Skip to main content

Privacy Policy

GDPR launch draft v1. Effective May 6, 2026.

Consent-aware analytics
Evidence tracked
No blanket compliance claim

Last Updated: May 6, 2026

1. Who this policy covers

official operates this Space on DukieX. This Privacy Policy explains how official, DukieX platform services, Space owners, creators, sellers, and service providers process personal data when you browse, buy, sell, livestream, message, use AI tools, or contact support through this Space.

2. Data we process

Depending on how you use this Space, we process:

  • Account, profile, authentication, session, role, membership, seller, and team-access data.
  • Store, checkout, order, shipping, refund, dispute, subscription, credit, gift, tip, and payout records.
  • Content you publish or send, including discussions, comments, reviews, wanted posts, direct messages, livestream chat, media uploads, transcripts, clips, thumbnails, and AI conversation content.
  • Creator and seller disclosures such as public trading name, legal name, contact details, registered jurisdiction, VAT or company identifiers, and verification status where required.
  • Device, IP, security, fraud-prevention, analytics, feature-flag, consent, email, notification, support, and incident records.

3. Purposes and legal bases

We use personal data for:

  • Contract: accounts, memberships, purchases, payments, fulfilment, seller tools, livestream access, messages, support, and requested AI features.
  • Legitimate interests: platform security, abuse prevention, moderation, fraud checks, service reliability, search, recommendations, analytics after consent where required, and business operations.
  • Consent: optional analytics/session replay, marketing emails, optional cookies, and optional social/OAuth integrations.
  • Legal obligation: tax, accounting, payment, sanctions, KYC, dispute, consumer, safety, breach-response, and regulatory records.

4. AI, analytics, and payments

AI processing

AI features may process prompts, uploaded media, conversation context, product or discussion text, livestream transcripts, and generated outputs through AWS Bedrock-backed services. Do not submit secrets, raw payment details, or content you do not have rights to use. AI records are included in future export and erasure work tracked for DSR handling.

Analytics and replay

PostHog analytics and session replay are opt-in. Until consent is granted, analytics capture and replay are disabled. Replay uses masking controls and sampling, but you should avoid entering sensitive information into free-text fields that are not needed.

Payments

Stripe processes payments, saved payment references, subscriptions, refunds, disputes, Connect onboarding, KYC, fraud/risk checks, and seller payouts. DukieX does not intentionally store raw card numbers or CVV. Stripe may act as an independent controller for regulated payment, fraud, KYC, sanctions, financial reporting, and network obligations.

5. Recipients and transfers

We share personal data only where needed to operate this Space, complete transactions, meet legal duties, or follow your instructions.

  • AWS for hosting, storage, logs, authentication, email, and livestream infrastructure.
  • Stripe for payments, seller onboarding, fraud, disputes, subscriptions, and payouts.
  • PostHog for consented analytics, feature flags, surveys, and session replay.
  • AWS Bedrock for enabled AI generation and metadata workflows.
  • Cloudflare Turnstile for bot and abuse prevention on protected forms.
  • Typesense for search indexes that may include profile, product, discussion, message, activity, contact, membership, and livestream records.
  • Google, Apple, Meta/Facebook, TikTok, Twitch, and YouTube when you choose login or social/livestream integrations.
  • Sellers, creators, delivery providers, and support providers where needed for fulfilment, support, refunds, or disputes.

UK/EU data may be transferred internationally using provider DPAs, standard contractual clauses, UK addenda, or another approved transfer mechanism. Current provider evidence is tracked in the subprocessor register and evidence checklist.

6. Retention and deletion

We keep personal data only for as long as needed for the relevant purpose. Transaction, tax, accounting, refund, dispute, fraud, KYC, sanctions, safety, moderation, and legal records may be retained after account deletion where required. DSR export, erasure, objection, and restriction requests follow an internal workflow that covers local account/profile/session/activity records plus manual vendor steps for Stripe, PostHog, AWS/Bedrock/SES, Cloudflare, OAuth/social providers, Typesense, media, and connected sellers where applicable.

7. Your rights

Depending on your location, you may ask to access, correct, delete, restrict, object to, or port your personal data, and you may withdraw consent where processing depends on consent. You may also complain to your local data protection authority. Some requests may be limited by legal, tax, payment, fraud, dispute, safety, or other mandatory retention duties.

Contact privacy@charleex.com to exercise rights or ask privacy questions. Data Protection Officer/contact: privacy@charleex.com.