Quick summary
Duly is built around a simple idea: your life admin should not become someone else's data set. We do not require accounts, do not sync your data to our servers, and do not use trackers, advertising IDs, or analytics SDKs that send personally identifiable information off your device. The information you put into Duly stays on your device unless you explicitly choose to back it up or share it.
This page explains the details — what runs locally, what does not, and what limited data we (or the app stores) may receive in the normal course of distributing and supporting an app.
Who we are
Duly is built and operated by Crossing Cloud LLC, a software studio based in Salt Lake City, Utah, USA.
| Legal entity | Crossing Cloud LLC |
|---|---|
| Mailing address | Crossing Cloud LLC 2720 S W Temple St #1023 South Salt Lake, UT 84115, USA |
| Phone | +1 801-896-7986 |
| General contact | [email protected] |
| Privacy contact | [email protected] |
For the purposes of EU and UK GDPR, Crossing Cloud LLC is the data controller for the limited information described in this policy. Crossing Cloud has not appointed a Data Protection Officer because it is not required to do so under GDPR Article 37.
EU/UK representative. Crossing Cloud has assessed that the processing of EU/UK personal data described in this policy — namely, purchase receipts received via the App Stores, opt-in pseudonymous crash reports, and unsolicited support correspondence — is occasional, does not include large-scale processing of special categories of data, and is unlikely to result in risk to the rights and freedoms of natural persons within the meaning of GDPR Article 27(2) and UK GDPR Article 27(2). On that basis, Crossing Cloud has not appointed a representative under Article 27. EU, EEA, and UK users may contact us directly at [email protected]. We will reassess this position if the nature or scale of our processing changes.
What "local-first" means in Duly
Duly is a local-first application. In practice that means:
- All of your reminders, tasks, completions, photos you attach, and asset records (homes, vehicles, pets, etc.) live on your device, in the app's private sandbox.
- We do not run a Duly account system. There is no login, no email signup, and no password to reset, because there is no server-side profile of you to log into.
- The Duly app, by default, does not transmit your reminder content, task contents, asset names, or photos to Crossing Cloud servers.
The exceptions to this are limited and described below: optional cloud backup (when you turn it on), in-app purchases (handled by Apple/Google, not us), and crash diagnostics (only if you opt in).
Information we do not collect
Because so much of what other apps collect, we deliberately do not, it is worth being explicit:
- We do not require or collect your name, email address, phone number, or postal address to use Duly.
- We do not assign you a Crossing Cloud user ID.
- We do not use third-party advertising SDKs, ad identifiers (IDFA, AAID), or cross-app tracking.
- We do not sell or rent any personal information. We do not have a "sale" of personal information as defined by US state privacy laws (CCPA/CPRA, etc.), nor do we "share" personal information for cross-context behavioral advertising.
- We do not build advertising profiles, behavioral profiles, or psychographic profiles of you.
- We do not process sensitive personal information as defined in California Civil Code § 1798.140(ae) for any purpose beyond those listed in § 1798.121(a). Because of this, we are not required to host a "Limit the Use of My Sensitive Personal Information" link, and we do not.
Information that stays on your device
The following data is stored locally on your device only, and is not transmitted to Crossing Cloud unless you explicitly enable a feature that does so:
- Assets you create — names, types, and any notes you add (e.g. "Hub", "The Honda", "Mom").
- Reminders / tasks — titles, descriptions, recurrence settings, due dates, lead times.
- Completions — when you marked something done, optional photos, optional notes.
- Local preferences — theme (light/dark), filter selections, region, notification preferences.
- Local IDs — randomly generated UUIDs used to link reminders to assets internally. These are device-local and are not seen by us.
If you uninstall Duly, this local data is removed by the operating system in the normal course of uninstalling an app.
Information processed off-device (and why)
There are a small number of cases where data may leave your device. Each is opt-in or unavoidable as part of how mobile apps work, and we describe each one below.
a) In-app purchases
If you make a purchase inside Duly (for example, unlocking a paid feature pack), that transaction is handled entirely by Apple's App Store or Google Play Billing, depending on your device. Crossing Cloud receives:
- A confirmation that a purchase has occurred for a given product ID, in the form of a receipt or purchase token from the platform.
- The platform-provided transaction identifier, which we use to validate purchases and restore them on the same account.
We do not receive your full credit card number, billing address, or store account email. Apple's and Google's privacy policies govern the data they collect when you transact with them.
b) Optional cloud backup (coming in a future release)
A future version of Duly may offer an optional end-to-end-encrypted backup of your data so you can restore it on a new device. Before enabling Crossing Cloud-hosted backup, we will (i) update this Privacy Policy with the specific processing details, (ii) obtain your explicit, opt-in consent in-app under GDPR Article 6(1)(a) and Article 7, and (iii) update the App Store App Privacy and Google Play Data safety disclosures.
If and when this feature ships:
- It will be off by default.
- You will be able to choose between your platform's backup (e.g. iCloud Backup, Android Backup) and, where available, a Crossing Cloud-hosted backup.
- If you use a Crossing Cloud-hosted backup, the data will be encrypted on your device with a key that we cannot read, and we will store only the encrypted blob plus the minimum metadata needed to recover it (such as a backup ID).
Until that update happens, you can assume Duly does not back up your data to Crossing Cloud servers.
c) Crash diagnostics (opt-in)
We would like to know when Duly is crashing on your device, but not at the cost of your privacy. So crash reporting is off by default and only ever opt-in. If you turn it on in Settings:
- We collect a crash trace, the version of Duly, the device model and operating system version, and a coarse country code.
- We do not collect your reminder content, asset names, photos, notes, location, contacts, or any account identifier.
- A pseudonymous, randomly generated install ID may be included so we can group repeated crashes from the same install. You can reset or clear this ID from Settings, which will sever the link.
- You can turn crash reporting back off at any time. Reports already submitted may be retained as described under "Data retention".
We will name the crash reporting provider in this policy and on our sub-processor list page once one is selected.
d) Notifications
Duly schedules local notifications through your device's operating system to remind you of upcoming tasks. These notifications are scheduled and delivered locally on your device. Duly does not currently use push notifications routed through Apple Push Notification Service or Firebase Cloud Messaging. If that changes in a future release (for example, to support cloud backup recovery), we will update this policy before the feature ships.
e) Optional photos
When you attach a photo to a completion (for example, a snapshot of a service receipt), Duly will request access to your camera or photo library only if you initiate that action. Photos you attach are stored locally with your other Duly data. We do not upload them to Crossing Cloud servers. If, in the future, you opt into encrypted cloud backup, attached photos will be included in the encrypted backup blob alongside your other reminder data.
Information the app stores receive
Apple and Google each receive certain information when you download or use Duly. We do not control what they collect, but we want you to be aware:
- Apple App Store / Apple Inc. may collect download counts, crash reports through TestFlight or App Store Connect (which we have configured to be aggregated and de-identified where possible), and information about your Apple ID's relationship to the app.
- Google Play / Google LLC may collect download counts, install / uninstall events, Play Integrity signals, and information about your Google account's relationship to the app.
Both stores publish their own privacy policies, which apply to that data:
- Apple privacy policy: https://www.apple.com/legal/privacy/
- Google privacy policy: https://policies.google.com/privacy
We also publish "Privacy Nutrition Labels" on the App Store and a "Data safety" section on Google Play that summarize what data, if any, leaves your device. These summaries are kept consistent with this policy.
Apple Privacy Manifest and Required Reason APIs
Duly ships an Apple PrivacyInfo.xcprivacy manifest as required by Apple since May 1, 2024. The manifest declares the Required Reason APIs used by the app and its third-party SDKs (currently: NSPrivacyAccessedAPICategoryUserDefaults reason CA92.1, NSPrivacyAccessedAPICategoryFileTimestamp reason C617.1, NSPrivacyAccessedAPICategorySystemBootTime reason 35F9.1, NSPrivacyAccessedAPICategoryDiskSpace reason E174.1). The manifest also declares that Duly does not perform tracking and does not collect any data type linked to the user. Our App Store App Privacy responses and Google Play Data safety form are derived from these declarations.
Children's privacy
Duly is not directed to children. We do not knowingly collect personal information from children under 13 in the United States. In the EU and EEA, the age of digital consent for information-society services varies by member state between 13 and 16 under GDPR Article 8; in the United Kingdom the age is 13 under UK GDPR / the UK Data Protection Act 2018. We do not knowingly collect personal information from any user below the applicable age in their country.
If you are a parent or guardian and believe a child has used Duly in a way that resulted in their personal information being processed by us, please contact [email protected] and we will investigate and, where appropriate, delete that information without undue delay.
Legal bases (EU/UK GDPR)
For users in the EU, UK, or Switzerland, we rely on the following lawful bases under Article 6(1) GDPR:
| Processing | Lawful basis |
|---|---|
| Storing your reminders, assets, and tasks on your device | This is on-device processing carried out by you in your own personal capacity. We do not act as controller for this data unless and until you transmit it to us. |
| Validating an in-app purchase via Apple/Google | Contract — Article 6(1)(b). Necessary to deliver the paid feature you requested. |
| Optional crash diagnostics (if you turn them on) | Consent — Article 6(1)(a). You can withdraw consent at any time in Settings, with no effect on your use of Duly. |
| Responding to your privacy or support requests | Legitimate interests — Article 6(1)(f) — and, where applicable, our legal obligation to respond to data subject rights requests. |
Where Duly handles data only on your device, we do not consider Crossing Cloud to be a "controller" of that data within the meaning of GDPR — the on-device processing is for your personal/household purposes. We become a controller of the limited data described above (purchase receipts, opt-in crash reports, support correspondence) when those are transmitted to us.
Your rights
Regardless of where you live, you can:
- Use Duly without giving us your personal information. This is the design of the product, not a concession.
- Delete your local Duly data at any time by deleting individual items in the app, by using "Reset all data" in Settings (when available), or by uninstalling Duly.
- Email us at [email protected] with any privacy question or request.
If you live in the European Economic Area, the United Kingdom, or Switzerland, you also have the right to:
- Request access to any personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data ("right to erasure").
- Request restriction of, or object to, our processing.
- Request portability of data you have provided to us.
- Withdraw consent for any processing based on consent (e.g. crash diagnostics) at any time.
- Lodge a complaint with your local data protection authority. A list of EU authorities is at https://edpb.europa.eu/about-edpb/about-edpb/members_en. UK users can contact the Information Commissioner's Office at https://ico.org.uk/make-a-complaint/.
If you live in California, Colorado, Connecticut, Virginia, Utah, or another US state with a comprehensive privacy law, you have the right to:
- Know what categories of personal information, if any, we have collected about you.
- Request deletion of personal information we have collected.
- Correct inaccurate personal information.
- Opt out of "sale" or "sharing" for cross-context behavioral advertising — Duly does neither, and we have a global "do not sell or share" stance for all users by default.
- Be free from discrimination for exercising these rights.
To exercise any of these rights, email [email protected] from the address you would like us to respond to. We do not have an account system, so we cannot identify you by username. If your request relates to data we may hold about you (for example, a previous support email or a crash report), please describe the context so we can find it.
We will respond to verifiable requests within the timeframes required by the applicable law (typically 30 days under GDPR, 45 days under CCPA, with one extension where allowed).
Categories of personal information we collect (for California, Colorado, Connecticut, Virginia, and Utah residents)
The table below lists each statutory category of personal information that Crossing Cloud may collect from or about you in the preceding 12 months, the source of that information, the business purpose for which we collect it, the categories of third parties with whom we may disclose it, and how long we retain it.
| Category (Cal. Civ. Code § 1798.140(v)) | Specific items | Source | Business purpose | Disclosed to | Retention |
|---|---|---|---|---|---|
| A. Identifiers | Email address (only if you write to us); platform-provided transaction ID for in-app purchases | You; Apple App Store; Google Play | Respond to your inquiries; validate and restore in-app purchases | Email service provider; payment platforms (Apple, Google) | Support correspondence: 24 months after closure. Receipts: 7 years (US tax recordkeeping). |
| B. Customer records (Cal. Civ. Code § 1798.80(e)) | None | — | — | — | — |
| C. Protected classifications | None | — | — | — | — |
| D. Commercial information | Purchase history limited to product IDs of paid Duly features you have purchased | Apple App Store; Google Play | Validate and restore purchases | Apple, Google | 7 years (US tax recordkeeping) |
| E. Biometric information | None | — | — | — | — |
| F. Internet/network activity | None for Duly use itself; if you opt in to crash diagnostics: device model, OS version, app version, coarse country code, install ID | Your device (opt-in only) | Diagnose and fix crashes | Crash reporting provider (to be named when selected) | Up to 12 months |
| G. Geolocation | None precise. Coarse country code only, and only if you opt in to crash diagnostics. | Your device (opt-in only) | Diagnose region-specific crashes | Crash reporting provider (to be named when selected) | Up to 12 months |
| H. Sensory data | None | — | — | — | — |
| I. Professional/employment | None | — | — | — | — |
| J. Education | None | — | — | — | — |
| K. Inferences | None | — | — | — | — |
| Sensitive personal information (Cal. Civ. Code § 1798.140(ae)) | None collected. Crossing Cloud does not process sensitive personal information for purposes other than those listed in Cal. Civ. Code § 1798.121(a). | — | — | — | — |
We have not sold or shared personal information for cross-context behavioral advertising in the preceding 12 months, and we do not sell or share personal information for cross-context behavioral advertising at all. We do not have actual knowledge of selling or sharing personal information of consumers under 16 years of age.
International transfers
Crossing Cloud is based in the United States. Any limited data we receive — purchase receipts, opt-in crash reports, support emails — is processed on servers located in the United States and, in the case of email, in services operated by major US-based providers. If you are in the EEA, UK, or Switzerland and you contact us, you are transferring that correspondence to the United States.
Where we use third-party providers (for example, our email provider) that process EU/UK personal data on our behalf, we rely on the EU Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) to provide an appropriate safeguard for that transfer. We will publish our current sub-processor list at https://crossingcloud.dev/subprocessors and will name those providers there as we add them.
Data retention
- Local data on your device: retained for as long as you keep Duly installed. Removed when you uninstall the app or use "Reset all data" inside Settings.
- Purchase receipts / transaction IDs: retained for as long as needed to validate and restore purchases for that platform account, and for tax and accounting purposes (typically 7 years under US tax rules).
- Opt-in crash reports: retained for up to 12 months from receipt, after which they are deleted or aggregated to non-identifying statistics.
- Support correspondence: retained for up to 24 months after the request is closed, unless we are required to keep it longer for legal reasons.
Security
We design Duly to minimize the data that can be exposed by any single failure:
- Data on your device is stored in the app's private sandbox, protected by your device's standard app isolation and (where you have set one) device passcode/biometrics.
- We do not run user-account servers, so there is no Duly password database to compromise.
- When end-to-end-encrypted backup ships, your encryption key is derived from a passphrase you set; we will not have access to it. If you lose your passphrase, we cannot recover your backed-up data — that is the intended trade-off.
- For the limited data we do receive (purchase receipts, opt-in crash reports, support email), we apply standard transport encryption (HTTPS/TLS) and reasonable access controls.
No system is perfectly secure. If we ever experience a personal data breach, we will:
- Notify the competent supervisory authority within 72 hours of becoming aware, where required by GDPR Article 33 or UK GDPR;
- Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34);
- Comply with applicable US state breach-notification statutes (e.g., Cal. Civ. Code § 1798.82, Utah Code § 13-44-202) within their statutory windows.
Changes to this policy
When we change this policy in a way that materially affects your privacy, we will:
- Update the "Last updated" date at the top.
- Note the change in the app (for example, on first launch after the update) and on this page.
- Where required by law (for example, where we begin relying on consent for a new processing activity), ask for your consent before that processing begins.
Older versions of this policy will be available on request via [email protected].
Contact
If you have questions about this policy, or about how Duly handles your data, please email: