBootTime reason 35F9.1, NSPrivacyAccessedAPICategoryDiskSpace reason E174.1). The manifest also declares that Duly does not perform tracking and does not collect any data type linked to the user. Our App Store App Privacy responses and Google Play Data safety form are derived from these declarations.

Children's privacy

Duly is not directed to children. We do not knowingly collect personal information from children under 13 in the United States. In the EU and EEA, the age of digital consent for information-society services varies by member state between 13 and 16 under GDPR Article 8; in the United Kingdom the age is 13 under UK GDPR / the UK Data Protection Act 2018. We do not knowingly collect personal information from any user below the applicable age in their country.

If you are a parent or guardian and believe a child has used Duly in a way that resulted in their personal information being processed by us, please contact [email protected] and we will investigate and, where appropriate, delete that information without undue delay.

Legal bases (EU/UK GDPR)

For users in the EU, UK, or Switzerland, we rely on the following lawful bases under Article 6(1) GDPR:

Processing Lawful basis
Storing your reminders, assets, and tasks on your device This is on-device processing carried out by you in your own personal capacity. We do not act as controller for this data unless and until you transmit it to us.
Validating an in-app purchase via Apple/Google Contract — Article 6(1)(b). Necessary to deliver the paid feature you requested.
Optional crash diagnostics (if you turn them on) Consent — Article 6(1)(a). You can withdraw consent at any time in Settings, with no effect on your use of Duly.
Responding to your privacy or support requests Legitimate interests — Article 6(1)(f) — and, where applicable, our legal obligation to respond to data subject rights requests.

Where Duly handles data only on your device, we do not consider Crossing Cloud to be a "controller" of that data within the meaning of GDPR — the on-device processing is for your personal/household purposes. We become a controller of the limited data described above (purchase receipts, opt-in crash reports, support correspondence) when those are transmitted to us.

Your rights

Regardless of where you live, you can:

If you live in the European Economic Area, the United Kingdom, or Switzerland, you also have the right to:

If you live in California, Colorado, Connecticut, Virginia, Utah, or another US state with a comprehensive privacy law, you have the right to:

To exercise any of these rights, email [email protected] from the address you would like us to respond to. We do not have an account system, so we cannot identify you by username. If your request relates to data we may hold about you (for example, a previous support email or a crash report), please describe the context so we can find it.

We will respond to verifiable requests within the timeframes required by the applicable law (typically 30 days under GDPR, 45 days under CCPA, with one extension where allowed).

Categories of personal information we collect (for California, Colorado, Connecticut, Virginia, and Utah residents)

The table below lists each statutory category of personal information that Crossing Cloud may collect from or about you in the preceding 12 months, the source of that information, the business purpose for which we collect it, the categories of third parties with whom we may disclose it, and how long we retain it.

Category (Cal. Civ. Code § 1798.140(v)) Specific items Source Business purpose Disclosed to Retention
A. Identifiers Email address (only if you write to us); platform-provided transaction ID for in-app purchases You; Apple App Store; Google Play Respond to your inquiries; validate and restore in-app purchases Email service provider; payment platforms (Apple, Google) Support correspondence: 24 months after closure. Receipts: 7 years (US tax recordkeeping).
B. Customer records (Cal. Civ. Code § 1798.80(e)) None
C. Protected classifications None
D. Commercial information Purchase history limited to product IDs of paid Duly features you have purchased Apple App Store; Google Play Validate and restore purchases Apple, Google 7 years (US tax recordkeeping)
E. Biometric information None
F. Internet/network activity None for Duly use itself; if you opt in to crash diagnostics: device model, OS version, app version, coarse country code, install ID Your device (opt-in only) Diagnose and fix crashes Crash reporting provider (to be named when selected) Up to 12 months
G. Geolocation None precise. Coarse country code only, and only if you opt in to crash diagnostics. Your device (opt-in only) Diagnose region-specific crashes Crash reporting provider (to be named when selected) Up to 12 months
H. Sensory data None
I. Professional/employment None
J. Education None
K. Inferences None
Sensitive personal information (Cal. Civ. Code § 1798.140(ae)) None collected. Crossing Cloud does not process sensitive personal information for purposes other than those listed in Cal. Civ. Code § 1798.121(a).

We have not sold or shared personal information for cross-context behavioral advertising in the preceding 12 months, and we do not sell or share personal information for cross-context behavioral advertising at all. We do not have actual knowledge of selling or sharing personal information of consumers under 16 years of age.

International transfers

Crossing Cloud is based in the United States. Any limited data we receive — purchase receipts, opt-in crash reports, support emails — is processed on servers located in the United States and, in the case of email, in services operated by major US-based providers. If you are in the EEA, UK, or Switzerland and you contact us, you are transferring that correspondence to the United States.

Where we use third-party providers (for example, our email provider) that process EU/UK personal data on our behalf, we rely on the EU Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) to provide an appropriate safeguard for that transfer. We will publish our current sub-processor list at https://crossingcloud.dev/subprocessors and will name those providers there as we add them.

Data retention

Security

We design Duly to minimize the data that can be exposed by any single failure:

No system is perfectly secure. If we ever experience a personal data breach, we will:

Changes to this policy

When we change this policy in a way that materially affects your privacy, we will:

Older versions of this policy will be available on request via [email protected].

Contact

If you have questions about this policy, or about how Duly handles your data, please email:

[email protected]