Datenschutzerklärung

Effective date: 28 April 2026

Privacy on duudey starts at the default. Visit duudey.com without signing in and the platform knows very little about you. The network edge in front of the site sees what every web server sees (your IP address, the URL you opened, the timestamp, the user-agent string your browser sends, and the referrer if your browser sent one). For unauthenticated visitors, that request-level visibility is the baseline.

Those edge logs exist primarily to keep the site online and block automated abuse such as denial-of-service attacks, credential stuffing, and large-scale scraping. They are processed by Cloudflare on our behalf as a security firewall and are kept for the short retention windows their policy describes. The current build of duudey does not run a behavioural analytics script, a session-replay tool, or a third-party fingerprinting library. If we ever introduce any analytics, advertising, or measurement technology, this page is updated first and the new processors are listed in the section below before the change goes live.

If you sign in with Spotify, the rest of this page applies to you.

What we hold

To use the platform's personalised features (the radio dock, saved locations, localised news, saved settings), you authenticate via Spotify's OAuth flow. We act as data controller solely for the limited profile information required to maintain your session.

The core profile payload we request and store from Spotify is your Spotify user ID, your display name, and your profile picture URL. The OAuth scopes we ask for are scoped to what the active personalised features need at the time you sign in; the exact permissions Spotify grants on your behalf are listed on Spotify's own consent screen at sign-in time, before you confirm, and that screen is the authoritative description of what we can read from your account on any given day. You can review and revoke those permissions at any moment from your Spotify account dashboard.

Spotify never shares your password with us, and we have no path to it. We do not request access to your payment or subscription data. The OAuth token we receive is held in encrypted form on our infrastructure and is rotated or invalidated when you sign out, when you revoke access from Spotify's dashboard, or when Spotify itself revokes our developer access. Anything Spotify-derived that we choose to use to personalise the experience for you (for example, helping the radio dock or surfacing news that matches your taste) stays inside that session and is not exposed to third parties.

Interface choices (preferred language, news source filters, event location, dark or light mode) are saved locally on your device through cookies and are not tied to your Spotify identity unless you are signed in. On a first visit, before you have saved an event location yourself, the site may use the language preference your browser sends to suggest a country-level events default. That suggestion stays local to the device unless you later sign in and save preferences to your account.

Cookies

The current build of duudey sets functional, first-party cookies only, and we do not sell, rent, trade, or auction your data to brokers. If we ever add a cookie that supports advertising, measurement, or third-party personalisation, this section is updated first, the cookie is named here with its purpose and lifetime, and (where required by KVKK or GDPR) you are asked for consent through an in-page prompt before it is set.

The cookies set directly by the site today are:

• A sign-in cookie keeps you signed in across pages and visits, expiring after thirty days of inactivity. Signing out clears it. So does revoking duudey from your Spotify account dashboard.
• A preferences cookie remembers your language, news source filters, and event location for twelve months from the last change.
• A small radio cookie remembers whether you have hidden the floating radio dock at the top of the page.

In addition, Cloudflare may set its own functional cookies as it operates the network edge in front of duudey: short-lived cookies that help it route requests to the right cache region for performance, and challenge cookies that remember you have already passed a bot-protection check (for example, a CAPTCHA) so you do not have to solve it on every page. These cookies are described in the Cloudflare Privacy Policy and the Cloudflare Cookies Policy, and are set under Cloudflare's role as our processor for security and edge delivery rather than for analytics or advertising.

Clearing duudey's cookies in your browser wipes the duudey-set ones; clearing all cookies for the domain also wipes the Cloudflare-set functional cookies. Some article and event images are cached on our side so the page loads quickly. The cache key is the original image URL, holds nothing about you, and is automatically purged.

Third-party processors

We do not sell, rent, trade, or auction your personal data. The infrastructure your data passes through is paid infrastructure, none of it a partner of ours, and the providers in use today are:

• Cloudflare runs our network edge and security firewall, processing raw web traffic logs to block malicious bot activity. They describe themselves as "a conduit for information controlled by others", and their Privacy Policy covers the request logs they keep on our behalf as a processor.
• Spotify handles the underlying authentication flow as an independent data controller under their own Privacy Policy.
• The database that holds the items above sits on infrastructure under our direct control.

If we add a new sub-processor in the future (for example, an advertising or measurement partner, an email-delivery provider, or a different storage backend), this list is updated before the new processor goes live and the change is flagged at the top of the page.

Legal basis for processing (KVKK and GDPR)

For users in Türkiye, we process data in accordance with the Personal Data Protection Law (KVKK). For users in the EU and UK, we comply with the General Data Protection Regulation (GDPR).

• Performance of a contract under KVKK Art. 5(2)(c) and GDPR Art. 6(1)(b): processing your Spotify ID, display name, and profile picture URL to create your session and apply your saved preferences when you authenticate.
• Legitimate interest under KVKK Art. 5(2)(f) and GDPR Art. 6(1)(f): securing the platform from automated abuse, enforcing our anti-scraping policies, and maintaining our short-lived image cache for site performance, balanced against your rights.

Data retention and deletion

We hold personal data only as long as necessary to provide the duudey service, and we do not store Spotify-derived content indefinitely. We do not build a separate, persistent dataset out of Spotify content beyond what is required to operate the personalised features you are using, in line with the Spotify Developer Terms.

• Spotify-linked profile fields (user ID, display name, profile picture URL, OAuth tokens) are deleted in line with the Spotify Developer Terms. You can disconnect at any time from your Spotify dashboard, by signing out, or by writing to us at the address below; any of those three actions starts the five-day clock.
• Preferences cookies live in your browser until they expire (twelve months from the last change) or you clear them. Server-side preferences attached to a Spotify identity are deleted alongside that identity.
• Cached article and event images stay at most thirty days from the last fetch, after which the cache entry expires automatically and is rebuilt only if a reader requests the image again.
• Edge request logs (the Cloudflare-side IP / URL / timestamp lines described above) are retained for the short windows Cloudflare's policy specifies; we do not extend that retention.
• Mail you send us stays while we need it to answer your request and to keep a record of how it was handled. Threads with no follow-up older than twelve months are deleted; threads connected to a takedown or a regulatory request may be kept for the limitation period of the relevant law (typically six years under Turkish commercial-record practice) and no longer.

Your rights

Under KVKK Art. 11 and GDPR Arts. 13 to 22 you have the right to:

• request a copy of the personal data we hold about you,
• request correction of inaccurate data,
• request complete erasure of your data (the right to be forgotten),
• restrict our processing of it, object to it, or port it elsewhere,
• withdraw consent at any time by disconnecting your Spotify account.

To exercise any of these rights, write to [email protected] with the subject prefix Privacy:. We acknowledge inside five business days and complete inside thirty, free of charge unless the request is manifestly unfounded or repetitive.

If you think we have mishandled your data, you also have the right to lodge a complaint with a supervisory authority. In Türkiye that is the Kişisel Verileri Koruma Kurumu. In the EU it is the data-protection authority of your country of residence.

A few last things

duudey is not directed at children. We do not knowingly collect data from anyone under thirteen, or under sixteen where local law sets a higher minimum (the relevant threshold under KVKK and GDPR depends on the user's place of residence). If we discover that we hold an account belonging to a person under the applicable age, we delete it and the associated profile fields without waiting for a request.

A security incident affecting your personal data triggers a notice to the relevant supervisory authority within seventy-two hours of our becoming aware of it, as GDPR Art. 33 requires, and a notice to affected users without undue delay where the incident is likely to result in a high risk to their rights, as GDPR Art. 34 requires. The notice will describe the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures we have taken or propose to take. The same posture is applied for KVKK-covered users, with notification to the Kişisel Verileri Koruma Kurumu within the seventy-two-hour KVKK window.

This page is updated when our practices change. Material changes are flagged at the top of the page, and signed-in users receive a notice through the address attached to their account. The effective date above always reflects the current version, and previous versions remain available on request.

Contact

duudey.com is operated as a sole proprietorship (Şahıs Şirketi) in Istanbul, Türkiye. For any legal, takedown, privacy, or data-related inquiry, write to the platform administrator at [email protected] with the subject prefix Privacy:. The contact page explains how the inbox is sorted.