We collect only what we need to build your kit. We don't sell or share it.

Last updated: April 17, 2026

Who we are

PolicyDone is a product of Financial Outsiders LLC, a Delaware limited liability company. You can reach us at rob@policydone.io.

What we collect

Two things:

• Payment information — processed by Stripe, not by us. Stripe shares with us your company name, email, and a transaction reference. We never see your card number.
• Intake information — what you enter in the intake form after purchase: company name, approver and owner names and titles, delivery email, logo (if you upload one), cloud and identity provider, data types you handle, TSC scope, and optional notes.

How we use it

Solely to build, deliver, and support the kit you purchased:

• Tailor your policy documents (names, scope, technology references)
• Send you order confirmation and delivery emails
• Respond to your support or refund requests

We do not use your information for advertising, analytics targeting, or for training external AI models.

Who we share it with

Only service providers strictly required to run the business:

• Stripe — payment processing. Stripe's privacy policy.
• Google Workspace — email delivery and document storage. Google's privacy policy.
• Netlify — website hosting and intake form submissions. Netlify's privacy policy.

We do not sell or rent your information to anyone. We do not share it with advertisers or marketing platforms.

How long we keep it

Intake data and delivery records are retained for three years after delivery, for support and audit purposes. You may request earlier deletion at any time by emailing us; we will comply within 30 days, except where retention is required by law (e.g., tax records).

Your rights

Email rob@policydone.io to:

• Access the information we hold about you
• Correct any inaccurate information
• Request deletion (subject to the retention note above)
• Object to or restrict how we process your information

If you're in the EU or UK, these rights come from the GDPR and UK GDPR. If you're in California, they come from the CCPA/CPRA. They all amount to the same thing in practice: you ask, we respond within 30 days.

Cookies and tracking

The main site uses a single first-party analytics cookie (Plausible) for aggregate visitor counts. No advertising pixels, no cross-site trackers, no session recording.

Data transfers

We are based in the United States. Our service providers (Stripe, Google, Netlify) store data in the United States. If you are located outside the U.S., your information is transferred to the U.S. for processing.

Changes

If we materially change this policy, we will email customers of record before the change takes effect.

Questions? Email rob@policydone.io. This policy is intended to be understandable in plain English. It is not a substitute for legal advice. Specific contractual terms appear in our Terms of Service.