Privacy Policy

Last updated: July 8, 2026

This Privacy Policy explains how Xaion Labs, LLC collects, uses, discloses, and protects personal information when you visit our website or use DoneDock.

1. Information we collect

  • Account information, such as name, email address, login details, workspace membership, preferences, and support communications.
  • Billing information, such as plan, transaction details, billing contact details, and payment status. Payment card data is handled by Stripe.
  • Connected financial account data, if you choose to connect a bank account through Stripe Financial Connections, such as financial account identifiers, institution information, account metadata, balances where enabled, and transaction history you authorize us to access.
  • Workflow and automation data, such as prompts, instructions, workflow definitions, schedules, task history, generated output, uploaded files, logs, and records you route through DoneDock.
  • Connected account data, such as authorization tokens, identifiers, metadata, messages, files, calendar entries, records, or other content you authorize DoneDock to access from third-party services.
  • Usage and device data, such as IP address, browser type, pages viewed, feature usage, diagnostics, error logs, and approximate location.
  • Cookie and tracking data, as described in our Cookie Declaration.

2. How we use information

We use personal information to:

  • provide, operate, secure, and maintain DoneDock;
  • run automations and integrations you configure;
  • analyze bank transaction history for personal finance features you enable, such as spending insights, recurring charge detection, expense categorization, unusual transaction review, savings opportunities, and financial reminders;
  • process AI requests and generate automation outputs;
  • create and manage accounts, subscriptions, and billing;
  • provide support, troubleshooting, notices, and service updates;
  • monitor performance, prevent fraud, and protect the service;
  • improve workflows, features, usability, and documentation;
  • comply with legal obligations and enforce our terms; and
  • send marketing communications where permitted by law.

3. Connected email account data and Google Workspace API data

Connecting an email account is optional. DoneDock currently supports Gmail and Outlook integrations, and we may add providers such as Apple iCloud Mail and Yahoo Mail over time. Provider availability and supported features may vary. DoneDock accesses connected email data only as permitted by the provider permissions you authorize and only for workflows you enable.

Gmail and Google Workspace API data

If you choose to connect your Gmail account, DoneDock requests the Gmail read-only scope (https://www.googleapis.com/auth/gmail.readonly) and Gmail compose scope (https://www.googleapis.com/auth/gmail.compose). The read-only scope permits DoneDock to read relevant Gmail messages and related metadata, including message headers, bodies, and attachments, for workflows you enable. The compose scope permits DoneDock to manage drafts and send emails. DoneDock will not delete messages, modify labels, or change Gmail settings.

DoneDock uses connected email data only to provide user-facing features you request, including inbox triage, accounts payable tracking, customer service reply assistance, and personal finance automations. These features may identify and summarize actionable items such as bills, invoices, receipts, customer inquiries, and reminders. Gmail compose access is used only when a workflow creates an AI-generated reply or draft that you can view, revise, edit, and send from DoneDock. For Gmail, more limited metadata access is not sufficient because accurate classification, extraction, summaries, and replies may require message body and attachment content, such as vendor, amount, due date, and context. Read-only access alone cannot create drafts or send approved replies.

DoneDock may store OAuth authorization tokens and connected email-derived workflow records, such as extracted fields, summaries, and user-visible automation results, only as necessary to provide the features you configure. Raw connected email content is processed only as needed to provide those features and is not used to create a permanent independent copy of your mailbox. Stored connected email-derived data is retained only for as long as needed to provide the requested features, protect security, or comply with applicable law.

Where necessary to provide a feature you request, connected email data may be processed by contracted service providers, including AI service providers, solely to deliver that feature. We do not sell Google Workspace API data, use it for advertising, transfer it for unrelated purposes, use it to determine credit-worthiness or for lending purposes, or use it to create, train, or improve generalized or shared artificial intelligence or machine learning models.

We do not allow humans to read Google Workspace API data except with your explicit consent for specific data, when necessary for security purposes, when required by law, or when data has been aggregated and anonymized for permitted internal operations.

You can disconnect an email account from the DoneDock Integrations settings. For Gmail, you can also revoke DoneDock's access from your Google Account permissions. These actions stop future access to the disconnected account. To request deletion of stored connected email-derived data, contact info@donedock.com.

DoneDock's use of information received from Google Workspace APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements.

4. Connected bank account data and Stripe Financial Connections

Connecting a bank account is optional. If you choose to connect a bank account, DoneDock uses Stripe Financial Connections to allow you to securely authorize access to selected financial account data. Stripe Financial Connections lets users link external financial accounts and share user-permissioned financial data, such as account metadata, account balances where enabled, ownership details where enabled, and historical transactions.

DoneDock uses connected bank account data only to provide user-facing features you request, including the DoneDock Personal Finances OS. These features may analyze transaction history to help you understand spending patterns, categorize expenses, detect recurring charges and subscriptions, identify upcoming or repeated expenses, spot unusual or duplicate transactions, surface possible refunds or reimbursements, and find opportunities to reduce costs or save money.

DoneDock does not use connected bank account data to determine credit-worthiness, make lending decisions, provide investment advice, sell your financial data, or serve advertising. We do not move money from or to your connected bank account through the Personal Finances OS unless you separately enable a payment feature that clearly asks for your authorization.

We may store Stripe identifiers, financial account metadata, transaction records, extracted fields, summaries, analysis results, and user-visible financial insights as needed to provide the features you enable, maintain security, troubleshoot issues, comply with applicable law, and keep a useful history for your account. We retain connected bank account data only for as long as needed for those purposes or as otherwise required by law.

Where necessary to provide a feature you request, connected bank account data may be processed by contracted service providers, including Stripe and AI service providers, solely to deliver that feature. We use administrative, technical, and organizational safeguards designed to protect connected financial data, including access controls, encryption in transit and at rest where applicable, and limited access based on business need.

You can disconnect a connected bank account from the DoneDock Integrations settings where supported. Disconnecting a bank account stops future access to that account but may not automatically delete previously stored financial insights, transaction-derived records, or records we must retain for security, legal, or business purposes. To request deletion of stored connected bank account-derived data, contact info@donedock.com.

5. AI processing

DoneDock may send prompts, workflow instructions, context, files, connected-account data, connected bank account-derived data, and generated output to third-party AI providers, including OpenAI and Google, as necessary to provide AI features you request. You should not submit information to AI workflows unless you have the right to process it through DoneDock and its service providers. Google Workspace API data is handled only as described in Section 3. Connected bank account data is handled as described in Section 4.

6. How we disclose information

We may disclose information to:

  • service providers and subprocessors listed on our Subprocessors page;
  • third-party services you connect or instruct us to use;
  • payment processors and billing providers;
  • professional advisors, auditors, insurers, and legal counsel;
  • authorities, courts, or parties where required by law; and
  • a successor in connection with a merger, acquisition, financing, restructuring, or sale of assets.

Connected email account data is disclosed only as described in Section 3. Connected bank account data is disclosed only as described in Section 4. Google Workspace API data is subject to the additional restrictions described in Section 3.

7. Legal bases

Where applicable law requires a legal basis for processing, we rely on performance of a contract, legitimate interests, consent, and compliance with legal obligations, depending on the processing activity.

8. Retention

We retain information for as long as needed to provide DoneDock, comply with legal obligations, resolve disputes, enforce agreements, protect security, and maintain business records. Retention periods may vary by data type, plan, account settings, and legal requirements.

9. Your choices and rights

Depending on your location, you may have rights to access, correct, delete, port, restrict, or object to processing of your personal information, or to withdraw consent. You can contact us at info@donedock.com. You can manage cookies through the Cookiebot banner and the Cookie Declaration page.

10. Security

We use administrative, technical, and organizational safeguards designed to protect personal information. We use encryption in transit and at rest to protect connected email account data, Google Workspace API data, connected bank account data, OAuth tokens, and other sensitive records where applicable. No system is completely secure, and you are responsible for securing your credentials, connected accounts, devices, and workflow permissions.

11. Children

DoneDock is not directed to children under 13, and we do not knowingly collect personal information from children under 13.

12. International transfers

We and our service providers may process information in the United States and other countries. Where required, we use appropriate transfer mechanisms for personal information.

13. Contact

Questions or requests may be sent to info@donedock.com.