Privacy Policy

Last updated: January 1, 2026

1. Introduction

DuckyTrack ("we," "us," "our") operates the DuckyTrack website, mobile applications, and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Service.

This policy applies to all users worldwide and is designed to comply with the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Brazil's Lei Geral de Proteção de Dados (LGPD), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and the U.S. Children's Online Privacy Protection Act (COPPA).

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2. Data We Collect

2.1 Information You Provide

Account information: username, email address, password (hashed), display name, optional profile bio and avatar.
Duck data: duck names, descriptions, photos, and messages you submit when registering or scanning a duck.
Purchase information: billing name, shipping address, and payment details (processed by our third-party payment processor; we do not store full card numbers).
Communications: messages you send to us via email, support forms, or community features.

2.2 Information Collected Automatically

Device information: IP address, browser type and version, operating system, device type, and screen resolution.
Usage data: pages visited, time spent, referring URL, click patterns, and feature usage.
Location data: approximate geographic location derived from IP address; precise location only when you explicitly grant permission during a duck scan.
Cookies and similar technologies: as described in our Cookie Policy.

3. How We Use Your Data

We use the information we collect to:

Provide, maintain, and improve the Service, including duck tracking, leaderboards, and community features.
Process duck scans and display scan locations on maps and travel histories.
Process purchases and deliver products from the Duck Store.
Send transactional emails (scan notifications, order confirmations, password resets).
Send marketing communications (only with your opt-in consent; you may unsubscribe at any time).
Detect and prevent fraud, abuse, and violations of our Terms of Service.
Analyze usage patterns to improve user experience and develop new features.
Comply with legal obligations and respond to lawful requests.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data under the following legal bases:

Contract performance: processing necessary to provide the Service you requested (account creation, duck tracking, purchases).
Legitimate interests: improving the Service, preventing fraud, and ensuring security, where these interests are not overridden by your rights.
Consent: marketing emails, non-essential cookies, and precise location data for scans. You may withdraw consent at any time.
Legal obligation: compliance with applicable laws, tax requirements, and lawful government requests.

5. Location Data

Location data is central to the duck tracking experience. We handle it as follows:

Duck scans: when you scan a duck's QR code, we request your device's location to log where the duck was found. This requires your explicit permission via your browser or device's location prompt.
Approximate location: if you decline precise location, we may use your IP address to determine an approximate city-level location.
Public display: scan locations (city/region level) are displayed publicly on duck travel histories and maps. Exact coordinates are rounded to protect your precise whereabouts.
Opting out: you may deny location access at any time through your device settings. Scans without location data will be recorded with "Location unknown."

6. Cookies & Tracking Technologies

We use cookies and similar technologies to operate the Service, remember your preferences, and analyze usage. For full details on the cookies we use, their purposes, and how to manage them, please see our Cookie Policy.

We do not sell your personal information. We may share data with:

Service providers: hosting, payment processing, email delivery, analytics, and customer support providers who process data on our behalf under strict contractual obligations.
Legal requirements: when required by law, regulation, legal process, or governmental request.
Business transfers: in connection with a merger, acquisition, or sale of assets, your data may be transferred to the successor entity.
With your consent: we may share data with third parties when you explicitly authorize us to do so.

Public profile information (username, avatar, bio, duck statistics) and duck scan data (city, message, photo) are visible to other users as part of the Service's core functionality.

8. Data Retention

Account data: retained for as long as your account is active, plus 30 days after deletion to allow recovery.
Duck scan data: retained indefinitely as part of the duck's public travel history, even if the scanning user deletes their account (scan entries will be anonymized).
Released ducks: if you delete your account, the ducks you released are re-homed ("adopted") to a DuckyTrack system account rather than deleted, so their public travel history continues for other finders. On adoption a duck is renamed and its photo, your personal message, and its guestbook comments are removed; the duck's QR tag stays valid. Tags you created but never released are deleted.
Purchase records: retained for 7 years to comply with tax and accounting obligations.
Server logs: retained for 90 days, then automatically deleted.
Analytics data: aggregated and anonymized after 26 months.

9. Your Rights

Depending on your jurisdiction, you may have the following rights:

9.1 All Users

Access, correct, or delete your personal data through your account settings.
Unsubscribe from marketing emails at any time using the link in each email.
Request a copy of your data in a machine-readable format.

9.2 EEA/UK Residents (GDPR)

Right of access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and objection to processing.
Right to withdraw consent at any time without affecting the lawfulness of prior processing.
Right to lodge a complaint with your local Data Protection Authority.

9.3 California Residents (CCPA)

Right to know what personal information we collect, use, and disclose.
Right to delete your personal information.
Right to opt out of the sale of personal information (we do not sell personal data).
Right to non-discrimination for exercising your privacy rights.

9.4 Brazilian Residents (LGPD)

Right to confirmation of processing, access, correction, anonymization, portability, deletion, information about sharing, and revocation of consent.

9.5 Canadian Residents (PIPEDA)

Right to access your personal information, challenge its accuracy, and withdraw consent for non-essential processing.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or sooner as required by applicable law).

10. Children's Privacy

DuckyTrack is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13 without verifiable parental consent, in compliance with COPPA.

Users between 13 and 18 may use the Service with parental or guardian consent. Parents or guardians may contact us to review, delete, or restrict the processing of their child's data.

If we learn that we have collected personal information from a child under 13 without proper consent, we will take immediate steps to delete that information. If you believe a child under 13 has provided us data, please contact us at [email protected].

11. Security Measures

We implement industry-standard security measures to protect your data, including:

TLS/SSL encryption for all data in transit.
Encryption at rest for sensitive data fields.
Bcrypt hashing for passwords (we never store plaintext passwords).
Regular security audits and vulnerability assessments.
Access controls limiting employee access to personal data on a need-to-know basis.
Automated monitoring for suspicious activity.

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

12. Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

Notify affected users by email within 72 hours of becoming aware of the breach, as required by GDPR.
Report the breach to the relevant supervisory authority within 72 hours.
Provide details of the breach, the data affected, steps we are taking, and recommended actions you can take to protect yourself.
Post a notice on our website if the breach affects a large number of users.

13. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence. We ensure that appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs) approved by the European Commission.
Adequacy decisions where applicable.
Contractual obligations requiring recipients to protect data to equivalent standards.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

Update the "Last updated" date at the top of this page.
Notify registered users by email of significant changes.
Display a prominent notice on the Service for at least 30 days.

Your continued use of the Service after changes are posted constitutes acceptance of the revised policy. We encourage you to review this page periodically.

15. Contact & Data Protection Officer

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:

Email: [email protected]
Data Protection Officer: [email protected]
Website: duckytrack.com

For EEA/UK residents, you also have the right to lodge a complaint with your local Data Protection Authority.