Privacy Policy
Duku AI - Privacy Policy
Effective date: 05/05/2026
Last updated: 05/05/2026
Version: 1.0
1. About this policy
This policy explains how TCWL Group Ltd (company number 16526828), trading as Duku AI ("Duku AI", "we", "us"), handles personal data in connection with our website (duku.ai), our autonomous QA and simulation platform (the "Platform"), and our other interactions with you.
We comply with the UK GDPR, the Data Protection Act 2018, the EU GDPR (where it applies to you), and other applicable data protection laws. Read this alongside our Terms of Service at https://duku.ai/legal/terms-and-conditions and, where applicable, the Data Processing Agreement ("DPA") between us and your organisation.
2. Who is the controller?
For most of the data covered by this policy (account data, marketing data, website telemetry), Duku AI is the data controller. For data the Platform processes inside a customer's application when running simulations, Duku AI generally acts as a data processor on behalf of the customer (the controller).
TCWL Group Ltd (trading as Duku AI)
71 to 75 Shelton Street, London, England, WC2H 9JQ, United Kingdom
Privacy contact: privacy@duku.ai
3. What we collect
Information you provide directly: Name, business email, phone, job title, employer, country, account credentials (passwords are stored hashed), MFA factors, support and sales communications, contract and pilot documents, and recruitment data.
Information collected automatically: IP address, device and browser, language, pages and features used, login events, organisation membership and role, API requests, simulation history, configuration changes, application logs, traces, performance metrics and similar telemetry. We use cookies for authentication, security, analytics and (with consent) marketing; see Section 10.
Customer Content: Artefacts captured during simulations, which may incidentally contain personal data, including screenshots, video/trace recordings, DOM snapshots, network traffic, console output, and test fixtures. These are Customer Content. Customers are responsible for what is exposed to the Platform.
Information from third parties: Identity providers, CRM and marketing tools, public business profiles, and infrastructure/service vendors.
We do not intentionally collect special category data (health, biometric, racial or ethnic origin, religious belief).
4. How we use it, and our legal bases
We use personal data for the following purposes, based on the corresponding legal bases:
Provide and operate the Platform, authenticate users, run simulations, and return results: Contract performance and legitimate interests.
Support customers, bill, and manage commercial relationships: Contract and legal obligation.
Keep the Platform secure, prevent abuse, and investigate incidents: Legitimate interests and legal obligation.
Improve and develop the Platform (using anonymised, aggregated, de-identified or synthetic data, and operational telemetry): Legitimate interests and, where required, consent (explained in Section 6).
B2B marketing and sales outreach: Legitimate interests (with clear opt-out) or consent.
Comply with legal and regulatory obligations (e.g., tax, record-keeping, and audit programmes like SOC 2 and ISO 27001 readiness): Legal obligation.
Establish, exercise and defend legal claims: Legitimate interests.
5. Customer Content: when we are a processor
When we process personal data inside Customer Content (e.g., in a screenshot), we act as a processor on the documented instructions of the customer (the controller).
The customer is responsible for the lawful basis, user notification, data exposure, and handling end-user rights requests.
We assist the customer as required by the DPA.
Where required by Article 28 UK or EU GDPR, we provide a DPA covering processor obligations, sub-processors, transfer mechanisms, and security measures.
6. AI, model training and reinforcement learning
What we do to learn and improve:
Use operational telemetry (latency, error rates, feature usage).
Use anonymised and aggregated insights from simulation runs across our customer base to tune models.
Use synthetic data, internal test environments, and publicly available web content to train and evaluate models.
May use de-identified Customer Content (e.g., redacted DOM structures) for training/evaluation, but only with a customer's express written agreement (default is off).
Use enterprise tiers of third-party model providers that contractually exclude the use of prompts and outputs to train their foundation models, unless explicitly opted in.
What we do not do:
We do not sell personal data.
We do not use one customer's confidential information to benefit another customer.
We do not train shared models on raw Customer Content; it must go through a documented de-identification and review process with customer agreement.
We do not use special category data for model training.
Safeguards: Artefacts used for product improvement are stripped of direct identifiers, payload bodies, credentials, and free-text fields. Customers can opt their data out of improvement workflows beyond what is strictly necessary by emailing privacy@duku.ai.
7. Sharing
We share personal data only where necessary and with appropriate safeguards. Recipients include:
Sub-processors and service providers (cloud infrastructure, identity, analytics, billing, etc.).
Customers, where you act as a User on their behalf.
Professional advisors (lawyers, auditors for SOC 2/ISO 27001, accountants, insurers).
Regulators, courts and law enforcement where legally required.
Counterparties in a corporate transaction (e.g., merger or acquisition).
We do not sell personal data or share it for cross-context behavioural advertising.
8. International transfers
We are based in the United Kingdom. Our primary infrastructure is in the UK and EEA, but some sub-processors are located outside those regions, including in the United States.
For transfers to countries not deemed adequate, we rely on safeguards under Article 46 UK or EU GDPR, typically the EU Standard Contractual Clauses with the UK Addendum or the International Data Transfer Agreement. You can request a copy at privacy@duku.ai.
9. Retention
We keep personal data only as long as needed.
User account data: Contract duration plus a reasonable period for off-boarding, then deleted or anonymised.
Customer Content: Per the customer's contract; generally retained while the subscription is active, then deleted or returned per the DPA.
Authentication and security logs: Typically 12 months.
Operational telemetry and aggregated metrics: Rolling window for capacity planning; anonymised data may be kept indefinitely.
Contracts, invoices and tax records: Up to seven years from the end of the relationship, to comply with English law.
10. Cookies
We use cookies for authentication, security, preferences, analytics and (with consent) marketing. Non-essential cookies require consent.
11. Security
We maintain an information security programme based on ISO/IEC 27001 and SOC 2 principles, including:
Encryption in transit (TLS 1.2 or higher) and at rest.
Role-based access control with least privilege and mandatory MFA for staff.
Periodic third-party penetration testing.
We will notify the supervisory authority within 72 hours of a notifiable personal data breach, and notify customers/affected individuals as required.
12. Your rights
You have the right to access and rectify your personal data, request erasure, restrict processing, obtain data portability, object to processing, withdraw consent, and lodge a complaint with a supervisory authority.
In the UK, this is the Information Commissioner's Office at https://ico.org.uk.
If you are a User acting on behalf of a customer, direct rights requests to that customer first.
To exercise rights with Duku AI directly, email privacy@duku.ai. We aim to respond within one month.
13. Children
The Platform is intended for business users and is not directed at children under 16. Contact privacy@duku.ai if you believe a child has provided us with personal data.
14. Changes to this policy
We will update the "Last updated" date and post the revised policy at duku.ai/privacy when material changes are made.
15. Contact
For privacy questions, requests or complaints:
Privacy team, Duku AI
TCWL Group Ltd
71 to 75 Shelton Street, London, England, WC2H 9JQ, United Kingdom
Email: privacy@duku.ai
Security disclosures: security@duku.ai
