1. Who we are
"duffee" (also "we", "us", "our") operates the festival ordering platform available at duffee.com and through the duffee mobile and web apps. For data-protection purposes duffee is the controller of personal data it collects about platform users, except where this Policy explicitly says another party (a seller, a festival organiser, or a sub-processor like Stripe) is the controller.
2. Data we collect
From customers placing orders
- Account data: name, email, optional phone number, account password (stored hashed).
- Order data: what you ordered, when, from which stand, the total, your pickup status, and any notes you added.
- Payment data: card details and billing info that you enter at checkout are sent directly to Stripe — duffee never receives the card number. Stripe returns to us a token and the last four digits of the card so we can show you which card was used.
- Location data: approximate location (event grounds, stand) when you grant permission, used to find stands near you and route pickup notifications. We do not track location in the background.
- Device and log data: IP address, device type and OS, browser, app version, and timing of requests — used for security, fraud prevention, and diagnosing bugs.
- Communications: messages you send to support and the responses we send back.
From sellers and seller staff
- Account and business data: seller name, slug, hero image, country, operational mode (events vs establishment), and the team members you invite.
- Onboarding data: name, date of birth, address, government-issued ID, business registration documents, and bank account details — collected during Stripe Connect onboarding. This data goes directly to Stripe; duffee receives only the cached verification status and the requirements still due.
- Operational data: menus, prices, item availability, orders received, refunds issued.
- Communications: support tickets and onboarding correspondence.
From event organisers
- Organisation data: organisation name, slug, contact details for the organiser team.
- Event data: event name, dates, locations, the sellers and stands you've invited.
- Aggregate analytics: orders placed at your events, top-selling items, queue pressure heatmaps.
3. How we use your data
We use the data above to:
- Provide the ordering and operator experiences — sending orders to the right stand, showing the customer their pickup ETA, paying out sellers.
- Authenticate you and keep your account secure.
- Detect and prevent fraud, abuse, and policy violations.
- Send transactional emails and push notifications you've consented to (order ready, password reset, dispute opened).
- Improve the platform — debugging, performance work, deciding which features to build next. We rely on aggregated and pseudonymised data for this whenever possible.
- Comply with legal obligations — tax reporting, responding to lawful requests from authorities, regulatory reporting in the markets we operate in.
Legal bases (EU/UK residents)
Where the GDPR applies, we process your data on these bases:
- Performance of a contract — to fulfil orders, pay out sellers, and deliver the platform.
- Legitimate interests — to secure the platform, detect fraud, and improve the product, balanced against your rights.
- Legal obligation — to comply with tax, accounting, and anti-money-laundering rules.
- Consent — for things you opt into, like location access or marketing emails. You can withdraw consent at any time.
4. Who we share data with
We share personal data only with the parties listed below, and only as needed for the purposes described.
Sellers and event organisers
When you place an order, the relevant seller receives your name, your order contents, and a pickup identifier so they can prepare and hand over the order. The event organiser receives aggregated, anonymised order statistics for their event.
Stripe (payments sub-processor)
Stripe processes all payments and handles seller onboarding KYC. Card details, identity documents, and bank info you submit during checkout or onboarding go to Stripe directly. Stripe is an independent controller of that data and its handling is governed by Stripe's Privacy Policy.
Infrastructure and tooling providers
We use a small set of vendors to run the platform: hosting (Cloudflare, our own servers in the EU), email delivery, error monitoring, and customer-support tooling. Each operates under a data-processing agreement with us and is bound to use your data only on our instructions.
Authorities
We disclose data to law enforcement or regulators only when we're legally compelled (court order, valid subpoena, mandatory reporting). Where the law allows, we'll tell you before we comply.
Business transfers
If duffee is acquired or merges with another business, your data may transfer as part of that transaction. Any acquirer must honour this Policy or notify you of changes before any new uses apply.
We do not sell your personal data. We do not share your data with advertisers for cross-context behavioural advertising.
5. Cookies and local storage
duffee uses a small number of strictly-necessary cookies and browser localStorage entries:
- Session token — keeps you signed in.
- Language preference (duffee_lang) — remembers your chosen locale.
- Active seller — remembers which of your seller accounts you last operated on, when you hold grants on more than one.
We do not use analytics or advertising cookies on this site today. If we add analytics later we'll update this Policy and ask for consent where the law requires it.
6. International data transfers
duffee's primary infrastructure is hosted in the EU. Stripe processes payment and KYC data on its global infrastructure, which includes the United States.
Where personal data crosses borders out of your home region, we rely on appropriate safeguards — typically the European Commission's Standard Contractual Clauses, or equivalent mechanisms recognised under Brazil's LGPD — to protect the data in transit and at the destination.
7. Your rights
Depending on where you live, you may have rights including:
- Access — ask for a copy of the personal data we hold about you.
- Correction — fix data that's wrong or out of date.
- Deletion — ask us to delete data we no longer need to keep. Some data we must retain to meet legal obligations (e.g. tax records of past orders).
- Portability — receive your data in a structured, machine-readable format.
- Objection / restriction — object to certain processing, or ask us to limit it.
- Withdraw consent — for processing based on consent, at any time.
- Complain — to your local data-protection authority. In the EU you can find your authority via the EDPB member list; in Brazil it's the ANPD.
To exercise any of these, email privacy@duffee.com. We respond within 30 days and may ask for proof of identity before acting on requests that could affect another person's data.
8. Data retention
We keep personal data only as long as we need it for the purposes described in Section 3, or as required by law:
- Account data: kept while your account is active and for 12 months after closure, then deleted or anonymised.
- Order and payment records: retained for the period required by tax and accounting law in your jurisdiction (typically 5–10 years).
- Identity documents (KYC): kept by Stripe per its own retention schedule, plus our cached verification flags for as long as your seller account exists.
- Server logs: retained for up to 90 days for security and debugging, then deleted.
- Support correspondence: kept for up to 3 years from the last interaction.
9. Security
We use industry-standard measures to protect personal data: TLS for all data in transit, encryption at rest for sensitive fields, hashed passwords, role-scoped access controls inside the platform, audit logging on privileged actions, and regular review of our security posture. No system is perfectly secure; if a breach affects you, we'll notify you and the relevant authority in line with the law (typically within 72 hours of discovery under GDPR / LGPD).
10. Children
duffee is not directed at children. Customer accounts may only be created by people who are at least 16 (or the digital-consent age in their country, if higher). Sellers and seller staff must be of legal age to enter a commercial contract in their jurisdiction. If you believe a child has created an account, contact privacy@duffee.com and we'll delete it.
11. Changes to this Policy
When we change this Policy in a way that materially affects how we handle your data, we'll notify you by email and in the app before the change takes effect. The "Last updated" date at the top of this page always reflects the most recent revision.
12. Contact
Data-protection questions and rights requests:
privacy@duffee.com
General support: support@duffee.co