Privacy Policy

Last updated: May 1, 2026

This Privacy Policy explains how DoneBox collects, uses, and protects personal data about you as a DoneBox user — your account, billing, and interactions with our service.

1. Scope of this policy — and what it does not cover

This Privacy Policy describes the data Liisberg Consulting ApS processes as a controller: information you give us to register, sign in, pay, and use the DoneBox application; technical data we collect when you visit our websites; and communications you send us.

It does not cover the personal data contained in email messages and metadata of mailboxes you connect to DoneBox. For that, you act as the data controller of your own mailbox, and DoneBox processes that data as your processor on documented instructions. Those terms are set out separately in our Data Processing Addendum (DPA).

2. Controller

The data controller for the data covered by this policy is Liisberg Consulting ApS, registered in Denmark.

Privacy contact: privacy@donebox.eu

3. What data we process about you

• Account information: name, email address, password (hashed), and account preferences;
• Billing data (when paid plans are enabled): billing name, address, VAT number where applicable, and payment-method tokens issued by Stripe — DoneBox does not see or store full card numbers;
• Authentication and security events: sign-in timestamps, IP addresses, browser and device information, two-factor authentication state;
• Usage data on your interactions with the DoneBox application interface — for example, queue navigation, edited suggestions, actions taken, and error reports — used to operate, secure, and improve the service;
• Support communications: the content of any email, message, or form submission you send us, and our replies;
• Cookies: session, CSRF, and remember-me cookies essential to keeping you signed in.

4. Why we process this data

5. Subprocessors for this data

The following subprocessors help us provide the DoneBox application:

• Hetzner Online GmbH (Germany, EU) — hosting of application servers, databases, and stored files;
• Postmark, operated by ActiveCampaign (USA) — delivery of transactional emails such as account confirmations and password resets;
• Stripe Payments Europe Limited (Ireland, EU) — payment processing and subscription management, when paid plans are enabled;
• Plausible Insights OÜ (Estonia, EU) — privacy-friendly, cookieless web analytics on our public marketing pages;
• Rollbar Inc. (USA) — application error and exception tracking; captures stack traces, request metadata, and user identifiers strictly to help us diagnose and fix bugs.

Subprocessors that handle the personal data inside your connected mailboxes are listed separately in our Data Processing Addendum.

6. International transfers

DoneBox is hosted in the European Union (Hetzner, Germany). Some subprocessors, notably Postmark for transactional email delivery, process data in the United States. Where required, we rely on appropriate safeguards such as adequacy decisions, the EU-US Data Privacy Framework, Standard Contractual Clauses, or equivalent legal mechanisms.

7. Retention

• Account data: while your account is active;
• Billing records: as required by tax and accounting law (typically up to five years in Denmark);
• Logs and security events: up to 90 days;
• Backup snapshots: up to 30 days, after which they are automatically overwritten;
• Account deletion: when you delete your account, your account data is removed from the live database immediately. Backup snapshots are overwritten on the schedule above.

8. Security

We use technical and organizational measures designed to protect personal data, including TLS-encrypted connections, encrypted-at-rest storage of sensitive credentials using Rails encrypted attributes, access controls, audit logging, and secure hosting. No system is perfectly secure, but we work to protect data against unauthorized access, loss, misuse, or disclosure.

9. Your rights

For the data covered by this policy, you may have rights to:

• access your personal data;
• correct inaccurate data;
• delete your data;
• restrict processing;
• object to processing;
• receive your data in portable format;
• withdraw consent, where processing is based on consent;
• complain to your local data protection authority. In Denmark this is Datatilsynet (datatilsynet.dk).

To exercise these rights, contact us at privacy@donebox.eu.

Rights requests concerning the personal data inside your connected mailboxes — for example, requests from senders or recipients of emails you have processed through DoneBox — are addressed under the Data Processing Addendum and are routed to you as the controller of that data.

10. Cookies and analytics

DoneBox uses essential cookies for sign-in, security, and session management.

For aggregate usage analytics, we use Plausible Analytics, a privacy-friendly, EU-based service operated by Plausible Insights OÜ. Plausible does not use cookies, does not collect personal data, and does not require consent under the GDPR or the ePrivacy Directive. It collects only aggregate, non-identifying information about how our public pages are used (page views, referrers, browser and device categories) so we can understand which parts of our marketing site work. Plausible's data is hosted in the EU.

We do not use any other non-essential analytics or marketing cookies. If that changes, this policy will be updated and, where required, consent will be requested.

11. Children

DoneBox is intended for users aged 16 or older, the default age of consent for data processing under Article 8 of the GDPR.

12. Changes to this policy

We may update this Privacy Policy from time to time. If changes are material, we will take reasonable steps to notify users.

13. Contact

Questions about this Privacy Policy can be sent to privacy@donebox.eu.