Privacy Policy - One Duck Theory

ONE DUCK THEORY

PRIVACY NOTICE

Last Modified on September 7, 2021

Please read this privacy notice carefully, as it contains important information on who we are, how and why we collect, store, use, and share personal information, your rights in relation to your personal information and on how to contact us and supervisory authorities if you have a complaint.

1. Who we are

One Duck Theory LLC (“One Duck Theory,” “We,” or “Us”) collects, uses, and is responsible for certain personal information about you, in providing you with the mobile software application, including the website located at oneducktheory.com (collectively, the “Service”).

For those in the European Union, we are regulated under the General Data Protection Regulation which applies across the European Union (including in the United Kingdom) and we are responsible as a controller of that personal information for the purposes of those laws.

2. The Personal Information we collect and use

Information collected by us: In providing the Service, we collect the following personal information either automatically or when you voluntarily provide it to us:

Type of data collected	Examples of the data collected	How we use the data	Our legal basis for collecting the data
Contact Information	Your name, email address, and any device specific information required to provide support	For customer and technical support, marketing and promotional emails, surveys, and for the operation of contests and sweepstakes	Based on your explicit consent, under GDPR Art. 6 (1) (a).
Technical Information	Your IP address, device information, and system configuration information	Operation of the Service, and for analytics and Service improvements	To fulfill a contract with you, under GDPR Art. 6 (1) (b).
Advertising Information	Unique device identifiers for advertising (Google Advertiser ID or IDFA, for example), device information, usage data, demographic information, location, cookie data, IP and/or MAC address	To personalize advertisements to your interests	Based on our legitimate interest, under GDPR Art. 6 (1) (f).
Analytic Information	Device and user information, including: Number of users and sessions Session duration Operating systems Device models Geography First launches App opens App updates In-app purchases In-app events	Analyzing user behavior and to operate and improve the service	Based on our legitimate interest, under GDPR Art. 6 (1) (f).

Information shared with us: In operating the Service, certain third parties may share personal information with us. These are:

Third party sharing the information with us	Examples of the data shared	How we use the data
Facebook or other social networks	If you connect your Facebook or other social network account to the Service, it may share your name, email address, and profile information with us	To provide you with the Service or to contact you for Service-related issues, such as customer service or marketing and promotional communications
Google and Apple	Analytic information and information about your purchases on the Service	To improve and operate the Service, to ensure that you are credited with any purchases you make through the Google Play Store and Apple App Store, and for customer service purposes

Who we share your Personal Information with: We share your personal information with certain third parties in operating the Service. This enables us to provide you with the Service in the optimal way.

Some of those third-party recipients may be based outside the European Economic Area — for further information, including how we safeguard your personal data when this occurs, see their individual privacy policies linked to above and the section entitled “Transfer of your Information out of the EEA,” below.

We share your Personal Information with the following third parties:

Reason for sharing	What information is being shared?	Who is it being shared with?	The third party’s privacy policy
Service operation and traffic optimization; Backups	Technical Information, Contact Information	Cloudflare and Amazon Web Services	Cloudflare: https://www.cloudflare.com/privacypolicy/ Amazon: https://aws.amazon.com/compliance/data-privacy-faq/
Newsletters and other marketing communications	Contact Information	Mailchimp	https://mailchimp.com/legal/privacy/
Surveys	Contact Information	TapResearch Note: Any information you enter into a questionnaire or survey hosted by TapResearch on the Service is provided to TapResearch directly and is subject to their privacy policy.	https://www.tapresearch.com/legal/privacy-policy-en
Advertisements	Advertising Information	Advertising Partners	A list of our advertising partners and their privacy policies is available at: https://oneducktheory.com/privacy/partners
Fraud Prevention	Technical Information	Google’s Recaptcha	https://policies.google.com/privacy?hl=en-GB
Analytics	Analytic Information	Google Analytics	https://policies.google.com/privacy?hl=en-GB

In addition to the above, we will also share your personal information if we have a good faith belief that (i) access, use, preservation or disclosure of such information is reasonably necessary to satisfy any applicable law, regulation, legal process, such as a court order or subpoena, or a request by law enforcement or governmental authorities, (ii) the action is necessary to detect, prevent, or otherwise address fraud, security or technical issues associated with the Service, or (iii) the action is appropriate to protect One Duck Theory’s or its employees’, clients’, or users’ rights, property, or safety.

We will not share your personal information with any other third party.

How long your Personal Information will be kept: We will keep your Personal Information for the length of time required to provide you with the Service, unless a longer retention period is required or permitted by law. Afterwards, we delete all aforementioned data in our possession within a reasonable timeframe. We do not verify the correctness of personal data that we collect or you provide.

Please note that some data may be retained, if necessary to resolve disputes, enforce our user agreements, and comply with technical and legal requirements and constraints related to the security, integrity, and operation of the Service.

Children’s Privacy: We do not knowingly collect any personal information from children under the age of 13, nor do we allow them to create accounts, sign up for newsletters, make purchases, or use the Service. In addition, we may limit how we collect, use, and store some of the information of EU users between 13 and 16.

“Do Not Track” Signals: Because there’s not yet a consensus on how companies should respond to web browser-based or other “do not track” mechanisms yet, we do not respond to web browser-based do not track signals.

Cookies: Any use of Cookies or similar tracking tools by the Service, or by third-party services used by the Service, is for the purpose of providing the Service as required by you, in addition to any other purposes described in this privacy notice and in our Cookie Policy, if any.

Mobile Advertising Opt-Out: If you would like more information about online advertising and your choices about not having personal information used to personalize ads for you, please see the following links:

If you have an Android device, see Google’s instructions here: https://support.google.com/ads/answer/2662856?co=GENIE.Platform%3DAndroid&hl=en
If you have an iOS device, see Apples’ instructions here: https://support.apple.com/guide/iphone/control-app-tracking-permissions-on-iphone-iph4f4cbd242/14.0/ios/14.0
For general information on opting out of network-based advertising, see the following link: http://www.networkadvertising.org/managing/opt_out.asp

3. Transfer of your Information out of the EEA

One Duck Theory is based in the United States. No matter where you are located, you consent to the processing, transfer and storage of your information in and to the United States, in accordance with the privacy policies of third parties with whom we share your personal information. The laws of these countries governing data collection and use may not be as comprehensive or protective as the laws of the country where you live.

If you would like further information, please contact us (see “How to contact us” below).

4. EU Residents – Your Rights

Under the laws of the General Data Protection Regulation in the EEA, you have a number of important rights with regard to your personal data.

By law, you can ask us what information we hold about you, and you can ask us to correct it if it is inaccurate. If we have asked for your consent to process your personal data, you may withdraw that consent at any time.
If we are processing your personal data for reasons of consent or to fulfill a contract, you can ask us to give you a copy of the information in a machine-readable format so that you can transfer it to another provider.
If we are processing your personal data for reasons of consent or legitimate interest, you can request that your data be erased.
You have the right to ask us to stop using your information for a period of time, if you believe we are not doing so lawfully.
Finally, in some circumstances, you can ask us not to reach decisions affecting you using automated processing or profiling.

If you would like to exercise any of those rights, please email us at [email protected]. We may ask for additional verification information, such as your username and other information required to be sure that you are the owner of that data.

5. California Residents – Your Rights

If you are a California resident, beginning on January 1, 2020, the California Consumer Privacy Act (CCPA) gives you the following rights:

Right to Know: You can ask us what personal data we hold about you and request a copy of the information. This information includes:

The categories of personal information we have collected about you.
The categories of sources from which we collect the personal information.
The business or commercial purpose for collecting your personal information.
The categories of third parties with whom we share that information.
The specific pieces of personal information we have collected about you.

Right to Delete: You can request that your personal information be erased. However, there are some exceptions to this right, in situations where we:

Need to complete the transaction for which the personal information was collected, provide a good or service that you requested, or that is reasonably anticipated within our ongoing business relationship with the consumer, or to otherwise perform a contract between us.
Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
Debug to identify and repair errors that impair existing intended functionality.
Exercise free speech, ensure the right of another consumer to exercise their right of free speech, or exercise another right provided for by law.
Need to comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with us.
Need to comply with a legal obligation.
Otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which you provided the information.

Right to Opt Out: One Duck Theory does not sell any of your personal information for any purposes.

Other Rights: In addition to the rights above, you also have the right to request certain information about our disclosure of personal information to third parties for their own direct marketing purposes during the calendar year preceding your request. This request is free and may be made only once a year.

You also have the right not to be discriminated against for exercising any of the rights of California residents listed in this section.

If you would like to exercise any of the rights listed above, please contact us at the addresses below in the section entitled “How to contact us.”

6. Brazil Residents

If you are a resident of Brazil, you have several important rights free of charge under the Lei Geral de Proteção de Dados (“LGPD”). These rights apply to any data collected or processed in Brazil, as well as any data processed for the purpose of providing goods or services in Brazil.

These rights include the right to:

Know when we use your information
Access your personal information
Correct any errors with your personal information
Anonymize, block, or delete data that we do not need or are not processing in compliance with the LGPD
Request we transfer your data to another provider
Delete personal data
Be informed about who we share your data with
Be informed about your ability to deny consent and any consequences of such a denial
To revoke your consent

7. Keeping your Personal Information secure

One Duck Theory LLC takes privacy and security very seriously. We do not want to just pay lip service to customers for such important topics, so we have a wide variety of security controls in place and are always looking to improve our security posture.

All connections to the Service must use a modern encryption algorithm/cipher. Auto negotiation is performed to ensure compliance.
The One Duck Theory email server automatically tries to negotiate the highest encryption algorithm available from any other mail server for sending/receiving emails.
Our network is highly segmented and isolated, with every VLAN only allowing the minimum necessary ports/traffic for inter-VLAN traffic as well as traffic from the WAN.
Additionally, our network is protected by IDS/IPS, Geo-IP blocking, reputation based blocking, and various other perimeter defenses.
Our infrastructure was built from the ground up with the principle to limit access to personal information as much as possible at every step.
Company data on the company’s servers is encrypted at rest and in motion. The servers themselves use encrypted storage.
Frequent encrypted backup images are taken and stored both locally and in a secure off-site data center.
Multi-factor authentication (MFA) is utilized wherever possible, including for password management used by any of our employees as well as for management of the off-site data center.
All company systems are regularly patched/updated, and anti-spam and anti-virus systems are in place where applicable.
IP access controls, permissions, brute-force lockouts, and other mechanisms help prevent anyone besides company personnel from administering company systems.
Also, since there’s no such thing as perfect security, various custom monitors also watch for suspicious activity on company systems at several layers with daily reports.
Finally, 3rd party vendors and partners are also vetted through research to help ensure they also follow general cybersecurity best practices.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

8. Resolving Disputes

We hope that we can resolve any questions or concern you raise about our use of your Personal Information. Please contact us via the methods listed below in the section entitled “How to contact us” to let us know about any of your questions or concerns, and we will get back to you to resolve the issue.

If you are an EU citizen, the General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live, or where any alleged infringement of data protection laws occurred.

9. Changes to this Privacy Notice

This privacy notice was last updated on September 7, 2021.

We may update this privacy policy from time to time. When we do, we will inform you via email to the email address you have provided us, or by posting a message about the change on the Service.

10. How to contact us

Please contact us if you have any questions about this privacy policy or the information we hold about you.

If you wish to contact us, you can do so by email to [email protected], or by physical mail to the address below.

One Duck Theory LLC
6 Liberty Sq #94945
Boston, MA 02109