Privacy Policy
Dupexi Group Oy · Business ID: 3630170-2 · Finland
Last updated: June 17, 2026
This Privacy Policy explains how Dupexi Group Oy ("Dupexi", "we", "us") collects, uses, discloses, and protects information when you use our mobile app and web app (the "Service").
Quick summary
- We collect information you provide (like account and organization details) and usage/device data to operate and improve the Service.
- We don’t sell your personal information. We share data with your organization (based on roles) and named service providers to run Dupexi.
- Account deletion is managed by your organization. Owners and admins can remove worker and manager accounts; organization owners can delete the entire organization. Deleted accounts enter a 30-day retention period before permanent removal.
- For privacy rights and GDPR requests, contact support@dupexi.com.
1) Who we are
Dupexi is a shift and workforce management application that helps teams schedule shifts, manage workers, track work logs, and create summaries. Dupexi Group Oy (Business ID: 3630170-2) is the data controller for personal data described in this policy, except where we process workforce data on behalf of customer organizations as described in our Data Processing Agreement.
2) Information we collect
We collect information you provide, information generated as you use the Service, and certain technical information from your device or browser.
Information you provide
- Account information (such as email address, name, password).
- Profile information you choose to add (such as first/last name and profile photo/avatar).
- Organization and team data (such as organization name, member roles/permissions, locations).
- Workforce data you enter (such as workers, shifts, schedules, availability/preferences if provided).
- Work logs and related notes you submit.
- Communications you send to us (support requests, feedback).
Information collected automatically
- Device and app/browser information (such as device type, operating system, browser type, app version, language).
- Log and usage data (such as pages/screens viewed, feature usage, and interaction events).
- Website analytics when enabled (via Google Analytics), including pages visited, referral source, and general device/browser information.
- Approximate location derived from IP address (used for security and fraud prevention).
Sensitive information
We do not intentionally collect sensitive personal information (such as precise location, government identifiers, or health information). Please do not submit sensitive information through the Service.
3) How we use information
- Provide, operate, and maintain the Service (authentication, schedules, work logs, summaries).
- Manage organizations, memberships, roles, and permissions.
- Process and store files you upload (such as profile photos) to display them in the Service.
- Communicate with you about the Service (service messages, security alerts, support responses).
- Improve the Service (debugging, performance monitoring, feature development).
- Protect the Service and our users (fraud prevention, abuse detection, security monitoring).
- Comply with legal obligations and enforce our terms.
4) Legal bases (EEA/UK)
If you are in the EEA/UK, we process personal data under these legal bases: performance of a contract (to provide the Service), legitimate interests (security, product improvement, analytics on our website where permitted), compliance with legal obligations, and consent where required (for optional features or non-essential cookies where applicable).
5) How we share information
We do not sell your personal information. We may share information in the following circumstances:
- With your organization: other authorized members of your organization may see information needed to manage schedules and work logs based on role permissions.
- Service providers: subprocessors that host, store, deliver, or support the Service on our behalf, as described in Section 6.
- Legal and safety: to comply with law, respond to lawful requests, or protect rights, safety, and security.
- Business transfers: if we are involved in a merger, acquisition, or asset sale (with appropriate safeguards).
6) Third-party services
We rely on trusted service providers to operate the Service. They process information under our instructions and contractual obligations. Our primary providers include:
- Supabase, Inc. — database, authentication, file storage, and serverless backend functions
- Vercel, Inc. — web application hosting and related API routes
- Stripe, Inc. — subscription billing and payment processing
- Resend, Inc. — transactional email delivery (such as invitations and service messages)
- Functional Software, Inc. (Sentry) — error monitoring and diagnostic logging
- Expo (Expo Push Notification Service) — mobile push notification delivery
- Google (Google Analytics) — website usage analytics when enabled
A fuller list of subprocessors used when we process workforce data on behalf of customer organizations is available in our Data Processing Agreement.
7) Cookies and analytics
When you visit our website or use the web application, we and our providers may use cookies, local storage, pixels, and similar technologies.
Essential technologies
We use strictly necessary cookies and local storage (such as session and authentication tokens) to keep you signed in and to operate core Service features. These are required for the Service to function and are not used for advertising.
Analytics
When a Google Analytics measurement ID is configured, we use Google Analytics 4 (GA4) to understand website and application usage, including page views and general device/browser information. We configure IP anonymization where supported by the analytics provider. GA4 may set cookies such as _ga and related identifiers.
You can limit analytics tracking by:
- Using your browser’s cookie controls to block or delete cookies.
- Installing the Google Analytics Opt-out Browser Add-on (https://tools.google.com/dlpage/gaoptout).
- Using browser privacy settings, tracking protection, or ad-blocking extensions.
If you are in the EEA/UK, non-essential analytics cookies may require your consent under local ePrivacy rules. We are working toward consent-based controls where required; until then, you may use the opt-out options above when visiting public pages.
8) Data retention
We retain personal information only for as long as needed for the purposes described in this policy, unless a longer period is required by law. Approximate retention periods include:
- Active accounts: account, profile, and organization data are retained while your account or organization remains active and for a reasonable period afterward to support reactivation, billing, or support needs.
- Shifts, work logs, and monthly summaries: retained for at least 400 days while the organization remains active, after which eligible records may be deleted through automated cleanup unless your organization still needs them.
- Operational data (such as notifications, pending invites, worker availability records, feedback, and stale push tokens): typically deleted after approximately 90 days.
- Inactive accounts: accounts with prolonged inactivity may be automatically removed according to platform retention policies (including warning and deletion periods described in our service documentation).
- Worker and manager accounts: organization owners and administrators can delete worker and manager accounts within their workspace. Deleted accounts enter a 30-day retention period before permanent removal.
- Organization deletion: when an organization owner deletes their account, the subscription is canceled and the entire organization and all associated data and accounts are permanently removed after a 30-day retention period.
- Support deletion requests: if you cannot reach your organization administrator, you may contact us at the email below; we may ask for information to verify your identity before processing a verified deletion request.
- After account or organization termination: personal account data is deleted or anonymized where feasible. Workforce records created for the organization (such as historical schedules or work logs) may remain until deleted by authorized organization representatives, removed through automated retention processes, or deleted upon verified request where applicable.
- Infrastructure backups: backup copies maintained by our cloud providers may persist for a limited period (typically up to approximately 30 days) before being overwritten through standard backup rotation.
- Billing and legal records: certain payment and accounting records may be retained longer where required by tax, accounting, or other legal obligations.
Your organization may also control retention for organization workforce data through its use of the Service. We delete or anonymize information when it is no longer needed for these purposes, subject to legal requirements to retain it longer.
9) Security and breaches
We use reasonable administrative, technical, and organizational safeguards designed to protect information, including authentication controls, access restrictions, encryption in transit, and organization-scoped access controls. No method of transmission or storage is 100% secure, so we cannot guarantee absolute security.
If we become aware of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and/or your organization without undue delay and in accordance with applicable law. Where Dupexi processes workforce data on behalf of a customer organization, we also notify that organization without undue delay and, where feasible, within 72 hours of becoming aware, as described in our Data Processing Agreement.
10) Your choices and rights
Depending on where you live, you may have rights to access, correct, delete, or export your personal information, and to object to or restrict certain processing. You can also update certain profile and account details within the app. To exercise privacy rights, contact support@dupexi.com.
11) Account management and account deletion
Dupexi is a workforce management service used by organizations. Organizations own and manage all accounts created within their workspace. User accounts are created and administered by authorized organization owners and administrators.
- Worker and manager accounts: organization owners and administrators can delete worker and manager accounts within their organization. Deleted accounts enter a 30-day retention period before they are permanently removed.
- Organization owner accounts: an organization owner can delete their own account, which schedules deletion of the entire organization and all associated data and accounts. The subscription is canceled and permanent removal occurs after a 30-day retention period.
- Self-service deletion: individual members such as managers and workers cannot delete their own accounts within the app. To request deletion, contact your organization owner or administrator.
- If you cannot reach your organization administrator (or no longer have access), email support@dupexi.com from the email address associated with your account and include your organization name (if known). We may ask for additional information to verify your identity and prevent unauthorized deletion.
- Automatic removal: accounts may also be automatically removed after a defined period of prolonged inactivity according to platform retention policies.
- What happens to your data: when an account or organization is permanently deleted, we delete or anonymize personal information associated with that account where feasible. Some information may remain where we must retain it for legal, security, fraud prevention, or backup purposes, as described in Section 8.
12) Children’s privacy
Dupexi is not intended for children under 13 (or under the minimum age required in your country). We do not knowingly collect personal information from children. If you believe a child provided personal information, contact support@dupexi.com and we will take steps to delete it.
13) International data transfers
Dupexi configures production services to use EU/EEA hosting where available. Your information may still be processed in the United States or other countries outside your own when we use subprocessors such as payment processors, email providers, error monitoring, hosting, analytics, or push notification services.
Where personal data is transferred outside the European Economic Area (EEA), we use appropriate safeguards, including the European Commission's Standard Contractual Clauses, adequacy decisions where applicable, or equivalent transfer mechanisms offered by our subprocessors.
14) Changes to this policy
We may update this Privacy Policy from time to time. We will update the "Last updated" date and may provide additional notice when changes are significant.
15) Contact us
If you have questions about this Privacy Policy, your privacy rights, or the Service, contact us at support@dupexi.com.
Dupexi Group Oy
Business ID: 3630170-2
Finland
Looking for something else? Return to the home page.