Privacy Policy

Effective: March 2025  ·  Last updated: March 2026

Your privacy matters. This policy describes exactly what data DuctStatic collects, why, and how it is used.

1. Data We Collect

Account Information

• Username: Used for account identification and login
• Password: Securely hashed. Never stored in plaintext.
• Email address: Collected at registration (used for password reset and account communication)

Google Sign-In (if used)

• Google account ID and email: Collected only if you choose to sign in with Google. Used solely to identify and authenticate your account. We do not access your Google Drive, contacts, or any other Google data.

Project & Tool Data

• Saved projects: Duct system configurations, segment data, and calculation results you choose to save
• Custom fitting library: Any fittings you add to your personal fitting library
• All project data is stored server-side, associated with your account

Anonymous Usage Analytics

• Calculation metrics: When you run a calculation, we log fully anonymous aggregate data: number of paths, number of fittings, critical path length and loss, fan static pressure, safety factor, inlet/outlet flags, and timestamp. This is not linked to your account and cannot be traced back to you.
• Page visits: We count homepage visits and log the referring URL (e.g., which website linked here). No IP addresses or browser fingerprints are collected. Visit data cannot be traced back to you individually.

2. How We Use Your Data

• Authentication: Username, password hash, email, and Google ID are used to verify your identity
• Account recovery: Email is used to send password reset links
• Project management: To save, load, and organize your duct calculation projects
• Service improvement: Aggregate calculation metrics help us understand how the tool is used and where to focus development
• Traffic analysis: Referrer data helps us understand where visitors come from

3. Data Sharing

We do not share, sell, or transfer your personal data to any third parties. Your information stays on this server.

The only external service involved in authentication is Google OAuth (if you use Google Sign-In). Google's privacy policy governs their handling of that authentication flow.

4. Data Security

• Passwords are hashed using bcrypt. Never stored in plaintext.
• Session cookies are used for authentication only, with no tracking
• Password reset tokens expire after a short window and are single-use
• Data is stored with integrity protections (WAL mode, foreign key constraints)

Note: No system is 100% secure. Use a strong, unique password for your account.

5. Data Retention

• Account and project data are retained indefinitely unless you request deletion
• Calculation run logs are retained for service improvement purposes
• Inactive accounts may be purged at the developer's discretion, with reasonable notice where possible

6. Your Rights

• Access: You can view your project data at any time through the app
• Export: Project data is stored as JSON and can be exported
• Deletion: You may request deletion of your account and all associated data by contacting us

7. Third-Party Services

DuctStatic uses the following external services:

• Google OAuth: Optional sign-in method. Only used if you choose it.
• Resend: Transactional email provider, used only to send password reset emails.
• Chart.js (CDN): JavaScript charting library loaded from a CDN for the admin panel only. Not present on user-facing pages.

We do not use advertising networks, social media integrations, or behavioral analytics services.

8. Contact

For privacy-related questions, data deletion requests, or concerns, contact:

privacy@ductstatic.com

9. Changes to This Policy

This policy may be updated when the data we collect changes. The "last updated" date at the top will reflect any revisions. Continued use of the service after changes constitutes acceptance of the updated policy.