Privacy First

Privacy Policy

Your data belongs to you. We built done. to keep it that way.

Last updated: January 7, 2026

Local-First Storage

Your personal data stays on your device, not our servers.

Anonymized Processing

Only anonymized context is processed—never your personal details.

No Data Monetization

We never sell, share, or monetize your personal information.

Introduction

Good Thinking Labs, LLC ("we," "us," or "done.") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use the done. application and services. Our approach is simple: your personal data stays on your device. We've built done. from the ground up with a local-first architecture specifically to minimize the data we collect and maximize your privacy.

Our Privacy Architecture

done. uses a local-first architecture. This means:

  1. Your data lives on your device. Your emails, contacts, calendar events, messages, and personal information are stored in an encrypted database on your device—not on our servers.
  2. Intelligent processing uses anonymized data. When done. helps complete tasks, only anonymized, context-stripped information is sent for processing. Your actual names, email addresses, and personal details never leave your device.
  3. Minimal cloud storage. We only store what's absolutely necessary in the cloud: your account identity, subscription status, and encrypted sync metadata for multi-device use.

What We Collect

Information You Provide

  • Account Information: Email address and authentication credentials when you create an account.
  • Subscription Information: Billing details processed by our payment provider (we don't store full payment card numbers).
  • Support Communications: Information you provide when contacting customer support.

Information Stored Locally (On Your Device)

The following data is stored only on your device and never transmitted to our servers:

  • Emails, calendar events, and contacts from connected integrations
  • Messages and threads from connected apps (Slack, etc.)
  • Tasks, reminders, and personal notes
  • Your personal knowledge graph and relationship data
  • Integration tokens (encrypted and stored locally)

Anonymized Information for Intelligent Processing

When you use done. to complete tasks, we send anonymized context to our processing services. This means personal identifiers (names, email addresses, phone numbers, addresses) are stripped or replaced with placeholders before any data leaves your device. Our systems see the structure and intent of your request without knowing who you are or who you're communicating with.

Automatic Information

  • Device Information: Device type, operating system version, and app version for troubleshooting and compatibility.
  • Usage Analytics: Anonymized, aggregate usage patterns to improve the service (we use privacy-respecting analytics).
  • Error Logs: Technical error information (without personal data) to identify and fix issues.

How We Use Your Information

We use the limited information we collect to:

  • Provide the Service: Authenticate your account, process subscriptions, and enable multi-device sync.
  • Improve done.: Analyze anonymized, aggregate usage patterns to enhance features and fix bugs.
  • Communicate: Send service-related notices, security alerts, and (with your consent) product updates.
  • Provide Support: Respond to your questions and resolve issues.
  • Legal Compliance: Meet legal obligations and protect our rights.

What We Don't Do

  • We don't sell your data. Ever. Your information is not a product.
  • We don't share your personal data with third parties for their marketing purposes.
  • We don't use your personal data to train models. Our services process anonymized requests and don't retain your information.
  • We don't store your emails, contacts, or messages on our servers.
  • We don't use invasive tracking. Our website analytics are privacy-respecting and cookie-free.

Third-Party Services

We use carefully selected third-party services:

  • Intelligent Processing (Amazon Bedrock): Receives only anonymized, context-stripped data for task completion. No personal identifiers are transmitted.
  • Authentication (AWS Cognito): Securely manages account authentication with industry-standard protocols.
  • Payment Processing: Handles subscription billing securely. We never see or store your full payment details.
  • Analytics (Plausible): Privacy-respecting, cookie-free website analytics that don't track individuals.

Data Security

We implement robust security measures:

  • Encryption at Rest: Your local data is stored in an encrypted database on your device.
  • Encryption in Transit: All communications use TLS 1.2 or higher.
  • End-to-End Encryption: Multi-device sync uses end-to-end encryption—we cannot read your synced data.
  • Secure Authentication: Multi-factor authentication and secure token management.
  • Regular Audits: Our systems follow SOC 2 security principles and we conduct regular security reviews.

Data Retention

  • Local Data: Stored on your device until you delete it or uninstall the app. You have full control.
  • Account Information: Retained while your account is active. Deleted within 30 days of account closure.
  • Anonymized Analytics: Aggregated data may be retained indefinitely for service improvement but contains no personal identifiers.

Your Rights

You have the right to:

  • Access: Request a copy of the limited data we store about you.
  • Correction: Update your account information at any time.
  • Deletion: Delete your account and all associated data from our servers.
  • Portability: Export your locally-stored data from the app.
  • Objection: Opt out of non-essential communications.

Because most of your data is stored locally on your device, you already have direct control over it. You can view, modify, or delete it at any time within the app.

California Privacy Rights

For California residents (CCPA): We do not sell personal information. You have the right to know what personal information we collect, request deletion, and not be discriminated against for exercising your rights.

Children's Privacy

done. is not intended for children under 16. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or in-app notification. Continued use of done. after changes constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us:

Good Thinking Labs, LLC

Email: privacy@done.chat

Privacy shouldn't be complicated.

done. proves that powerful technology can coexist with strong privacy. Your data stays yours.