Privacy Policy

We collect only what's necessary to provide our service. Here's exactly what we store:

Account Information: Your email address and authentication credentials. This is stored in plaintext so we can send you notifications and help you recover your account.

Journal Entries & Check-in Notes: Your journal vault entries and encrypted check-in notes are encrypted on your device using AES-256-GCM encryption before being transmitted to our servers. We store only ciphertext—we cannot read these entries.

AI-Generated Summaries & Insights: When you use AI features, Daylogue generates summaries, narratives, and pattern insights from your check-ins. These AI-generated outputs are stored separately and are not end-to-end encrypted, as they power features like your daily narrative, weekly insights, and pattern detection. Your raw words remain encrypted; the AI-generated derivatives are kept in a separate layer.

Structured Metrics & Metadata: Mood scores, energy levels, stress ratings, sleep data, tags, timestamps, and device identifiers. This structured data powers your dashboards, trends, and AI features, and is protected by access controls and row-level security but is not end-to-end encrypted.

Encryption Keys: Your encryption keys are generated and stored on your device. We never have access to them.

We use your information to:

• Provide the core journaling and check-in experience
• Generate AI-powered insights and pattern detection
• Send reminders and notifications (with your permission)
• Respond to support requests
• Improve and maintain our services
• Prevent abuse and ensure security

**We never use your data for:** - Advertising or ad targeting - Selling to third parties - Training AI models - Any purpose you haven't consented to

Your privacy is protected by multiple layers of security:

End-to-End Encryption: Your journal vault entries and encrypted check-in notes are encrypted on your device using AES-256-GCM before transmission. The encryption keys are derived from credentials only you possess—we cannot decrypt this content.

Zero-Knowledge Vault: For your journal entries and encrypted notes, our servers store only ciphertext. Even with full database access, these entries remain unreadable to us. AI-generated summaries and structured metrics are stored separately and are accessible server-side to power features like narratives, insights, and pattern detection.

Transmission Security: All data in transit is protected by TLS 1.3 encryption.

Device-Based Key Management: Your encryption keys live on your devices. Cross-device sync requires explicit device approval.

HIPAA-Aligned Safeguards: Our technical security measures follow HIPAA Security Rule principles, including access controls, audit logging, and integrity verification. Note: We are not HIPAA compliant and do not offer Business Associate Agreements.

AI is core to Daylogue's insights. Here's exactly how it works:

How AI Processing Works: 1. When you use AI features, your content is sent to our AI provider (AWS Bedrock) for processing 2. AI generates insights, summaries, and narratives 3. AI-generated summaries are stored server-side to power features like your daily narrative, pattern detection, and insights 4. Your raw journal vault entries and encrypted notes remain end-to-end encrypted

Important Disclosures: - During AI processing, your content briefly exists as readable text at AWS Bedrock - Your content is NOT used to train AI models—AWS Bedrock does not store, log, or train on your data - Anthropic (the AI model provider) never sees your data—Bedrock isolates it within our AWS environment - Voice check-ins use ElevenLabs with PHI mode enabled (zero data retention) - AI-generated summaries are not end-to-end encrypted, as they are needed server-side for features you use

We do not sell your data. Period.

Our Data Trust Promise: - We never sell data to third parties, data brokers, or anyone else - We never share with advertisers or marketing platforms - We never use your data for ad targeting - We never train AI models on your personal entries (AWS Bedrock does not store or train on your data) - Our revenue comes from subscriptions only - You can delete your account and all data anytime

Service Providers: We use trusted providers for hosting (Supabase), AI processing (AWS Bedrock), and essential infrastructure. These providers are bound by strict confidentiality agreements and only process data as necessary to provide their services.

Legal Requirements: We may disclose information if legally required (e.g., court order). Your journal vault entries and encrypted notes are encrypted with keys we do not possess—we can only provide encrypted ciphertext for that content. AI-generated summaries and structured metrics could theoretically be provided if legally compelled.

Business Transfers: In the event of acquisition or merger, your data protections continue. We would notify you of any ownership change.

Never Shared: Your journal content, AI insights, and personal reflections are never shared with advertisers, data brokers, or any third party for their own purposes.

You have complete control over your data:

Export: Download all your data in standard formats anytime from your account settings.

Delete: Permanently delete your account and all associated data. Deletion is processed within 24 hours and cannot be undone.

Access: Request a copy of all data we hold about you.

Correction: Update your account information at any time.

Opt-Out: Unsubscribe from marketing emails anytime. Essential service communications (security alerts, account issues) cannot be opted out of while your account is active.

To exercise these rights, email privacy@daylogue.io or use the in-app settings.

We use minimal, necessary cookies:

Essential Cookies: Keep you logged in and remember your preferences. These cannot be disabled without breaking core functionality.

Analytics: We use privacy-respecting analytics to understand usage patterns. This data is aggregated and cannot identify individual users.

What We Don't Use: - Third-party advertising cookies - Cross-site tracking - Social media tracking pixels - Fingerprinting techniques

You can control cookies through your browser settings.

Daylogue is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately at privacy@daylogue.io and we will delete it.

We may update this policy to reflect changes in our practices or for legal reasons. When we make material changes:

• We'll post the updated policy here with a new "Last updated" date
• We'll notify you via email for significant changes
• Continued use after changes constitutes acceptance

We encourage you to review this policy periodically.

Questions about privacy? We're here to help.

Email: privacy@daylogue.io

Response Time: We aim to respond within 48 hours.

Data Protection: For data protection inquiries or to exercise your rights, email privacy@daylogue.io with "Data Request" in the subject line.

Address: Daylogue LLC Los Angeles, CA United States