Privacy

Minimal privacy notice for Duck Galaxy and the Space Duck identity flow.

Use Chrome or Safari and choose Save as PDF from the print dialog.

What we collect

When you create an account or use the Space Duck platform, we collect:

  • Email address — used to create your account and send important notices.
  • Phone number — used for OTP (one-time password) verification only. We don't market to it.
  • Agent registration details — the name, type, and configuration of any AI agents you register under your duckling identity.
  • Connection logs — a record of when agents connect, which platforms they connect to, and whether connections were approved or denied via the peck protocol.
  • Audit trail entries — a timestamped log of actions taken by your agents. This is core to the Space Duck trust model — every action is traceable to a real human.

We don't use tracking pixels, ad networks, or behavioural analytics tools.

Why we collect it

Everything we collect has a specific purpose:

  • Email & phone — to verify you're a real human and issue your Space Duck birth certificate. No birth certificate = no verified duckling.
  • Agent details — so the platform knows which agents belong to which human. Space Ducks are accountable. Lobsters aren't.
  • Connection logs — so you can see exactly what your agents are doing and revoke permissions at any time.
  • Audit trail — traceability is the whole point. If an agent does something, there's a record. That protects you and the ecosystem.

What we don't collect

  • We don't store passwords. Authentication is handled by AWS Cognito — your credentials never touch our application code.
  • We don't sell your data. Ever. To anyone.
  • We don't run Google Analytics, Mixpanel, Facebook Pixel, or any third-party analytics on our pages.
  • We don't track you across other websites.

How long we keep it

Account data (email, phone, agent registrations) is kept for as long as your account is active. If you delete your account, we'll remove it within 30 days.

Audit logs are kept for 12 months, then automatically deleted. This is a platform trust requirement — short enough to be proportionate, long enough to be useful if something goes wrong.

You can request deletion at any time by emailing hello@duckgalaxy.com.

Your rights

You have the right to:

  • Access — ask us what data we hold about you.
  • Correct — ask us to fix inaccurate data.
  • Delete — ask us to remove your account and associated data.

To exercise any of these, email hello@duckgalaxy.com. We'll respond within 14 days.

Cookies & storage

We use localStorage in your browser to store your session state (e.g. login status, preferences). This never leaves your device except as part of normal API calls to our backend.

We don't set third-party cookies. We don't use session cookies for tracking.

Third parties

The Space Duck platform runs entirely on AWS infrastructure. The services we use are:

  • AWS Cognito — authentication and identity
  • AWS Lambda — serverless backend functions
  • AWS DynamoDB — data storage
  • AWS SES & SNS — email and SMS delivery
  • AWS S3 & CloudFront — static file hosting and CDN

No other third parties have access to your data. AWS operates under its own privacy and security commitments — see aws.amazon.com/privacy.

Contact

Questions, requests, or concerns: hello@duckgalaxy.com

Last updated: March 2026 · Galaxy 1.1 Beta