Privacy Policy
Last updated: July 14, 2026
This Privacy Notice for Candy and Potter Media, LLC (doing business as Done By Lunch) (“we,” “us,” or “our”) describes how and why we access, collect, store, use, and/or share (“process”) your personal information when you use our services (“Services”), including when you:
- Visit our website at https://donebylunch.co, or any website of ours that links to this Privacy Notice
- Engage with us in other related ways, including marketing, events, our YT90 Activation Lab, or Growth Lab membership
Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have questions, contact us at support@donebylunch.co.
Summary of Key Points
- What personal information do we process? Depending on how you interact with us — visiting the site, joining Growth Lab, enrolling in YT90 Activation Lab, or contacting us — we may process your name, email, phone number, billing address, and payment details.
- Do we process sensitive personal information? No.
- Do we collect information from third parties? No.
- How do we process your information? To provide and administer our Services, communicate with you, prevent fraud, and comply with law — always with a valid legal reason.
- Who do we share information with? Our service providers — ThriveCart (payments), Kit (email), Circle.so (Growth Lab community), HelloAudio (private podcast feeds), Base44 (the YT90 app), and WaveApps (only if you pay an invoice through it) — and, if it ever comes up, in a business transfer.
- How do we keep it safe? Reasonable technical and organizational safeguards, though no method of transmission is 100% secure.
- What are your rights? Depending on where you’re located (including the EEA, UK, Switzerland, Canada, and many U.S. states), you have rights to access, correct, delete, or port your data, and to object to or restrict certain processing.
- How do you exercise these rights? Email support@donebylunch.co or visit donebylunch.co/contact.
Table of Contents
- What Information Do We Collect?
- How Do We Process Your Information?
- What Legal Bases Do We Rely On to Process Your Information?
- When and With Whom Do We Share Your Personal Information?
- Do We Use Cookies and Other Tracking Technologies?
- How Long Do We Keep Your Information?
- How Do We Keep Your Information Safe?
- Do We Collect Information From Minors?
- What Are Your Privacy Rights?
- Controls for Do-Not-Track Features
- Do United States Residents Have Specific Privacy Rights?
- Do Other Regions Have Specific Privacy Rights?
- Do We Make Updates to This Notice?
- How Can You Contact Us About This Notice?
- How Can You Review, Update, or Delete the Data We Collect From You?
1. What Information Do We Collect?
Personal information you disclose to us
In short: We collect personal information that you provide to us.
We collect personal information you voluntarily give us when you register for the Services (for example, joining Growth Lab or enrolling in YT90 Activation Lab), express interest in our products, participate in activities on the Services, or otherwise contact us.
The personal information we collect may include:
- Names
- Phone numbers
- Email addresses
- Usernames
- Contact preferences
- Billing addresses
- Debit/credit card numbers
Sensitive information. We do not process sensitive information.
Payment data. We collect data necessary to process payment if you make a purchase, such as your payment instrument number and its associated security code. Payment data is handled and stored by ThriveCart for course and membership purchases, and by WaveApps if you pay an invoice through it. You can review their privacy notices at ThriveCart and WaveApps.
If you upload images to the website, be aware that images can carry embedded location data (EXIF GPS), and anyone who downloads an image from the site could extract that data.
All personal information you provide to us must be true, complete, and accurate, and you must notify us of any changes to it.
Information automatically collected
In short: Some information — such as your IP address and browser/device characteristics — is collected automatically when you visit our Services.
This information does not reveal your specific identity but may include your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, and information about how and when you use our Services. We use this primarily to maintain security and for internal analytics.
This includes log and usage data — service-related, diagnostic, and performance information our servers automatically collect, such as timestamps, pages viewed, searches, and device event data (system activity, crash reports, hardware settings).
Google API
Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
2. How Do We Process Your Information?
In short: We process your information to provide, improve, and administer our Services, communicate with you, prevent fraud, and comply with law. We only process your information with a valid legal reason, or with your consent for anything else.
We process personal information to:
- Facilitate account creation and authentication and manage your Growth Lab or Activation Lab account.
- Deliver the Services you’ve requested — course access, community access, coaching calls, etc.
- Respond to inquiries and provide support.
- Send administrative information, such as changes to our terms or policies.
- Fulfill and manage orders, payments, returns, and exchanges.
- Request feedback about your experience with our Services.
- Send marketing and promotional communications, in line with your preferences. You can opt out at any time — see What Are Your Privacy Rights.
- Protect vital interests, such as to prevent harm, where necessary.
3. What Legal Bases Do We Rely On to Process Your Information?
In short: We only process your personal information when we have a valid legal reason to do so — such as your consent, to fulfill a contract, to comply with law, or to pursue our legitimate business interests.
If you are located in the EU or UK, this section applies to you.
The GDPR and UK GDPR require us to explain our legal bases for processing. We rely on:
- Consent — where you’ve given us permission for a specific purpose. You can withdraw consent at any time.
- Performance of a contract — to fulfill our obligations to you, including delivering the Services.
- Legitimate interests — where processing doesn’t outweigh your rights and freedoms, such as to send information about special offers, or to understand how members use our Services so we can improve them.
- Legal obligations — where necessary to comply with law, cooperate with regulators, or defend legal claims.
- Vital interests — where necessary to protect someone’s safety.
If you are located in Canada, this section applies to you.
We process your information with your express or implied consent, which you may withdraw at any time. In limited circumstances permitted by law, we may process without consent — for example, for fraud investigation, in connection with a business transaction, or where required by court order.
4. When and With Whom Do We Share Your Personal Information?
In short: We share information only in the situations and with the service providers described below.
We may need to share your personal information with the following categories of third parties, each under a written agreement:
- ThriveCart — payment processing. Privacy policy
- Kit — email marketing and communications. Privacy policy
- Circle.so — Growth Lab community hosting. Privacy policy
- HelloAudio — hosts our private podcast feeds. Privacy policy
- Base44 — powers the YT90 app. Privacy policy
- WaveApps — processes invoice payments. We only share your information here if you pay an invoice through Wave; it is not used for general accounting or bookkeeping of your data. Privacy policy
We may also share information in the case of a business transfer — a merger, sale of company assets, financing, or acquisition of all or part of our business.
We have not sold or shared personal information with third parties for cross-context behavioral advertising, and we do not intend to.
5. Do We Use Cookies and Other Tracking Technologies?
In short: Yes — to maintain security, remember your preferences, and understand how you use our Services.
We use cookies and similar technologies (like web beacons and pixels) when you interact with our Services. These help us maintain security, prevent crashes, fix bugs, save your preferences, and support basic site functions. Cookies set when you comment or log in generally last one year; login cookies last two days (two weeks if you select “Remember Me”).
If you visit our login page, we set a temporary cookie to check whether your browser accepts cookies — it contains no personal data and is discarded when you close your browser.
Embedded content. Pages on this site may include embedded content (videos, images, articles). Embedded content behaves as if you’d visited the source site directly — that site may collect data about you, use its own cookies, and track your interaction with the embedded content, including if you’re logged into that site.
Google Analytics. We may share information with Google Analytics to track and analyze use of the Services. Opt out at https://tools.google.com/dlpage/gaoptout. See Google’s Privacy & Terms for more.
To the extent these technologies are considered a “sale” or “sharing” under applicable U.S. state laws, you can opt out as described in Do United States Residents Have Specific Privacy Rights.
6. How Long Do We Keep Your Information?
In short: We keep your information only as long as necessary for the purposes in this notice, unless a longer period is required by law.
We retain personal information for as long as you maintain an account or an active membership with us (Growth Lab or Activation Lab), plus any additional period required for tax, accounting, or other legal obligations. When there’s no ongoing legitimate need to process your information, we delete or anonymize it, or — if that isn’t possible (for example, information in backup archives) — we securely isolate it from further processing until deletion is possible.
7. How Do We Keep Your Information Safe?
In short: We use a system of organizational and technical measures designed to protect your information.
We’ve implemented appropriate technical and organizational security measures. However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee that unauthorized third parties will never defeat our security. Transmission of information to and from the Services is at your own risk.
8. Do We Collect Information From Minors?
In short: No — we do not knowingly collect data from or market to children under 18.
We do not knowingly collect, solicit, or sell personal information from anyone under 18 (or the equivalent age of majority in your jurisdiction). By using the Services, you represent that you’re at least 18, or that you’re a parent/guardian consenting on a minor’s behalf. If we learn we’ve collected data from a minor, we’ll deactivate the account and delete the data. Contact support@donebylunch.co if you believe we’ve collected data from a child.
9. What Are Your Privacy Rights?
In short: Depending on where you live — including the EEA, UK, Switzerland, and Canada — you have rights over your personal information, including the right to review, change, or terminate your account at any time.
If you’re in the EEA, UK, Switzerland, or Canada, you may have the right to:
- Access and obtain a copy of your personal information
- Request rectification or erasure
- Restrict processing of your personal information
- Request data portability
- Object to processing, in certain circumstances
- Not be subject to solely automated decision-making that produces legal or similarly significant effects — if this applies, we’ll explain the main factors and offer a simple way to request human review
Make a request via support@donebylunch.co or donebylunch.co/contact. We’ll respond in accordance with applicable law.
EEA/UK residents may lodge a complaint with their Member State data protection authority or the UK ICO.
Switzerland residents may contact the Federal Data Protection and Information Commissioner.
Withdrawing consent: where we rely on your consent, you can withdraw it anytime via the contact details above. This won’t affect the lawfulness of processing before withdrawal.
Opting out of marketing: unsubscribe via the link in our emails, or by contacting us. You’ll still receive non-marketing, service-related messages (e.g., account or purchase confirmations).
Account information: log in to your account settings to update your information, or contact us to terminate your account. We may retain some information after account termination to prevent fraud, troubleshoot, assist investigations, or comply with legal requirements.
10. Controls for Do-Not-Track Features
Most browsers include a Do-Not-Track (“DNT”) feature. Because no uniform standard for recognizing DNT signals has been finalized, we do not currently respond to DNT signals. If a standard is adopted that we must follow, we’ll update this notice.
11. Do United States Residents Have Specific Privacy Rights?
In short: If you’re a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have rights to access, correct, delete, or obtain a copy of your personal information, and to withdraw consent to processing.
Categories of personal information we collect (past 12 months)
| Category | Examples | Collected |
|---|---|---|
| A. Identifiers | Name, address, phone, IP address, email, account name | Yes |
| B. California Customer Records categories | Name, contact info, financial information | Yes |
| C. Protected classifications | Gender, age, race, national origin, etc. | No |
| D. Commercial information | Purchase history, payment info | No |
| E. Biometric information | — | No |
| F. Internet/network activity | Browsing history, interactions with our site | No |
| G. Geolocation data | Device location | No |
| H. Audio/visual information | Recordings from Q&A calls, where you’re aware of the recording | Yes |
| I. Professional/employment information | — | No |
| J. Education information | — | No |
| K. Inferences | — | No |
| L. Sensitive personal information | — | No |
We retain Category A and B information for as long as you have an account with us. Category H information is retained only as part of recorded Q&A calls that you were aware were being recorded.
Your rights
- Right to know whether we’re processing your data
- Right to access your data
- Right to correct inaccuracies
- Right to request deletion
- Right to obtain a copy of data you’ve shared with us
- Right to non-discrimination for exercising these rights
- Right to opt out of targeted advertising, sale, or profiling with legal effects
Depending on your state, you may also have rights to know what categories of third parties we’ve shared data with, and (in some states) which specific third parties.
How to exercise these rights: email support@donebylunch.co or visit donebylunch.co/contact. Under some state laws, you can designate an authorized agent to submit a request on your behalf — we may require proof of that authorization. We’ll verify your identity before acting on a request, and may ask for additional information to do so.
Appeals: if we decline to act on a request, you may appeal by emailing support@donebylunch.co. We’ll respond in writing; if your appeal is denied, you may complain to your state attorney general.
California “Shine the Light” law: California residents can request, once a year and free of charge, the categories of personal information we’ve disclosed to third parties for direct marketing purposes. Submit requests to support@donebylunch.co.
12. Do Other Regions Have Specific Privacy Rights?
In short: You may have additional rights depending on your country of residence.
Australia and New Zealand: We process your information under Australia’s Privacy Act 1988 and New Zealand’s Privacy Act 2020. You have the right to request access to or correction of your personal information at any time (see Section 15). Complaints can be lodged with the Office of the Australian Information Commissioner or the Office of the New Zealand Privacy Commissioner.
Republic of South Africa: You have the right to request access to or correction of your personal information at any time. If unsatisfied with our response, contact The Information Regulator (South Africa) — general enquiries at enquiries@inforegulator.org.za, complaints (POPIA/PAIA Form 5) at PAIAComplaints@inforegulator.org.za or POPIAComplaints@inforegulator.org.za.
13. Do We Make Updates to This Notice?
In short: Yes, as necessary to stay compliant with relevant laws.
We may update this notice from time to time; the “Last updated” date at the top will reflect the most recent revision. If we make material changes, we’ll notify you by posting a prominent notice or sending a direct notification.
14. How Can You Contact Us About This Notice?
Email: support@donebylunch.co
Or by post:
Candy and Potter Media, LLC
12112 N Rancho Vistoso Blvd, Ste 150 #530
Oro Valley, AZ 85755
United States
15. How Can You Review, Update, or Delete the Data We Collect From You?
Based on the applicable laws of your country or U.S. state of residence, you may have the right to request access to the personal information we’ve collected, details on how we’ve processed it, correction of inaccuracies, or deletion. You may also have the right to withdraw consent to our processing, subject to limits under applicable law.
To request to review, update, or delete your personal information, visit donebylunch.co/contact.