Privacy Policy
Effective April 2, 2026
duly is a non-custodial payment protocol built on Solana. This policy explains what data we collect, how we use it, and your rights regarding your personal information.
Introduction
This policy describes how duly collects, uses, and protects your personal information when you use the platform.
Information We Collect
We collect information from the following sources:
GitHub OAuth
When you sign in with GitHub, we receive your GitHub user ID, username, display name, email address, and avatar URL. We also store the OAuth access token to sync your repositories and verify pull request delivery. The scopes we request are: read:user, user:email, and repo.
Information you provide
When you create an account or use duly, you may provide your email address, password (stored as a salted hash, never in plain text), Solana wallet address, display name, bio, skills, and team or organization details.
Automated collection
We use Google Tag Manager to collect anonymous usage analytics, including page views, button clicks, and feature interactions. We extract your IP address for rate limiting purposes. IP addresses are stored in rate limit buckets for up to 24 hours before automatic deletion. They are not used for tracking or profiling. We do not use device fingerprinting, browser tracking, behavioral heatmaps, or session replay tools.
Blockchain data
When you connect a Solana wallet and interact with duly, your public wallet address and transaction signatures are recorded. This data is inherently public on the Solana blockchain and is not considered private information. See Section 04 (Blockchain and Public Data) for details.
How We Use Your Information
We use the information we collect to:
- Authenticate your identity via GitHub OAuth and email verification
- Connect your Solana wallet to the protocol for escrow and settlement
- Verify pull request delivery and order status through GitHub
- Send transactional emails including account verification and contact form responses
- Calculate and enforce protocol fees on escrow releases
- Detect and prevent fraud, abuse, and unauthorized access
- Enforce rate limits to protect platform stability
- Improve the platform based on aggregated, anonymous usage patterns
- Comply with applicable laws and respond to lawful requests
We do not sell your personal information to third parties. We do not use your data for advertising or targeted marketing.
Blockchain and Public Data
duly operates on the Solana blockchain. You should understand the following about blockchain privacy:
Your wallet address and all transactions on Solana are publicly visible and permanently recorded. This is a fundamental property of the blockchain, not something we control. Anyone can view your wallet balance, transaction history, and interactions with the duly smart contract by looking up your wallet address on a block explorer.
duly is a non-custodial protocol. We never have access to your private keys, seed phrases, or the ability to move your funds. All transactions are signed by you and executed directly on the Solana blockchain. If you lose access to your wallet, we cannot recover your funds.
Do not use a wallet address you wish to keep private. We cannot delete, modify, or hide any data recorded on the blockchain.
Third-Party Services
duly shares data with the following third-party services to operate the platform:
- GitHub: Receives your OAuth credentials for authentication, repository access, and pull request verification. Subject to GitHub's privacy policy.
- Google Tag Manager: Receives anonymous analytics events (page views, feature usage). No personal identifiers are sent. Subject to Google's privacy policy.
- Resend: Receives your name and email address to deliver transactional emails (account verification, contact form responses). Subject to Resend's privacy policy.
- Supabase: Hosts our database infrastructure where user profiles, orders, and GitHub data are stored. Subject to Supabase's privacy policy.
- Solana RPC providers: Process blockchain transactions. Wallet addresses and transaction data are sent to RPC nodes for execution. This data is publicly available on the blockchain.
We do not share your personal information with any other third parties except when required by law.
Data Retention
We retain your data as follows:
- Account data (email, profile, wallet address): Retained until you delete your account.
- GitHub connection data (username, repos, access token): Retained until you disconnect GitHub or delete your account.
- Order and transaction data: Retained indefinitely for audit trail purposes. On-chain data cannot be deleted.
- Analytics data: Retained per Google Tag Manager's default retention policy (typically 14 months).
- Rate limiting data (IP address): Retained in rate limit buckets for up to 24 hours, then automatically deleted.
Data Security
We take reasonable measures to protect your data:
- All data in transit is encrypted via HTTPS/TLS
- Passwords are salted and hashed using scrypt (never stored in plain text)
- Authentication cookies use HttpOnly, Secure, and SameSite: Lax flags
- CSRF protection on all state-changing requests
- Replay protection with configurable TTL on relayer transactions
- Row-level security (RLS) enforced at the database level
- MFA support available for account security
No system is perfectly secure. We cannot guarantee absolute security, especially for data recorded on the public blockchain.
Your Rights
Depending on your location, you may have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate personal data.
- Deletion: Request deletion of your account and associated data. Note: on-chain data cannot be deleted.
- Opt-out of analytics: You can disable Google Tag Manager by using a browser ad blocker or the Google Analytics opt-out extension.
- Data portability: Request your data in a machine-readable format.
- GitHub disconnection: You can revoke duly's access to your GitHub account at any time through GitHub's settings.
To exercise any of these rights, contact us at hello@duly.finance.
Children's Privacy
duly is not intended for anyone under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will delete it.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date at the top of this page and may notify you through the platform.
Your continued use of duly after changes take effect constitutes acceptance of the updated policy.
Contact
If you have questions about this Privacy Policy or want to exercise your data rights, contact us at hello@duly.finance.