Privacy Policy
How Dayopt handles your personal information
Last Updated: 2026-03-23
Introduction
Dayopt (the "Service") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, and protect your personal information.
Information We Collect
- Account Information (email address, name, profile picture)
- Service Usage Data (tasks, calendar, settings)
- Technical Data (IP address, browser information, device information)
- Cookies and similar technologies
How We Use Your Information
- Providing, operating, and improving the Service
- User support and responding to inquiries
- Preventing unauthorized use and maintaining security
- Service analysis and feature improvements
- Sending important notices and service updates
Third-Party Services
We work with the following service providers:
- Supabase (authentication & database)
- Vercel (hosting)
- Sentry (error monitoring)
These providers manage information according to their respective privacy policies.
Data Ownership
You retain full ownership of all data you create, upload, or store through the Service. Dayopt does not claim any intellectual property rights over your data.
- You may export your data at any time through the account settings page. Exports are available in standard formats (JSON, CSV) to ensure portability.
- Upon account deletion or service discontinuation, you will have at least 30 days to export your data before it is permanently removed from our systems.
Sub-Processors
We engage the following sub-processors to assist in providing the Service. Each sub-processor has entered into a Data Processing Agreement (DPA) with us:
- Supabase, Inc. — Authentication and database services. Data location: AWS US-East-1 (N. Virginia, USA)
- Vercel, Inc. — Hosting, serverless functions, edge delivery, and web analytics (Vercel Analytics / Speed Insights). Data location: Global Edge Network
- Functional Software, Inc. (Sentry) — Error monitoring and diagnostics. Data location: United States
- Stripe, Inc. — Payment processing and subscription management. Data location: United States. Stripe is PCI DSS Level 1 certified. We do not store credit card numbers on our servers.
- Anthropic, PBC — AI-powered features (chat, weekly review insights). Data location: United States. Your data is processed under Anthropic's API terms and is not used for model training.
- OpenAI, LLC — AI-powered features (optional, when user provides their own API key). Data location: United States. Data processed via API is not used for model training per OpenAI's API data usage policy.
- Resend, Inc. — Transactional email delivery (account notifications, billing confirmations). Data location: United States
- Upstash, Inc. — Rate limiting and abuse prevention via serverless Redis. Data location: United States. Only IP hashes and request counts are stored temporarily.
- Google LLC — reCAPTCHA v2/v3 for bot protection on forms. Google may collect usage data subject to Google's Privacy Policy.
We will notify you at least 30 days before engaging a new sub-processor or making material changes to existing sub-processor arrangements.
International Data Transfers
Your data may be transferred to and processed in countries other than your country of residence.
- Primary data storage: AWS US-East-1 (N. Virginia, USA) via Supabase. Edge caching and serverless functions are distributed globally via Vercel.
- For transfers from the EU/EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate data protection.
- For transfers from Japan, we comply with the Act on the Protection of Personal Information (APPI) requirements for cross-border data transfers, including obtaining consent and ensuring the recipient country provides an equivalent level of protection.
Legal Basis for Processing
We process your personal data on the following legal bases (as applicable under GDPR and similar regulations):
- Contract Performance — Processing necessary to provide the Service you have signed up for, including account management, task storage, and calendar synchronization
- Consent — Where you have given explicit consent, such as opting in to analytics cookies or marketing communications
- Legitimate Interests — Processing for service improvement, security monitoring, and fraud prevention, where these interests are not overridden by your rights
- Legal Obligation — Where processing is required to comply with applicable laws, regulations, or legal proceedings
Data Processing Details
The following describes how we process each category of personal data:
- Account Data (email, name, avatar) — Processed to create and manage your account, authenticate your identity, and communicate service-related notices
- Usage Data (tasks, plans, calendar entries, settings) — Processed to provide core Service functionality, generate productivity insights, and improve features
- Technical Data (IP address, browser, device information) — Processed for security monitoring, performance optimization, and error diagnostics
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you. AI-powered features (such as weekly review insights) provide suggestions only and do not make decisions on your behalf.
You can export your data in standard formats (JSON, CSV) at any time from your account settings. We support data portability to ensure you can move your data to another service if desired.
AI-Powered Features
The Service includes optional AI-powered features that process your data to provide productivity insights and suggestions:
- When you use AI features, the following data may be sent to our AI providers (Anthropic or OpenAI): task titles and descriptions, time tracking data, energy mapping data, and calendar entries. This data is used solely to generate contextual suggestions and insights.
- Your data is NOT used to train AI models. Both Anthropic and OpenAI process API requests without using the data for model training or improvement, as specified in their respective API data usage policies.
- You may optionally provide your own API key (Bring Your Own Key) for OpenAI or Anthropic. When using your own key, requests are sent directly to the provider under your own API agreement. Your API key is encrypted and stored locally on your device, not on our servers.
- AI-generated content is provided for informational purposes only. We do not guarantee the accuracy, completeness, or reliability of AI outputs. You should review all AI-generated suggestions before acting on them.
- AI features are optional. You can use the Service without enabling any AI functionality. Free tier users are limited to 30 AI interactions per month.
Data Retention
- We retain your data while your account is active
- Data is permanently deleted within 30 days after account deletion, except where retention is required by law
Your Rights
- Right to access your personal information
- Right to correct your personal information
- Right to delete your personal information (right to be forgotten)
- Right to data portability
- Right to object to processing
- Right to lodge a complaint with a supervisory authority (e.g., your local data protection authority under GDPR, or the Personal Information Protection Commission in Japan)
To exercise these rights, please contact us through the settings page or contact form.
Security Measures
We implement industry-standard security measures to protect your personal information from unauthorized access, loss, damage, alteration, and disclosure.
- SSL/TLS encryption for data transmission
- Access control and authentication systems
- Regular security audits
About Cookies
We use cookies to improve user experience.
- Essential Cookies (maintain login state)
- Analytics Cookies (understand usage)
- Preference Cookies (save user settings)
You can disable cookies in your browser settings, but some features may be limited.
For detailed information about our use of cookies, please see our Cookie Policy.
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33
- Inform affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms
- Document all breaches, including the facts, effects, and remedial actions taken
- Take immediate steps to contain and remediate the breach, and implement measures to prevent recurrence
California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know — You have the right to request information about the categories and specific pieces of personal information we have collected about you
- Right to Delete — You have the right to request deletion of your personal information, subject to certain exceptions
- Right to Opt-Out of Sale — We do not sell your personal information to third parties. We do not share your personal information for cross-context behavioral advertising.
- Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA/CPRA rights
- Categories of personal information we collect: identifiers (email, name), commercial information (subscription status), internet activity (usage data, device info), and inferences drawn from the above
To exercise your California privacy rights, contact us at support@dayopt.app or through your account settings.
Children's Privacy
Our Service is not intended for children under 13 years old, and we do not knowingly collect personal information from them.
Policy Changes
This Privacy Policy may be updated due to legal changes or business reviews. We will notify users in advance of any significant changes.
Contact Us
If you have any questions or concerns about privacy, please contact us at:
Email: support@dayopt.app
Website: https://dayopt.app