Privacy Policy

Introduction

DuoSync LLC ("we," "our," or "us") operates Re:Bond, an AI-assisted app designed to help couples reflect, communicate, and build stronger emotional connections. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and related services.

We take your privacy seriously. Your relationship reflections and personal data deserve the same protection as your most sensitive information.

Certain mood and emotional reflection data may be treated as consumer health data under some state laws; see our Consumer Health Data Privacy Policy for details.

DuoSync LLC is the data controller responsible for your personal data under applicable data protection laws.

Information We Collect

Account Information

When you create an account, we collect:

• Email address (via Apple or Google Sign-In)
• Display name (optional)
• Profile photo (optional)

Relationship Data

To provide our core services, we collect:

• Daily check-ins: Your mood ratings and written reflections
• Bond answers: Your responses to relationship questions
• Nook notes: Notes, reminders, and lists you create
• Partner connection: Information linking you to your partner's account

Usage Data

We automatically collect:

• Device type and operating system
• App version
• Feature usage patterns (aggregated and/or de-identified where feasible)
• Crash reports and error logs

What We Don't Collect

We do not collect:

• Location data
• Contacts or address book
• Photos or media (unless you explicitly add them)
• Data from other apps on your device

How We Use Your Information

We use your information to:

• Provide our services: Generate weekly insights, facilitate Bond questions, and sync Nook notes
• Improve our services: Analyze aggregated usage trends to improve the quality of our insights (your personal data is never used to train AI models)
• Send notifications: Remind you about check-ins, notify you of partner activity, and deliver weekly insights
• Provide support: Respond to your questions and troubleshoot issues
• Ensure security: Detect and prevent fraud, abuse, and security incidents

We never use your personal relationship data for advertising or sell it to third parties.

Data Sharing

With Your Partner

By pairing with your partner, you choose to share certain data as part of the app's core functionality. You can end this sharing at any time by unpairing your account.

• Shared: Weekly insights (generated from both partners' check-ins), Bond answers (after both respond), shared Nook notes
• Never shared: Your individual check-in content, private Nook notes, how often you check in

Weekly insights summarize themes from both partners' check-ins and may allow your partner to infer aspects of your reflections, even though your raw entries are never shared.

If you unpair your account, future data sharing stops immediately. Each partner retains access to the shared insights and shared notes that already exist in their own account. After unpairing, shared content is no longer accessible through the App by the other partner's account (i.e., it is removed from the shared view). Note: We cannot control content a partner may have already viewed, saved, or recorded outside the App before unpairing. You may request deletion of shared data by contacting us at support@duosync.net.

With Third Parties

We may share data with:

• Cloud providers: Microsoft Azure hosts our infrastructure (data encrypted at rest)
• Authentication: Apple and Google for sign-in via Supabase (our authentication provider). Supabase and the sign-in providers receive only authentication data necessary to verify your identity.
• AI services: We use third-party AI language model services to generate insights. When sending check-in data to AI providers for processing, we do not include direct identifiers such as your name or email. We use a pseudonymous internal couple identifier so results can be returned to the correct paired accounts. Your data is processed under our data processing agreements with these providers and is not used to train AI models. These providers are prohibited by contract from using your data for their own purposes (including training their models) or attempting to identify you. Contact us at support@duosync.net for a current list of our AI service providers.
• Push notifications: Firebase Cloud Messaging delivers notifications to your device (Google receives device tokens, not personal content)
• Infrastructure monitoring: We use Azure Application Insights for backend performance monitoring (tracks request metrics and errors and is configured to avoid collecting personal relationship content)
• Legal requirements: When required by law or to protect our legal rights

We do not sell, rent, or trade your personal information to third parties for marketing purposes. We do not use advertising networks or behavioral tracking services. We may use privacy-respecting analytics tools to understand how users interact with the App; if we do, we will update this section accordingly.

AI & Automated Processing

We use AI to generate personalized insights and feedback from your check-ins. Here is how it works:

• Your check-in data is processed by AI to generate weekly insights and micro-actions
• AI-generated content is suggestions only — no automated decisions with legal or significant effects are made about you
• You can stop AI processing at any time by not submitting check-ins — AI only processes data you actively provide
• Your data is not used to train AI models
• You may request human review of any AI-generated insight by contacting us at support@duosync.net

Consumer Health Data

Certain data you provide through Re:Bond — such as mood ratings and emotional reflections — may be classified as "consumer health data" under laws like Washington's My Health My Data Act and similar state laws. We take special care with this data.

For a detailed description of the consumer health data we collect, how we use it, who we share it with, and how to exercise your rights, please see our Consumer Health Data Privacy Policy.

Data Security

We implement industry-standard security measures:

• Encryption in transit: All data transmitted using TLS 1.2 or higher
• Encryption at rest: All stored data encrypted at the infrastructure level using AES-256 (provided by Microsoft Azure)
• Access controls: Role-based access controls limit data access to authorized personnel
• Secure infrastructure: Hosted on Microsoft Azure with enterprise-grade security protections

While we strive to protect your data, no method of transmission or storage is 100% secure. We encourage you to use strong, unique passwords and keep your device secure.

Data Breach Notification

In the event of a data breach affecting your personal information, we will:

• Notify affected users without unreasonable delay, and within the timeframe required by applicable law, via email and/or in-app notification
• Notify relevant regulatory authorities as required by applicable law, including within 72 hours where required by GDPR
• Provide details about the nature of the breach, what information was affected, steps we are taking to address it, and steps you can take to protect yourself
• Post notice on our website if the breach affects a large number of users

Cookies & Tracking Technologies

Re:Bond does not use cookies or tracking pixels for advertising or cross-context behavioral tracking. We use limited diagnostics and telemetry (such as Azure Application Insights) to maintain reliability and security.

We use Google Fonts for display purposes. Google may receive standard web request data (such as your IP address) when serving these fonts. We do not use Google Fonts for advertising or cross-context tracking.

If we introduce analytics or tracking technologies in the future, they will be configured to minimize data collection, will not be used for advertising, and we will update this section and notify users before any changes take effect.

Your Rights

You have the right to:

• Access: Request a copy of your personal data (we will respond within the timeframe required by applicable law, typically within 30 days)
• Correction: Update or correct your account information
• Deletion: Request permanent deletion of your account and all associated data. Shared content (such as shared insights and shared notes) that already exists in your partner's account will remain accessible to them unless they also request deletion.
• Withdraw consent: Opt out of optional data processing at any time

To exercise these rights, email us at support@duosync.net or submit a request through our contact form.

California Privacy Rights (CCPA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

Categories of Personal Information Collected

When you use Re:Bond, we collect the following categories of personal information:

• Identifiers: Email address, display name, account ID
• Personal information under California Civil Code Section 1798.80: Name
• Internet or network activity: App usage data, device information
• Inferences: Preferences and characteristics derived from your check-ins (used only to provide insights)

Your California Rights

As a California resident, you have the right to:

• Right to Know: Request disclosure of the personal information we have collected about you
• Right to Delete: Request deletion of your personal information
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out of Sale/Sharing: Opt out of the sale or sharing of your personal information
• Right to Non-Discrimination: Not receive discriminatory treatment for exercising your rights
• Right to Limit Use of Sensitive Personal Information: Request that we limit our use of sensitive personal information (including inferences derived from your check-in data) to what is necessary to provide our services

We Do Not Sell Your Personal Information

DuoSync LLC does not sell your personal information and does not share it for cross-context behavioral advertising.

Disclosures for Business Purposes

In the preceding 12 months, we disclosed the following categories of personal information for business purposes to service providers and contractors that help us operate the App (such as cloud hosting, authentication, AI processing, notifications, and reliability monitoring): Identifiers, internet or network activity information, and inferences used to provide insights.

Authorized Agents

You may designate an authorized agent to submit a request on your behalf. We may require verification of the agent's authorization before processing the request.

How to Submit a Request

To exercise your California privacy rights, email us at support@duosync.net with the subject line "California Privacy Request," or submit a request through our contact form.

We will verify your identity before processing your request and respond within 45 days. If we need additional time, we will notify you of the extension.

DuoSync LLC operates exclusively online and has a direct relationship with users; California residents may submit requests via email and our contact form.

Additional U.S. State Privacy Rights

Several U.S. states provide residents with specific privacy rights under their respective laws. The table below summarizes rights available in select states as examples. If your state is not listed, you may still have similar rights — we will honor applicable rights based on your state of residence.

Note: We do not currently engage in targeted advertising, sale of personal data, or automated profiling. These opt-out rights are provided for completeness.

How to Submit a Request

To exercise your rights, email us at support@duosync.net with your state of residence and the rights you wish to exercise, or submit a request through our contact form.

Appeals

If your request is denied, residents of Colorado, Connecticut, and Virginia may appeal by contacting support@duosync.net. We will respond to appeals within 45 days, with a final response within 60 days if additional time is needed.

If you reside in a state with a comprehensive privacy law not listed above (such as Texas, Oregon, Montana, Delaware, Iowa, Tennessee, or Indiana), you may exercise your applicable rights by contacting us at support@duosync.net.

Global Privacy Control (GPC)

We honor Global Privacy Control (GPC) signals on our website and any browser-based interfaces. If your browser transmits a GPC signal, we will treat this as a valid opt-out request for the sale or sharing of your personal information.

You can enable GPC in supported browsers or through browser extensions. When we detect a GPC signal on our website, we automatically apply your privacy preferences without requiring additional action from you.

European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR).

Legal Basis for Processing

We process your personal data based on the following legal grounds:

Note: We recognize that mood and emotional data may constitute or reveal information about your health. For users in the EEA, UK, or Switzerland, we process this data based on your explicit consent, which you provide when submitting check-ins through the App.

Your GDPR Rights

In addition to the rights listed above, you have the right to:

• Restrict Processing: Request that we limit how we use your data
• Object to Processing: Object to processing based on legitimate interests
• Data Portability: Request a copy of your personal data. Contact us at support@duosync.net to submit a portability request and we will respond within 30 days.
• Withdraw Consent: Withdraw consent at any time where we rely on consent for processing
• Lodge a Complaint: File a complaint with your local data protection authority

Data Protection Authority

If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at https://edpb.europa.eu.

Contact for GDPR Inquiries

For GDPR-related inquiries, please contact us at support@duosync.net.

Data Retention

We retain your data for as long as your account is active or as needed to provide our services. Specific retention periods by data category:

• Account information (email, name): Retained while your account is active; deleted within 30 days of account deletion
• Check-in data and mood ratings: Retained while your account is active; deleted within 30 days of account deletion
• AI-generated insights: Retained while your account is active; deleted within 30 days of account deletion
• Bond answers: Retained while your account is active; deleted within 30 days of account deletion
• Nook notes: Retained while your account is active; deleted within 30 days of account deletion
• Device tokens and push notification data: Retained while your account is active; deleted within 30 days of account deletion
• Error logs and performance metrics: Retained for up to 90 days for debugging and reliability purposes
• Backups: Backup copies are purged within 90 days of a deletion request
• De-identified and aggregated data: Aggregated and/or de-identified data may be retained indefinitely for service improvement. We apply technical and organizational measures designed to reduce the risk of re-identification, and we do not attempt to re-identify de-identified data except as permitted by law.
• Legal holds: Data may be retained longer if required by law or legal proceedings

Children's Privacy

Re:Bond is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately at support@duosync.net.

International Data Transfers

Your data is processed in the United States, where our servers are located. For users in the European Economic Area, United Kingdom, or Switzerland, we protect international data transfers using Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical and organizational safeguards. You may request a copy of these safeguards by contacting us at support@duosync.net.

Third-Party Links

Our app or website may contain links to third-party websites or services. We are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party sites you visit.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

• Posting the new policy on this page with an updated "Last updated" date
• Sending you an in-app notification or email for material changes

We encourage you to review this policy periodically.

Policy Version History

• March 4, 2026 (v4): Added pseudonymous identifier detail for AI processing, clarified unpairing data access, corrected cookies/analytics and Google Fonts statements, added CHD callout in introduction, added California online-only statement, softened anonymization language, adjusted access rights timing, fixed ambiguous unpairing language, softened Application Insights claim, aligned CPRA sale/share terminology, harmonized de-identified/anonymized language, added CA business-purpose disclosures, strengthened AI vendor contractual restrictions, added unpairing realism disclaimer
• March 4, 2026 (v3): Added Consumer Health Data Privacy Policy, clarified partner data sharing and unpair behavior, expanded retention details per data category, broadened state privacy coverage, narrowed GPC scope to browser contexts, updated breach notification timing
• March 4, 2026 (v2): Updated to reflect current features, added AI processing section, expanded state-specific rights, added breach notification procedures
• January 22, 2025: Initial privacy policy

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

DuoSync LLC
support@duosync.net