DoItFor.LifePrivacy Policy
Effective date: March 18, 2026
1. Introduction
Level Up Basket Corp., a Delaware corporation (“Company,” “we,” “us,” or “our”), operates DoItFor.Life (the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service. By using the Service, you agree to the practices described in this Privacy Policy.
This Privacy Policy applies to all users of the Service, including the web dashboard, AI assistant, messaging channel integrations, and skill marketplace. It should be read together with our Terms of Service.
2. Information We Collect
Information you provide
- Account information: name, email address, and authentication credentials when you create an account (directly or via Google/Apple sign-in).
- Messaging data: messages exchanged with your AI assistant via WhatsApp or Telegram, including commands, queries, and content you ask the assistant to process.
- Connected service data: emails, calendar events, task lists, and financial records that you authorize the assistant to access on your behalf.
- Skill interaction data: data processed by installed skills (both first-party and third-party), including input data, skill outputs, and configuration preferences.
- Payment information: processed securely by Stripe. We do not store your credit card number or full payment details on our servers.
- Onboarding data: business type, preferences, and configuration choices you make during setup.
- Support communications: messages you send to our support team, including any attachments or screenshots.
Information collected automatically
- Usage data: pages visited, features used, AI budget consumption, skill installations, and interaction patterns.
- Device information: browser type, operating system, screen resolution, and device identifiers.
- Log data: IP address, access times, referring URLs, and request metadata.
- Instance telemetry: virtual machine health status, uptime metrics, resource utilization, and error logs (no message content).
- AI model interaction logs: metadata about AI model invocations (model used, response time, token counts), but not the content of prompts or responses.
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:
- Contract performance: processing necessary to provide the Service you have subscribed to, including operating your AI assistant, processing your data through installed skills, and managing your account and billing.
- Legitimate interests: processing necessary for our legitimate business interests, including fraud prevention, security monitoring (Guardian system), service improvement, and protecting our legal rights, where these interests are not overridden by your data protection rights.
- Consent: processing based on your explicit consent, including marketing communications and optional analytics. You may withdraw consent at any time by contacting us at privacy@doitfor.life.
- Legal obligation: processing necessary to comply with applicable laws and regulations, including tax, accounting, and reporting requirements.
4. How We Use Your Information
- Provide, operate, and improve the Service.
- Process AI assistant actions on your behalf (email triage, task management, calendar scheduling, financial monitoring).
- Build and deploy custom skills through the Skill Factory.
- Monitor instance health and security through the Guardian system.
- Process payments and manage subscriptions via Stripe.
- Track AI budget usage for billing purposes.
- Send transactional communications (account confirmations, receipts, security alerts).
- Respond to support requests.
- Detect, prevent, and address technical issues, abuse, or security threats.
- Conduct aggregated analytics to improve the Service (no individual user data is used).
- Comply with legal obligations and enforce our Terms of Service.
5. AI Data Processing
The Service uses third-party AI model providers to process your requests and generate responses. This section describes how your data interacts with AI systems:
What data is sent to AI models
When your assistant processes a request, relevant context may be sent to AI model providers, including: message content, email text, calendar event details, task descriptions, financial summaries, and skill-specific data. Only data necessary for the specific operation is transmitted.
AI model providers
The primary AI model provider is Google Gemini via Google Cloud’s Vertex AI platform. Additional providers (such as OpenAI or Anthropic) may be used for specific system components (e.g., Guardian monitoring). All providers operate under enterprise data processing agreements.
No training use
Google’s Vertex AI does not use customer data to train Google’s AI models. This is a contractual commitment under Google Cloud’s data processing terms. Other AI model providers used by the Service operate under similar enterprise agreements that prohibit using customer data for model training.
Data retention by AI providers
Data sent to AI model providers is processed in real time and is not retained by the providers beyond the duration necessary to complete the request, as governed by their respective data processing agreements. We do not control the internal processing of data by third-party AI providers beyond our contractual agreements with them.
6. Third-Party Skill Data Access
The Service allows you to install skills from a marketplace, including third-party skills developed by independent developers. Installed skills may access data within your assistant’s environment, depending on the permissions you grant.
Data accessible by skills
Depending on the skill’s requirements and your permissions, third-party skills may access: messages, emails, calendar events, task lists, financial records, and files stored within your assistant’s environment.
User control
You control which skills are installed on your assistant. Each skill’s permission requirements are disclosed before installation. You may uninstall skills at any time through your dashboard.
Skill audit process
All skills submitted to the marketplace undergo automated security auditing, including static code analysis and permission scope review. However, the Company cannot guarantee that third-party skills will not access, modify, or transmit data in unexpected ways.
Limitation of responsibility
The Company is not responsible for data handling practices of third-party skill developers. Third-party skills are governed by their own privacy policies (if any). You install third-party skills at your own risk.
7. How We Share Your Information
We do not sell your personal information. We may share data with:
- Google Cloud Platform: hosting, compute (virtual machines for your assistant), storage, and AI-processing infrastructure. Data is processed in accordance with Google’s Cloud Data Processing Addendum.
- Firebase: authentication, analytics, and push notifications.
- Google Gemini (Vertex AI): AI model processing for your assistant’s operations. See Section 5 for details.
- Stripe: payment processing and subscription management.
- Telegram / WhatsApp (Meta): message delivery to and from your AI assistant via their respective APIs.
- Meta (Facebook Pixel): anonymous conversion tracking for advertising optimization. No personal data is shared.
- Google Analytics: anonymous usage analytics.
- Third-party skill developers: only if a third-party skill transmits data to external services as part of its functionality (see Section 6).
- Legal requirements: when required by law, subpoena, court order, or government request.
- Business transfers: in connection with a merger, acquisition, or sale of assets, where your data may be transferred to the acquiring entity.
8. Subprocessor List
The following third-party services process personal data on our behalf as subprocessors:
| Subprocessor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Hosting, compute, storage, infrastructure | United States (us-central1) |
| Google Gemini (Vertex AI) | AI model processing | United States |
| Firebase (Google) | Authentication, analytics | United States |
| Stripe | Payment processing, subscription management | United States |
| Meta (WhatsApp) | Messaging channel delivery | United States / Global |
| Telegram | Messaging channel delivery | Global |
| OpenAI | AI model processing (Guardian system) | United States |
| Anthropic | AI model processing (Guardian fallback) | United States |
We will update this list when we add or change subprocessors. Material changes will be communicated via email to account holders.
9. Data Security Measures
We implement the following security measures to protect your data:
- Encryption at rest: all data stored on Google Cloud is encrypted using Google-managed encryption keys (AES-256).
- Encryption in transit: all data transmitted between your device, our servers, and third-party services is protected by TLS 1.2 or higher.
- VM isolation: each user receives a dedicated, isolated virtual machine. Your data is not shared with or accessible to other users at the infrastructure level.
- Access controls: OS Login with ephemeral SSH keys for virtual machine access. Service accounts with least-privilege IAM roles.
- Multi-factor authentication: MFA support (SMS and TOTP) for user accounts.
- Guardian monitoring: automated health and security monitoring of each virtual machine instance.
- Skill audit pipeline: automated security auditing of marketplace skills before publication.
No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially reasonable means to protect your personal information, we cannot guarantee absolute security.
10. Data Retention
We retain your data for the following periods:
- Account data: retained for as long as your account is active, plus 30 days after account deletion for export purposes.
- AI budget usage logs: retained for 12 months for billing and dispute resolution purposes.
- Guardian security logs: retained for 90 days for security monitoring and incident investigation.
- Virtual machine data: permanently destroyed within 30 days of account deletion.
- Messaging data: retained on your virtual machine for as long as your account is active. Note that messaging platforms (WhatsApp, Telegram) retain message data independently per their own policies.
- Payment records: retained for 7 years as required by tax and accounting regulations.
- Support communications: retained for 3 years after resolution.
- Anonymized analytics: retained indefinitely in aggregated, non-identifiable form.
If you delete your account, we will delete your personal data and terminate your virtual machine within 30 days, except where retention is required by law or for legitimate business purposes (e.g., billing records, legal compliance).
11. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify affected users via email and in-app notification without undue delay, and in any event within 72 hours of becoming aware of the breach (as required by GDPR Article 33).
- Notify relevant supervisory authorities as required by applicable law.
- Comply with state-specific breach notification requirements, including the California Consumer Privacy Act (CCPA) and other applicable state laws.
- Provide details of: the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach.
12. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure: request deletion of your data, including your virtual machine and all stored content.
- Restriction: request that we restrict processing of your data in certain circumstances.
- Data portability: request your data in a structured, commonly used, machine-readable format (export your assistant’s data).
- Objection: object to processing based on legitimate interests.
- Withdraw consent: withdraw consent at any time where processing is based on consent.
- Complaint: lodge a complaint with a supervisory authority in your jurisdiction.
To exercise these rights, contact us at privacy@doitfor.life. We will respond to your request within 30 days (or within the timeframe required by applicable law). We may ask you to verify your identity before processing your request.
13. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know: you may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purposes, and the categories of third parties with whom we share your data.
- Right to delete: you may request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, ongoing transactions).
- Right to correct: you may request correction of inaccurate personal information.
- Right to opt-out of sale or sharing: we do not sell your personal information and do not share it for cross-context behavioral advertising.
- Right to limit use of sensitive personal information: you may request that we limit the use of sensitive personal information to what is necessary to provide the Service.
- Non-discrimination: we will not discriminate against you for exercising any of your CCPA/CPRA rights.
To exercise your California privacy rights, contact us at privacy@doitfor.life or call us at the number listed on our website. We will verify your identity and respond within 45 days.
14. Cookies & Local Storage
We use essential cookies for authentication and session management. We use local storage for app preferences and temporary client-side state. We use the Facebook Pixel and Google Analytics for anonymous conversion tracking and usage analytics. You can manage cookie preferences through your browser settings or our cookie consent banner.
15. Children’s Privacy
The Service is not directed to children under 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected data from a child under 18, we will delete it promptly. If you believe a child under 18 has provided us with personal information, please contact us at privacy@doitfor.life.
16. International Data Transfers
Your data is processed and stored in the United States (Google Cloud us-central1 region). If you are located outside the United States, your data will be transferred to and processed in the United States, which may have different data protection laws than your country of residence.
For transfers of personal data from the EEA, United Kingdom, or Switzerland to the United States, we rely on: (a) the EU-U.S. Data Privacy Framework (and the UK and Swiss extensions thereof), where applicable; and (b) Standard Contractual Clauses (SCCs) approved by the European Commission, where the Data Privacy Framework does not apply. Our subprocessors (see Section 8) maintain their own transfer mechanisms, including participation in the Data Privacy Framework and/or execution of SCCs.
By using the Service, you acknowledge and consent to the transfer, processing, and storage of your data in the United States as described in this Privacy Policy.
17. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by: (a) posting the updated policy on this page; (b) updating the “Effective date” above; and (c) sending an email notification to the address associated with your account for material changes. Continued use of the Service after the effective date of an updated Privacy Policy constitutes acceptance.
18. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact us at:
Privacy inquiries: privacy@doitfor.life
General legal inquiries: legal@doitfor.life
Level Up Basket Corp.
A Delaware Corporation