Last updated May 25, 2026

Privacy Policy

Dupl lets you send an AI avatar to attend meetings on your behalf. Because this involves recording, transcribing, and representing you in live conversations, we take privacy seriously. This policy explains exactly what we collect, why, and how.

1. Who we are

Dupl ("we", "us") is a service that creates an AI representation of you — your face, voice, and persona — that can attend video meetings autonomously. We are operated by Ibrahim Irfan. Questions: privacy@dupl.app.

2. What we collect

Account information

Name and email address when you sign up. Password stored as a hash by Supabase Auth — we never see it in plaintext.

Biometric data (face and voice)

To create your AI avatar, you upload a training video or photo. We process this through Tavus to generate a replica of your likeness, and optionally through ElevenLabs to clone your voice. This is biometric data. We retain it for as long as your account exists and delete it when you request deletion or close your account. We do not sell or share biometric data with any third party except the processors listed in Section 6.

Meeting content

When your Dupl attends a meeting, Recall.ai captures audio and video of the meeting and generates a real-time transcript. This transcript — including things said by other meeting participants — is stored in your account. You are responsible for ensuring that other participants have been appropriately notified (see Section 9 on recording consent).

Calendar data

If you connect Google Calendar, we access your event titles, times, attendee lists, and meeting links to help dispatch your Dupl automatically. We do not read email body content.

Contact notes

After each meeting, we generate brief notes about attendees based on the transcript. These notes are stored in your account and used to give your Dupl context in future meetings with the same people.

Usage data

Standard server logs: IP address, browser type, pages visited, meeting duration. We use this to operate and improve the service.

3. How we use your data

To provide the service — joining meetings, generating transcripts, summaries, and contact notes on your behalf
To train and serve your AI avatar (face replica and voice clone)
To send you meeting summaries, notifications, and product updates
To detect and prevent abuse
To comply with legal obligations

We do not use your meeting content to train general AI models. We do not sell your data.

4. How long we keep your data

Account data: kept until you delete your account
Meeting transcripts and summaries: kept until you delete them or close your account
Biometric data (replica, voice clone): deleted within 30 days of account closure or on request
Training videos: deleted from our storage after your replica is successfully created, unless you retain them for retraining
Calendar data: deleted when you disconnect the integration

5. Your rights

You can at any time:

Access the data we hold about you
Request correction of inaccurate data
Request deletion of your account and all associated data
Export your meeting transcripts and summaries
Disconnect calendar or Slack integrations from Settings

To exercise any of these rights, email privacy@dupl.app. We will respond within 30 days.

6. Sub-processors

We share data with the following third-party services to operate Dupl. All are contractually obligated to protect your data.

Processor	Purpose	Location
Supabase	Database, authentication, file storage	US (AWS)
Vercel	Hosting and compute	US
Recall.ai	Meeting bot, audio capture, transcription	US
Tavus	AI avatar creation and streaming	US
ElevenLabs	Voice cloning and text-to-speech	US
OpenAI	Meeting summaries, activation gate, suggested replies	US
Groq	Activation gate fallback LLM	US
Resend	Transactional email delivery	US
Slack	Whisper notifications (if connected)	US
Google	Calendar integration (if connected)	US

7. Security

We encrypt data in transit (TLS) and at rest. OAuth tokens and API keys are encrypted at rest using AES-256-GCM. Biometric data is processed only by Tavus and ElevenLabs under data processing agreements. We do not store raw training videos after replica creation is complete.

No system is perfectly secure. If you discover a security issue, please email privacy@dupl.app.

8. Cookies and tracking

We use session cookies for authentication (managed by Supabase). We do not use third-party advertising trackers or sell browsing data. We may use anonymised analytics to understand how the product is used.

9. Recording consent — your responsibility

When your Dupl attends a meeting, it records the conversation including other participants. Recording consent laws vary by jurisdiction:

Most US states: one-party consent (you are the consenting party)
Multi-party consent states: California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, Washington — all participants must consent
European Union: GDPR requires a lawful basis for processing personal data of meeting participants

You are responsible for ensuring that meeting participants are appropriately notified that an AI avatar is attending and that a transcript is being generated. The opening statement feature in your Dupl settings can help with this. We are not responsible for your compliance with applicable recording laws.

10. Changes to this policy

We will notify you by email of material changes to this policy before they take effect. Continued use of the service after notice constitutes acceptance.

11. Contact

Questions, data requests, or concerns: privacy@dupl.app