Privacy Policy
Last updated: 2026-02-01
Responsible Entity: Ducto Labs LLC
Jurisdiction: Wyoming, USA
1. Introduction and Scope
This Privacy Policy is issued by Ducto Labs LLC ("Ducto Labs", "we"), the legal entity that owns and operates the services.
This policy governs the specific use of our software platform called Ducto, available at ducto.io and the application app.ducto.io (collectively, the "Service" or "Ducto").
1.1. Role Definitions
To comply with GDPR and global regulations:
- Customer Data (Controller): Data belonging to the company that contracts the Service (billing, admins). We determine the purposes of administrative processing.
- End-User Data (Processor): Data within the WhatsApp messages of its customers. Ducto Labs processes this data through the Service solely under the instructions of the Customer. The Customer is responsible for obtaining legal consent (opt-in).
2. Information We Collect
2.1. Customer Data (You)
- Registration: Email, password, company name.
- Billing: Data processed by Paddle (we do not store full card numbers).
- Technical and Security Data: We collect minimum technical information necessary for the security and operation of the Service, including IP address, access logs, browser type, and operating system.
2.2. End-User Data (Third Parties)
When using the Service's integration with the WhatsApp API, we technically process on your behalf:
- Phone numbers and profile names.
- Message content (text, files).
- Delivery metadata.
- Note: We do not use message content to train public AI models or for our own advertising purposes.
2.3. Cookies and Tracking
We use technical (essential) and analytical cookies.
- Control: You can configure your browser to reject cookies.
- Opt-out: For analytics, we use standard tools that respect the "Do Not Track" settings of modern browsers.
3. Use and Purpose
We process data to:
- Operate and maintain the Service (including error detection).
- Billing and account management.
- Security and fraud prevention.
- Legal compliance.
4. Sub-processors (Third Parties)
We share data only with essential infrastructure providers for the operation of the Service:
| Provider | Function | Location |
|---|---|---|
| Meta Platforms, Inc. | WhatsApp Business API | USA / Global |
| AWS | Hosting and Database | USA |
| Paddle | Payments | USA |
| Cloudflare, Inc. | Security, CDN and DDoS protection | Global |
5. International Transfers
Ducto Labs operates from the USA. For users in the European Economic Area (EEA):
- Transfer Basis: We rely on the Standard Contractual Clauses (SCCs) approved by the European Commission to ensure an adequate level of protection when transferring data to the USA.
- These clauses govern our processing of data from European users.
6. Data Retention
We retain data while the account is active or as necessary to provide the Service.
- Account Deletion: Upon cancellation, customer data is deleted or anonymized within a maximum period of 90 days, unless required by law.
- End-User Messages: Retention of chat histories may vary depending on the configuration defined by the Customer and their own legal obligations. Ducto Labs does not retain messages beyond what is instructed by the Customer or technically required.
7. Your Rights (GDPR / CCPA / Global)
7.1. General Users and GDPR
You have the right to:
- Access and Portability: Request a copy of your data.
- Rectification: Correct inaccurate data.
- Erasure (Right to be Forgotten): Request deletion of your data.
- Restriction: Restrict processing.
7.2. California Residents (CCPA)
- Right to Know: Know what categories of data we collect.
- Right to Delete: Request deletion of your personal information.
- No Sale: Ducto Labs does not sell personal information.
- Non-Discrimination: We will not deny you the Service for exercising these rights.
7.3. How to Exercise Your Rights
- Direct Customers: Write to [email protected].
- End Users (WhatsApp): You must contact directly the company (our Customer) with whom you communicated. Ducto Labs, as processor, cannot handle direct requests from end users and will forward them to the corresponding Customer.
8. Children's Privacy
The Service is not directed to persons under 16 years of age, unless local law permits a lower age. We do not knowingly collect data from minors below the legal age of consent. If we discover such data, we will delete it.
9. Security
We apply technical (TLS encryption, encryption at rest) and organizational measures to protect data. However, no internet transmission is 100% secure.
10. Changes and Contact
We may update this policy. Changes will take effect upon publication.
Privacy Contact
Contact: [email protected]
Operating Company: Ducto Labs LLC
Address: 30 N Gould ST STE R, Sheridan, WY 82801, USA