Privacy Policy
Last updated: April 2026
1. Overview
duetto is a household expense-tracking app for couples. We collect only the data you give us -- your account details, your expenses, your budgets, and the lists and projects you create. All financial data (amounts, merchant names, notes) is encrypted with AES-256-GCM before it reaches our database. We do not sell your data. We do not show you ads. We do not share your data with anyone except the third-party services we need to run the app, which are listed below. You can export everything we hold on you, or permanently delete it, at any time from within the app.
2. Who we are
The data controller is duetto (duetto.one). For any privacy-related questions, you can reach us at privacy@duetto.one.
3. What data we collect
Account data
When you sign up through Clerk (our authentication provider), we receive and store your email address, display name, and optionally your profile photo. Clerk also handles your password or OAuth credentials -- we never see or store those.
Household and financial data
Everything you enter in the app: expenses (amounts, merchants, notes, dates, categories, receipt images), settlements, budgets, projects (with their own expenses and settlements), shopping lists, to-do items, and comments on expenses. All monetary amounts, merchant names, notes, and comment bodies are encrypted at rest using AES-256-GCM before being written to the database. Receipt images and avatar photos are stored in Vercel Blob Storage.
Technical data
When you make changes (create, edit, or delete expenses, budgets, or categories), we write an audit log entry. If your IP address is available, it is hashed with SHA-256 and truncated to 16 characters before storage. We never store raw IP addresses. Vercel, our hosting provider, processes standard HTTP request logs which include IP addresses; these are retained for up to 30 days by Vercel and are not accessible to us in raw form.
4. Why we collect it (lawful basis)
- Contract performance (GDPR Article 6(1)(b)) -- We process your account data and household financial data to provide the service you signed up for: tracking shared expenses, calculating balances, managing budgets and projects.
- Legitimate interest (GDPR Article 6(1)(f)) -- We maintain audit logs with hashed IP addresses to detect abuse, protect the security of the service, and ensure accountability. We apply rate limiting to prevent misuse.
- Legal obligation (GDPR Article 6(1)(c)) -- We may need to retain certain records to comply with applicable laws, though we minimise what we store and delete data promptly when you request it.
5. How we protect your data
- Encryption at rest -- All monetary amounts, merchant names, expense notes, comment bodies, settlement notes, and budget amounts are encrypted with AES-256-GCM using a versioned key system that supports seamless key rotation.
- Encryption in transit -- All traffic is served over HTTPS/TLS.
- Household isolation -- Every database query is scoped to your household. You can never access another household's data.
- Authentication -- Managed by Clerk with OAuth support, session management, and brute-force protection. We never handle or store passwords.
- Rate limiting -- All API endpoints are rate-limited per user (60 requests/minute for general APIs, 10/minute for AI features, 20/minute for file uploads) using Upstash Redis.
- Security headers -- We set a strict Content Security Policy, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), and Referrer-Policy (strict-origin-when-cross-origin) on all responses.
- IP pseudonymisation -- IP addresses in audit logs are stored only as a SHA-256 hash truncated to 16 characters. Raw IPs are never written to our database.
- Input validation -- All API inputs are validated with Zod schemas before processing.
6. Third-party processors
We use the following third-party services to operate duetto. We do not sell or share your data with anyone else.
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Clerk | Authentication and session management | Email, name, profile photo, OAuth tokens, session data | United States |
| Vercel | Hosting, serverless functions, Blob storage (receipts and avatars) | HTTP request metadata (IP, user agent), uploaded images | United States (global edge network) |
| Neon (via Vercel) | PostgreSQL database | All application data (financial fields are encrypted before storage) | United States |
| Upstash | Rate limiting (Redis) | Clerk user IDs (used as rate-limit keys). No financial data. | United States |
| Anthropic | AI features: receipt scanning, expense categorisation, spending insights, anomaly detection | Decrypted expense summaries (category names, amounts, merchant names), receipt images, user chat messages. Sent only when you use AI features. Anthropic does not use API inputs to train models. | United States |
| Frankfurter | Currency exchange rates | Currency pair requested (e.g. EUR to NOK). No personal or financial data. | European Union |
7. How long we keep your data
- Account and household data -- Kept for as long as your account exists. When you delete your account, all data is permanently erased immediately (see Your rights below).
- Audit logs -- Stored in our database for as long as the household exists. Deleted when the account is deleted.
- Vercel infrastructure logs -- Retained by Vercel for up to 30 days. We do not control this retention period.
- Deleted accounts -- When you request deletion, we permanently erase all household data (expenses, settlements, budgets, projects, shopping lists, to-do items, categories, invitations, audit logs, notifications, and comments), all user records, the household itself, and your Clerk authentication account. This happens immediately and is irreversible.
8. Your rights
Under the GDPR, you have the following rights. We have built most of these directly into the app so you can exercise them yourself, instantly.
- Right of access (Article 15) -- You can export all your data as a JSON file from the Account settings page at any time. The export includes every expense, settlement, budget, project, shopping list item, and to-do item in your household, fully decrypted.
- Right to rectification (Article 16) -- You can edit any expense, budget, project, or other record directly in the app.
- Right to erasure (Article 17) -- You can permanently delete your entire account and all associated household data from the Account settings page. Deletion is immediate and irreversible. This removes all records from our database and deletes your Clerk authentication account.
- Right to restriction of processing (Article 18) -- Contact us at privacy@duetto.one and we will restrict processing of your data while we address your concern.
- Right to data portability (Article 20) -- The data export feature provides your data in a structured, machine-readable JSON format.
- Right to object (Article 21) -- Contact us at privacy@duetto.one to object to any processing based on legitimate interest.
- Right not to be subject to automated decision-making (Article 22) -- Our AI features (categorisation, anomaly detection, insights) are assistive only. They suggest categories and surface patterns but never make decisions that have legal or similarly significant effects on you.
If you believe we have not adequately addressed your request, you have the right to lodge a complaint with your local data protection authority.
9. Changes to this policy
If we make material changes to this policy, we will update the "Last updated" date at the top and notify you via the email address associated with your account. We encourage you to review this page periodically.
10. Contact
For any questions about this privacy policy or how we handle your data, contact us at privacy@duetto.one.