Privacy Policy - DuckTracks

Effective Date: February 20, 2026
Last Updated: March 2, 2026

DuckTracks, LLC ("DuckTracks," "we," "us," or "our") operates the DuckTracks mobile application (available on Apple App Store and Google Play Store) and website (collectively, the "Service"). This Privacy Policy describes how we collect, use, store, and protect your personal information when you use our Service.

We take your privacy seriously. DuckTracks does not sell, rent, trade, or share your personal information with third parties for their marketing or advertising purposes. Period.

By using DuckTracks, you agree to the collection and use of information as described in this Privacy Policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Information You Provide Directly

Account Information:

Email address
Password (securely hashed — we never store or see your actual password)
Display name

Profile Information (optional):

Username
Bio (up to 500 characters)
Profile photo and cover photo
Gallery photos (up to 6)
Phone number
Social media links (e.g., Instagram handle)
Home location (city and state — see Section 1.3 for details on location data)

Content You Create:

Posts (text, up to 2,000 characters)
Comments and replies
Photos attached to posts, duck profiles, and events
Direct messages to other users
Duck setup information (duck name, description, type)
Group and event details you create
Reports you submit about content or users

Communication Preferences:

Email marketing opt-in/opt-out status
Push notification preferences (per-category toggles)

1.2 Information Collected Automatically

Device Information:

Device type and operating system version
App version
Push notification token (Firebase Cloud Messaging token — used solely to deliver push notifications you have enabled)

Biometric Authentication:

If you enable biometric authentication (Face ID, Touch ID on iOS, or fingerprint/face unlock on Android), biometric data is processed entirely on your device by your operating system. DuckTracks never receives, transmits, stores, or has access to your biometric data.

Offline Data:

If you use the app without an internet connection, actions are temporarily stored on your device and synced when connectivity returns. This data is stored locally and is not accessible to us until synced.

1.3 Location Information

DuckTracks collects GPS coordinates in the following situations:

When you pass or find a duck — your location is recorded to track the duck's journey
When you activate a duck — your location is optionally recorded as the duck's origin
When you set your profile location — you choose a home city/state
When you search for nearby users, groups, or events — your location is used temporarily to find results near you

How location is displayed:

Your location is displayed publicly as city and state only (e.g., "Spartanburg, SC")
Your precise GPS coordinates (latitude/longitude) are never displayed to other users
GPS coordinates are stored securely to calculate duck journey distances and maps, but are not shared in a way that reveals your exact location

You control location access:

You can deny location permission at any time through your device settings
Some features (duck passing/finding) require location to function properly

1.4 Information from Third Parties

Google Sign-In: If you sign in with Google, we receive your name, email address, and profile photo from Google. We do not receive your Google password or access your Google account data beyond what is needed for authentication.

Apple Sign-In: If you sign in with Apple, we receive your name and email address (or an Apple-provided relay email address if you choose to hide your email). We do not receive your Apple password or access your Apple account data beyond what is needed for authentication.

2. How We Use Your Information

2.1 To Provide and Operate the Service

Create and manage your account
Enable duck tracking (QR scanning, passing, finding, journey history)
Enable social features (posts, comments, likes, follows, direct messages, groups, events)
Display your profile and content to other users
Display your location as city/state on duck events and your profile
Store and serve your photos
Send push notifications for app events you have enabled
Process your offline actions when connectivity returns

2.2 To Communicate with You

Send transactional emails (verification codes, password resets, account notifications) — you cannot opt out of these as they are necessary for account security
Send marketing emails about DuckTracks updates and features — only if you opt in, and every email includes an unsubscribe link
Send push notifications — configurable per-category in your app settings

2.3 To Maintain Safety and Security

Enforce our Terms of Service and Acceptable Use Policy
Review reported content and take moderation action
Prevent fraud, abuse, and unauthorized access
Respond to legal requests (subpoenas, court orders)

2.4 What We Do NOT Use Your Information For

We do NOT sell your personal information. Not now, not ever.
We do NOT share your information with advertisers. DuckTracks has no advertising partners.
We do NOT use analytics SDKs that track you across apps or websites. There are no third-party analytics tools (no Google Analytics, no Mixpanel, no Amplitude, no Segment) in the DuckTracks app.
We do NOT share your precise GPS coordinates with other users or third parties. Only city/state is displayed.
We do NOT access or transmit your biometric data. Face ID and Touch ID are processed entirely on your device.
We do NOT build advertising profiles or track your behavior for targeted advertising.
We do NOT sell or rent your email address to marketing companies.

3. How We Share Your Information

3.1 Publicly Visible Information

When you use DuckTracks, certain information is visible to other users:

Your profile (name, username, bio, profile photo, cover photo, gallery photos)
Your posts, comments, and likes
Your duck activity (ducks activated, passed, found) and journey contributions
Your location as city/state only
Your groups and event participation

Direct messages are private — only visible to participants in the conversation.

3.2 Service Providers (Data Processors)

We use the following third-party service providers to operate DuckTracks. These providers process data on our behalf and under our instructions — they do not use your data for their own purposes:

Provider	Purpose	Data Processed
Amazon Web Services (AWS)	Cloud hosting, database storage, file storage, authentication, email delivery	All service data (encrypted in transit and at rest)
Firebase (Google)	Push notification delivery	Device push token, notification content
Google OAuth	Sign-in with Google	Name, email, profile photo (during authentication only)
Apple Sign-In	Sign-in with Apple	Name, email or relay email (during authentication only)
Google Play Services	App distribution and updates (Android)	Device identifiers for app delivery and update verification

These are data processors, not data sharing partners. They are contractually obligated to protect your data and may only use it to provide services to DuckTracks.

3.3 We Do NOT Share With

Advertising networks or ad exchanges
Data brokers or data resellers
Analytics companies
Marketing partners or affiliates
Social media companies (beyond Google OAuth for sign-in)
Government agencies (unless legally compelled — see Section 3.4)

3.4 Legal Requirements

We may disclose your information if required to do so by law or in response to valid legal process, including:

Subpoenas, court orders, or legal proceedings
Requests from law enforcement when we believe disclosure is necessary to prevent harm, fraud, or illegal activity
To protect the rights, property, or safety of DuckTracks, our users, or the public

3.5 Business Transfers

In the event DuckTracks, LLC is involved in a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent in-app notice before your information becomes subject to a different privacy policy.

4. Data Security

We take the security of your data seriously and implement industry-standard measures to protect it:

Encryption in Transit: All data transmitted between your device and our servers is encrypted using HTTPS/TLS
Encryption at Rest: Data stored in AWS DynamoDB and S3 is encrypted using AWS-managed encryption keys
Authentication Security: User authentication is managed by AWS Cognito with industry-standard JWT tokens. Passwords are hashed using secure algorithms — we never store plaintext passwords
Access Control: Access to production systems and user data is strictly limited to authorized personnel (the company owner). There is no team of people browsing your data
Token Expiration: Access tokens expire after 1 hour; refresh tokens expire after 30 days
Secure Storage: Sensitive data on your device (tokens, credentials) is stored using platform-secure storage (iOS Keychain on Apple devices, Android Keystore on Android devices)

Your data is not stored in some basement being passed around. It is hosted on Amazon Web Services, one of the most secure cloud platforms in the world, in their US-East-1 (Virginia) data centers, protected by enterprise-grade security, encryption, and access controls.

While we implement robust security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your data to the best of our ability.

5. Data Retention

Active Accounts: Your data is retained as long as your account is active and you continue to use the Service
Account Deletion: When you request account deletion, we process the request within 30 days. See our Data Deletion Instructions for details on what is deleted and what may be retained
Soft-Deleted Content: Content you delete (posts, comments, photos) is marked as deleted and hidden from view, but may be retained in our systems for abuse prevention and legal compliance
Backups: Backup copies of data may be retained for up to 90 days for disaster recovery purposes, after which they are permanently deleted
Legal Requirements: We may retain certain data longer if required by law, legal proceedings, or to protect our legal rights

6. Your Rights and Choices

6.1 Access and Update Your Information

You can view and update your profile information, notification preferences, and privacy settings directly in the DuckTracks app at any time.

6.2 Request Your Data

You may request a copy of the personal data we hold about you by emailing support@ducktracks.com. We will respond within 30 days.

6.3 Delete Your Account

You may request deletion of your account and personal data. See our Data Deletion Instructions for the full process, or email support@ducktracks.com with the subject line "Account Deletion Request."

6.4 Marketing Communications

Email: You can unsubscribe from marketing emails at any time using the unsubscribe link included in every marketing email, or by updating your preferences in the app
Push Notifications: You can disable push notifications in your device settings or configure per-category preferences in the app

6.5 Location Data

You can revoke location permissions at any time through your device's settings. Note that some features (passing and finding ducks) require location access to function.

7. California Residents — Your CCPA Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

Right to Know: You have the right to know what personal information we collect, how we use it, and whether we share it
Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions
Right to Opt-Out of Sale: You have the right to opt out of the "sale" of your personal information. DuckTracks does not sell your personal information, so there is nothing to opt out of
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights

To exercise your rights: Email support@ducktracks.com with your request. We will verify your identity before processing.

Categories of information collected: Identifiers (name, email, username), internet activity (app usage), geolocation data (city/state), audiovisual information (photos you upload), and inferences (none — we do not build profiles for advertising).

Information sold or shared for cross-context behavioral advertising: None. We do not sell or share your information for advertising.

8. European Residents — Your GDPR Rights

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) provides you with additional rights:

Right of Access: Request a copy of your personal data
Right to Rectification: Request correction of inaccurate data
Right to Erasure: Request deletion of your personal data ("right to be forgotten")
Right to Restrict Processing: Request that we limit how we use your data
Right to Data Portability: Request your data in a structured, machine-readable format
Right to Object: Object to processing of your data for certain purposes
Right to Withdraw Consent: Withdraw consent for processing at any time (where consent is the legal basis)
Right to Lodge a Complaint: File a complaint with your local data protection authority

Legal basis for processing: We process your data based on: (a) your consent (e.g., marketing emails), (b) performance of a contract (providing the Service), (c) legitimate interests (security, fraud prevention), and (d) legal obligations.

Data transfers: Your data is stored in the United States (AWS US-East-1 region). By using the Service, you consent to the transfer of your data to the United States.

To exercise your rights: Email support@ducktracks.com.

9. Children's Privacy

DuckTracks is intended for users who are 13 years of age or older. We do not knowingly collect personal information from children under the age of 13.

If we become aware that we have collected personal information from a child under 13, we will take immediate steps to delete that information from our systems.

If you are a parent or guardian and believe your child under 13 has provided personal information to DuckTracks, please contact us immediately at support@ducktracks.com so we can delete the information.

10. Cookies and Local Storage

Mobile App

The DuckTracks mobile app does not use cookies. The app uses secure local storage for:

Authentication tokens (stored in iOS Keychain / Android Keystore / secure storage)
Offline queue data (actions saved locally when offline)
App preferences and settings
Cached content for performance

Web Application

The DuckTracks web application (app.ducktracks.com) uses only essential cookies and local storage required for the app to function:

Session and authentication cookies
Local storage for app preferences and offline functionality

We do not use advertising cookies, tracking cookies, or third-party analytics cookies.

11. Third-Party Links

DuckTracks may contain links to third-party websites or services (e.g., social media links on user profiles). We are not responsible for the privacy practices, content, or security of third-party sites. We encourage you to review their privacy policies before providing any personal information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make changes:

We will update the "Last Updated" date at the top of this policy
For significant changes, we will notify you via email or prominent in-app notification
Continued use of the Service after changes are posted constitutes your acceptance of the updated policy

We encourage you to review this Privacy Policy periodically.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

DuckTracks, LLC
Email: support@ducktracks.com
Address: PO Box 161253, Boiling Springs, SC 29316
Website: www.ducktracks.com

For account-related inquiries: admin@ducktracks.com
For privacy-specific requests: support@ducktracks.com

By using DuckTracks, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and storage of your information as described herein.