Legal

Privacy Policy

What we collect, why we collect it, who else sees it, and the rights you have over it.

Last updated · May 21, 2026

This Privacy Policy explains how Dusken ("Dusken", "we", "us", or "our") collects, uses, shares, and protects personal information when you visit dusken.io or use the Dusken service (the "Service"). It applies to account holders, members of a workspace, external reviewers invited through a share link, and visitors to our marketing pages.

Dusken is operated by Salman Khan, a sole proprietor based in India. For any privacy-related question or request, write to [email protected].

1. Information We Collect

We collect only what we need to operate the Service. Below is a field-level breakdown of every category of personal information we store, who provides it, and where it lives.

Account profile

  • Full name
  • Email address (used as your login identifier and for transactional email)
  • Password: stored only as a salted hash; we never see your plaintext password
  • Profile photo, if you upload one
  • User ID: an internal identifier we generate at signup
  • Account creation timestamp, last sign-in timestamp, and email-verification status
  • Role within your workspace (owner, admin, member, guest)

Workspace and team

  • Workspace name, slug, icon or logo
  • List of members you invite (their email addresses and roles)
  • Invitation status (pending, accepted, expired) and invite metadata
  • Workspace creation timestamp and current plan tier

Billing and subscription

  • Stripe customer ID and subscription ID
  • Plan name, billing interval, current period start and end, trial status
  • Card brand, last four digits, expiry month/year, and country of card issuer (received from Stripe; we never see the full card number, CVC, or full account number)
  • Billing address that you enter at checkout (street, city, state, postal code, country, optional tax ID such as GSTIN or VAT)
  • Invoices, receipts, and payment history (stored at Stripe; we cache invoice metadata)

Your content

  • Files you upload (video, audio, images, PDFs, and other media), together with file name, size, format, duration, and the SHA-256 hash we use to detect duplicates
  • Thumbnails, transcoded variants, and streaming manifests we generate from your files
  • Audio transcripts produced by our speech-to-text provider for searchability and accessibility
  • Folder names, project names, version labels, and the structure you organize them into
  • Comments, replies, reactions, mentions, and emoji
  • Annotations: drawings, arrows, pins, and the timestamped or pinpoint positions you place them at
  • Voice comments, screen recordings, and webcam recordings you record inside the Service
  • Share links you create, their access settings, password (hashed if you set one), and expiry
  • Approval and version-decision history (who approved what, when)

Support and communications

  • Emails you send to [email protected] and our replies
  • In-app feedback, bug reports, and feature requests
  • Survey responses, if you choose to participate

Automatically collected

  • IP address (used for rate-limiting, fraud prevention, and approximate region for analytics)
  • Approximate geolocation derived from your IP (country, region, city, not precise GPS)
  • Browser name and version, operating system, device type, screen size, and language
  • Time zone and locale
  • Referring URL and UTM parameters that brought you to the site (utm_source, utm_medium, utm_campaign, initial_referrer)
  • Crash reports, error stack traces, and performance metrics, with the URL and user ID that experienced the error
  • Session cookies, authentication tokens, and CSRF tokens (see Section 5)

Product analytics events (PostHog)

After you sign in we associate analytics events with your user ID, your email, your name, your role, and your workspace ID, so we can understand how the product is used. We do not run session replay; we do not autocapture clicks or keystrokes. The events we send are limited to a defined list, including:

  • $pageview: page URL and your current workspace ID
  • $exception: uncaught errors with stack trace and the page they happened on
  • user_signed_up, user_logged_in, user_logged_out
  • workspace_created, workspace_switched
  • project_created, video_uploaded (with file size, duration, format), comment_added, first_comment_added, comment_ui_opened, timeline_clicked
  • invite_sent, invite_accepted, review_completed
  • Generic call-to-action clicks on marketing pages (cta_clicked with a label)

From third parties

  • Authentication providers: if you choose to sign in with Google or GitHub, we receive your name, email address, profile picture, and the provider's user ID, scoped to the permissions you grant.
  • Payment processor: Stripe sends us subscription status, invoice metadata, and the limited card-on-file information listed above.

2. How We Use Information

We use the information we collect to:

  • Provide, operate, and maintain the Service: including authentication, file processing, transcoding, streaming, annotation sync, sharing, version compare, and automatic transcription of audio and voice comments for in-app search and accessibility.
  • Bill you, manage subscriptions, and prevent payment fraud through Stripe.
  • Communicate with you: about your account, security, product updates, support requests, and (only with your consent or where allowed by law) occasional product news.
  • Improve the Service: diagnose bugs, monitor performance, understand how features are used in aggregate, and inform product decisions.
  • Protect the Service and our users: enforce our Terms, detect abuse or illegal activity, and comply with legal obligations.

We do not sell your personal information. We do not use the content you upload (video, audio, images, annotations, comments) to train machine-learning models for ourselves or any third party.

4. Service Providers and Subprocessors

We use the following providers to deliver the Service. Each receives only the data needed for its function and is bound by contractual confidentiality and security obligations.

  • Stripe (USA / global): payment processing, billing, fraud prevention.
  • Amazon Web Services (AWS): S3 object storage and CloudFront CDN for storing and delivering uploaded media; primary region in the United States.
  • Cloudflare R2: additional object storage and edge delivery for media assets.
  • Mux (USA): video transcoding, streaming, and playback infrastructure for certain media.
  • AssemblyAI (USA): automatic speech recognition used to transcribe audio and voice comments into text for searchability and accessibility.
  • PostHog (USA / EU): product analytics, feature flags, session-level event data (no full session replay of your private media).
  • Resend (USA): transactional email (account verification, password reset, share-link notifications, billing receipts).
  • Google LLC and GitHub, Inc.: only if you choose to sign in with Google or GitHub, in which case those providers handle authentication and share limited profile information with us.
  • Hosting and infrastructure: cloud compute and database providers used to run the application and store metadata.

We may update this list as the Service evolves. Material changes will be reflected here and, where required, communicated in advance.

5. Cookies and Local Storage

We use cookies and similar browser-storage technologies (localStorage, sessionStorage) for the purposes described below. We do not use advertising cookies and we do not sell data to ad networks.

Strictly necessary

  • Authentication session token: keeps you signed in
  • CSRF protection token: prevents cross-site request forgery on form submissions
  • Selected workspace and last-opened folder: so the app remembers what you were working on

The Service cannot function without these. They cannot be disabled.

Functional

  • Theme preference (light or dark)
  • Sidebar open/collapsed state
  • Player preferences (volume, playback speed)
  • Onboarding progress flags (so we do not show the same hint twice)

Analytics (PostHog)

PostHog sets a persistent identifier in cookies and localStorage (a randomly generated distinct_id). After you sign in, this identifier is linked to your user account so events can be attributed to you. The data collected is described in detail in Section 1 under "Product analytics events."

Analytics is not anonymous once you are signed in. We do not run session replay, we do not autocapture every click, and we do not record keystrokes or form values.

You can opt out of analytics by enabling Global Privacy Control (GPC) or "Do Not Track" in your browser. We honor these signals automatically. To request deletion of analytics data already collected about you, email [email protected].

6. How We Share Information

We share personal information only as described below:

  • With your workspace: content and activity in a workspace is visible to other members of that workspace and to people invited via share links, according to the permissions configured by the workspace owner.
  • With service providers: see Section 4. They process data on our behalf, under written agreements.
  • For legal reasons: when required by valid legal process or to protect the rights, property, or safety of Dusken, our users, or the public, and to enforce our Terms.
  • In a business transfer: if we are involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction. We will require the recipient to honor the commitments in this Policy.

7. Data Retention

We retain personal information for as long as your account is active and for a reasonable period afterward to support recovery, dispute resolution, and legal compliance.

  • Uploaded content and workspace data: kept while your subscription is active. After cancellation or account deletion, content is retained for up to 30 days in a recoverable state and then deleted from primary systems, with backup copies removed within an additional 30 days.
  • Billing records: invoices and payment metadata are kept for up to 8 years to comply with tax and accounting requirements.
  • Logs and security data: retained for up to 12 months for troubleshooting, fraud prevention, and abuse investigation.

8. Your Rights

Depending on where you live, you may have the following rights regarding your personal information:

  • Access: request a copy of the personal information we hold about you.
  • Correction: ask us to fix inaccurate or incomplete information.
  • Deletion: ask us to delete your information, subject to limited exceptions (such as legal-retention requirements).
  • Restriction or objection: limit how we process your information, or object to certain processing based on legitimate interests.
  • Portability: where required by applicable law, receive certain personal information you have provided to us in a structured, commonly used format.
  • Withdraw consent: where processing is based on consent, you can withdraw it at any time without affecting prior lawful processing.
  • Complain to a regulator: for example, your local Data Protection Authority in the EEA/UK, or the Data Protection Board of India under the DPDP Act, 2023.

To exercise any of these rights, email [email protected]. We may need to verify your identity before fulfilling the request. We will respond within the time required by applicable law (typically 30 days).

9. International Data Transfers

Dusken is operated from India, and some of our service providers are located in the United States, the European Union, and other regions. When we transfer personal information across borders, we use appropriate safeguards such as the European Commission's Standard Contractual Clauses or equivalent mechanisms required by the law of your country.

10. Security

We use appropriate technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures evolve as the Service and the threat landscape evolve.

No system is perfectly secure and we cannot guarantee absolute security. If we become aware of a personal-data breach affecting you, we will notify you and the relevant authorities to the extent required by law.

11. Children

The Service is not directed to children under 13, and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, contact [email protected] and we will delete it.

12. Guests and External Reviewers

When you are invited to review work via a Dusken share link, the workspace owner controls what is shared with you and acts as the data controller for that content. We process your information (such as your email, comments, and annotations) on their behalf as a data processor. Direct requests about your data to the workspace owner first; you can also contact us at [email protected] and we will route your request appropriately.

13. Changes to This Policy

We may update this Privacy Policy at any time. When we do, the "Last updated" date at the top of this page reflects the latest revision. It is your responsibility to review this Policy periodically. Your continued use of the Service after a change takes effect constitutes acceptance of the updated Policy.

14. Contact Us

For privacy questions, requests, or complaints, write to [email protected]. Postal mail can be sent to the address we provide on request.

Questions? Write to [email protected].