Duilink Privacy Policy
This policy applies exclusively to the Duilink service (account registration, Google sign-in, digital card management, public URL, NFC, vCard and the DuiLink Android app).
1) Controller and contact
Data controller: Fabio Giuliodori. Duilink is the service published on duilio.cc. Privacy contact: info@duilio.cc.
2) Data processed
- Account data: email, hashed password, technical timestamps (creation, login, activity).
- Data collected via Google sign-in: email address and basic profile information, when provided by Google.
- Card data: first name, last name, email, optional company/website/address, optional social links, optional photo/logo.
- Technical security data: hosting and application logs (for example rate limiting, security and error diagnostics).
MyPage is a personal page reachable by users who know the link, scan the QR code or use an NFC medium configured by the user. The URL is generated with a non-trivial code and the page is not intended for search engine indexing.
Data, links and contacts entered in the MyPage, including social profiles, WhatsApp, email, phone numbers, addresses, images and logos, may become visible to anyone who opens the MyPage through the link, QR code or NFC.
3) Google sign-in (OAuth)
Duilink supports sign-in with Google accounts. During Google sign-in, we collect:
- Email address associated with the Google account.
- Basic profile information, when available and provided by Google.
These data are used only to:
- Authenticate the user.
- Create or link the Duilink account.
- Allow access to the personal area and MyPage.
Duilink does not use Google-provided data for marketing, profiling or advertising and does not share them with third parties, except technical providers strictly required to deliver the service.
3-bis) DuiLink Android app
The DuiLink Android app displays the Duilink web service inside an authenticated WebView and adds native actions to copy, share and write the public Duilink URL to NFC tags. The app does not use NFC to read personal data from third-party tags: the NFC feature locally writes the user's selected public Duilink URL to the tag.
The app uses Internet access to load Duilink, keep the sign-in session through technical cookies and open the service pages required by the user. When the user uses Android sharing, the public URL is passed to the operating system and to the app selected by the user to complete the share action.
4) Purposes and legal bases
- Provision of the Duilink service (account, authentication, card publishing, password reset).
- Google OAuth sign-in, if chosen by the user.
- Application security and abuse prevention.
- MVP legal basis: data subject consent and pre-contractual/contractual measures for technical service delivery.
5) Retention
Data are retained for the time necessary to provide the service. For inactive accounts, the MVP operational policy provides a 12-month retention period followed by a scheduled purge process.
6) Third-party processing
Data may be processed by strictly necessary infrastructure providers (for example OVH hosting, email services, Google OAuth technical authentication services) as technical processors/sub-processors or providers required for service operation.
When the user enters links to third-party services or uses buttons that open external apps, such as social networks, WhatsApp, email, maps, Android sharing apps or external voluntary contribution platforms, any subsequent processing depends on the service selected or opened by the user.
7) Data subject rights
You can request access, rectification, deletion and restriction of processing by writing to info@duilio.cc. A self-service account/card deletion flow is available in the account area. If you believe processing violates applicable law, you may file a complaint with the competent supervisory authority.
8) Cookies
Duilink uses strictly necessary technical session cookies for authentication and security. It does not use profiling or advertising cookies.
| Tool | Use | Indicative duration |
|---|---|---|
| PHP/Duilink session cookie | Account access, session security and personal area operation. | Session or technical duration configured by the service. |
| Remember/login and OAuth state cookies | Login preference, login flow protection and Google OAuth connection. | Limited to the time required by the feature. |
| localStorage | Temporary builder draft, language preference, MyPage Home installation state when supported by the browser. | Until the user clears browser data or the draft is overwritten/removed. |
| sessionStorage | Temporary navigation handling or preferences valid only during the browser session. | Until the browser session is closed. |
9) Purpose/legal basis/retention matrix
| Purpose | Legal basis | Retention |
|---|---|---|
| Account registration and management | Performance of the service requested by the data subject | For the account lifetime; then according to operational retention policy |
| Google OAuth sign-in | Performance of the service requested by the data subject and consent to Google sign-in | For the account lifetime; then according to operational retention policy |
| Application security (anti-abuse, diagnostics, hardening) | Legitimate interest in service security | For the strictly necessary time related to security purposes |
| Digital card and public URL publication | Service performance plus user preferences | While the profile is active or until deletion is requested |
10) Backup, restore and incident management
We apply operational backup and periodic restore procedures, plus a data breach runbook with decision tracking within the timelines required by applicable law.
11) Privacy request handling (DSAR)
Privacy requests are handled through a dedicated tracked procedure. To exercise your rights, write to info@duilio.cc with subject line "Duilink privacy request".
12) Periodic cookie/third-party service review
We periodically review third-party components to ensure consistency with this policy regarding technical cookies and the absence of profiling.
13) Service terms
Duilink use is also governed by the Duilink Terms, which define content rules, user responsibilities and abuse reporting.