DoneThat

Privacy Policy

How DoneThat handles personal data, AI processing, and your privacy rights.

Last updated: January 23, 2026Contact: [email protected]

Introduction

This Privacy Policy ("Policy") describes how Letss B.V. ("we," "our," or "us") collects, uses, and discloses information when you use our SaaS application ("DoneThat" or the "Service"). DoneThat uses third-party AI technologies to analyze work activity to enhance productivity and visibility.

Data Controller and Data Processor Roles

To ensure clarity regarding your data, we distinguish between two categories of information and our corresponding roles.

A. Recorded Content & Derived Data ("Service Data")

Role: For Service Data, Letss B.V. acts as a Data Processor.

What this is: Your screenshots, activity logs, work summaries, chat history with the agent, goals and todos, and other content you generate or that is captured as part of your use of DoneThat.

Who controls it:

  • Individual Users: If you use DoneThat as an individual, you are the Data Controller. You retain ownership and control over this data.
  • Team/Organization Users: If you use DoneThat as part of a Team subscription, your Organizationis the Data Controller. We process this data solely in accordance with your Organization's instructions and our Data Processing Agreement (DPA).

Privacy inquiries for team members:If you are a team member, please direct privacy questions about your work data to your Organization's administrator.

B. Account & Usage Information

Role:For Account & Usage Information, Letss B.V. acts as the Data Controller.

What this is: Your name, email address, organization name, billing details, and metadata about how you use our website and applications (for example, login times and feature usage statistics).

Why: We control this data to manage your subscription, provide customer support, prevent fraud and abuse, ensure the security of the Service, and improve our product and user experience.

Information DoneThat Collects

Information You Provide

  • Account Information: When you register for DoneThat, we collect information such as your name, email address, organization name, job title or role, billing information, and other profile details you choose to provide (for example, profile pictures or similar identifiers).
  • Recorded Content & Raw Activity Data: Work-related content and signals you or your organization choose to capture through the Service, which may include, for example, screenshots, window titles, activity logs, notes, audio recordings or transcripts, and other work activity information.
  • Derived Data: Summaries, categorizations, tags, analytics, and other insights generated from your use of the Service (for example, time allocation across projects or activities, productivity indicators, or work patterns).
  • User Generated Content: Any activity on the DoneThat platform including, for example, post reactions, comments, goals and todos, manual time entries, working hours or availability information, AI coach or agent interactions, user settings, and other content you voluntarily submit.
  • User Feedback: Information you provide when you contact our support team, participate in research, or respond to surveys and product feedback requests.

Information Collected Automatically

  • Usage Data: Information about how you interact with DoneThat, including, for example, features used, time spent on the Service, actions taken, and general engagement patterns.
  • Device & Technical Information: Information about the devices and software used to access DoneThat, such as IP address, browser type, operating system, device identifiers, and similar technical data.
  • Cookies and Similar Technologies: We use cookies and similar tracking technologies to collect information about your browsing activities, maintain your session and preferences, and help secure and personalize the Service.
  • Analytics Data: We use analytics services (such as Google Analytics) to collect and analyze usage data across our website (donethat.ai), our web application (app.donethat.ai), and our desktop application. This may include information about how you interact with our services, pages visited, time spent on features, and other usage patterns. This data helps us improve our services and understand how users engage with our platform.

How We Use Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Process and complete transactions
  • Send administrative information, including updates about the Service
  • Respond to comments, questions, and customer service requests
  • Analyze usage patterns to enhance user experience
  • Detect, prevent, and address technical issues
  • Comply with legal obligations
  • To create anonymous data for analytics: We may create aggregated, de-identified, or other anonymous data from your personal information. We make personal information into anonymous data by removing information that makes the data personally identifiable to you. We may use this anonymous data and share it with third parties for our lawful business purposes, including to analyze and improve the Service and promote our business.

Third-Party AI Processing

AI Analysis of Recorded Content

DoneThat utilizes third-party AI services to analyze Recorded Content and generate Derived Data (for example, summaries, categorizations, and insights).

Third-Party AI Provider Selection

We select third-party AI providers that maintain appropriate security measures and data handling practices. However, once data is shared with these providers, their processing is also governed by their own privacy policies and terms. Details about our providers can be found on our Subprocessors page.

Data Minimization

We take reasonable steps to ensure that sensitive information is not unnecessarily extracted from Recorded Content. In particular:

  • Raw Recorded Content: Neither we nor our third-party AI providers store raw Recorded Content (such as images or audio) beyond the duration of the analysis without explicit user or customer consent.
  • Derived Data: We store Derived Data (for example, summaries and text logs) in order to provide your history, analytics, and product features, until you delete it or your account is terminated, subject to any legal retention requirements.

Bring Your Own AI (BYO-AI)

If you configure the Service to use your own AI provider credentials ("Bring Your Own Key" or BYO-AI), your Raw Activity Data will be sent directly to and processed by your chosen AI provider and will not be shared with DoneThat's default AI partners.

Data Sharing and Disclosure

We may share information with:

Within Your Organization

Information and analyzed content is shared within your organization according to the permissions and settings configured by your account administrator.

Service Providers

Third-party vendors, consultants, and service providers who require access to perform work on our behalf, including cloud hosting providers, payment processors, and analytics services. A complete list of our subprocessors, including their locations and purposes, is available on our Subprocessors page.

Third-Party AI Partners

The third-party AI services that analyze Recorded Content and other content submitted to the Service.

Third-Party Service Integrations

The following third-party integrations are entirely optional. We do not share data from these integrations with other third parties beyond what is necessary to provide these features.

  • Google OAuth: If you choose to sign in with Google, we receive basic profile information (such as your name and email address) necessary to create and manage your account.
  • Google Calendar: If you choose to connect your Google Calendar account, we access calendar data made available through the Google Calendar API. We use this data to provide context for work analysis and to enable our AI agent to manage calendar events on your behalf.
  • Slack: If you choose to connect your Slack account, we may post messages on your behalf in Slack channels and direct messages that you authorize.

Business Transfers

If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction.

Legal Requirements

If required to do so by law or in response to valid legal process, or if we believe that disclosure is reasonably necessary to protect our rights, property, or safety and that of our users or the public.

Data Security

We implement appropriate technical and organizational measures to protect the information we collect and maintain. However, no security system is impenetrable, and we cannot guarantee the absolute security of our systems.

Data Retention

We retain Account Information and Derived Data for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Raw Recorded Content is typically transient and deleted shortly after processing by our systems and AI providers, unless specific features (for example, "Evidence Retention" or similar functionality) are explicitly enabled by you or your Organization. You may request deletion of your personal information at any time, and we will honor such requests in accordance with applicable law and our contractual obligations.

Data Storage

While our primary database storage is located in the EU, AI processing and authentication services may utilize global infrastructure, including servers in the United States. For more information about our data storage locations and providers, please visit our Subprocessors page.

Your Rights and Choices

We believe in transparency and giving you control over your data. You have the following rights regarding your personal information:

Access and Correction

You can access and update your personal information through your account settings. If you need assistance accessing or correcting your information, please contact our support team.

Data Export

You can request a copy of your personal information in a structured, commonly used, and machine-readable format. We will provide this data within 30 days of your request.

Deletion

You can request the deletion of your personal information. We will honor your request unless we are legally required to retain certain information or need it to protect our legal rights.

Processing Preferences

You can control how we process your data by adjusting your account settings or contacting us. This includes managing your communication preferences and data processing options.

Exercising Your Rights

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days. We may need to verify your identity before processing your request.

International Data Transfers

Your information may be transferred to and processed in countries other than the country in which you reside (for example, to AI providers or infrastructure located in the United States). These countries may have data protection laws that are different from those in your country. For details about where our subprocessors store and process data, please refer to our Subprocessors page.

We have implemented appropriate safeguards to ensure that your information remains protected in accordance with this Privacy Policy when transferred internationally, including, where applicable, the use of the European Commission's Standard Contractual Clauses (SCCs) and reliance on the EU-U.S. Data Privacy Framework or equivalent mechanisms.

Children's Privacy

DoneThat is not intended for use by children under the age of 16, and we do not knowingly collect personal information from children under 16.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. For material changes, we will provide additional notice, such as sending an email to the administrator of your organization's account.

Legal Basis for Processing (For EEA and UK Users)

If you are located in the European Economic Area (EEA) or the United Kingdom, our legal basis for collecting and using personal information will depend on the specific information concerned and the context in which we collect it:

  • Contract: Processing necessary for the performance of our contract with you.
  • Legitimate Interests: Processing based on our legitimate interests, provided those interests are not outweighed by your rights and interests.
  • Consent: Processing based on your consent, which you can withdraw at any time.
  • Legal Obligation: Processing necessary to comply with our legal obligations.

Explore related pages

Privacy

Learn how DoneThat protects your data with privacy controls, secure architecture, local capture options, and AI data handling.

Explore

Subprocessors

Review the DoneThat subprocessors that support hosting, analytics, email, payments, and AI services for the product.

Explore

DPA

Review the DoneThat Data Processing Agreement for GDPR, controller-processor terms, security measures, and subprocessors.

Explore