Privacy Policy
- 01Who we are and how to contact us
- 02What dcoy does and does not do
- 03Information we collect
- 04How we use your information
- 05How we share your information
- 06Data retention
- 07Data security
- 08Your rights and choices
- 09Children's privacy
- 10California residents (CCPA)
- 11European residents (GDPR)
- 12Cookies and tracking technologies
- 13Third-party services
- 14Changes to this policy
- 15Governing law and disputes
This Privacy Policy is issued by dcoy, Inc., a product of TG Studios LLC, a Florida limited liability company with operations in North Carolina. References to "dcoy," "we," "us," or "our" throughout this document refer to dcoy, Inc. and its parent entity TG Studios LLC, collectively.
This policy governs the collection, use, and disclosure of personal information when you use dcoy's website at dcoy.io, the dcoy browser extension, and the dcoy mobile applications (collectively, the "Service").
If you have questions, concerns, or requests regarding this policy or your personal data, contact us at:
dcoy is an anti-surveillance platform that actively corrupts the commercial data profiles that advertising networks, data brokers, and surveillance companies build on you. Understanding what dcoy does and does not do is essential to understanding how your data is handled.
dcoy submits automated opt-out and deletion requests to 250 or more data brokers on your behalf under applicable privacy laws including CCPA and GDPR. It rotates your mobile advertising identifiers, spoofs your browser fingerprint, blocks known tracker SDK domains at the system level, and injects behavioral noise signals to degrade your ad targeting profile. A monthly Profile Blur Score measures and reports the effectiveness of these protections.
dcoy is not a VPN. dcoy does not encrypt your internet connection, route your traffic through external servers, or mask your IP address. Using dcoy does not make your internet connection private in the way a traditional VPN does. If you require connection-level privacy, you should use a VPN in addition to dcoy. An encrypted VPN connection is planned for a future tier of the Service.
dcoy does not guarantee the complete elimination of your surveillance profile. No privacy tool can make that guarantee. The Profile Blur Score measures what is measurable and discloses what is not yet proven.
| Data type | Why we collect it | Required |
|---|---|---|
| Email address | Account creation, subscription management, service communications | Yes |
| Password (hashed) | Account authentication. We store only a bcrypt hash, never the plaintext password. | Yes |
| Payment information | Processed entirely by Stripe. We do not store card numbers, CVV codes, or full payment details on our servers. | Yes, for paid tiers |
| Data type | Why we collect it |
|---|---|
| Subscription tier and status | Determining which features and protections to activate for your account |
| Profile Blur Score components | Calculating and displaying your monthly PBS audit results in your dashboard |
| Tracker block logs | Populating your dashboard's block activity feed and contributing to your PBS |
| Broker opt-out submission records | Tracking which opt-out requests have been submitted and which brokers have complied |
| API authentication tokens | Maintaining your authenticated session securely across devices |
| Basic server logs | Diagnosing errors, preventing abuse, and maintaining service reliability. Logs are retained for 30 days maximum. |
We do not collect your browsing history. We do not read the content of your web traffic. We do not collect your precise GPS location. We do not build advertising profiles on you. We do not use third-party analytics platforms that track individual user behavior across sessions (such as Google Analytics). We do not sell, rent, or trade your personal information.
We use the information we collect for the following purposes only:
- To create and manage your dcoy account and authenticate your identity
- To deliver the protection features included in your subscription tier
- To calculate and display your monthly Profile Blur Score and audit reports
- To process payments and manage your subscription through Stripe
- To send transactional emails directly related to your account, such as payment confirmations, audit reports, and service updates
- To submit opt-out and deletion requests to data brokers on your behalf
- To diagnose technical issues and maintain the reliability of the Service
- To comply with applicable legal obligations
We do not use your personal information for advertising, marketing to third parties, or any purpose beyond delivering the Service described above.
We do not sell your personal data. We do not share your personal data with advertisers, data brokers, or marketing platforms. We share data only in the following limited circumstances:
We share data with a limited number of third-party service providers who help us operate the Service. These providers are contractually prohibited from using your data for any purpose beyond the specific service they provide to us.
| Provider | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing and subscription management | Email address, subscription tier, payment information |
| Render | API server hosting and infrastructure | Encrypted account data stored on their servers |
| Mailchimp | Transactional and product update emails | Email address only |
We may disclose your information if required to do so by law, court order, or valid legal process, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of dcoy, our users, or the public. We will notify affected users of any such disclosure request to the extent permitted by law.
In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred to the acquiring entity. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.
We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:
- Account data (email, hashed password, tier) is retained for the duration of your subscription and for up to 90 days after account deletion to allow for dispute resolution
- Profile Blur Score history and audit records are retained for 24 months to support trend analysis in your dashboard
- Broker opt-out submission records are retained for 36 months to support resubmission and compliance verification
- Server logs are retained for a maximum of 30 days
- Payment records are retained as required by Stripe and applicable financial regulations, typically 7 years
You may request deletion of your account and associated data at any time by emailing hello@dcoy.io. Deletion requests will be processed within 30 days.
We implement reasonable technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Passwords stored using bcrypt hashing with a work factor of 10 rounds
- Authentication via JWT tokens with 30-day expiration
- All API communications served over HTTPS with TLS encryption
- Database access restricted to the API server process only
- Payment processing fully delegated to Stripe, a PCI DSS-compliant processor
No method of transmission over the internet or method of electronic storage is completely secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security. In the event of a data breach that affects your personal information, we will notify you as required by applicable law.
Depending on your location, you may have the following rights regarding your personal information:
- Access. You have the right to request a copy of the personal information we hold about you.
- Correction. You have the right to request correction of inaccurate or incomplete personal information.
- Deletion. You have the right to request deletion of your personal information, subject to certain legal exceptions.
- Portability. You have the right to receive your personal information in a structured, commonly used, machine-readable format.
- Restriction. You have the right to request that we restrict the processing of your personal information in certain circumstances.
- Objection. You have the right to object to processing of your personal information where we rely on legitimate interests as the legal basis.
- Withdraw consent. Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.
To exercise any of these rights, email hello@dcoy.io with the subject line "Privacy Request." We will respond within 30 days. We may need to verify your identity before processing your request.
You also have the right to lodge a complaint with the applicable supervisory authority in your jurisdiction if you believe we have violated your privacy rights.
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16 without verifiable parental consent, we will take steps to delete that information promptly. If you believe we may have collected information from a child under 16, please contact us at hello@dcoy.io.
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with specific rights regarding your personal information.
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA: identifiers (email address), commercial information (subscription history and tier), and internet or other electronic network activity information (service usage logs and PBS component data).
We do not sell or share your personal information as those terms are defined under the CCPA and CPRA. We do not sell personal information to third parties. We do not share personal information with third parties for cross-context behavioral advertising.
California residents have the right to know what personal information we collect, the right to delete personal information, the right to correct inaccurate personal information, the right to opt out of the sale or sharing of personal information (not applicable here as we do not sell or share), and the right to non-discrimination for exercising these rights.
To submit a CCPA request, email hello@dcoy.io with the subject line "CCPA Request." We will respond within 45 days, with one 45-day extension if necessary.
If you are located in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) or equivalent legislation may apply to our processing of your personal information.
| Processing activity | Legal basis |
|---|---|
| Account creation and management | Performance of contract (Article 6(1)(b)) |
| Delivering protection features | Performance of contract (Article 6(1)(b)) |
| Payment processing | Performance of contract (Article 6(1)(b)) |
| Service communications | Legitimate interests (Article 6(1)(f)) |
| Security and fraud prevention | Legitimate interests (Article 6(1)(f)) |
| Legal compliance | Legal obligation (Article 6(1)(c)) |
| Marketing communications (if any) | Consent (Article 6(1)(a)) |
dcoy is operated from the United States. If you are located outside the United States, your information will be transferred to and processed in the United States, which may not provide the same level of data protection as your home country. By using the Service, you acknowledge this transfer. Where required, we implement appropriate safeguards for international transfers in accordance with applicable data protection law.
dcoy does not currently meet the thresholds requiring a formally designated Data Protection Officer under Article 37 of the GDPR. Privacy-related inquiries should be directed to hello@dcoy.io.
dcoy.io uses minimal cookies and local storage technologies. Specifically:
- Authentication tokens. We store your JWT authentication token in localStorage to maintain your logged-in session. This is strictly necessary for the Service to function.
- Session preferences. Basic UI preferences may be stored in localStorage on your device.
We do not use advertising cookies, cross-site tracking cookies, or third-party analytics cookies. We do not use Google Analytics, Facebook Pixel, or similar behavioral tracking tools on dcoy.io.
The dcoy browser extension operates entirely on-device. It does not transmit your browsing activity to dcoy servers. Tracker block counts and fingerprint spoof counts are stored locally and reported in aggregate to your dashboard.
The Service integrates with the following third-party services. Each has its own privacy policy that governs how they handle data:
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will notify you of material changes by posting the updated policy at dcoy.io/privacy with a new effective date, and by sending an email notification to your registered email address at least 14 days before the changes take effect.
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree to the updated policy, you must discontinue use of the Service and may request deletion of your account.
This Privacy Policy is governed by the laws of the State of Florida, without regard to its conflict of law provisions, consistent with the jurisdiction of formation of TG Studios LLC. Any dispute arising from or relating to this Privacy Policy or our privacy practices shall be resolved through binding arbitration in accordance with the American Arbitration Association's Consumer Arbitration Rules, unless you opt out of arbitration by emailing hello@dcoy.io within 30 days of first agreeing to this policy.
Nothing in this section limits your right to lodge a complaint with the applicable data protection authority in your jurisdiction, including the Federal Trade Commission in the United States, the Information Commissioner's Office in the United Kingdom, or the relevant supervisory authority in your EU member state.
If any provision of this Privacy Policy is found to be unenforceable, that provision will be modified to the minimum extent necessary to make it enforceable, and the remaining provisions will continue in full force and effect.