Skip to main content
DunaAI

Privacy Policy

This Privacy Policy describes how DUNA AI LIMITED handles personal data across its website, applications, APIs and related services.

Last updated: 2026-05-21

1. Introduction

DUNA AI LIMITED (“DUNA AI”, “DunaAI”, “we”, “us”) is committed to protecting personal data and operating in line with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018. This policy explains what data we may collect, why we collect it, how it is used, and the rights available to individuals.

This policy applies to our public website, software applications (including any iOS or Android applications we may publish), APIs, and other services we provide. It will evolve as our products evolve; material changes will be reflected here.

2. Who we are

DUNA AI LIMITED is a company established in Ireland, providing software engineering, data engineering and applied AI services and products. Where this policy refers to a “data controller”, DUNA AI LIMITED acts as the data controller for personal data it collects directly through its own website, apps and accounts. Where we process personal data on behalf of a customer under a services agreement, we act as a data processor for that customer.

Contact for privacy matters: privacy@dunaai.dev. General contact: contact@dunaai.dev.

3. Scope

This policy covers personal data processed in connection with:

  • visits to our public website at dunaai.dev;
  • DunaAI applications, including any mobile applications we may distribute via Apple App Store or Google Play;
  • APIs and backend services we operate;
  • AI-enabled features that may process content you provide to the service;
  • communications with us by email, contact form, scheduling tools or similar channels.

Where a specific product offers an additional, product-specific privacy notice, that notice supplements this policy.

4. Data we may collect

The categories of personal data we may process depend on the service you use. Not every category applies to every user.

4.1 Account and contact data

  • name, email address, organisation, role and similar identifiers you provide when creating an account or contacting us;
  • authentication data such as hashed passwords or identifiers from supported sign-in providers, where applicable.

4.2 Application usage data

  • actions performed in the app, feature usage, configuration choices and preferences;
  • diagnostic data such as crash reports, performance metrics and error logs.

4.3 User-generated content

  • files, text, prompts, messages or other content you submit to a DunaAI service, including content processed by AI-enabled features.

4.4 Device and log data

  • device type, operating system, app version, language and approximate location derived from IP address;
  • IP address, request timestamps and similar technical metadata captured in server and security logs.

4.5 Analytics data

  • where analytics tools are used, aggregated and pseudonymised usage metrics; this is described in our Cookie Policy.

4.6 Payment and subscription data

  • where paid services or subscriptions are offered, billing details are handled by our payment processor; we do not store full card data on our servers.

5. How we use data

We may use personal data to:

  • provide, operate, secure and improve our services;
  • create and manage accounts, including authentication and access control;
  • respond to enquiries, support requests and contractual communications;
  • deliver AI-enabled features that you have chosen to use, including generating responses or analysing the content you submit;
  • maintain reliability, prevent abuse, detect fraud and protect the integrity of our systems;
  • comply with legal, regulatory and accounting obligations applicable in Ireland and the EU.

6. AI processing disclosure

Some DunaAI features are AI-enabled. When you use such a feature, the content you submit (for example a prompt, message, file or other input) may be processed by AI models in order to produce a response or perform the requested task.

Depending on the feature and configuration, AI processing may take place using:

  • our own infrastructure and models that we operate; and/or
  • third-party AI providers acting as subprocessors under contractual data protection terms.

We aim to minimise the personal data sent to AI providers, apply contractual and technical safeguards where reasonably practicable, and avoid sending sensitive data to AI features that are not designed to process it. AI outputs may be inaccurate, incomplete or unsuitable for a particular purpose; users should review AI outputs before relying on them, especially for decisions with legal, financial, medical or safety implications.

We do not sell personal data and we do not use customer-submitted content to train third-party foundation models, except where a provider’s standard terms apply and we have communicated this to you in the relevant product documentation. Where applicable, we will update this policy as our AI providers and configurations evolve.

7. Legal bases under GDPR

Where GDPR applies, we rely on one or more of the following legal bases:

  • Contract — to deliver a service you have requested or to take steps before entering into a contract;
  • Legitimate interests — to operate, secure and improve our services, prevent abuse, and run our business in a reasonable manner that does not override your rights;
  • Consent — for optional features such as non-essential analytics, marketing communications or optional integrations, where required;
  • Legal obligation — to comply with applicable law, including tax, accounting and lawful requests from authorities.

8. Third-party processors and subprocessors

We rely on a limited set of trusted third parties to operate our services. These may include cloud infrastructure providers, email delivery, contact-form processing, calendar scheduling, error and performance monitoring, analytics, and AI model providers. These providers process personal data only on our instructions and under data protection terms.

A current list of key subprocessors can be requested at any time by emailing privacy@dunaai.dev.

9. International transfers

Some of our service providers are located outside the European Economic Area. Where personal data is transferred outside the EEA, we rely on appropriate safeguards such as European Commission adequacy decisions, Standard Contractual Clauses, or equivalent legal mechanisms, supplemented by technical and organisational measures where appropriate.

10. Data retention

We retain personal data only for as long as necessary for the purposes for which it was collected, including to satisfy legal, accounting or reporting requirements. Retention periods depend on the data category and the service. Account-related data is generally retained while the account is active and for a limited period afterwards. Security logs and billing records may be retained for longer periods where required by law.

You can request deletion of personal data we hold about you; see our Data deletion page. When DunaAI introduces user accounts or applications, account-deletion instructions will be added to the same page.

11. Your rights under GDPR

Subject to applicable law, you have the right to:

  • access personal data we hold about you;
  • request correction of inaccurate or incomplete data;
  • request deletion of personal data in defined circumstances (the “right to be forgotten”);
  • restrict or object to certain processing, including processing based on legitimate interests;
  • request a copy of your personal data in a structured, commonly used, machine-readable format (data portability);
  • withdraw consent where processing is based on consent, without affecting the lawfulness of processing carried out before the withdrawal;
  • lodge a complaint with the Irish Data Protection Commission (dataprotection.ie) or your local supervisory authority.

12. How to exercise your rights

To exercise any of these rights, email privacy@dunaai.dev from the email address you used to contact us, or use our Data deletion page. We may require additional information to verify your identity before actioning the request. We aim to respond within the timeframes required by law.

13. Children’s privacy

Our services are not directed to children under the age of 16, and we do not knowingly collect personal data from children under that age. If you believe a child has provided us with personal data, please contact us so that we can take appropriate action.

14. Security

We apply technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Examples include encryption in transit, access controls, segregation of environments, logging and least-privilege access. No internet service can be guaranteed to be perfectly secure, and we encourage users to use strong, unique passwords and to keep their devices up to date.

15. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our services, technology, legal requirements or business practices. The “Last updated” date at the top of this page indicates when it was last revised. Where changes are significant, we will provide more prominent notice.

16. Contact

Privacy enquiries: privacy@dunaai.dev
General contact: contact@dunaai.dev
Support: /support

DUNA AI LIMITED, Ireland.