DuyraCraft Privacy Policy

Effective date: May 13, 2026
Last updated: May 13, 2026
Version: 2026-05-13
Contact: [email protected]

1. Scope

This Privacy Policy applies to the DuyraCraft mobile app, DuyraCraft backend API services, and related pages hosted on duyracraft.com. It explains what information is collected, how it is used, when it is shared, how long it is kept, and what choices you have.

The app interface and content may support English, French, Italian, Spanish, and German. Your selected language or locale may be sent to the backend so we can show the correct app content, legal links, tutorials, AI behavior, and messages.

2. Who Is Responsible For Your Data

DuyraCraft is operated by the DuyraCraft team. For privacy questions, deletion requests, or data rights requests, contact us at [email protected].

3. Information We Collect

3.1 Account and sign-in data

If you create an account, sign in, or use account-based features, we may process:

• Email address.
• Display name, if you provide one.
• Preferred language/locale.
• Authentication provider, such as email sign-in or Google Sign-In.
• Password hash for email sign-in. We do not store your raw password.
• Backend session token information. The backend stores token hashes, not raw tokens. The app stores the active token in secure device storage when available.
• For Google Sign-In, Google account verification data such as ID token verification result, verified email, and Google provider user id. Raw Google ID tokens are used for verification and are not stored as an account password.

3.2 Legal consent records

When you accept the Privacy Policy or Terms of Use, we may store:

• Accepted privacy and terms versions.
• Effective dates and legal document URLs shown at the time of consent.
• Locale/language, source of consent, and timestamp.
• Hashed IP address and hashed app-specific device identifier for compliance and abuse-prevention evidence.

3.3 App-specific device identifier

The app creates a random app-specific device identifier, sometimes called a device hash. This is stored in app preferences. It is not your hardware serial number and it is not intended to identify you outside DuyraCraft. We use it for guest limits, rewarded ad grants, AI request limits, aggregate metrics, crash diagnostics, and abuse prevention. In some flows, such as crash logs, legal consent, and AI feedback, the backend stores only a hashed form of this identifier.

3.4 Local app data stored on your device

DuyraCraft stores data locally so the app works smoothly and remembers your work. This may include:

• Favorites, pattern progress, completed rows, manual part state, and project state.
• Row counter data and row counter settings.
• Private pattern notes and private PDF notes.
• PDF reader/editor settings, annotation settings, color/tool choices, and keep-awake preferences.
• Imported PDFs, generated PDFs, DuyraCraft PDF downloads, local PDF metadata, and PDF annotations.
• Images selected for Image to PDF, while they are being processed locally.
• Local AI conversation cache/history and app content caches.
• Login state, preferred language, theme, premium status cache, and similar settings.

Local data remains on your device until you delete it in the app, clear app data, or uninstall the app. Clearing your account on the backend does not automatically erase all local files already stored on your device.

3.5 Public content requests

When the app loads patterns, pattern details, abbreviations, tutorials, hero cards, legal links, images, or downloadable DuyraCraft PDFs, the backend may receive request details such as locale, pattern id, PDF asset id, filter, pagination values, and standard technical request data.

3.6 Project progress and PDF metadata sync

If you are signed in, DuyraCraft may sync limited project information to your account:

• Pattern project start/progress state.
• PDF project metadata such as local PDF id, title, source type, file size, page count if available, storage/deleted status, and timestamps.

Normal PDF library, PDF reader, annotations, and Image to PDF flows do not upload your PDF or image file contents to the backend. The sync described above is metadata-only unless a separate online feature clearly says it uploads or processes file content.

3.7 Pattern PDF download history and limits

If you access DuyraCraft Pattern PDFs, we may process pattern id, PDF asset id, locale, source, user tier, user id if signed in, app-specific device identifier for guest users, timestamps, and quota/re-download information. This lets us enforce free/member/premium limits, allow re-downloads, and show PDF history.

3.8 AI assistant and Pattern Ask AI

If you use AI features, we process the information needed to answer your request and enforce limits. This may include:

• Your AI message text.
• Selected pattern, part, or step identifiers for Pattern Ask AI.
• Locale/language.
• User id when signed in, or guest/device limit information when not signed in.
• Optional recent conversation history sent by the app for context.
• AI answer, model name, token usage, feature key, cache/error state, timestamps, and similar usage metadata.
• Signed-in general AI conversation/message history where the history feature is used.

AI requests are sent through the DuyraCraft backend and may be processed by third-party AI providers such as OpenAI. Do not submit sensitive personal information, passwords, payment details, health information, or information you do not want processed by an AI service.

3.9 AI feedback and reports

If you like, dislike, or report an AI answer, we may store feedback type, locale, timestamp, hashed device identifier, limited prompt context, limited assistant answer context, and optional report text. This helps us investigate quality and safety issues.

3.10 Metrics and analytics

DuyraCraft uses best-effort internal metrics and Firebase Analytics. Internal metrics may include event key, locale, subject type/id, user tier, device identifier, and timestamp. These metrics are intended to be aggregate counters and should not include raw user messages, PDF text, private notes, file contents, or passwords.

Firebase Analytics may collect app usage and technical information according to Google's Firebase terms and privacy practices, such as device/app information, app interactions, and event data.

3.11 Crash diagnostics

If the app reports a crash or error, we may process platform, app version, build number, locale, screen/route, error type, shortened error message, shortened stack preview, fatal/source flags, optional user id when an auth token is valid, hashed device identifier, hashed IP address, and timestamp. The app and backend attempt to redact emails, tokens, API keys, file paths, PDF file names, and similar sensitive values before storing crash diagnostics.

3.12 Ads, ad consent, and rewarded ads

DuyraCraft may use Google Mobile Ads and Google's User Messaging Platform to request consent where required, show ads, and provide ad privacy choices. Google may process advertising identifiers, device information, approximate location derived from IP address, consent state, and ad interaction information according to Google's policies.

If you watch a rewarded ad, the backend may store reward feature key, app-specific device identifier or user id, ad network, ad unit key, reward amount, consumed count, reward day, expiry, and timestamps so we can grant and limit rewards.

3.13 Push notifications

DuyraCraft uses OneSignal for push notifications. If you grant notification permission, OneSignal may process push subscription identifiers, device/app information, permission state, and delivery/interactions needed to send notifications. You can opt out in the app or through your device settings.

3.14 Tutorials, external links, and YouTube

The app may show tutorial videos through YouTube or open YouTube/external links. When you use these features, YouTube/Google or the external site may receive information under their own privacy policies.

3.15 Purchases, subscriptions, and premium status

DuyraCraft may offer premium features, subscriptions, or store-based purchases. Payment card details are handled by the applicable app store or payment provider, not by DuyraCraft. If store billing or subscription verification is enabled, we may process purchase/subscription identifiers, product id, provider name, customer id, purchase token or token hash, receipt/verification status, plan key, entitlement status, start/renewal/trial/cancellation/expiry dates, verification logs, and related support metadata. We use this to unlock premium features, restore purchases, prevent abuse, and resolve support issues.

3.16 Support messages

If you contact us by email or another support channel, we process your contact details and message content so we can respond, investigate issues, and keep support records.

4. Information We Do Not Intentionally Collect

DuyraCraft does not intentionally require or collect as a core app requirement:

• Precise GPS location.
• Contacts list.
• SMS or call logs.
• Microphone recordings.
• Payment card numbers.
• Biometric identifiers.
• Raw hardware serial numbers.
• Raw passwords, raw backend auth tokens, or raw Google ID tokens as stored account records.
• PDF/image file contents through normal PDF reader, annotation, PDF library, and Image to PDF flows.

5. How We Use Information

We use information to:

• Create and authenticate accounts.
• Provide patterns, tutorials, abbreviations, PDF tools, row counters, project progress, favorites, and private notes.
• Sync account-based project and PDF metadata where supported.
• Provide AI answers, remember AI history where enabled, process AI feedback, and enforce AI usage limits.
• Provide premium access, restore purchases, apply quotas, and grant rewarded-ad benefits.
• Show ads and manage ad consent/privacy choices where required.
• Send push notifications if you opt in.
• Detect abuse, rate-limit suspicious activity, secure accounts, and protect the service.
• Diagnose crashes, fix bugs, measure aggregate feature usage, and improve app quality.
• Record legal consent and comply with legal obligations.
• Respond to support requests.

6. Legal Bases For Processing

Where laws such as the GDPR or UK GDPR apply, we rely on the following legal bases, depending on the context:

• Contract: to provide account, app, premium, sync, and requested AI features.
• Consent: for legal acceptance, certain analytics/ads choices where required, push notifications, and optional permissions.
• Legitimate interests: to maintain security, prevent abuse, debug crashes, improve reliability, and understand aggregate feature usage.
• Legal obligation: to keep records required for compliance, purchases, disputes, tax/accounting, and legal requests.

7. Permissions

The app may request permissions depending on the feature you use:

• Internet/network access: to contact DuyraCraft services, AI providers through the backend, Google/Firebase, OneSignal, ads, YouTube, and external links.
• Notifications: to send push notifications if you allow them.
• Files/photos/media access or system file picker: to import PDFs, select images, create PDFs, export files, or save documents. Selected files are processed for the feature you requested.
• Legacy external storage permission on older Android versions: used only where required by Android for file save/import behavior.

8. Sharing And Third-Party Providers

We do not sell your personal information. We share information only as needed to operate the app, provide requested features, comply with law, or protect the service. Providers may include:

• Hosting and backend infrastructure providers.
• Google services, including Google Sign-In, Firebase Analytics, Google Mobile Ads, User Messaging Platform, Google Play services, and YouTube.
• OneSignal for push notifications.
• OpenAI or other AI providers used by the backend for AI responses.
• App stores and payment/subscription providers, such as Google Play, Apple App Store, or subscription infrastructure providers if premium billing is enabled.
• Support, security, legal, or compliance providers when necessary.

We may disclose information if required by law, court order, government request, to enforce our terms, to protect users or the service, or in connection with a business transfer such as merger, acquisition, or asset sale.

Some privacy laws treat personalized advertising as a "sale" or "sharing" of personal information. DuyraCraft does not sell personal information for money. Where ad law treats personalized ads as sharing, you can manage ad privacy choices through the in-app ad privacy option where available, Google consent forms, app store/device settings, or operating system advertising controls.

9. Retention

We keep information only as long as needed for the purposes described above, unless a longer period is required by law. Current technical retention rules include:

• Local device data remains until deleted by you, cleared from app storage, or removed by uninstalling the app.
• Account data remains while your account exists, unless deleted or required longer for legal reasons.
• Backend session tokens expire after about 30 days and older tokens may be revoked.
• Crash diagnostics are cleaned after about 90 days.
• AI feedback records are cleaned after about 180 days.
• AI device/feedback limit rows are cleaned after about 35 days.
• Image to PDF usage limit rows are cleaned after about 35 days.
• Guest Pattern PDF device rows older than about 90 days are cleaned.
• Reward grants usually expire according to their reward expiry, often the next day, but related records may be kept as needed for abuse prevention and support.
• Purchase, subscription, entitlement, accounting, dispute, and legal records may be kept as long as necessary for the subscription, support, tax/accounting, anti-fraud, or legal obligations.

10. Account Deletion

You can request account deletion through the app account flow or by contacting us. When the backend deletes an account, it removes the user record and related account data handled by database relationships. The backend also explicitly deletes certain user-owned records where applicable, such as AI usage logs, Pattern PDF download records, PDF project metadata records, PDF AI feedback if applicable, and crash logs linked to the user.

Some records may not be linked directly to your account, such as guest limit counters or AI feedback stored with a hashed/pseudonymous device signal. These are retained only for the limited periods described in this policy. Local files and local app data already stored on your device may remain until you delete them, clear app data, or uninstall the app.

11. Your Choices And Rights

Depending on your location, you may have rights to:

• Request access to personal information.
• Request correction of inaccurate information.
• Request deletion.
• Object to or restrict certain processing.
• Withdraw consent where processing is based on consent.
• Request a copy or portability of certain information.
• Appeal or complain to a data protection authority where applicable.

You can also manage notifications in the app or device settings, manage ad privacy options where available, sign out, delete local PDFs/notes/projects where app controls exist, clear app data, or uninstall the app.

12. Security

We use reasonable technical and organizational safeguards designed to protect information. Examples include HTTPS for API communication, password hashing, backend token hashing, secure token storage on the device where supported, input validation, rate limits, legal/crash diagnostic hashing, and redaction of sensitive diagnostic data. No system is perfectly secure, so we cannot guarantee absolute security.

13. International Processing

DuyraCraft, its hosting providers, and third-party providers may process information in countries other than your own. Where required, we rely on appropriate legal safeguards for international transfers, such as provider terms, data processing agreements, standard contractual clauses, or other recognized transfer mechanisms.

14. Children

DuyraCraft is not intended for children under 13, or under the applicable digital consent age in their country, without permission from a parent or legal guardian. We do not knowingly collect personal information from children in a way that violates applicable law. If you believe a child has provided personal information without appropriate permission, contact us.

15. Changes To This Policy

We may update this Privacy Policy as the app changes, legal requirements change, or new features are added. If we make material changes, we will update the effective date and, where appropriate, notify users through the app, website, store listing, or other reasonable means.

16. Contact

For privacy questions, data requests, or account deletion help, contact DuyraCraft at [email protected].