Legal

Privacy Policy

Last updated: April 13, 2026

For a friendlier overview, visit our Privacy & Security page

Device-Encrypted

Your entries are encrypted on your device before they ever leave it

Client-Encrypted Vault

We store ciphertext. We cannot read your journal entries.

No Data Sales

We make money from subscriptions, never your data

AI Transparency

Clear disclosure of how AI processes your data

Privacy is the foundation Daylogue is built on. This document explains exactly what data we collect, how we protect it, and what rights you have. We believe you should know precisely how your most personal thoughts are handled.

1. Information We Collect

We collect only what's necessary to provide our service. Here's exactly what we store:

Account Information: Your email address and authentication credentials. This is stored in plaintext so we can send you notifications and help you recover your account.

Journal Entries & Check-in Notes: Your journal vault entries and encrypted check-in notes are encrypted on your device using AES-256-GCM encryption before being transmitted to our servers. We store only ciphertext. We cannot read these entries.

AI-Generated Summaries & Insights: When you use AI features, Daylogue generates summaries, narratives, and pattern insights from your check-ins. These AI-generated outputs are stored separately and are not end-to-end encrypted, as they power features like your daily narrative, weekly insights, and pattern detection. Your raw words remain encrypted; the AI-generated derivatives are kept in a separate layer.

Structured Metrics & Metadata: Mood scores, energy levels, stress ratings, sleep data, tags, timestamps, and device identifiers. This structured data powers your dashboards, trends, and AI features, and is protected by access controls and row-level security but is not end-to-end encrypted.

Encryption Keys: Your encryption keys are generated and stored on your device. We never have access to them.

2. How We Use Your Information

We use your information to:

  • Provide the core journaling and check-in experience
  • Generate AI-powered insights and pattern detection
  • Send reminders and notifications (with your permission)
  • Respond to support requests
  • Improve and maintain our services
  • Prevent abuse and ensure security

**We never use your data for:**

  • Advertising or ad targeting
  • Selling to third parties
  • Training AI models
  • Any purpose you haven't consented to

3. Encryption & Security

Your privacy is protected by multiple layers of security:

Device-Side Encryption: Your journal vault entries and encrypted check-in notes are encrypted on your device using AES-256-GCM before transmission. The encryption keys are derived from credentials only you possess. We cannot decrypt this content.

Client-Encrypted Vault: For your journal entries and encrypted notes, our servers store only ciphertext. Even with full database access, these entries remain unreadable to us. Important: AI-generated summaries of your entries are stored separately and are readable by our systems to power features like narratives, insights, and pattern detection. Your original words remain encrypted; the AI-generated derivatives exist in a separate layer.

Transmission Security: All data in transit is protected by TLS 1.3 encryption.

Device-Based Key Management: Your encryption keys live on your devices. Cross-device sync requires explicit device approval.

HIPAA-Aligned Safeguards: Our technical security measures follow HIPAA Security Rule principles, including access controls, audit logging, and integrity verification. Note: We are not HIPAA compliant and do not offer Business Associate Agreements.

4. AI Features & Your Data

AI is core to Daylogue's insights. Here's exactly how it works:

How AI Processing Works:

  1. When you use AI features, your content is sent to our AI provider (AWS Bedrock) for processing
  2. AI generates insights, summaries, and narratives
  3. AI-generated summaries are stored server-side to power features like your daily narrative, pattern detection, and insights
  4. Your raw journal vault entries and encrypted notes remain device-encrypted with keys only you hold

Important Disclosures:

  • During AI processing, your content briefly exists as readable text at AWS Bedrock
  • Your content is NOT used to train AI models. AWS Bedrock does not store, log, or train on your data
  • Anthropic (the AI model provider) never sees your data. Bedrock isolates it within our AWS environment
  • Voice check-ins use Deepgram for speech-to-text (zero data retention per contract) and AWS Bedrock for AI processing (zero data retention, encrypted transit)
  • AI-generated summaries are not end-to-end encrypted, as they are needed server-side for features you use

5. Information Sharing

We do not sell your data. Period.

Our Data Trust Promise:

  • We never sell data to third parties, data brokers, or anyone else
  • We never share with advertisers or marketing platforms
  • We never use your data for ad targeting
  • We never train AI models on your personal entries (AWS Bedrock does not store or train on your data)
  • Our revenue comes from subscriptions only
  • You can delete your account and all data anytime

Service Providers: We use the following subprocessors to deliver the service. Each is bound by a data processing agreement and only processes your data as necessary for the service they provide:

  • **Supabase** — Database hosting and authentication
  • **AWS Bedrock** — AI inference (zero data retention, no model training)
  • **Deepgram** — Speech-to-text transcription (zero data retention per contract)
  • **Resend** — Transactional email delivery
  • **Stripe** — Payment processing
  • **Vercel** — Application hosting and edge delivery

A full subprocessor list is available at [/subprocessors](/subprocessors).

Legal Requirements: We may disclose information if legally required (e.g., court order). Your journal vault entries and encrypted notes are encrypted with keys we do not possess. We can only provide encrypted ciphertext for that content. AI-generated summaries and structured metrics could theoretically be provided if legally compelled.

Business Transfers: In the event of acquisition or merger, your data protections continue. We would notify you of any ownership change.

Never Shared: Your journal content, AI insights, and personal reflections are never shared with advertisers, data brokers, or any third party for their own purposes.

Social Sharing (Insight Cards): When you choose to share an insight card, Daylogue generates a static image containing a visual summary of your data (e.g., color palettes, mood gradients, wellness labels). These images never contain raw journal text, specific dates, or personally identifiable information. Share images include subtle Daylogue branding. Once you share an image outside Daylogue (via social media, messaging, etc.), that content is outside our control and subject to the receiving platform's policies. We log share events (card type, aspect ratio, platform) to improve the feature. No third-party tracking SDKs are used for sharing.

6. Enterprise & Organization Features

Daylogue offers optional organization and team features for workplaces, sports teams, and other groups. Here is how your data is handled in those contexts.

Aggregate Data Access: Organization administrators can view aggregate (anonymized) wellness data about their members through a dashboard and API. Individual data is never included in these aggregates. We require a minimum of 5 active members before any aggregate metrics are shown, so no individual can be identified through small group sizes (this is called k-anonymity).

Individual Score Sharing: Members who join an organization can optionally choose to share their individual wellness scores (mood, energy, stress) with organization leaders. This sharing is:

  • Entirely voluntary and opt-in
  • Controllable per metric (you can share mood but not stress, for example)
  • Revocable at any time through your settings
  • Limited to the past 7 days of scores (leaders cannot see historical data, written reflections, or voice entries)

API Access: Enterprise organizations may access aggregate data and, where members have opted in, individual scores through authenticated API endpoints. All API access is:

  • Authenticated via organization-specific API keys
  • Rate-limited and monitored for abuse
  • Logged for compliance auditing
  • Scoped to specific data types (an API key cannot access more than what was granted)

Webhook Data Transfers: Organizations may configure webhooks to receive automated notifications about organizational events (such as wellness alerts or weekly report availability). Webhook data:

  • Contains aggregate information only (no individual data is sent via webhooks)
  • Is signed with HMAC-SHA256 so the receiving server can verify authenticity
  • May be delivered to URLs specified by the organization administrator
  • Delivery is logged for audit purposes

API Request Logging: We log API request metadata including client IP addresses, user agent strings, and request timestamps for security monitoring, abuse prevention, and compliance auditing. These logs are retained for 90 days.

AI-Generated Content: Team narrative summaries provided through the API are generated by AI from anonymized aggregate data. They are not clinical assessments and should not be treated as medical, psychological, or diagnostic information.

7. If You Leave Your Organization

When you leave an organization (voluntarily, via admin removal, or via SCIM offboarding), your personal check-in history and account remain intact. Your past contributions to team aggregates are frozen in the historical windows they belonged to — they are not removed retroactively, to preserve the statistical integrity of those aggregates for the remaining team members. Going forward, your data no longer contributes to team averages. You can export your data at any time from Settings → Privacy → Export.

8. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) gives you specific rights regarding your personal information.

Right to Know: You have the right to request that we disclose what personal information we collect, use, disclose, and sell about you.

Right to Delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.

Right to Opt Out of Sale: We do not sell your personal information to third parties. There is nothing to opt out of.

Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

How to Submit a Request: Email privacy@daylogue.io with "California Privacy Request" in the subject line. We will respond within 45 days.

10. Your Rights & Controls

You have complete control over your data:

Export: Download all your data in standard formats anytime from your account settings.

Delete: Request permanent deletion of your account and all associated data. Deletion requests are processed within a 30-day grace period, during which you can cancel the deletion. After 30 days, all data is permanently removed and cannot be recovered.

Access: Request a copy of all data we hold about you.

Correction: Update your account information at any time.

Opt-Out: Unsubscribe from marketing emails anytime. Essential service communications (security alerts, account issues) cannot be opted out of while your account is active.

To exercise these rights, email privacy@daylogue.io or use the in-app settings.

11. SMS Messaging

View SMS program details, opt-in flow, and sample messages

Program Name: Daylogue SMS Check-ins

What It Is: When you opt in through the Daylogue app, we send text message check-in prompts to your phone number. You reply with how you're feeling, and your response is processed as a check-in. You can also opt in to SMS notifications (reminders, weekly summaries, and gentle nudges).

Message Frequency: Up to 5 messages per day (1 outbound prompt plus up to 4 conversational follow-ups per session). Notification texts are sent based on your chosen schedule.

Message and Data Rates: Standard message and data rates may apply depending on your mobile carrier plan.

Opt-In: You opt in to SMS check-ins exclusively through the Daylogue app settings by entering your phone number, verifying it with a one-time code, and toggling on SMS check-ins. SMS is off by default. No messages are sent until you explicitly opt in. There is no web form, keyword, or checkout-based enrollment.

Opt-Out: You can stop receiving messages at any time by replying **STOP** to any message, or by toggling off SMS check-ins in your Daylogue app settings.

Help: Reply **HELP** to any message for support information, or contact us at hello@daylogue.io.

Your Phone Number and Mobile Information: We store your phone number solely for delivering SMS check-ins. No mobile information, including phone numbers, SMS consent records, and opt-in/opt-out data, will be shared with or sold to third parties or affiliates for marketing or promotional purposes. Your number is stored securely and used only to deliver the messages you requested.

AI-Personalized Messages: Some SMS check-in messages are personalized using AI. When this occurs, aggregated data from your recent check-ins (mood trend, tags, check-in frequency) is processed by our AI provider to generate a contextually relevant opening message. This processing is ephemeral. No SMS content or AI inputs are stored by the AI provider. Approximately 40% of messages use standard templates with no AI personalization.

SMS conversations and crisis handling: If your SMS conversation is identified as containing signs of a crisis, such as thoughts of suicide, self-harm, or immediate danger, Daylogue is designed to pause its usual data capture. This detection is automated and may not identify every instance.

Detection of crisis content is performed automatically using a combination of keyword pattern matching and AI-assisted review. No human reviews your message content.

If a crisis is detected, we will send you crisis resource information: 988 Suicide and Crisis Lifeline (US), Crisis Text Line at 741741 (US), and findahelpline.com (international directory). The check-in session ends at that point. Daylogue does not provide crisis counseling or intervention, and does not contact emergency services, notify any third party, or take any action on your behalf in response to crisis content.

Service Provider: SMS messages are delivered through Twilio, our messaging infrastructure provider. Twilio processes your phone number and message content only as necessary to deliver the service.

Carriers: Supported on all major U.S. carriers. Carriers are not liable for delayed or undelivered messages.

12. Cookies & Tracking

We use minimal, necessary cookies:

Essential Cookies: Keep you logged in and remember your preferences. These cannot be disabled without breaking core functionality.

Analytics: We use privacy-respecting analytics to understand usage patterns. This data is aggregated and cannot identify individual users.

What We Don't Use:

  • Third-party advertising cookies
  • Cross-site tracking
  • Social media tracking pixels
  • Fingerprinting techniques

You can control cookies through your browser settings.

13. Children's Privacy

Daylogue is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately at privacy@daylogue.io and we will delete it.

14. Policy Updates

We may update this policy to reflect changes in our practices or for legal reasons. When we make material changes:

  • We'll post the updated policy here with a new "Last updated" date
  • We'll notify you via email for significant changes
  • Continued use after changes constitutes acceptance

We encourage you to review this policy periodically.

15. Contact Us

Questions about privacy? We're here to help.

Email: privacy@daylogue.io

Response Time: We aim to respond within 48 hours.

Data Protection: For data protection inquiries or to exercise your rights, email privacy@daylogue.io with "Data Request" in the subject line.

Address: Daylogue LLC, Los Angeles, CA, United States