Back

Privacy Policy

Effective date: 6 June 2026

This Privacy Policy explains how DayOS collects, uses, and protects your personal data. It applies to all users of the DayOS application and is compliant with the EU GDPR and UK GDPR.

1. Data Controller

The data controller responsible for your personal data is DayOSDiary, a service operated from the United Kingdom.

DayOSDiary
United Kingdom
Email: info@dayosdiary.com

For all privacy-related enquiries or requests, including exercising your rights, please contact us at the address above.

2. What We Collect

We collect the following categories of personal data:

Account data

  • Email address (required to create and access your account)
  • Name or display name (if provided via OAuth sign-in)
  • Authentication tokens and session identifiers

Diary content

  • Text entries, voice transcriptions, and any other content you add to your diary
  • Entry timestamps and associated metadata (date, session duration)
  • Diary books, titles, and lock/unlock status

Usage data

  • Feature usage patterns (e.g. which parts of the app you use)
  • Error logs and crash reports to help us fix bugs
  • Approximate device type and browser/OS version

We do not collect precise geolocation data. We do not collect payment card details directly — these are handled by our payment provider.

3. How We Use Your Data

We use your data only for the following purposes:

  • Providing the Service: storing, organising, and displaying your diary entries to you
  • Authentication: verifying your identity and keeping your account secure
  • AI features: when you use AI-powered features (summaries, insights, morning briefs, search, canvas board analysis), the relevant portion of your diary content is sent to OpenRouter — an AI routing service — which forwards requests to AI language models. For canvas board analysis, a rendered image of your board may also be sent. This content is processed solely to generate your response; we instruct all providers not to retain or use it to train AI models. See Sections 5 and 6 for details.
  • Billing: processing payments for pages and diary books via our payment provider
  • Service improvement: analysing aggregate, anonymised usage patterns to improve features
  • Support: responding to your enquiries and resolving issues
  • Legal compliance: meeting our legal obligations

We do not use your diary content for advertising, nor do we sell your data to any third party.

4. Legal Basis (GDPR)

Under the GDPR we process your data on the following legal bases:

  • Contract performance (Art. 6(1)(b)): processing your account data and diary content is necessary to provide the Service you signed up for
  • Legitimate interests (Art. 6(1)(f)): security monitoring, fraud prevention, and aggregate analytics — balanced against your rights and freedoms
  • Legal obligation (Art. 6(1)(c)): retaining certain records as required by applicable law
  • Consent (Art. 6(1)(a)): for optional analytics cookies, where you have given explicit consent via the cookie banner

5. Data Storage

Your diary data is stored on Supabase servers located within the European Union (EU West region). We have a Data Processing Agreement in place with Supabase.

Encryption at rest: Supabase encrypts all stored data with AES-256. DayOS also applies its own application-layer AES-256-GCM encryption to sensitive user-entered content (diary entry text) before writing it to the database — so your diary text is protected by two independent layers of encryption at rest.

Encryption in transit: All data between your device and our servers is protected by TLS 1.2 or higher.

Backups are retained for up to 30 days.

When AI features are used, the relevant content is decrypted on our server and temporarily transmitted to OpenRouter, which routes requests to AI language models. These models may include both open-weight models (such as Llama and Gemma) and proprietary models (such as Claude by Anthropic and Gemini by Google) depending on availability. We configure all requests with an explicit instruction to OpenRouter not to collect or retain your data (data_collection: deny). OpenRouter and the underlying model providers act as data processors and are contractually prohibited from using your content to train AI models.

For canvas board analysis, a rendered image (JPEG screenshot) of your whiteboard content may be transmitted to a vision-capable AI model via OpenRouter. The same data protection instructions apply.

6. Third Parties

We share data with the following third-party service providers only to the extent necessary to deliver the Service:

  • Supabase — database storage and authentication. EU servers. Privacy policy
  • OpenRouter — AI routing service used for AI features (summaries, insights, morning briefs, diary search, canvas board analysis). Relevant diary content — and for canvas analysis, a rendered image of your board — is sent only when you trigger an AI feature. OpenRouter routes requests to underlying model providers including Meta (Llama), Google (Gemma, Gemini), Anthropic (Claude), and Mistral. Privacy policy
  • Vercel — application hosting and edge delivery. Privacy policy
  • Payment provider — billing and payment processing. Card details are never stored by DayOS.

We do not share your data with advertisers, data brokers, or any other third parties.

7. Data Retention

We retain your personal data for as long as your account is active. Specifically:

  • Diary content: kept until you delete individual entries or delete your account
  • Account data: deleted within 30 days of account deletion
  • Billing records: retained for up to 7 years as required by applicable law
  • Anonymised analytics: may be retained indefinitely as they cannot be linked to you

To delete your account and all associated diary content, email hello@dayosdiary.com with the subject "Delete my account". We will process the deletion within 30 days and confirm by email. Deletion is permanent and cannot be reversed.

8. Your Rights (GDPR)

Under the GDPR you have the following rights regarding your personal data:

  • Access (Art. 15): request a copy of the personal data we hold about you
  • Rectification (Art. 16): ask us to correct inaccurate or incomplete data
  • Erasure (Art. 17): request deletion of your data ("right to be forgotten")
  • Portability (Art. 20): receive your diary data in a machine-readable format
  • Restriction (Art. 18): ask us to restrict processing of your data in certain circumstances
  • Objection (Art. 21): object to processing based on legitimate interests
  • Withdraw consent: withdraw any consent you have given at any time, without affecting prior processing

To exercise any of these rights, contact us at info@dayosdiary.com. We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority. As a UK-based controller, our lead supervisory authority is the Information Commissioner's Office (ICO). EU users may also contact their local Data Protection Authority.

9. Cookies

DayOS uses a minimal number of cookies:

  • Essential / session cookies: required for authentication and keeping you signed in. These cannot be disabled without breaking the Service.
  • Analytics cookies (optional): if you consent via the cookie banner, we set a cookie to help us understand aggregate feature usage. These contain no personally identifying information.

Your cookie preferences are saved locally in your browser. You can change your preferences at any time by clearing your browser cookies or via the cookie settings link in the app footer.

We do not use advertising or tracking cookies.

10. Marketing Communications

We may occasionally send you product updates, feature announcements, or other service-related emails. We will only do so where you have given consent or where we have a legitimate interest under applicable law.

To opt out of marketing emails at any time, email us at hello@dayosdiary.com with the subject line "Unsubscribe". We will remove you from all marketing communications within 5 business days. You can also click the unsubscribe link included in every marketing email we send.

Note: opting out of marketing emails does not affect transactional messages essential to the Service (e.g. sign-in codes, billing receipts, account notices), which we are required to send.

11. Contact & DPO

For all privacy-related questions, data subject requests, or complaints, please contact:

DayOS — Data Privacy
info@dayosdiary.com

We aim to respond to all privacy requests within 5 business days and will always meet the 30-day statutory deadline.

If you are not satisfied with our response, you have the right to complain to a supervisory authority. As a UK-based data controller, our lead authority is:

  • Information Commissioner's Office (ICO)ico.org.uk
  • EU users may also contact their local Data Protection Authority.