Legal

Privacy Policy

Last updated 16 June 2026 · Effective 16 June 2026

This Privacy Policy explains how Just Done LLC, a Delaware limited liability company, handles personal data in connection with Just Publish (justpublish.ai and the sites we host at {slug}.justpublish.site). Just Done LLC operates more than one product; the way we work with the service providers below is the same across our products, so this policy is written to stay consistent as we unify it.

1Who is responsible

For the personal data we collect to run Just Publish — your email, your site metadata, security and abuse signals — Just Done LLC is the controller.

For the content you publish (Your Content), you decide what goes on your site. If you publish other people's personal data through your site, you are the controller of that data and Just Done LLC acts as your processor / hosting provider. You are responsible for having a lawful basis and your own privacy notice for whatever you collect from your visitors.

2What we collect

DataWhen & why
Email addressCaptured when you deploy a site, sign in, join the Builder waitlist, or optionally when you file an abuse report. Used for account identity, recovery, gated actions, and service messages. Captured unverified at first deploy; verified by code/magic-link only when an action requires it.
Site metadataSite ID, slug, a one-way hash of your edit token (never the token itself), file paths and sizes, timestamps, and connected custom domains. Needed to operate, route, and secure your sites.
Your ContentThe website files you upload. We store and serve them to operate the Service. We do not use Your Content for advertising or to train models.
Hashed IP addressWe hash your IP with a rotating daily salt for rate-limiting and abuse detection. We do not store raw IP addresses in our database for this purpose, and the hash is not used to track you across sites.
Session cookieWhen you sign in, we set one first-party cookie (jh_session, HttpOnly, Secure) to keep you logged in. See Cookies below.
Payment data (paid plans)When paid plans launch, billing is handled by Stripe. Just Done LLC does not receive or store your full card number — Stripe does. We receive limited billing metadata (e.g. plan, status, last four digits, country) to manage your subscription.
Visitor & usage dataStandard request data and analytics about how our own pages (not your published sites) are used — see Cookies & analytics.
We do not sell your personal data, and we do not use Your Content to train AI models.

3How we use data

  • To provide, operate, route, and secure the Service and your sites;
  • To authenticate you and enable gated actions (custom domains, recovery, paid features);
  • To prevent, detect, and respond to abuse, fraud, security incidents, and policy violations;
  • To process payments and manage subscriptions (paid plans);
  • To send service and transactional messages, and — if you joined the waitlist — to tell you when a feature opens;
  • To understand and improve the Service in aggregate; and
  • To comply with law and enforce our Terms.

4Legal bases (EU/UK visitors)

Where the EU or UK GDPR applies, we rely on: performance of a contract (to provide the Service you asked for); legitimate interests (to secure the Service, prevent abuse, and improve our product, balanced against your rights); consent (for non-essential analytics cookies, where required); and legal obligation (to comply with law). You can withdraw consent at any time where processing is based on consent.

5Service providers (sub-processors)

We use a small, stable set of providers to run the Service. These are the same providers Just Done LLC relies on across its products:

ProviderRole
Cloudflare, Inc.Hosting, storage (R2), database (D1), CDN/edge delivery, TLS for custom domains, DNS, and security (WAF, bot protection). Your sites and our database run on Cloudflare.
WorkOS, Inc.Email sign-in (magic code) and Google sign-in. WorkOS sends verification codes and handles authentication.
Stripe, Inc.Payment processing for paid plans (when launched). Stripe processes card data under its own privacy policy.
Google LLC"Sign in with Google" (via WorkOS) and Google Analytics on our marketing pages.

We require providers to protect personal data and to use it only to provide their services to us. We will keep a current list of providers available and update it as it changes.

6Cookies & analytics

On our own pages (justpublish.ai) we use:

  • One essential session cookie (jh_session) after you sign in. This is required to keep you logged in; it is not used for advertising.
  • Google Analytics, which sets cookies and collects usage data (such as pages viewed and approximate location derived from IP) to help us understand how our marketing pages are used.

We do not inject analytics or advertising trackers into the sites you publish — what runs on your site is whatever you put there.

7When we share data

We share personal data only: with the service providers above, to run the Service; when required by law, legal process, or a valid government request; to protect the rights, safety, and security of Just Done LLC, our users, or the public (including abuse and CSAM reporting to NCMEC and law enforcement); and in connection with a merger, acquisition, or sale of assets, in which case we will notify you. We do not sell personal data.

8How long we keep data

We keep personal data only as long as needed for the purposes above:

  • Your sites and Your Content: for as long as your site is live. Free sites with no traffic for 30 days are archived; archived content is retained for a limited period and may then be deleted.
  • Account email and site metadata: while you use the Service, then deleted or anonymized within a commercially reasonable period after your last site is removed.
  • Abuse reports and related records: up to 12 months, to detect repeat abuse and meet legal obligations.
  • Hashed IP / rate-limit records: up to 90 days.
  • Billing records: as required by tax and accounting law.

9International transfers

Just Done LLC is based in the United States, and our providers process data in the United States and other countries. If you are in the EU, UK, or another region with transfer rules, your data may be transferred to and processed in the United States. Where required, we rely on appropriate safeguards (such as the EU Standard Contractual Clauses) offered by our providers.

10Your rights

Depending on where you live, you may have the right to access, correct, delete, or receive a copy of your personal data, to object to or restrict certain processing, and to withdraw consent. To exercise these rights, email privacy@just-done.ai. We will respond as required by applicable law. You also have the right to complain to your local data-protection authority.

11U.S. state privacy rights

If you are a resident of California, Colorado, Connecticut, Utah, Virginia, Texas, or another U.S. state with a comprehensive privacy law, you may have rights to know, access, correct, delete, and obtain a portable copy of your personal data, and to opt out of "sale" or "sharing" of personal data and certain targeted advertising. We do not sell personal data and do not share it for cross-context behavioral advertising. To exercise your rights, contact privacy@just-done.ai. We will not discriminate against you for exercising them.

12Children

The Service is not directed to children under 13 (or the minimum age in your country), and we do not knowingly collect their personal data. If you believe a child has provided us personal data, contact privacy@just-done.ai and we will delete it.

13Security

We use technical and organizational measures to protect personal data, including encryption in transit (TLS), one-way hashing of edit tokens and IP addresses, and access controls. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. Keep your edit tokens and login credentials confidential.

14Changes

We may update this Privacy Policy. If we make material changes, we will update the "Last updated" date and, where appropriate, provide additional notice. Continued use of the Service after changes take effect means you accept the updated policy.

15Contact

Privacy questions or requests: privacy@just-done.ai.

Just Done LLC · 2810 N Church St STE 88992, Wilmington, DE 19802, United States