Privacy Policy

1. Introduction

Welcome to Duelr. We are Duelr LTD, a company registered in England and Wales. This Privacy Policy explains what personal data we collect when you use the Duelr app and website (getduel.com), how we use it, who we share it with, and what rights you have over it. If you have any questions, contact us at info@getduel.co.uk.

2. What Data We Collect

Account and Profile Data

• Display name and profile photo
• Email address or phone number (used for authentication)
• Approximate location (detected once at login to suggest nearby communities and gyms)
• Points, XP level, weekly and monthly leaderboard scores
• Push notification token (used to deliver alerts to your device)
• Stripe Customer ID (created when you first make a payment)

Challenge and Progress Data

When you create or participate in a challenge, we collect and store:

• Challenge name, description, type (solo, 1v1, or group), and privacy setting (public or private)
• Exercises selected, including any custom exercises you define
• Challenge start and end dates and duration
• Your daily progress logs: reps, sets, weight lifted, and time spent per session
• Your completion percentage, activity days, and performance metrics
• Whether you submitted proof for a given session
• Challenge invitation records (stored with a 48-hour expiry)

Proof Submissions (Photos and Videos)

When a challenge requires proof of completion, you may optionally submit:

• Photos (JPG, PNG, HEIC) or videos (MP4, MOV) uploaded to Google Firebase Storage
• Proof media is visible to all participants in the same challenge only — it is never auto-posted to your activity feed
• Declining to submit proof does not affect your ability to log progress

Wager and Payment Data

When you join a challenge with an entry fee, we collect:

• Stake amount paid (£2, £5, £10, or £20)
• Stripe Payment Intent ID and Refund ID
• Payout amount and in-app wallet balance
• Wager settlement status (pending, paid, settled, or paid out)

Social and Activity Feed Data

• Activity posts you create: exercises, reps, sets, weight, time, points earned, and any proof media you choose to attach (up to 5 items)
• Emoji reactions and comments you leave on others' posts
• Your accepted friend connections and community memberships

Health Data (iOS only)

On iOS, with your explicit permission, the app may read the following from Apple HealthKit:

• Step count, active calories burned, distance, flights climbed, and workout samples
• This data is read-only and stays on your device — it is not sent to Duelr servers unless you explicitly include it in an activity post

3. Camera and Biometric Data

Duelr uses your device camera in two ways: the AI rep counter and proof submissions. Here is exactly how each works:

AI Rep Counter (MediaPipe Pose Detection)

• On-device processing only: Body pose detection is powered by MediaPipe and analyses 33 body keypoints (joints, limbs) in real time. All processing happens entirely on your device — no video, frames, or skeletal data are sent to any external server during your workout.
• Milestone proof frames: At rep 3 and every 10 reps thereafter, a single JPEG frame is captured as a proof snapshot. These frames are stored locally and are only uploaded to Firebase Storage if you confirm the tracking session.
• No facial recognition: The app does not perform facial recognition or extract any identifying biometric data.
• Camera permission is optional: You can track challenge progress manually without granting camera access. You can revoke permission at any time via your device settings.

Proof Photo and Video Submissions

• Photos and videos you submit as challenge proof are uploaded to Google Firebase Storage
• Proof media is visible to challenge participants only — not to the general app or social feed
• Proof submission is always optional, even when a challenge has proof enabled
• Proof media is retained until you request deletion or delete your account

4. Financial Data and Wager Processing

Duelr offers an optional wager feature for 1v1 and group challenges where participants stake real money into a shared pot. Here is how financial data is handled:

• Entry fees: Challenge creators can set an optional entry fee of £2, £5, £10, or £20. All payments are processed securely through Stripe. Duelr never sees or stores your full card details.
• Platform fee: Duelr deducts a 12% platform fee from the total pot before calculating participant payouts.
• Payouts: Participants who meet the challenge completion threshold share the remaining pot equally. Payouts up to your original stake are refunded via Stripe. Any winnings above your original stake are credited to your in-app wallet balance — this is in-app credit, not redeemable as cash.
• Unclaimed pots: If no participants complete a challenge, the full pot is donated to charity.
• Transaction records: We retain records of your entries, stakes, and payouts for legal, tax, and fraud prevention purposes for a minimum of 7 years.
• Responsible participation: Paid challenges involve financial risk. Only enter amounts you are comfortable losing. Duelr is a skill-based competition platform, not a gambling service regulated under the UK Gambling Act.

5. How We Use Your Data

We use your personal data only when the law allows us to. The purposes and legal bases are:

• Creating and managing your account (contract performance)
• Running challenges and tracking your progress (contract performance)
• Processing wager entry fees and distributing payouts (contract performance)
• Sending push notifications about your challenges (legitimate interest / consent)
• Displaying your activity to friends and community members (contract performance)
• Providing AI coaching responses within challenges (legitimate interest)
• Reading HealthKit data to sync workout activity on iOS (consent)
• Monitoring app errors and performance (legitimate interest)
• Complying with financial and tax regulations (legal obligation)

6. What Other Users Can See

Within a Challenge

All participants in a challenge can see:

• Your username and profile photo
• Your current progress percentage and days completed
• Your completion status (active, withdrawn, or completed)
• In competitive challenges: your cumulative performance metrics (total reps, time, or weight)

Other participants cannot see your individual session logs, your payment or wager amount, whether you submitted proof on a specific day, your AI coaching conversations, or your HealthKit data.

On the Social Activity Feed

Activity posts are shared with your accepted friends (Friends feed) and members of communities you have joined (Community feed). Each post shows your username, profile photo, challenge name, exercises, reps, points, any proof media you choose to attach, and your reactions and comments. Activity posts are opt-in — you control what you share.

• Likes: the first 3 people who liked a post are shown by name; the full list is accessible
• Comments are visible to anyone who can see the post (friends or community members)
• When someone comments on your post, the first 50 characters of their comment may appear in a push notification on your device

Public vs. Private Challenges

• Private challenges: Only invited participants can see the challenge exists
• Public challenges: Any Duelr user can discover and join the challenge

7. Third-Party Data Processors

We share data with the following third-party services to operate Duelr. We do not sell your personal data to any third party.

8. Data Sharing and Disclosure

Beyond the processors listed above, we may share your data in the following situations:

• For legal reasons: We may disclose your information if required to do so by law or in response to valid requests by public authorities
• Business transfers: In connection with any merger, sale of company assets, financing, or acquisition, your data may be transferred as part of that transaction
• Fraud prevention: We may share data with fraud detection services to protect the integrity of the wager system

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including Firebase Security Rules that restrict data access to authenticated participants, Stripe handling all payment data (Duelr never stores raw card details), on-device processing for camera and pose detection (no biometric data transmitted), and HTTPS encryption for all data in transit. If you believe your data has been compromised, contact us immediately at info@getduel.co.uk.

10. Your Data Protection Rights

Under UK GDPR and applicable data protection law, you have the following rights:

• Right of access (Article 15): Request a copy of all personal data we hold about you, including your profile, challenge history, progress logs, wager records, and activity posts
• Right to rectification (Article 16): Correct inaccurate data — for example, by updating your display name or profile photo via the Edit Profile screen in the app
• Right to erasure (Article 17): Request full account deletion. We will remove your Firebase account, profile, challenge and progress records, activity posts and comments, notifications, proof media from Firebase Storage, and friend and community connections. We will retain anonymised wager transaction records for financial compliance (7-year minimum), and Stripe retains payment records per their own obligations.
• Right to restrict processing (Article 18): Ask us to stop using your data for AI coaching while keeping your account active
• Right to data portability (Article 20): Request an export of your personal data in a machine-readable format (JSON)
• Right to object (Article 21): Object to push notifications at any time via your device's notification settings
• Right to withdraw consent: Where we rely on consent (e.g. camera access or HealthKit), you can withdraw at any time via your device settings without affecting the lawfulness of prior processing

To exercise any of these rights, email us at info@getduel.co.uk. We will respond within 30 days. We may ask you to verify your identity before processing your request.

11. Data Retention

We retain your data for as long as your account is active or as needed to provide our services:

• Profile and account data — until account deletion
• Challenge and progress records — until account deletion or on request
• Proof media (photos and videos) — until account deletion or on request
• Activity posts and comments — until account deletion or on request
• Push notification records — until account deletion
• Wager and payment records — minimum 7 years (financial and tax compliance)
• Anonymised challenge data after deletion — retained indefinitely (no personal data)

12. Children's Privacy

Duelr is not intended for users under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has created an account, please contact us at info@getduel.co.uk and we will delete the account promptly.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via a push notification or in-app alert, and update the "Last updated" date at the top of this page. Continued use of the app after changes take effect constitutes acceptance of the updated policy.

14. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data rights:

• Email: info@getduel.co.uk
• Through our app's support feature in the Settings screen