Privacy Policy

Who we are

Donna is an AI executive assistant product operated by Xceed Growth Philippines. If you have questions about this policy, email us at hello@xceedgrowth.com.

What data we collect

• Account email — used to identify you and log you in.
• Profile details — your name, BNI chapter, and business one-liner that you enter in Settings.
• BNI contact records — the names, companies, professions, and phone numbers of contacts you add or import.
• Message drafts — WhatsApp follow-up drafts that Donna generates at your request. Donna never sends these automatically; you tap "Send" to deliver them.
• AI memory and notes — short facts Donna learns during your conversations (e.g. "Prefers morning meetings") so it can give you better help in future sessions.
• Read-only Google Calendar data — when you connect Google Calendar, Donna fetches your calendar events with the calendar.readonly scope. This lets Donna show today's schedule on your dashboard and send you meeting reminders via push notification. Donna does not create, edit, or delete calendar events.

Google API Services — User Data Policy disclosure

Donna's use of information received from Google APIs — including data obtained via the calendar.readonly scope — adheres to the Google API Services User Data Policy, including the Limited Use requirements.

• Google Calendar data is used only to display your schedule and generate meeting reminders.
• Google Calendar data is not used for advertising or shared with advertisers.
• Google Calendar data is not sold to third parties.
• Google Calendar data is not shared with third parties except as necessary to operate Donna (e.g. our hosting infrastructure), subject to confidentiality obligations.
• Donna does not use Google Calendar data to train AI models beyond what is strictly needed to answer your own queries in your session.

How we store and protect your data

• Per-tenant isolation — every user's data is stored under a unique tenant ID. Queries are always filtered by that ID so your data is never visible to other Donna accounts.
• Envelope encryption — OAuth tokens and other secrets are encrypted with a per-deployment master key before being written to the database. They are never stored in plaintext.
• Hosted on Render — our servers run on Render, a US-based cloud platform with SOC 2 compliance. Data is not transferred outside Render's infrastructure except for outbound API calls you explicitly trigger (e.g. Google Calendar).
• Session cookies — Donna uses a signed, server-side session cookie to keep you logged in. It does not store personal data; it contains only an opaque session identifier.

No selling of data

We do not sell your personal data to anyone, ever.

Data deletion

To request deletion of all your data, email hello@xceedgrowth.com from the address you signed up with. We will process your request within 30 days.

Changes to this policy

We may update this policy when we add new features. Material changes will be communicated via Telegram or email. Continued use of Donna after the effective date constitutes acceptance.

Questions? hello@xceedgrowth.com