Privacy Policy

Version 2.0

Effective date: see “Last updated” in the document footer below.

Notice at Collection (California)

This box summarizes, at the point of collection, what personal information Sindro LLC collects through the DupeDJ website and desktop application. Full details are in the sections that follow.

  • Identifiers: name, email address, account ID, IP address, machine identifier.
  • Commercial information: subscription plan, billing history (Stripe customer ID).
  • Internet or network activity: request logs, license activations, file move counts.
  • Inferences: none used for profiling or advertising.

We do not sell or share your personal information for cross-context behavioral advertising. See §7 (Your Rights) and §8 (Your Privacy Choices) below.

We retain personal information only for as long as needed for the purposes in §3 below; see §9 for retention windows.

1. Introduction

DupeDJ is a product of Sindro LLC, a California limited liability company (“Sindro,” “we,” “our,” or “us”). We operate the DupeDJ desktop application and the website at dupedj.com (collectively, the “Service”). This Privacy Policy describes how we collect, use, store, and protect your personal information when you use the Service.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this policy, you should not use the Service.

2. Information We Collect

2.1 Account Information

When you register for a DupeDJ account, we collect:

  • Email address
  • Full name (if provided)
  • Password (for email/password accounts: salted and hashed using bcrypt with a work factor of 12; we never store plaintext passwords)
  • Account preferences and settings

2.2 Authentication via Third-Party Providers

You may sign in using Google or Discord. When you do, we receive the following information from that provider (via the Neon Auth social sign-in flow):

  • Google: your email address, display name, and (where shared) your profile picture URL.
  • Discord: your email address, username, and (where shared) your avatar URL.

We only receive information you authorize the third-party provider to share. We never receive your password for those services. Users who sign in via Google or Discord do not have a password stored with us at all.

2.3 Payment Information

All payment transactions are processed by Stripe, Inc. (“Stripe”), which is PCI DSS Level 1 certified. Sindro LLC does not directly store cardholder data. When you subscribe to a paid plan or purchase a lifetime license, Stripe collects your payment card details, billing address, and related financial information. We receive and retain only a Stripe customer ID, subscription status, plan type, and (for display purposes only) the last four digits of your card.

2.4 License and Device Information

When you activate DupeDJ on a device, we collect:

  • License key
  • Machine identifier (“machine_id”): an anonymous hardware-derived ID (such as the platform UUID combined with the device hostname) used to enforce per-device activation limits. The machine_id is not the same as any personal identifier you provided and is not used to track you across services.
  • Operating system type (Windows or macOS) and app version
  • Device name (as configured on your computer)
  • Device fingerprint (anti-abuse): we also retain a row keyed by the machine_id that records (a) the license keys ever activated on that device and (b) whether the free trial allowance has been consumed. This is used solely to prevent abuse of free trials and is not shared with anyone.

2.5 Usage Data

We collect limited usage metrics to operate the Service and enforce plan limits:

  • File move counts (the number of duplicate files moved through the application)
  • License activation and deactivation events (including timestamp and machine_id)
  • Subscription plan and billing cycle

2.6 Library Sync (Pro and Lifetime tiers only)

Pro and Lifetime users may enable the optional library sync feature, which uploads audio fingerprints (compact mathematical summaries derived from your files, used to detect duplicates across machines) to our servers. We store these fingerprints together with the corresponding metadata you ask us to sync (title, artist, album, file path on your device, quality information). We never upload the audio content itself, cover art, or any other file data. Library sync is opt-in: it is off by default and you can disable it at any time. Disabling it deletes your synced library entries within 30 days.

2.7 Website Analytics and Log Data

When you visit dupedj.com, our servers may automatically collect standard log information, including your IP address, browser type and version, pages visited, time and date of your visit, and referring URL. This data is used for security monitoring and to understand general traffic patterns.

2.8 Information We Do NOT Collect

DupeDJ is designed with privacy at its core. The desktop application performs all audio scanning, fingerprinting, and deduplication entirely on your local machine. We never:

  • Upload, transmit, or access the contents of your audio files or any other files on your computer
  • Collect audio waveforms, cover art, or any binary audio data on our servers
  • Track which specific files you scan, flag, move, or delete (file counts are recorded for metering, but not file identities, unless you opt into library sync)
  • Sell or rent your personal information to third parties
  • Use cross-context behavioral advertising or share data with advertising networks

3. How We Use Your Information

We use the information we collect for the following purposes (and corresponding GDPR legal bases for users in the European Economic Area, United Kingdom, and Switzerland):

  • Account management (contract): create and maintain your account, authenticate your identity, and provide access to the Service.
  • License management (contract): validate license activations, enforce device limits, and track move counts.
  • Payment processing (contract, legal obligation): process subscription payments, issue refunds, manage billing through Stripe.
  • Customer support (contract, legitimate interest): respond to your requests, troubleshoot, provide technical assistance.
  • Service communications (contract, legal obligation): send transactional emails such as purchase confirmations, license-activation notices, password resets, and critical product updates.
  • Anti-abuse and fraud prevention (legitimate interest, legal obligation): detect, investigate, and prevent unauthorized access, abuse of free trials, and fraudulent transactions. This is the basis for our device fingerprint (§2.4).
  • Product improvement (legitimate interest): analyze aggregate usage trends to improve reliability, performance, and features. We do not use individual-level analytics for this.
  • Legal compliance (legal obligation): comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

Sindro LLC does not engage in automated decision-making, including profiling, that produces legal effects for users. License-enforcement decisions (e.g., whether to allow a move) are rule-based and may be reviewed by Sindro support staff on request.

4. Data Storage and Security

4.1 Where We Store Your Data

Account information, license data, usage metrics, and (if you opt in) synced library fingerprints are stored in a managed Neon PostgreSQL database. The website and API are hosted on Vercel. Both providers operate in the United States.

4.2 Security Measures

We implement industry-standard security practices to protect your data, including:

  • Data in transit is encrypted using TLS (Transport Layer Security)
  • Passwords (for email/password accounts) are salted and hashed using bcrypt with a work factor of 12
  • Database connections are encrypted and access is restricted to authorized services only
  • Payment information is handled by Stripe, which is PCI DSS Level 1 certified
  • License-server requests use signed (Ed25519) tokens to authenticate licensed installations and resist replay

No method of electronic transmission or storage is completely secure. We cannot guarantee absolute security but are committed to addressing identified vulnerabilities promptly. To report a security issue, please email security@dupedj.com.

5. Third-Party Services (Subprocessors)

We rely on the following third-party service providers to operate the Service. Each provider processes data in accordance with its own privacy policy. A maintained list is also available at dupedj.com/subprocessors.

  • Stripe — payment processing and subscription billing (PCI DSS Level 1).
  • Neon — managed serverless PostgreSQL database hosting.
  • Vercel — website and API hosting.
  • Resend — transactional email delivery (password resets, license lookup, billing notifications).
  • Neon Auth — authentication, including Google and Discord social sign-in.
  • GitHub — release artifact hosting (used to distribute the DupeDJ desktop installers).

We do not sell, rent, or share your personal information with third parties for their own marketing purposes.

6. Cookies and Tracking Technologies

We use only strictly necessary cookies on dupedj.com (session, security, preference). We do not use third-party advertising or tracking cookies, cross-site tracking pixels, or behavioral profiling. The full Cookie Policy is at dupedj.com/cookies.

7. Your Rights

Depending on your location, you may have some or all of the following rights regarding your personal data:

  • Right to know / access: request a copy of the personal data we hold about you, in a portable JSON format.
  • Right to correct: request that we correct inaccurate or incomplete personal data.
  • Right to delete: request deletion of your personal data, subject to our legal obligations and legitimate business needs.
  • Right to data portability: request your data in a structured, commonly used, machine-readable format.
  • Right to limit use of sensitive personal information: we do not use any “sensitive personal information” (as defined under the CPRA) for purposes other than those for which it was collected.
  • Right to non-discrimination: we will not deny service, charge different prices, or provide a different level of service because you exercised any of these rights.
  • Right to lodge a complaint: users in the EEA, UK, and Switzerland may also lodge a complaint with their local data-protection authority.

To exercise these rights, email privacy@dupedj.com from the email address associated with your account, or use the in-app data-export tool. We will verify your identity (typically by sending a confirmation email to the address on file) and respond within forty-five (45) days, as required by the California Consumer Privacy Act. We may extend that period by up to forty-five (45) additional days when reasonably necessary, with notice to you.

8. Your Privacy Choices

Sindro LLC does not sell your personal information and does not share it for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act. Accordingly, there is no “Do Not Sell or Share My Personal Information” opt-out to provide — the answer is always “no.”

If you wish to opt out of any use of your personal information beyond what is necessary to operate your account and your subscription, or if you wish to limit how long we retain your data, please email privacy@dupedj.com.

California “Shine the Light” law (Cal. Civ. Code § 1798.83): California residents may request information about our disclosures (if any) of personal information to third parties for those parties' direct marketing purposes. We do not currently make any such disclosures. Direct questions to privacy@dupedj.com.

9. Data Retention

  • Active accounts: account data, license info, and usage metrics retained for as long as your account is active.
  • Account deletion: upon a deletion request, we delete or anonymize your personal data within thirty (30) days, except where retention is required by law or for fraud prevention.
  • Synced library entries (Pro/Lifetime): deleted within thirty (30) days after you disable library sync or request deletion.
  • Device fingerprint anti-abuse records: retained for up to two (2) years to prevent re-abuse of free trials on the same hardware.
  • Payment records: transaction records may be retained for up to seven (7) years as required by tax and financial regulations.
  • Server logs: automated log data retained for up to ninety (90) days, then deleted or anonymized.

10. International Data Transfers

Our Service is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States. For transfers of personal data out of the European Economic Area, United Kingdom, or Switzerland, we rely on the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum where applicable, and we maintain technical and organizational safeguards as required by applicable law.

Sindro LLC has not yet appointed an EU representative under Article 27 of the GDPR. Users in the EEA, UK, or Switzerland who wish to exercise data-subject rights may do so by emailing privacy@dupedj.com; we will respond in accordance with applicable law.

11. Children's Privacy

The Service is not directed to individuals under the age of thirteen (13). We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal data from a child under 13 without verifiable parental consent, we will delete that information promptly.

12. Changes to This Privacy Policy

When we make material changes we will update the version number and “Last updated” date below, and notify you by email or through a prominent notice on the website or within the desktop application.

13. Contact Us

Questions, concerns, or requests regarding this Privacy Policy or our data practices can be sent to:

Sindro LLC

853 9th Street

Santa Monica, CA 90403

United States

Privacy: privacy@dupedj.com

General support: support@dupedj.com

California consumer complaint notice (Cal. Civ. Code § 1789.3): California residents may contact the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs in writing at 1625 N. Market Blvd., Suite N-112, Sacramento, CA 95834, or by telephone at (800) 952-5210.

Last updated: see git history of this document on the website repository.