Privacy Policy
Last updated: 22 March 2026
Duly ("we", "us", "our") is an AI executive assistant that monitors your emails, calendar, and messages to track commitments and deadlines on your behalf. This policy explains what data we collect, how we use it, and your rights. Duly is operated by Duly AI Pty Ltd, based in Australia.
Duly never stores the content of your emails or messages. Raw content is processed in memory, used to extract structured commitments, and immediately discarded. Only AI-generated summaries are retained.
1. What we collect
Account information
When you sign up, we store your name, email address, and profile image as provided by your Microsoft or Google account. This is used solely for authentication and to identify you within the app.
Email and message content (transient only)
When you connect Microsoft Outlook or Teams, Duly reads your recent emails and messages to extract commitments and deadlines. During this process:
- Email and message content is processed in memory on our servers and immediately discarded
- Only AI-generated summaries (e.g. "Follow up with Sarah on Q3 report by Friday") are stored
- Sender and recipient names may be referenced in summaries
- Original email content is never stored in our database, application logs, or error reports
Calendar metadata
Duly reads calendar event metadata — subject, start/end time, location, and attendee count — to provide context for daily briefings. Event bodies and attendee email addresses are never fetched or stored.
Information you provide directly
Anything you share with Duly through the chat interface (e.g. professional goals, team context, project notes) is stored as structured context files. You can view, edit, and delete these at any time.
Usage data
We collect basic, anonymised usage metrics (page views, feature usage) to improve the product. We do not track you across other websites.
2. How we use your data
We use your data exclusively to provide and improve the Duly service:
- Commitment extraction — Identifying tasks, deadlines, and follow-ups from your communications
- Daily briefings — Summarising your priorities based on calendar, tasks, and context
- Chat responses — Answering your questions about your commitments and schedule
- Style profiling — Learning your writing tone from sent emails to draft replies that sound like you
We do not use your data for:
- Training AI models
- Advertising or profiling
- Selling or sharing with third parties
- Any purpose beyond managing your commitments
3. AI processing
Duly uses Anthropic's Claude AI to analyse your emails, generate briefings, and respond to questions.
- Email content is sent to Anthropic's API over an encrypted connection, processed, and discarded
- Anthropic does not use API inputs or outputs to train models (per their commercial API terms)
- Duly does not use your inputs or outputs for any purpose beyond delivering the service to you
- Your data remains your own — you retain full ownership of all content processed through Duly
If you want complete control over the AI processing pipeline, you can provide your own Anthropic API key in Settings. All processing then flows through your own API account.
4. Data security
| Measure | Detail |
|---|---|
| Encryption in transit | All connections use TLS/HTTPS |
| Encryption at rest | OAuth tokens and API keys encrypted with AES-256-GCM |
| Authentication | Industry-standard OAuth 2.0 via Microsoft and Google |
| Database | Hosted in Asia-Pacific (Sydney) region |
| Access control | Role-based access; production credentials restricted to essential personnel |
| Rate limiting | API rate limiting to prevent abuse |
| Security headers | CSP, HSTS, X-Frame-Options, X-Content-Type-Options |
| Monitoring | Application-level error monitoring with sensitive data scrubbed from all logs |
5. Data sharing and third-party services
We share data with the following services, solely to provide the Duly service:
| Service | Purpose | Data shared |
|---|---|---|
| Anthropic (Claude) | AI processing | Email/message content (transient — processed and discarded) |
| Microsoft Graph API | Email, calendar, and Teams access | OAuth tokens (encrypted at rest) |
| Cloud database provider | Database hosting | Commitment summaries, context files, account data |
| Cloud hosting provider | Application hosting | Application code, request logs |
| Payment processor | Payment processing | Email address, subscription status |
| Email delivery service | Transactional email | Email address (for account notifications only) |
We do not sell, rent, or share your personal information with advertisers or data brokers under any circumstances.
6. Cross-border data transfers
Duly is operated from Australia. Your data may be transferred to and processed in:
- Australia — Database hosting (Sydney)
- United States — AI processing (Anthropic), email platform access (Microsoft Graph API), payment processing, application hosting
In accordance with Australian Privacy Principle 8, we take reasonable steps to ensure that overseas recipients handle your personal information consistently with the Australian Privacy Principles. All third-party providers listed above maintain robust data protection practices, relevant industry certifications, and contractual commitments to data security.
7. Data retention
- Commitment summaries and context files are retained for as long as your account is active, or until you delete them
- Email and message content is never retained beyond the few seconds required for AI processing
- Account data (name, email) is retained until you delete your account
- Payment records are retained as required by Australian tax law
When you use the "Clear All Data" feature in Settings, all stored data (commitments, context files, chat history, style profiles, connected accounts) is permanently and irreversibly deleted. Your account remains active but is reset to a fresh state.
8. Your rights
Under the Australian Privacy Principles and the Privacy Act 1988 (Cth), you have the right to:
Access (APP 12)
View all data Duly holds about you. Your commitments, context files, chat history, and briefings are all visible in the app. You can also request a copy of your data by contacting us.
Correction (APP 13)
Edit or delete context files, dismiss incorrect commitments, and update your account details at any time through the app.
Deletion
Clear all your data at any time via Settings → AI & Privacy → Clear All Data. This removes all commitments, chat history, context files, style profiles, and connected account tokens. Your account remains but is reset as if you had just signed up.
Disconnection
Revoke Duly's access to your Microsoft account at any time via Settings → Linked Accounts → Disconnect. This immediately invalidates the access token. You can also revoke access directly from your Microsoft account security settings.
Complaint
If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with us at privacy@getduly.ai. If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
9. Cookies and tracking
Duly uses only essential cookies required for authentication and session management. We do not use:
- Advertising cookies
- Third-party tracking pixels
- Cross-site tracking
- Browser fingerprinting
10. Children's privacy
Duly is designed for professional use and is not directed at children under 18. We do not knowingly collect personal information from children.
11. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email and/or an in-app notification. The "Last updated" date at the top reflects the most recent revision.
12. Contact
If you have questions about this privacy policy, how we handle your data, or wish to make a complaint, please contact:
Privacy Officer
Duly AI Pty Ltd
Email: privacy@getduly.ai
For complaints about privacy practices, you may also contact the Office of the Australian Information Commissioner:
Website: www.oaic.gov.au
Phone: 1300 363 992