Legal

Privacy Policy.

How we collect, use, and protect your data across the DONEOVERNIGHT website, journey, Builder platform, Viewer Builds, emails, and client work.

Last updated · June 2026 · Version 1.3

TL;DR

We collect the information needed to run DONEOVERNIGHT: task requests, journey progress, Builder IDs, Viewer Build ideas, resource/product interest, email delivery events, and basic platform analytics.

We do not sell your personal data. We do not use client content to train AI models. We use trusted infrastructure such as Vercel, Supabase, email/webhook tools, and analytics tools to operate the platform.

01 · Data Controller

Done Overnight is the data controller for the personal data it processes. Contact: ask@doneovernight.com

02 · What we collect

From you, when you submit a task, join the journey, or interact with the platform:

  • Name, email address, optional social handle, and company/project context if you provide it
  • Task descriptions, Viewer Build ideas, resource/product interest, and any files or links you submit
  • How It Works journey answers, selected language, interests, chosen path, automation focus, and completion progress
  • Journey IDs, Builder IDs, Builder Profiles, Builder Cards, and wallet pass preparation data
  • Files you upload (documents, images, data, etc.)

Automatically:

  • Page events, journey progress, button interactions, share/follow events, resource interest, product interest, and email delivery events
  • Language preference, browser language, lightweight content language detection, device/browser information, referrer and UTM/source information when available
  • Basic analytics through tools such as Plausible, Vercel Analytics, and Vercel Speed Insights
  • IP address and request metadata for security, abuse prevention, and operational reliability

We do not collect: social security numbers, financial account numbers, government ID numbers, or any other sensitive identifiers unless you specifically include them in a task (in which case we recommend you don't — see "Sensitive data" below).

03 · How we use it

Your data is used strictly for:

  • Delivering your task. Reading your brief, executing the work, sending the output.
  • Running the platform. Remembering journey progress, issuing Builder identities, preparing wallet passes, showing live status, and keeping Builder Home useful.
  • Communicating with you. Quote emails, delivery notifications, billing.
  • Improving reliability. Operational analytics help us understand where the platform is useful, where people stop, and which resources/products people care about.
  • Legal and financial records. Invoices and task metadata are retained for 7 years to comply with tax law.

We never use your content to train AI models, populate marketing materials, or appear in case studies without your explicit written consent.

04 · Legal basis (GDPR)

We process personal data on the following legal bases under the GDPR:

  • Contract performance: When processing is necessary to deliver the service you requested
  • Legitimate interests: For security, fraud prevention, and basic service analytics (with your interests balanced against ours)
  • Legal obligation: For tax, accounting, and other statutory requirements
  • Consent: For optional marketing communications (you can withdraw anytime)
05 · Who has access

Internal: Only senior operators assigned to your task can access your files. Access is revoked automatically once the task is closed.

Subprocessors: We use trusted third-party tools to do our work. Each has its own data processing agreement with us:

  • Hosting and serverless functions: Vercel
  • Database and platform storage: Supabase
  • Email and workflow processing: Outlook/Microsoft 365, n8n, and configured webhook processors
  • Internal operations notifications: Telegram or similar internal alerting tools where configured
  • AI tools: Anthropic, OpenAI, or similar tools where appropriate for execution
  • File storage: Google Drive (EU)
  • Analytics and performance: Plausible, Vercel Analytics, Vercel Speed Insights
  • Payments: Stripe or another configured payment provider when payment flows are active
  • Wallet passes: Apple Wallet and Google Wallet infrastructure when wallet delivery is configured

We do not knowingly send client content to AI tools for model training. Where enterprise or zero-retention settings are available and appropriate, we prefer them.

06 · File confidentiality

Source files: Encrypted at rest where supported by the storage provider. Access is limited to the operators or systems needed to deliver the work.

Delivered outputs: Archived in your client portal for 12 months so you can retrieve them later. After 12 months, archived deliverables are deleted unless you request extended retention.

Platform records: Journey IDs, Builder IDs, resource interest, Viewer Builds, email events, and operational analytics may be retained so the platform can remember progress, prevent duplicate identities, and improve reliability.

Task metadata and financial records: Retained as needed for operations, tax, accounting, and legal requirements.

NDA: Available on request. Signed before any work if you ask for one.

07 · Your rights (GDPR)

You have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectify — correct inaccurate data
  • Erase — request deletion of your data (exceptions apply for legal records)
  • Restrict — limit how we process your data
  • Port — receive your data in a portable format
  • Object — object to processing based on legitimate interests
  • Withdraw consent — where processing is based on consent

To exercise any of these, email ask@doneovernight.com. We respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority.

08 · Sensitive data

We recommend that you don't send sensitive personal data (health records, financial account numbers, government IDs, biometric data) as part of a task unless it's strictly necessary and we've signed an NDA in advance.

If your task unavoidably involves sensitive data, let us know — we can set up additional access controls and a specific data-handling agreement.

09 · International transfers

Most of our infrastructure is EU-based. Where data is transferred outside the EEA (e.g., to a US-based subprocessor), we rely on Standard Contractual Clauses and ensure adequate protections are in place.

10 · Cookies

The public site uses localStorage to remember journey progress, language choice, Builder identity, return-visitor state, and selected preferences. This lets DONEOVERNIGHT feel continuous instead of anonymous.

HQ uses a secure session cookie for private access. Client/admin/workspace areas may use session storage, local storage, or secure tokens to keep the experience usable.

We use analytics tools such as Plausible and Vercel Analytics/Speed Insights to understand platform health. We do not sell this data as personal data.

11 · Public and private areas

Public areas include the website, How It Works, Live, Resources, Products, Journal, Connect, and Founder pages. Private or internal areas include HQ, Admin, client workspaces, operator surfaces, and internal workflow systems.

HQ and Admin process platform intelligence, live status, Builder ecosystem data, client tasks, operators, email flows, and internal operations. Private data should not appear on public pages.

12 · Wallet passes

DONEOVERNIGHT prepares wallet pass records for Founder and Builder identities. Apple Wallet and Google Wallet delivery are future or credential-dependent features unless explicitly marked as available.

Wallet preparation may store a pass type, serial number, Builder Number, Journey ID, pass status, and related identity details. We do not generate fake signed wallet passes.

13 · Security

We maintain commercially reasonable security measures including:

  • Encryption in transit (TLS 1.3) and at rest
  • Access controls scoped per-task
  • Two-factor authentication on all internal accounts
  • Regular software updates and dependency audits
  • Incident response process for any data breach (we'd notify you within 72 hours)

No system is 100% secure. If you become aware of a security issue, email ask@doneovernight.com — we take security reports seriously.

14 · Children

Our service is not intended for anyone under 18. We do not knowingly collect data from minors.

15 · Changes

We'll update this policy if our practices change. Material changes will be communicated by email to active clients at least 14 days before taking effect.

Contact

Privacy questions or requests: ask@doneovernight.com