1Who is responsible
For the personal data we collect to run Just Publish — your email, your site metadata, security and abuse signals — Just Done LLC is the controller.
For the content you publish (Your Content), you decide what goes on your site. If you publish other people's personal data through your site, you are the controller of that data and Just Done LLC acts as your processor / hosting provider. You are responsible for having a lawful basis and your own privacy notice for whatever you collect from your visitors.
2What we collect
| Data | When & why |
|---|---|
| Email address | Captured when you deploy a site, sign in, join the Builder waitlist, or optionally when you file an abuse report. Used for account identity, recovery, gated actions, and service messages. Captured unverified at first deploy; verified by code/magic-link only when an action requires it. |
| Site metadata | Site ID, slug, a one-way hash of your edit token (never the token itself), file paths and sizes, timestamps, and connected custom domains. Needed to operate, route, and secure your sites. |
| Your Content | The website files you upload. We store and serve them to operate the Service. We do not use Your Content for advertising or to train models. |
| Hashed IP address | We hash your IP with a rotating daily salt for rate-limiting and abuse detection. We do not store raw IP addresses in our database for this purpose, and the hash is not used to track you across sites. |
| Session cookie | When you sign in, we set one first-party cookie (jh_session, HttpOnly, Secure) to keep you logged in. See Cookies below. |
| Payment data (paid plans) | When paid plans launch, billing is handled by Stripe. Just Done LLC does not receive or store your full card number — Stripe does. We receive limited billing metadata (e.g. plan, status, last four digits, country) to manage your subscription. |
| Visitor & usage data | Standard request data and analytics about how our own pages (not your published sites) are used — see Cookies & analytics. |
3How we use data
- To provide, operate, route, and secure the Service and your sites;
- To authenticate you and enable gated actions (custom domains, recovery, paid features);
- To prevent, detect, and respond to abuse, fraud, security incidents, and policy violations;
- To process payments and manage subscriptions (paid plans);
- To send service and transactional messages, and — if you joined the waitlist — to tell you when a feature opens;
- To understand and improve the Service in aggregate; and
- To comply with law and enforce our Terms.
4Legal bases (EU/UK visitors)
Where the EU or UK GDPR applies, we rely on: performance of a contract (to provide the Service you asked for); legitimate interests (to secure the Service, prevent abuse, and improve our product, balanced against your rights); consent (for non-essential analytics cookies, where required); and legal obligation (to comply with law). You can withdraw consent at any time where processing is based on consent.
5Service providers (sub-processors)
We use a small, stable set of providers to run the Service. These are the same providers Just Done LLC relies on across its products:
| Provider | Role |
|---|---|
| Cloudflare, Inc. | Hosting, storage (R2), database (D1), CDN/edge delivery, TLS for custom domains, DNS, and security (WAF, bot protection). Your sites and our database run on Cloudflare. |
| WorkOS, Inc. | Email sign-in (magic code) and Google sign-in. WorkOS sends verification codes and handles authentication. |
| Stripe, Inc. | Payment processing for paid plans (when launched). Stripe processes card data under its own privacy policy. |
| Google LLC | "Sign in with Google" (via WorkOS) and Google Analytics on our marketing pages. |
We require providers to protect personal data and to use it only to provide their services to us. We will keep a current list of providers available and update it as it changes.
6Cookies & analytics
On our own pages (justpublish.ai) we use:
- One essential session cookie (
jh_session) after you sign in. This is required to keep you logged in; it is not used for advertising. - Google Analytics, which sets cookies and collects usage data (such as pages viewed and approximate location derived from IP) to help us understand how our marketing pages are used.
We do not inject analytics or advertising trackers into the sites you publish — what runs on your site is whatever you put there.
7When we share data
We share personal data only: with the service providers above, to run the Service; when required by law, legal process, or a valid government request; to protect the rights, safety, and security of Just Done LLC, our users, or the public (including abuse and CSAM reporting to NCMEC and law enforcement); and in connection with a merger, acquisition, or sale of assets, in which case we will notify you. We do not sell personal data.
8How long we keep data
We keep personal data only as long as needed for the purposes above:
- Your sites and Your Content: for as long as your site is live. Free sites with no traffic for 30 days are archived; archived content is retained for a limited period and may then be deleted.
- Account email and site metadata: while you use the Service, then deleted or anonymized within a commercially reasonable period after your last site is removed.
- Abuse reports and related records: up to 12 months, to detect repeat abuse and meet legal obligations.
- Hashed IP / rate-limit records: up to 90 days.
- Billing records: as required by tax and accounting law.
9International transfers
Just Done LLC is based in the United States, and our providers process data in the United States and other countries. If you are in the EU, UK, or another region with transfer rules, your data may be transferred to and processed in the United States. Where required, we rely on appropriate safeguards (such as the EU Standard Contractual Clauses) offered by our providers.
10Your rights
Depending on where you live, you may have the right to access, correct, delete, or receive a copy of your personal data, to object to or restrict certain processing, and to withdraw consent. To exercise these rights, email privacy@just-done.ai. We will respond as required by applicable law. You also have the right to complain to your local data-protection authority.
11U.S. state privacy rights
If you are a resident of California, Colorado, Connecticut, Utah, Virginia, Texas, or another U.S. state with a comprehensive privacy law, you may have rights to know, access, correct, delete, and obtain a portable copy of your personal data, and to opt out of "sale" or "sharing" of personal data and certain targeted advertising. We do not sell personal data and do not share it for cross-context behavioral advertising. To exercise your rights, contact privacy@just-done.ai. We will not discriminate against you for exercising them.
12Children
The Service is not directed to children under 13 (or the minimum age in your country), and we do not knowingly collect their personal data. If you believe a child has provided us personal data, contact privacy@just-done.ai and we will delete it.
13Security
We use technical and organizational measures to protect personal data, including encryption in transit (TLS), one-way hashing of edit tokens and IP addresses, and access controls. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. Keep your edit tokens and login credentials confidential.
14Changes
We may update this Privacy Policy. If we make material changes, we will update the "Last updated" date and, where appropriate, provide additional notice. Continued use of the Service after changes take effect means you accept the updated policy.
15Contact
Privacy questions or requests: privacy@just-done.ai.
Just Done LLC · 2810 N Church St STE 88992, Wilmington, DE 19802, United States