Privacy Policy.

We collect your name, email, and the content of your task brief so we can deliver it. Source files are encrypted at rest, accessible only to the operators assigned to your task, and deleted 14 days after delivery.

We don't sell your data. We don't use your content to train AI models. We don't share anything with third parties beyond the tools required to do the work, and those are governed by their own agreements with us.

Done Overnight is the data controller for the personal data it processes. Contact: ask@doneovernight.com

From you, when you submit a task:

• Name and email address
• Task description and any context you provide
• Files you upload (documents, images, data, etc.)
• Company name (if you provide it)

Automatically:

• Basic analytics: page views, approximate location (country-level), device type. We use a privacy-respecting analytics tool that doesn't set cookies or track across sites.
• IP address (retained for 30 days for security and fraud prevention)

We do not collect: social security numbers, financial account numbers, government ID numbers, or any other sensitive identifiers unless you specifically include them in a task (in which case we recommend you don't — see "Sensitive data" below).

Your data is used strictly for:

• Delivering your task. Reading your brief, executing the work, sending the output.
• Communicating with you. Quote emails, delivery notifications, billing.
• Improving reliability. Anonymized patterns (e.g., "most common task types") help us improve. Individual client content is never used for analytics beyond the scope of the task itself.
• Legal and financial records. Invoices and task metadata are retained for 7 years to comply with tax law.

We never use your content to train AI models, populate marketing materials, or appear in case studies without your explicit written consent.

We process personal data on the following legal bases under the GDPR:

• Contract performance: When processing is necessary to deliver the service you requested
• Legitimate interests: For security, fraud prevention, and basic service analytics (with your interests balanced against ours)
• Legal obligation: For tax, accounting, and other statutory requirements
• Consent: For optional marketing communications (you can withdraw anytime)

Internal: Only senior operators assigned to your task can access your files. Access is revoked automatically once the task is closed.

Subprocessors: We use trusted third-party tools to do our work. Each has its own data processing agreement with us:

• Hosting: Vercel (US/EU)
• Email: Google Workspace (EU data residency)
• AI tools: Anthropic, OpenAI (both offer zero-retention enterprise API access, which we use)
• File storage: Google Drive (EU)
• Analytics: Plausible (EU, GDPR-compliant, cookieless)
• Payments: Stripe

We never send your content to subprocessors that train on inputs. All AI API calls go to zero-retention enterprise endpoints.

Source files: Encrypted at rest. Access-controlled to the assigned task operators only. Deleted 14 days after delivery.

Delivered outputs: Archived in your client portal for 12 months so you can retrieve them later. After 12 months, archived deliverables are deleted unless you request extended retention.

Task metadata (title, dates, quote amounts): Retained for 7 years for legal/tax compliance.

NDA: Available on request. Signed before any work if you ask for one.

You have the right to:

• Access — request a copy of the personal data we hold about you
• Rectify — correct inaccurate data
• Erase — request deletion of your data (exceptions apply for legal records)
• Restrict — limit how we process your data
• Port — receive your data in a portable format
• Object — object to processing based on legitimate interests
• Withdraw consent — where processing is based on consent

To exercise any of these, email ask@doneovernight.com. We respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority.

We recommend that you don't send sensitive personal data (health records, financial account numbers, government IDs, biometric data) as part of a task unless it's strictly necessary and we've signed an NDA in advance.

If your task unavoidably involves sensitive data, let us know — we can set up additional access controls and a specific data-handling agreement.

Most of our infrastructure is EU-based. Where data is transferred outside the EEA (e.g., to a US-based subprocessor), we rely on Standard Contractual Clauses and ensure adequate protections are in place.

The main website does not use tracking cookies. Our analytics tool (Plausible) is cookieless.

The client portal uses sessionStorage to keep you logged in during your session. It's cleared when you close the browser or log out. No persistent cookies, no cross-site tracking.

We maintain commercially reasonable security measures including:

• Encryption in transit (TLS 1.3) and at rest
• Access controls scoped per-task
• Two-factor authentication on all internal accounts
• Regular software updates and dependency audits
• Incident response process for any data breach (we'd notify you within 72 hours)

No system is 100% secure. If you become aware of a security issue, email ask@doneovernight.com — we take security reports seriously.

Our service is not intended for anyone under 18. We do not knowingly collect data from minors.

We'll update this policy if our practices change. Material changes will be communicated by email to active clients at least 14 days before taking effect.

Privacy questions or requests: ask@doneovernight.com