Privacy Policy

Introduction

DoneTicket (operated by Rowant Labs LLC) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

Information We Collect

Account Information

When you create an account, we collect your email address and any profile information you choose to provide.

Content and Files

We store the Lists you create, including text, photos, and videos you upload. This content is necessary to provide our service.

Shared Links and Guests (Important)

DoneTicket allows Account Holders to share Lists via shared links ("anyone with the link" style access). Shared links should be treated as public links.

If you access a List as a guest/recipient, your name (if provided), uploads, comments, and completion actions are visible to the Account Holder and may be visible to others the Account Holder authorizes. Anyone with the shared link may be able to view shared content, depending on how the Account Holder distributes the link.

Usage Data

We collect limited usage and device/log information needed to operate, secure, and troubleshoot the Service (for example, IP address, device/browser information, and basic event logs related to authentication and performance). We do not currently use third-party product analytics tools.

How We Use Your Information

• To provide, maintain, and improve our service
• To process your transactions and manage your account
• To send you service-related notifications and updates
• To respond to your support requests
• To monitor performance and improve reliability (using limited operational logs)
• We currently send only transactional/service emails (for example: account, security, billing, and operational messages). If we introduce marketing communications in the future, we will update this Policy and provide any choices required by law.

Legal Bases for Processing (EEA/UK/Switzerland)

If you are located in the EEA, UK, or Switzerland, we process personal information under one or more of the following legal bases:

• Contract: to provide the Service you request, including creating accounts, hosting Lists, and enabling collaboration
• Legitimate interests: to secure, maintain, and improve the Service (for example, preventing abuse, debugging, and performance monitoring)
• Legal obligation: to comply with applicable laws, lawful requests, and accounting/tax requirements
• Consent: where required (for example, certain cookies/analytics, if enabled)

Data Storage and Security

Your data is securely stored using Supabase, a trusted cloud infrastructure provider. We implement industry-standard security measures including:

• Encrypted data transmission (TLS/SSL)
• Secure authentication mechanisms
• Regular security audits and updates
• Access controls and monitoring

No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

Third-Party Services

We use the following third-party services:

• Supabase: Database, storage, and authentication
• Stripe: Payment processing (we do not store full payment card details)
• Vercel: Hosting and deployment
• Cloudflare: Security and content delivery (CDN)
• Resend: Email delivery (transactional/service emails)

These services have their own privacy policies governing their use of your information.

How We Share Information

We share information in the following circumstances:

• With the Account Holder and collaborators: Content and activity within a List (including guest uploads, comments, and completion actions) are shared with the Account Holder and may be visible to others the Account Holder authorizes.
• With service providers: We use vendors to help us operate the Service (for example, hosting, storage, email delivery, payments, and security).
• For legal, safety, and security reasons: We may disclose information to comply with law or legal process, enforce our terms, and protect the rights, property, and safety of the Company, users, or the public.
• Business transfers: If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction as permitted by law.

International Data Transfers

We and our service providers may process and store information in the United States and other countries. Where required by law, we may use recognized transfer mechanisms (such as Standard Contractual Clauses) to help protect personal information transferred from the EEA/UK to countries that may not provide the same level of data protection.

Your Privacy Rights (EU/UK and Other Regions)

Depending on where you live, you may have rights to access, correct, delete, or export your personal information, and to object to or restrict certain processing. If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, these rights may include:

• Access: Request a copy of your personal information
• Rectification: Request correction of inaccurate information
• Erasure: Request deletion in certain circumstances
• Data Portability: Receive certain information in a portable format
• Objection: Object to certain processing (for example, based on legitimate interests)
• Restriction: Request restriction of processing in certain circumstances

To exercise rights, contact privacy@doneticket.com. If you are a guest/recipient accessing a List shared by an Account Holder, requests related to List content (uploads, comments, completions) may need to be handled by the Account Holder who controls that List. The Account Holder decides who to share Lists with and how List content is used; we provide the Service to the Account Holder.

Data Retention

We retain personal information for as long as reasonably necessary to provide the Service and for legitimate business purposes (such as security, fraud prevention, dispute resolution, and enforcing our terms), unless a longer retention period is required by law.

If you cancel or downgrade a paid plan, your account may be moved to a free plan with limited features (for example, limits on active Lists). Lists or content that exceed your current plan limits may become inactive/locked until you upgrade again. We may retain inactive Lists and content to support reactivation for a limited period (for example, up to approximately 60 days), if available. We do not guarantee reactivation will be available for any specific duration.

We may permanently delete content after applicable retention periods. Residual copies may persist for a limited time in backups or logs.

Cookies and Tracking

We use essential cookies and similar technologies to operate the Service (for example, to keep you signed in and to protect the Service). We do not use cross-site ad tracking, and we do not sell or share personal information for cross-context behavioral advertising. You can control cookies through your browser settings, but disabling essential cookies may prevent certain features from working.

Children's Privacy / Age

DoneTicket is intended for adults. You must be at least 18 years old (or the age of majority in your jurisdiction, whichever is higher) to create an account. We do not knowingly collect personal information from minors. If you believe a minor has provided personal information, contact us and we will take appropriate steps.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last Updated" date.

Contact Us

If you have questions about this Privacy Policy, please contact us: