This Privacy Policy explains how Dusken ("Dusken", "we", "us", or "our") collects, uses, shares, and protects personal information when you visit dusken.io or use the Dusken service (the "Service"). It applies to account holders, members of a workspace, external reviewers invited through a share link, and visitors to our marketing pages.
Dusken is operated by Salman Khan, a sole proprietor based in India. For any privacy-related question or request, write to [email protected].
1. Information We Collect
We collect only what we need to operate the Service. Below is a field-level breakdown of every category of personal information we store, who provides it, and where it lives.
Account profile
- Full name
- Email address (used as your login identifier and for transactional email)
- Password: stored only as a salted hash; we never see your plaintext password
- Profile photo, if you upload one
- User ID: an internal identifier we generate at signup
- Account creation timestamp, last sign-in timestamp, and email-verification status
- Role within your workspace (owner, admin, member, guest)
Workspace and team
- Workspace name, slug, icon or logo
- List of members you invite (their email addresses and roles)
- Invitation status (pending, accepted, expired) and invite metadata
- Workspace creation timestamp and current plan tier
Billing and subscription
- Stripe customer ID and subscription ID
- Plan name, billing interval, current period start and end, trial status
- Card brand, last four digits, expiry month/year, and country of card issuer (received from Stripe; we never see the full card number, CVC, or full account number)
- Billing address that you enter at checkout (street, city, state, postal code, country, optional tax ID such as GSTIN or VAT)
- Invoices, receipts, and payment history (stored at Stripe; we cache invoice metadata)
Your content
- Files you upload (video, audio, images, PDFs, and other media), together with file name, size, format, duration, and the SHA-256 hash we use to detect duplicates
- Thumbnails, transcoded variants, and streaming manifests we generate from your files
- Audio transcripts produced by our speech-to-text provider for searchability and accessibility
- Folder names, project names, version labels, and the structure you organize them into
- Comments, replies, reactions, mentions, and emoji
- Annotations: drawings, arrows, pins, and the timestamped or pinpoint positions you place them at
- Voice comments, screen recordings, and webcam recordings you record inside the Service
- Share links you create, their access settings, password (hashed if you set one), and expiry
- Approval and version-decision history (who approved what, when)
Support and communications
- Emails you send to [email protected] and our replies
- In-app feedback, bug reports, and feature requests
- Survey responses, if you choose to participate
Automatically collected
- IP address (used for rate-limiting, fraud prevention, and approximate region for analytics)
- Approximate geolocation derived from your IP (country, region, city, not precise GPS)
- Browser name and version, operating system, device type, screen size, and language
- Time zone and locale
- Referring URL and UTM parameters that brought you to the site (utm_source, utm_medium, utm_campaign, initial_referrer)
- Crash reports, error stack traces, and performance metrics, with the URL and user ID that experienced the error
- Session cookies, authentication tokens, and CSRF tokens (see Section 5)
Product analytics events (PostHog)
After you sign in we associate analytics events with your user ID, your email, your name, your role, and your workspace ID, so we can understand how the product is used. We do not run session replay; we do not autocapture clicks or keystrokes. The events we send are limited to a defined list, including:
- $pageview: page URL and your current workspace ID
- $exception: uncaught errors with stack trace and the page they happened on
- user_signed_up, user_logged_in, user_logged_out
- workspace_created, workspace_switched
- project_created, video_uploaded (with file size, duration, format), comment_added, first_comment_added, comment_ui_opened, timeline_clicked
- invite_sent, invite_accepted, review_completed
- Generic call-to-action clicks on marketing pages (cta_clicked with a label)
From third parties
- Authentication providers: if you choose to sign in with Google or GitHub, we receive your name, email address, profile picture, and the provider's user ID, scoped to the permissions you grant.
- Payment processor: Stripe sends us subscription status, invoice metadata, and the limited card-on-file information listed above.
2. How We Use Information
We use the information we collect to:
- Provide, operate, and maintain the Service: including authentication, file processing, transcoding, streaming, annotation sync, sharing, version compare, and automatic transcription of audio and voice comments for in-app search and accessibility.
- Bill you, manage subscriptions, and prevent payment fraud through Stripe.
- Communicate with you: about your account, security, product updates, support requests, and (only with your consent or where allowed by law) occasional product news.
- Improve the Service: diagnose bugs, monitor performance, understand how features are used in aggregate, and inform product decisions.
- Protect the Service and our users: enforce our Terms, detect abuse or illegal activity, and comply with legal obligations.
We do not sell your personal information. We do not use the content you upload (video, audio, images, annotations, comments) to train machine-learning models for ourselves or any third party.
3. Legal Bases (EEA / UK / India DPDP)
Where the GDPR, UK GDPR, or India's Digital Personal Data Protection Act, 2023 applies, we rely on the following legal bases:
- Contract: to deliver the Service you signed up for and process payments.
- Legitimate interests: to keep the Service secure, prevent abuse, improve the product, and grow the business in ways that do not override your rights.
- Consent: where we ask for it (for example, optional product emails or non-essential cookies). You can withdraw consent at any time.
- Legal obligation: to comply with applicable laws, tax requirements, and lawful requests from authorities.
4. Service Providers and Subprocessors
We use the following providers to deliver the Service. Each receives only the data needed for its function and is bound by contractual confidentiality and security obligations.
- Stripe (USA / global): payment processing, billing, fraud prevention.
- Amazon Web Services (AWS): S3 object storage and CloudFront CDN for storing and delivering uploaded media; primary region in the United States.
- Cloudflare R2: additional object storage and edge delivery for media assets.
- Mux (USA): video transcoding, streaming, and playback infrastructure for certain media.
- AssemblyAI (USA): automatic speech recognition used to transcribe audio and voice comments into text for searchability and accessibility.
- PostHog (USA / EU): product analytics, feature flags, session-level event data (no full session replay of your private media).
- Resend (USA): transactional email (account verification, password reset, share-link notifications, billing receipts).
- Google LLC and GitHub, Inc.: only if you choose to sign in with Google or GitHub, in which case those providers handle authentication and share limited profile information with us.
- Hosting and infrastructure: cloud compute and database providers used to run the application and store metadata.
We may update this list as the Service evolves. Material changes will be reflected here and, where required, communicated in advance.
7. Data Retention
We retain personal information for as long as your account is active and for a reasonable period afterward to support recovery, dispute resolution, and legal compliance.
- Uploaded content and workspace data: kept while your subscription is active. After cancellation or account deletion, content is retained for up to 30 days in a recoverable state and then deleted from primary systems, with backup copies removed within an additional 30 days.
- Billing records: invoices and payment metadata are kept for up to 8 years to comply with tax and accounting requirements.
- Logs and security data: retained for up to 12 months for troubleshooting, fraud prevention, and abuse investigation.
8. Your Rights
Depending on where you live, you may have the following rights regarding your personal information:
- Access: request a copy of the personal information we hold about you.
- Correction: ask us to fix inaccurate or incomplete information.
- Deletion: ask us to delete your information, subject to limited exceptions (such as legal-retention requirements).
- Restriction or objection: limit how we process your information, or object to certain processing based on legitimate interests.
- Portability: where required by applicable law, receive certain personal information you have provided to us in a structured, commonly used format.
- Withdraw consent: where processing is based on consent, you can withdraw it at any time without affecting prior lawful processing.
- Complain to a regulator: for example, your local Data Protection Authority in the EEA/UK, or the Data Protection Board of India under the DPDP Act, 2023.
To exercise any of these rights, email [email protected]. We may need to verify your identity before fulfilling the request. We will respond within the time required by applicable law (typically 30 days).
9. International Data Transfers
Dusken is operated from India, and some of our service providers are located in the United States, the European Union, and other regions. When we transfer personal information across borders, we use appropriate safeguards such as the European Commission's Standard Contractual Clauses or equivalent mechanisms required by the law of your country.
10. Security
We use appropriate technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures evolve as the Service and the threat landscape evolve.
No system is perfectly secure and we cannot guarantee absolute security. If we become aware of a personal-data breach affecting you, we will notify you and the relevant authorities to the extent required by law.
11. Children
The Service is not directed to children under 13, and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, contact [email protected] and we will delete it.
12. Guests and External Reviewers
When you are invited to review work via a Dusken share link, the workspace owner controls what is shared with you and acts as the data controller for that content. We process your information (such as your email, comments, and annotations) on their behalf as a data processor. Direct requests about your data to the workspace owner first; you can also contact us at [email protected] and we will route your request appropriately.
13. Changes to This Policy
We may update this Privacy Policy at any time. When we do, the "Last updated" date at the top of this page reflects the latest revision. It is your responsibility to review this Policy periodically. Your continued use of the Service after a change takes effect constitutes acceptance of the updated Policy.
14. Contact Us
For privacy questions, requests, or complaints, write to [email protected]. Postal mail can be sent to the address we provide on request.
Questions? Write to [email protected].