1. Introduction
Dayloom (“we,” “us,” “our,” or “the Company”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service across all platforms:
- Website: dayloom.xyz
- Android app:
com.samrridh.dayloomon Google Play - iOS app:
com.samrridh.dayloomon the Apple App Store
Dayloom is a mindful video, photo, voice, and text journaling application with AI-generated daily highlight cards. This policy applies to all platforms and interactions with our service.
2. Information We Collect
2.1 Account Information
When you sign up or update your profile, we collect:
- Email address — used for authentication, password recovery, and communications
- Password — securely hashed by Supabase Auth; never stored in plain text
- Display name (optional) — shown in your profile and app UI
- Account creation date — for service administration and compliance
2.2 Journal Content
When you create journal entries, we store:
- Video files — short video recordings you capture or upload
- Photo files — images you upload from your device
- Audio and voice files — voice recordings you capture
- Text content — written reflections and journal entries
- Transcripts — automatically generated from audio using speech-to-text technology
- AI-generated summaries — automated text summaries including mood tags, key themes, and highlights
- Metadata — entry timestamps, file sizes, mood tags, and custom tags you assign
- Daily highlight cards — AI-compiled summaries of your daily entries
2.3 Subscription and Payment Information
- Pro status — whether you have a paid subscription
- Subscription data — stored through RevenueCat
- Purchase history — managed by Apple App Store or Google Play; we do not store payment methods
We do not directly handle credit card or payment information. All payments are processed through the official app stores or the payment processors they use.
2.4 Device and App Data
We store the following locally on your device:
- Cached entries — offline copies of journal entries, cleared on app uninstall
- Pending sync queue — entries waiting to upload when you are offline
- Reminder preferences — your chosen notification times and settings
- App preferences — theme, UI style, haptics, and other settings
- Session tokens — to keep you logged in
2.5 Technical Information
- IP address — logged by our server for rate limiting, security, and debugging
- Device identifiers — app version, operating system version, and device type for error reporting
- Crash reports and telemetry — cold-start performance metrics via Expo Insights on production builds only
- Referrer data — when accessing the website from external links; Google Fonts CDN may log IP and referrer
2.6 What We Do Not Collect
We do not collect any of the following:
- Precise GPS location or coordinates
- Contacts list or address book
- Calendar data
- Health or biometric data, even if permissions are granted
- Advertising identifiers for targeted ads
- Browsing history outside the app
- Screenshots or screen recording data
3. How We Use Your Information
We use the information we collect to:
- Provide the service — authenticate you, store entries, process uploads, generate transcripts and AI summaries
- Enforce quotas — manage free-tier limits and pro-tier access
- Process subscriptions — verify pro status and manage subscription lifecycle through app stores
- Improve AI features — refine transcript accuracy, summary quality, and mood detection
- Send necessary communications — password resets, subscription confirmations, and critical security alerts
- Prevent fraud and abuse — detect misuse, rate-limit API access, and prevent unauthorized access
- Comply with the law — respond to legal requests, investigations, or regulatory requirements
- Analyze usage — understand feature adoption and performance using aggregated, non-personal analytics where possible
We do not use your journal content for marketing, advertising, or any purpose beyond operating the service and providing features you have explicitly chosen.
4. Legal Basis for Processing (GDPR)
If you are in the EU, EEA, or UK, we process your data on these legal bases:
- Contract — to provide the journaling service you have agreed to use
- Legitimate interest — to maintain security, prevent abuse, and improve the service
- Consent — where you have explicitly opted into specific features such as notifications, AI features, or analytics
- Legal obligation — to comply with applicable laws and regulatory requests
5. Third-Party Service Providers
We share your information with the following third parties to operate the service:
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Authentication and file storage | Email, password hash, user ID, journal media files |
| Self-hosted Backend | API, metadata storage, AI orchestration | User ID, transcripts, summaries, mood data |
| Hack Club AI | Claude Haiku LLM for summaries and highlights | Transcripts (text only), mood and tag data |
| Groq (optional) | Cloud-based Whisper transcription | Audio files, only if you enable this mode |
| RevenueCat | Subscription management | User ID, subscription status, purchase history |
| Resend | Transactional email | Email address, display name |
| Apple App Store | App distribution and in-app purchases | App store subscription data |
| Google Play | App distribution and in-app purchases | App store subscription data, basic device data |
| Expo / EAS | Build system and OTA updates | App version, build telemetry, cold-start metrics |
| Google Fonts (website only) | Typography on marketing website | IP address, referrer |
We only share the minimum data necessary for each service to function. We do not sell or rent your personal data to any third party for marketing purposes.
6. International Data Transfers
Your data may be transferred to, stored in, or processed in countries outside your country of residence, including the United States. When we transfer data internationally, we use appropriate safeguards such as Standard Contractual Clauses, require third-party processors to maintain similar protections, and comply with applicable data protection laws in your jurisdiction.
By using Dayloom, you consent to your data being transferred and processed internationally as described in this policy.
7. Data Storage and Security
7.1 Where Your Data Is Stored
- Journal media (video, photos, audio): Private Supabase Storage bucket (
video-journals), encrypted in transit and at rest - Account data and metadata: SQLite database on our self-hosted backend server
- Authentication: Supabase Auth, with servers in the US and EU regions
7.2 Security Measures
- Encryption in transit: All data sent to and from our servers uses HTTPS/TLS
- Authentication: Supabase JWT tokens with ES256 or HS256 signing
- Access control: Role-based access control on storage; users can only access their own data
- Private bucket: Journal media stored with signed URLs valid for one hour
- Rate limiting: API endpoints rate-limited by IP address to prevent abuse
- Server-side processing: Audio transcription processed securely on our backend
- Data validation: Input validation and sanitization to prevent injection attacks
We implement industry-standard security practices, but no system is completely secure. If you become aware of a security breach, please email us immediately at contact@dayloom.xyz.
8. Data Retention and Deletion
8.1 Retention
We retain your data for as long as your account is active, plus:
- Deleted entries: Backend metadata removed immediately; Supabase storage objects may persist temporarily
- Account backups: Operational backups may retain data for up to 30 days after deletion
- Logs: Server logs containing IP addresses are retained for up to 30 days for security and debugging
8.2 Account Deletion
When you delete your account in the app via Settings (Insights tab) → Delete Account Permanently:
- All journal entries and highlights are deleted from our database
- Your Supabase Auth account and profile are deleted
- Your user profile and quotas are removed
- We delete your media files from private Supabase Storage when configured on the server
Note: Deleting a single journal entry removes it from the app and database but may not immediately delete the corresponding media file from Supabase Storage. To ensure complete deletion of all media, delete your entire account.
GDPR Right to Erasure: If you are in the EU or EEA, you may request deletion of your personal data by emailing contact@dayloom.xyz with the subject “GDPR Erasure Request.” We will respond within 30 days.
8.3 Data Portability
You may request a copy of your personal data in a machine-readable format. Email contact@dayloom.xyz with the subject “Data Portability Request” and we will respond within 30 days.
9. Permissions
9.1 Mobile App Permissions
Dayloom requires the following device permissions:
- Camera — to record video and capture photos for journal entries
- Microphone — to record voice notes and audio
- Notifications — to send scheduled daily reminders
You can revoke these permissions at any time:
- iPhone (iOS): Settings → Dayloom → Permissions
- Android: Settings → Apps → Dayloom → Permissions
We do not request or use location/GPS, contacts, calendar, health data, or direct access to your photos library.
9.2 Notifications
Notifications are managed locally on your device. You can customize reminder times and opt out in the app’s Settings. We do not send push notifications from our servers; all reminders are set locally by you.
10. Children’s Privacy
Dayloom is not intended for children under 13 years old (or the applicable age of digital consent in your country). We do not knowingly collect personal data from children under 13. If we become aware that a child has provided us with personal data, we will delete it and terminate the account. Parents or guardians who believe a child has provided personal data should contact us at contact@dayloom.xyz.
11. Your Privacy Rights
11.1 GDPR Rights (EU, EEA, UK)
- Right of access — request what personal data we hold about you
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure — delete your data, with exceptions for legal obligations
- Right to restrict processing — limit how we use your data
- Right to object — object to our use of your data for specific purposes
- Right to data portability — receive your data in a standard format
- Right to withdraw consent — at any time, for specific processing
11.2 CCPA Rights (California, USA)
- Right to know — what personal data is collected, used, and shared
- Right to delete — delete your personal data, with exceptions
- Right to opt out of sale — Dayloom does not sell personal data
- Right to correct — correct inaccurate data
- Right to limit use — limit use of your sensitive personal information
- Right to non-discrimination — we will not discriminate for exercising your rights
11.3 How to Exercise Your Rights
Email contact@dayloom.xyz with your request, including your full name, the email address on your account, and the specific right you are exercising. We will respond within 30 days. You may also appoint an authorized representative to submit requests on your behalf.
12. Marketing Communications
We may send you:
- Transactional emails — password resets, account notifications, and subscription confirmations (required for service operation)
- Service updates — important security, privacy, or service changes (required)
- Promotional emails — feature announcements, tips, and special offers, only if you opt in
You can unsubscribe from promotional emails at any time by clicking the Unsubscribe link in any email or updating your preferences in the app.
13. Cookies and Tracking
13.1 Website Cookies
The Dayloom website uses functional cookies for basic site operation, if any. We do not use analytics cookies (such as Google Analytics or Mixpanel) or advertising cookies for retargeting.
13.2 Mobile App Tracking
The Dayloom app does not track your location, track your behavior across other apps, use advertising IDs for profiling, or integrate Facebook SDK, Google Analytics, or similar trackers. We only collect telemetry to improve app performance via Expo Insights on production builds.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy at dayloom.xyz/privacy, sending an email notification if you have an account, and requiring acceptance of the new policy on your next app launch.
Your continued use of Dayloom after updates constitutes acceptance of the revised Privacy Policy.
15. California Privacy Rights
California residents: under the CCPA and CPRA, we do not sell or share your personal information. You have the right to know, delete, correct, and opt out as described in Section 11.2. Submit requests at contact@dayloom.xyz. We will not discriminate against you for exercising your rights.
16. Contact Us
If you have questions, concerns, or requests about this Privacy Policy or our privacy practices, please reach out:
Email: contact@dayloom.xyz
Operator: Dayloom — operated by an individual developer in India.
For legal correspondence, email contact@dayloom.xyz.
We aim to respond to all inquiries within 30 days. For GDPR data requests, include “GDPR Data Request” in your subject line for faster processing.
This Privacy Policy is provided for informational purposes. While we have made reasonable efforts to accurately reflect our data practices, this is not legal advice. We recommend consulting a legal professional before publishing or relying on this policy.