Privacy Policy
Last updated: 18 April 2026.
This Privacy Policy explains how ClientDone LLC ("ClientDone", "we", "us"), a Wyoming limited liability company, handles personal information. It covers three groups of people:
- Customers: the people or businesses that create an account and use the Service to run their own business.
- Customers' Clients (Clients): the people or businesses our Customers send galleries, contracts, invoices, or other materials to through the Service.
- Visitors: everyone else who visits our website at clientdone.com.
A plain-language summary is in section 1. The legal detail starts in section 2. Read this together with our Terms of Service, Data Processing Agreement, and Cookie Policy.
1. Summary
- We collect only what we need to run the Service: your account details, the content you upload, transactional logs, billing information, and email preferences.
- When you share galleries, contracts, or invoices with your Clients, we process your Clients' personal information on your behalf as a processor. You remain the controller. You decide what to collect from them and how long to keep it.
- We do not sell personal information and do not "share" it for cross-context behavioral advertising as those terms are used under California law. We do not show third-party advertising inside the Service. We do not use your Customer Content to train third-party foundation models.
- Payment card data is handled by Stripe directly through Stripe Connect. We do not receive or store card numbers or card security codes.
- You can export or delete your data at any time from account settings. We respond to GDPR, UK GDPR, CCPA/CPRA, PIPEDA, and other applicable privacy rights requests through our support email.
- Our main infrastructure sub-processors are Supabase (database and auth), Cloudflare R2 (file storage), Resend (email), Stripe (payments and Stripe Connect), and Vercel (hosting). Full list in our DPA.
2. Our role for different kinds of data
Privacy law distinguishes between the "controller" (who decides what data is collected and why) and the "processor" or "service provider" (who handles the data on the controller's instructions). Our role changes depending on whose data it is.
| Category of data | Our role | Who is the controller |
|---|---|---|
| Customer account data (your name, email, billing, login history, support conversations) | Controller / Business | ClientDone |
| Customer Content including data about your Clients (names, emails, addresses, signed contracts, invoices, uploaded deliverables, messages, signature evidence) | Processor / Service Provider on your behalf | You (the Customer) |
| Visitor data on the marketing website (cookies, analytics, contact form) | Controller / Business | ClientDone |
| Payment information processed through Stripe Connect | Stripe is a separate controller for its own fraud, risk, and compliance purposes | Stripe (see Stripe's privacy notice) |
For the processor role, our responsibilities are set out in the Data Processing Agreement. If this Privacy Policy and the DPA conflict on processor duties, the DPA controls.
3. Information we collect
3.1 Information Customers give us
- Account registration: full name, email, password (hashed), optional business name.
- Profile and branding: photo, logo, brand color, business description, website.
- Billing: billing address, Tax ID / EIN (if provided), last four digits of card and card brand. Full card data is held by Stripe, not by us.
- Stripe Connect onboarding: identifiers and verification data you submit to Stripe through our onboarding flow are collected by Stripe directly. We receive the Connected Account ID and status flags only.
- Support: messages you send to us, including attachments you choose to include.
3.2 Information your Clients give you through the Service
When you use the Service to send galleries, contracts, invoices, or other materials, your Clients provide information directly into your account. Typical examples: name, email, phone, address, signature image, signing IP and user-agent, reactions or selections on deliverables, comments, testimonial submissions, and payment events (amount, status, last-four card digits) relayed by Stripe. You decide what fields to collect. We store and process this information on your behalf.
3.3 Information we collect automatically
- Device and connection data: IP address, browser type and version, operating system, referring site, pages viewed.
- Usage logs: actions in the Service (for example a contract viewed or signed, a file uploaded, a gallery opened), used for security, abuse prevention, billing, and Customer-facing analytics.
- Cookies and similar technologies: a small number of first-party cookies needed to keep you signed in and to run the Service safely. We do not use third-party advertising cookies inside the Service. See our Cookie Policy.
3.4 Information from third parties
- If you sign in with Google or another identity provider, we receive the basic profile the provider makes available (name, email, profile image).
- If you connect a third-party integration, we receive the data the integration exposes and only for the scope you authorize.
- Stripe sends us payment events (not full card data) for your account and your Connected Account.
4. How and why we use information
- Provide the Service. Operate the account, store and serve Customer Content, deliver emails, generate PDFs, collect payments through Stripe Connect, and keep records you rely on.
- Secure the Service. Prevent and investigate fraud, abuse, unauthorized access, and violations of our Acceptable Use Policy.
- Support. Respond to your questions and help you troubleshoot.
- Billing. Charge you, issue invoices, calculate platform fees on Stripe Connect payments, and keep accounting records.
- Legal obligations. Comply with tax, accounting, and other legal requirements, and respond to lawful requests from public authorities.
- Improve the Service. Understand how the Service is used and design new features, using aggregated and pseudonymous data where possible.
- Marketing (Customers only, optional). Send product updates, with a clear unsubscribe in every message. We do not send marketing to Clients of Customers.
5. Legal bases (GDPR / UK GDPR)
| Purpose | Legal basis |
|---|---|
| Providing the Service to Customers | Performance of the contract (these Terms) |
| Processing Customers' Clients' data | Customer's legitimate interest and contract with their Client, processed by us under the DPA |
| Billing and tax records | Legal obligation |
| Security, fraud, and abuse prevention | Legitimate interest |
| Product research and improvement | Legitimate interest |
| Marketing to Customers | Consent (withdrawable at any time) |
| Non-essential cookies | Consent |
6. Sharing personal information
We do not sell personal information. We do not "share" it for cross-context behavioral advertising. We do not rent or exchange personal information with data brokers. We share personal information only in the ways described below.
- Sub-processors. We use a short list of vetted sub-processors to run the Service. Each is contractually bound to data protection terms at least as strict as ours. The current list (Supabase, Cloudflare R2, Resend, Stripe, Vercel, and a small number of optional integrations) is in our DPA.
- Your Clients. When you share a gallery, contract, or invoice link with a Client, the Client sees the information you shared. That is the normal operation of the Service.
- Stripe. If you enable payments, Stripe receives information about you, your Connected Account, and payment events to provide payment processing and meet its own legal obligations. Stripe uses the information under its own privacy notice.
- Business transfer. If ClientDone is acquired, merged, or reorganized, personal information may be transferred to the successor entity, bound by terms at least as protective as this Policy.
- Lawful requests. We may disclose personal information to comply with a valid court order, subpoena, or similar lawful request; to protect our rights or the rights and safety of others; or to prevent fraud or abuse. We challenge overbroad requests where we reasonably can.
7. International transfers
ClientDone LLC is based in the United States. Our sub-processors store data in the US, the EU, or both, depending on the user and the feature. When personal information is transferred from the EU, UK, or Switzerland to a country that has not been declared adequate, we rely on the EU Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, and the Swiss FADP addendum, with additional safeguards where needed. Copies are available on request from privacy@clientdone.com.
8. Retention
| Category | Default retention |
|---|---|
| Active account data | For as long as the account is active, plus 30 days after closure for recovery |
| Signed contracts and related audit trail | Seven (7) years from the signing date, to align with common US statutes of limitation for contracts |
| Paid invoices and Stripe Connect payment records | Seven (7) years from issue, to meet tax and accounting requirements |
| Deliverables (images, videos, documents) | As long as the account is active, unless deleted earlier |
| Support conversations | Three (3) years from the last message |
| Server logs (IP, user-agent, action) | Ninety (90) days |
| Marketing data | Until you unsubscribe, then up to 90 days for suppression list |
You can delete most categories at any time from the Service. We may retain copies in secure backups for up to an additional 35 days after deletion. We also retain minimal records where a legal obligation, a legal hold, or our legitimate interest in defending a claim requires it.
9. Your rights
Depending on where you live you may have some or all of the following rights in personal information we hold about you as a controller:
- Access: a copy of your personal information.
- Rectification: correct inaccurate or incomplete data.
- Erasure: delete your personal information (subject to legal exceptions).
- Restriction or objection: pause or stop processing in certain cases.
- Portability: receive your personal information in a common machine-readable format.
- Consent withdrawal: withdraw any consent you gave, without affecting earlier lawful processing.
- Complaint: lodge a complaint with a data protection authority. In the EU, your local supervisory authority. In the UK, the ICO. In California, the CPPA. In Canada, the Office of the Privacy Commissioner.
Where you are a Client of one of our Customers, please contact that Customer first, since they are the controller of your data. We will help, on their instruction, to fulfil your request. If you cannot reach the Customer, you can also contact us at privacy@clientdone.com and we will try to help.
To exercise any right you have with us as controller, email privacy@clientdone.com. We respond within the timelines applicable law requires (typically 30 days under GDPR, 45 days under CCPA, with one extension where allowed). We may need to verify your identity before we act. We do not discriminate against anyone for exercising a privacy right.
10. California-specific notice (CCPA / CPRA)
If you are a California resident, you have the additional rights to:
- Know the categories of personal information we collect, the sources, business purposes, and categories of recipients.
- Access a copy of your personal information.
- Correct inaccurate personal information.
- Request deletion, subject to statutory exceptions.
- Limit the use and disclosure of sensitive personal information.
- Opt out of "sale" or "sharing" of personal information for cross-context behavioral advertising.
- Not be retaliated against for exercising these rights.
In the 12 months before this date, we collected the following CCPA categories: identifiers (name, email, IP); commercial information (subscription and transaction history); internet or network activity information (usage logs); geolocation data (coarse, from IP); professional or employment-related information (your business name); and inferences drawn from the above for product improvement. We do not knowingly collect sensitive personal information as defined by the CPRA beyond what a signer writes into a contract of their own choice.
We do not sell personal information and do not "share" it for cross-context behavioral advertising. To submit a CCPA request, email privacy@clientdone.com or use an authorized agent with written permission.
11. Other US state privacy laws
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and similar states have rights similar to those described in section 9 under their respective state laws. We honor verifiable requests regardless of the law that applies and do not require residents to prove their state of residence beyond a reasonable verification step. For appeals of decisions on a request, reply to our response email and we will re-review.
12. Canada (PIPEDA) and other jurisdictions
Canadian residents may exercise the access and correction rights provided by PIPEDA and the provincial privacy acts. Residents of other jurisdictions may exercise rights available under their own law by contacting us.
13. Children
The Service is not intended for anyone under 18. We do not knowingly collect personal information from children under 18. If you believe we have collected data from a child, email privacy@clientdone.com and we will delete it.
14. Security
We use encryption in transit (HTTPS/TLS) and at rest, access controls and role-based authorization, signed and time-limited URLs for sensitive files, rate limiting on abusable endpoints, audit logging for consequential actions, and regular security reviews. Card data is tokenized by Stripe. No system is perfectly secure. We will notify affected Customers and, where required, the relevant authorities of any personal data breach in line with applicable law (for example, within 72 hours under GDPR, and without unreasonable delay under most US state laws).
15. Changes to this Policy
We may update this Policy from time to time. If a change is material, we will give you at least thirty (30) days' notice by email or in-app notification before it takes effect, and we will update the "last updated" date above. Continued use of the Service after the new effective date means you accept the updated Policy.
16. Contact us
Privacy questions and rights requests: privacy@clientdone.com.
Service operator: ClientDone LLC, a Wyoming limited liability company. Registered office: [Wyoming Registered Office Address]. Mailing address: [Mailing Address]. Entity filing number: [Wyoming Filing ID].