Privacy Policy
Effective Date: May 7, 2026
1. Who We Are
DoWithAI (“we,” “us,” or “our”) is operated by Zhang Xun. For the purposes of the General Data Protection Regulation (GDPR) and UK GDPR, we act as the data controller of your personal data. This privacy policy applies to our website at dowithai.it.com and all related services.
2. About This Policy
This policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and what rights you have. We process your data based on one or more of the following legal grounds: your consent, performance of a contract, compliance with a legal obligation, or our legitimate interests (as detailed in Section 4). If you do not agree with this policy, please discontinue use of our service and contact us to exercise your data rights.
3. Data We Collect
3.1 Information You Provide
- Account data: email address and name (optional). Passwords are hashed using bcrypt; we never store plain-text passwords.
- Newsletter data: email address, collected and managed via ConvertKit when you subscribe.
- Payment data: transactions are processed entirely by Stripe. We receive a transaction confirmation and the last four digits of your payment card. We never receive or store your full card number or CVC.
- Correspondence: the content of any messages you send us via email or contact form.
3.2 Information Collected Automatically
- Usage data: pages visited, time on page, scroll depth, click events, referral source.
- Device data: browser type and version, operating system, screen resolution, device category.
- Affiliate click data: when you click an affiliate link via our /go/redirect, we log the destination tool, source page URL, and timestamp. This is pseudonymized: we do not associate click events with your account unless you are logged in.
- Server logs: IP address, request timestamp, HTTP method, status code, and user agent. These are retained for error diagnosis and security.
3.3 Cookies
| Cookie | Purpose | Duration | Category |
|---|---|---|---|
| _ga, _ga_* | Google Analytics | 2 years | Analytics |
| ph_* | PostHog analytics | 1 year | Analytics |
| next-auth.session-token | Session authentication | Session | Strictly necessary |
| NEXT_LOCALE | Language preference | 1 year | Functional |
On your first visit, you will see a cookie consent banner. Analytics cookies are only set after you accept. Strictly necessary cookies (authentication) are always set. You may withdraw consent or manage preferences at any time by clearing your browser cookies and revisiting the banner, or by adjusting your browser settings. We honor Do Not Track (DNT) signals: if your browser sends a DNT:1 header, we disable analytics cookies by default.
4. How We Use Your Data
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Provide and maintain the service | Account data, server logs | Contractual necessity |
| Process purchases | Payment data, account data | Contractual necessity |
| Send newsletter (subscribers only) | Email address | Consent |
| Website analytics | Usage data, device data, IP address | Consent (EU/UK); Legitimate interest (elsewhere) |
| Affiliate tracking & reporting | Affiliate click data, IP address | Legitimate interest |
| Fraud prevention & security | Server logs, IP address, account data | Legitimate interest |
| Comply with legal obligations | Payment data, account data | Legal obligation |
5. Affiliate Programs
DoWithAI participates in affiliate marketing programs. When you click a link to a third-party tool and complete a purchase, we may earn a commission at no extra cost to you.
Our affiliate links route through /go/<slug> redirects. When you click one, we log: the destination tool, the page you came from, your IP address, and a timestamp. This data is used solely for (a) measuring click-through rates, (b) reporting aggregate statistics to affiliate partners, and (c) detecting click fraud. We do not share individual click logs with affiliate partners.
Our rankings reflect independent research and testing. Tools marked as “Sponsored” or “Featured” disclose commercial arrangements. We are not responsible for the privacy practices or content of any third-party tool linked from our platform.
6. Third-Party Services & Data Sharing
We do not sell your personal data. We share data with the following service providers under data processing agreements (DPAs) where required by law:
| Provider | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Vercel | Hosting & CDN | Server logs, IP address | Vercel Privacy |
| Neon | Database hosting | Account data, click logs | Neon Privacy |
| Stripe | Payment processing | Payment details, email | Stripe Privacy |
| Google Analytics | Website analytics | Usage data, device data, IP address | Google Privacy |
| PostHog | Product analytics | Usage data, device data, IP address | PostHog Privacy |
| ConvertKit | Email newsletter | Email address | ConvertKit Privacy |
We may also disclose your data: (a) if required by law, court order, or government regulation; (b) to protect our rights, property, or safety; (c) in connection with a merger, acquisition, or sale of assets — users will be notified beforehand; (d) with your explicit consent.
7. How Long We Keep Your Data
- Account data: retained while your account is active. Deleted within 30 days of account deletion request.
- Newsletter subscriptions: retained until you unsubscribe or withdraw consent.
- Affiliate click logs: retained for 24 months, then permanently deleted.
- Payment records: retained for the period required by applicable tax and accounting laws (typically 7 years).
- Server logs: retained for 90 days for security and debugging purposes.
- Analytics data: retained per the data retention settings of Google Analytics (26 months) and PostHog (as configured in our account).
8. Data Security & Breach Notification
We implement appropriate technical and organizational measures: TLS 1.3 for all data in transit, bcrypt-hashed passwords, encrypted database storage at rest (AES-256), and role-based access controls. Our infrastructure is hosted on Vercel and Neon, both SOC 2 Type II compliant.
In the event of a personal data breach, we will: (a) notify the relevant supervisory authority within 72 hours of becoming aware, where required by GDPR; (b) notify affected users without undue delay if the breach is likely to result in high risk to their rights and freedoms; (c) document the breach, its effects, and remedial actions taken.
9. Your Data Protection Rights
9.1 GDPR & UK GDPR Rights
If you are in the EEA or United Kingdom, you have:
- Right of access (Art. 15): obtain confirmation and a copy of your personal data.
- Right to rectification (Art. 16): correct inaccurate or incomplete data.
- Right to erasure (Art. 17): request deletion where applicable.
- Right to restrict processing (Art. 18): limit how we use your data in certain circumstances.
- Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): object to processing based on legitimate interests, including direct marketing.
- Right to withdraw consent (Art. 7): where processing is based on consent, you may withdraw it at any time.
- Right to lodge a complaint (Art. 77): with your local data protection supervisory authority. Find your EU authority here; UK ICO here.
9.2 CCPA / CPRA Rights (California)
- Right to know: request the categories and specific pieces of personal information collected, and the categories of sources and business purposes.
- Right to delete: request deletion of personal information, subject to legal exceptions.
- Right to correct: correct inaccurate personal information.
- Right to opt out: we do not sell or share personal information as defined by the CCPA/CPRA.
- Right to non-discrimination: we will not discriminate against you for exercising your privacy rights.
To exercise any of these rights, email zhanxun6608@gmail.com. We will respond within 30 calendar days (extendable by a further two months for complex requests, with notice). We may ask you to verify your identity before fulfilling your request. There is no fee unless your request is manifestly unfounded or excessive (Art. 12(5) GDPR).
10. Children's Privacy
Our service is not directed to individuals under 16 (or the applicable age of digital consent in your country — 13 in the United States under COPPA). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us immediately and we will delete it.
11. International Data Transfers
Your data may be transferred to and processed in the United States (where Vercel, Neon, Stripe, PostHog, and ConvertKit are based). For transfers from the EEA/UK to the US, we rely on: (a) the EU-US Data Privacy Framework for providers certified under it (Google, Stripe, PostHog); (b) Standard Contractual Clauses with supplementary measures; or (c) adequacy decisions by the European Commission. Contact us for copies of relevant safeguards.
12. Changes to This Policy
We may update this policy. For material changes, we will provide at least 14 days' notice by posting a prominent notice on our website and, for registered users, via email. The date at the top of this page reflects the most recent revision. Continued use after changes take effect constitutes acceptance. If a change requires fresh consent under applicable law, we will ask for it.
13. Contact Us
For questions about this privacy policy or to exercise your data rights:
- Email (Data Controller): zhanxun6608@gmail.com
- Website: dowithai.it.com
Given the nature and scale of our processing, we are not required to appoint a formal Data Protection Officer under Art. 37 GDPR. The data controller listed above handles all privacy inquiries.