Privacy Policy

This Privacy Policy describes how DONE. Global B.V. (“DONE”, “we”, “us”) collects, uses, and protects personal data when you use DONE Touring — the web dashboard at advance.itsdone.global and the iOS mobile app DONE Touring(together, the “Service”).

DONE Touring is a business-to-business tool used by music industry professionals to advance, coordinate, and travel for live shows. The Service is not directed at the general public and is not intended for children under 17.

1. Who is the data controller

The data controller for the Service is:

DONE. Global B.V.
Jan van Riebeekstraat 15-1
1057 ZW Amsterdam
The Netherlands
KvK: 99452774
Email: info@itsdone.global

1a. Customer organisations and individual users

DONE Touring is contracted by customer organisations (for example, management companies, production teams, artist services) under a separate commercial agreement. For tour and itinerary content stored in their workspace, the customer organisation generally acts as the data controller and DONE acts as the processor on their instructions under our Data Processing Agreement.

Where we collect personal data about you as an individual user — your email address, name, role, login history, device push token, crash reports tied to you — DONE acts as the controller, and this Privacy Policy describes those processing activities.

Where workspace content includes personal data of others (for example, the names and phone numbers of venue or tour contacts that a user adds to an itinerary), the customer organisation is the controller and their own privacy notice governs that processing. We process such data only under the customer’s instructions.

2. Data we collect

We collect only the data we need to operate the Service. Specifically:

• Account data— your email address, name, organisation, and role (admin, tour manager, manager, or crew). Created on the dashboard by a workspace admin; you do not create accounts yourself in the mobile app.
• Tour and itinerary data— artist names, show dates, venues, ground transport, flight numbers, hotels, schedules, and any notes you or your team enter. This is the operating core of the Service.
• Email auto-extraction (advancing tier only)— if your workspace uses the advancing tier, you may forward show-related emails to a dedicated inbox we operate. We pass the email body to a third-party large language model (LLM) provider to extract structured advance details. We have selected LLM providers that contractually agree not to use customer inputs to train or improve their general-purpose models. Inputs may be retained by the provider for a short period (typically up to 30 days) for abuse monitoring and operational reliability, after which they are deleted. We do not use Customer Content to fine-tune our own models. The use of AI for this extraction is disclosed here in line with our transparency obligations under the EU AI Act. The output is reviewed and corrected by you or your team before it is acted upon — we do not make automated decisions about you within the meaning of GDPR Article 22. Forwarded emails may contain personal data of third parties (for example, venue contacts, drivers, hotel staff). The workspace and the user forwarding the email are responsible for ensuring they have a lawful basis to share that data with us. We process this data only to provide the Service to the customer.
• Live flight data— when a flight is added to an itinerary we query a third-party flight data provider by flight number and date to fetch the current status (scheduled, delayed, departed, landed, gate, terminal). We do not transmit personal data to that provider.
• Push tokens— when you install the mobile app we store an Apple Push Notification service (APNs) token so we can deliver alerts and update Live Activities on your lock screen.
• Approximate location (mobile, optional)— the mobile app does not request your location by default. If a future release prompts you for location access, it will be used only to centre maps on your position or surface nearby venues, and you can deny or revoke the permission at any time in iOS Settings.
• Diagnostic data— we record crash reports and error logs through a third-party error monitoring service. These contain a device model, OS version, app version, stack trace, and a pseudonymous user identifier. They do not include itinerary content.
• Session and request logs— standard web server logs (IP address, user agent, timestamp, path) retained for security and abuse-prevention purposes.

We do not collect health data, financial account numbers, government identifiers, contacts, photos from your camera roll, microphone audio, or precise background location.

3. Why we collect it (legal bases)

• Performance of a contract— to provide the Service to your organisation under our customer agreement.
• Legitimate interests— to keep the Service secure, prevent abuse, monitor stability (crash reports), and improve features.
• Consent— for optional features that prompt for permission, such as push notifications and (if introduced) device location.

4. How long we keep it

• Account and tour data— for as long as your workspace is active. Deleted within 30 days of a deletion request or workspace closure.
• Forwarded emails (advancing tier)— retained with your tour data; same lifecycle as above.
• Crash reports— up to 90 days, then deleted.
• Server logs— up to 30 days.
• Push tokens— deleted when you sign out, uninstall the app, or the token expires.

5. Categories of recipients

We share personal data with the following categories of service providers, each bound by a data processing agreement and processing data only on our instructions:

• Cloud hosting and infrastructure — Web hosting, edge caching, database, file storage
• Authentication providers — Sign-in and session management
• Push notification gateways — Apple Push Notification service for lock-screen alerts and Live Activities
• Mapping providers — Map tile rendering in the mobile app
• Flight data providers — Live flight status by flight number — no personal data transmitted
• Error monitoring — Crash reports and stability metrics
• AI/LLM providers — Extracting structured advance details from forwarded emails (advancing tier only)

A list of our current named sub-processors is available on request — contact info@itsdone.global.

6. International transfers

Some service providers are located outside the European Economic Area, including in the United States. Where personal data is transferred outside the EEA, we rely on (i) the European Commission’s Standard Contractual Clauses, supplemented where appropriate by a transfer impact assessment in line with the Court of Justice of the European Union’s Schrems IIjudgment, and (ii) the EU–US Data Privacy Framework where the recipient is certified under it. You can obtain a copy of the safeguards in place for a specific transfer by contacting info@itsdone.global.

7. Your rights and how to exercise them

Under the GDPR and the Dutch Implementing Act (UAVG) you have the right to:

• Access the personal data we hold about you (Art. 15)
• Correct inaccurate or incomplete data (Art. 16)
• Delete your data — the right to erasure (Art. 17)
• Restrict or object to certain processing (Art. 18, 21)
• Receive your data in a portable, machine-readable format (Art. 20)
• Withdraw consent at any time for consent-based processing, without affecting prior lawful processing (Art. 7(3))
• Lodge a complaint with a supervisory authority (Art. 77)

How to request deletion or other rights. Although your account is provisioned by your workspace administrator, you can exercise your rights directly by emailing info@itsdone.global from the email address associated with your account. We will:

• Verify your identity before acting on the request;
• Action the request within 30 days, or notify you within that period of an extension of up to 60 additional days for complex requests (GDPR Art. 12(3));
• Delete your personal data and any data you cannot continue to access without an account (login records, push tokens, crash reports tied to you);
• Inform your workspace administrator that an individual deletion request has been honoured, since they hold the workspace contract and may need to re-provision access if you continue to work with their organisation;
• Retain the minimum data needed to comply with our own legal obligations (for example, financial records on paid workspaces) until those obligations expire.

If you are an employee of a workspace and your account was provisioned for work purposes, you may also ask your administrator to delete your account on your behalf — they can do this at any time from the dashboard.

You have the right to lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens, or with the supervisory authority in your EU member state of residence or place of the alleged infringement.

8. Security

All traffic to the Service is encrypted in transit (TLS 1.2+). Data at rest in our primary database is encrypted by the database provider. We enforce role-based access at the row level. Only employees and contractors who require access for support or operations can reach customer data, and access is logged.

8a. Cookies and similar technologies

The web dashboard at advance.itsdone.global uses strictly necessary cookies and browser storage to keep you signed in, maintain your session, and remember interface preferences (for example, theme). These are required for the Service to function and, under the Dutch Telecommunicatiewet (Article 11.7a) and the EU ePrivacy Directive, do not require your consent.

We do not use third-party advertising cookies, cross-site tracking, or behavioural advertising. If we introduce analytics or other non-essential cookies in the future, we will request your consent through a cookie banner and update this policy before doing so.

9. Children

The Service is not directed at children under 17 and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, contact info@itsdone.global and we will delete it.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we update the effective date at the top of this page. For material changes we will also notify active users by email or via an in-app notice.

11. Contact

Questions about this policy or how we handle your data: info@itsdone.global