Privacy Policy
Effective date: April 6, 2026
Introduction
Protecting your personal data is a priority for Oday. This Privacy Policy explains how we collect, use, store, and protect your information in accordance with the General Data Protection Regulation (GDPR) and applicable privacy laws.
These privacy practices complement our Terms of Service. Please review both documents to understand your rights and obligations.
Data Controller
The data controller responsible for processing your personal data is:
BESSON Guy Dominique
Trading as: Oday
Living in Paris, France
Email: contact@oday.app
Our Core Principles
- Lawfulness and transparency: We process your data legally and inform you clearly
- Purpose limitation: Your data is collected for specific and legitimate purposes
- Data minimization: We only collect data that is strictly necessary
- Accuracy: We keep your data up to date and allow you to correct it
- Storage limitation: Your data is only kept for as long as necessary
- Integrity and confidentiality: We implement appropriate security measures
Data Collected
Identification Data
- Email address (used as unique identifier)
- Password (stored in encrypted form if using password authentication)
- Google or Apple identification tokens (if using social authentication)
Profile Data
- Username
- Preferred language
- Device timezone (e.g. Europe/Paris) — used to correctly display and interpret dates and times for your tasks and events
Device Data
- Push notification token (for notifications)
- Device type (iOS, Android)
- Installed app version
Chat Data
- Your conversations with Oday's AI
Data from Connected Apps
When you connect external apps to Oday, we collect:
- Reminders: Title, due date, completion status, and notes from your device's reminder app
- Calendar: Title, date, time, location, and attendees from your device's calendar
Subscription and Payment Data
- Subscription status and expiration date
- Purchase history and transaction IDs
- Subscribed product identifiers
Important: Payment details (credit card numbers, etc.) are handled exclusively by Apple/Google and RevenueCat. We never have access to your payment information.
Usage Analytics Data
To improve the app, we collect usage analytics via PostHog:
- User ID linked to your account
- Email address to identify your account
- How you interact with the app (screens viewed, features used, buttons clicked)
- Page-leave events: the page URL, timestamp, and session identifier recorded when you navigate away from a page — used for product analytics and UX improvement
- Weekly review behavioral events: we capture how you interact with the weekly review flow — how you access it, how you engage with the weekly summary, what actions you take on tasks (complete, delete, or reschedule), whether you use bulk rescheduling, and how you interact with the next-week preview. These events are used solely for product analytics and feature improvement.
Advertising and Attribution Data
To measure the effectiveness of our advertising campaigns, we use the TikTok Business SDK, which may collect:
- Advertising identifier (IDFA on iOS) — only with your explicit consent via the App Tracking Transparency prompt
- App events: installs, launches, registrations, subscription starts, and purchases (no personal content data is shared)
- Basic device information (device model, OS version) for attribution purposes
Satisfaction Feedback Data
When you explicitly submit satisfaction feedback in the app, the following data is sent to Sentry (our error tracking and feedback provider):
- Your feedback message (the text you type and submit)
- Your display name (from your profile settings, if set)
- Your email address (from your account)
Customer Support Chat Data
When you use the in-app support chat (powered by Crisp), the following data is transmitted to Crisp's servers:
- Your user ID (to identify your support session)
- Your email address (to link your support conversation to your account)
- Messages you send and receive in the support chat (processed and retained by Crisp subject to their data retention policy)
Energy and Wellbeing Data
When you complete an energy check-in in the app, we collect the following wellness self-assessment data:
- Self-reported energy level (high, normal, or low) — a subjective wellbeing indicator used to power personalized task suggestions based on your current capacity
- Your device timezone (e.g. Europe/Paris) — transmitted with each check-in submission to determine the correct local date for your check-in record
- Check-in timestamps (check-in date, response time, creation and update times) — stored alongside your user ID, these form a longitudinal wellbeing record linked to your account
Legal basis: This data is processed exclusively on the basis of your explicit consent under GDPR Article 9(2)(a) (by choosing to use the energy check-in feature, as described in Section 13 of our Terms of Service). While energy level is a subjective self-assessment, it may constitute a health-adjacent wellness indicator under GDPR Article 9. We treat it with equivalent care: it is never shared with third parties for commercial purposes, never used to train AI models, and is permanently deleted when you delete your account.
Weekly Review Completion Data
When you complete a weekly review in the app, we record the following data in our database:
- The start date of the reviewed week — identifying which week the review was completed for
- Completion timestamp — the date and time at which you completed the weekly review
Legal basis: This data is processed on the basis of our legitimate interest in understanding feature usage and delivering a consistent in-app experience (e.g. not re-prompting you to complete a review you already finished). Weekly review completion records are retained for the lifetime of your account and are automatically and permanently deleted upon account deletion via cascading deletion.
Data We Never Collect
We NEVER collect:
- Your precise GPS location
- Your contacts
- Your photos or media
- Your SMS messages or call history
How We Use Your Data
Providing the Service
- Managing your account and authentication
- Storing your tasks and events
- Syncing between your devices and external apps
- Sending reminders, daily recaps, and weekly planning reminders
Artificial Intelligence
We use AI to help you manage your productivity. When you interact with the AI, we send: your message, timezone, current date, and recent conversation context. The AI also accesses your tasks and events — including titles, dates, priorities, labels, and recurrence patterns — to provide scheduling suggestions, productivity insights, and to answer search and retrieval requests. This data may be processed by AI models from OpenAI, Mistral, and Google, routed via OpenRouter or directly via Groq depending on availability.
Automated Scheduling Analysis: When you create or modify a task or event, the app automatically analyzes your full day schedule — including event titles, start/end times, task priorities, durations, and workload weight — to detect scheduling conflicts and overloads. This analysis is used to suggest alternative scheduling dates when your day is over capacity. The scheduling data (conflict details, overload status, and suggested alternatives) is processed by AI models via OpenRouter as part of this automated decision-support feature.
Your email, name, and personal identification information are NEVER sent to the AI.
Important: Your data is NEVER used to train AI models.
Advertising Measurement
We use the TikTok Business SDK to measure the performance of our advertising campaigns. This helps us understand which ads lead users to install and use Oday. Event data (such as app installs, registrations, and subscriptions) is shared with TikTok for attribution purposes. No personal task content, calendar data, or AI conversations are ever shared for advertising.
Service Improvement
- Usage analytics linked to your account (PostHog) - we track how you use the app to improve features and user experience
- Bug detection and fixes, and satisfaction feedback processing (Sentry) — when you submit feedback, your name, email, and message are sent to Sentry for product improvement
- Performance optimization
Weekly Planning Reminder
Every Sunday evening, Oday sends an automated weekly planning reminder notification to all users with push notifications enabled. To deliver this notification at the correct local time (approximately 8:00 PM), we use your push notification token, device timezone, and preferred locale. Your scheduled tasks and calendar events may also be referenced to personalize the notification content. This is a recurring, system-initiated communication sent to all eligible users without an individual opt-in. You can stop receiving it by disabling push notifications for Oday in your device's notification settings.
Energy-Based Task Suggestions (Automated Processing)
When you complete an energy check-in, the app uses an automated suggestions engine to generate personalized productivity recommendations. This engine processes the following data in combination: (1) your self-reported energy level, (2) your task titles — which are analyzed via automated keyword classification to determine cognitive complexity (for example, identifying high-cognitive tasks such as reports, presentations, or architecture work, and low-cognitive tasks such as calls or replies), (3) your task schedule including overdue tasks and upcoming tasks within a 30-day window, (4) linked objective titles associated with your tasks, and (5) your device timezone to compute date-relative suggestions. Based on this cross-data analysis, the engine may suggest rescheduling high-cognitive tasks out of your day when your energy is low, or pulling forward overdue or upcoming tasks when your energy is high. This is an automated decision-support feature — no suggestions are applied without your explicit action. Task title content undergoes automated text analysis (not just storage) as part of this feature.
Data Sharing
We NEVER sell, rent, or trade your personal data with third parties for commercial purposes.
We only share your data with our technical service providers:
- Supabase: Database hosting and authentication (EU)
- OpenRouter: AI inference gateway routing requests to AI providers (USA)
- Groq, Inc.: AI inference provider that may directly process your task content, scheduling inputs, and natural language text (USA). See Groq's privacy policy at https://groq.com/privacy-policy/
- Google (Gemini AI via OpenRouter): AI model used to process your work items (tasks and events) for search and retrieval requests. Data is routed through OpenRouter (USA). See Google's privacy policy at https://policies.google.com/privacy
- RevenueCat: Subscription and payment management (USA)
- PostHog: Usage analytics (EU/USA)
- Sentry: Error tracking and satisfaction feedback — when you submit feedback, your name, email, and feedback message are sent to Sentry (Germany/USA)
- Expo: Push notifications (USA)
- Inngest: Background tasks (USA)
- TikTok for Business: Advertising attribution and campaign measurement (USA/Singapore)
- Crisp (crisp.chat): In-app customer support chat — your user ID and email address are transmitted to Crisp's servers on login to identify your support session. Push notifications for support replies are managed by the Crisp SDK. See Crisp's privacy policy at https://crisp.chat/en/privacy/
International Transfers
Some of our subcontractors are located outside the European Union. We ensure the protection of your data through:
- Standard Contractual Clauses (SCC) from the European Commission
- Encryption of all data in transit (TLS/HTTPS)
Security
- Encrypted communications (TLS 1.2+)
- Row Level Security: You can only access your own data
- Authentication via signed JWT tokens
- Continuous monitoring and incident response plan
Your Rights (GDPR)
Under the GDPR, you have the following rights:
- Right of access: Obtain a copy of your data
- Right to rectification: Correct inaccurate data
- Right to erasure: Delete your data ("right to be forgotten")
- Right to restriction: Temporarily suspend processing
- Right to data portability: Receive your data in a structured format (JSON)
- Right to object: Object to processing
- Right to withdraw your consent at any time
To exercise your rights, contact us at contact@oday.app. We will respond within 1 month.
You can also file a complaint with the CNIL (www.cnil.fr) or your local supervisory authority.
Data Retention
- Active account: Data retained as long as your account is active
- After deletion: All your data is deleted immediately and permanently
- Technical logs: 30 to 90 days depending on type; satisfaction feedback submitted to Sentry is retained for up to 90 days per Sentry's data retention policy
- Energy check-in records: Retained for the lifetime of your account and deleted immediately and permanently upon account deletion
- Weekly review completion records: Retained for the lifetime of your account and permanently deleted upon account deletion (automatic cascade deletion)
- Inactivity: After 24 months without login, we will contact you before potential deletion
Account Deletion
You can delete your account at any time in Settings > Account > Delete my account. This action is immediate, permanent, and irreversible. All your data will be deleted, including your tasks, events, AI conversations, energy check-in records, and all associated personal data.
Cookies and Tracking Technologies
The mobile app does not use HTTP cookies. We use secure local storage for your session and preferences. Satisfaction feedback tracking data (app open count, last feedback prompt date, and response status) is also stored in secure local storage on your device and is never sent to our servers. The weekly review feature stores a flag (weekly_review_triage_tooltip_shown) in on-device AsyncStorage to remember whether you have already seen the first-use tooltip for the triage feature; this flag never leaves your device. On iOS, the home screen widget stores a snapshot of your task titles, event titles, due dates, labels, completion status, and event start/end times in on-device App Group shared storage (accessible to both the app and the widget extension). This widget data remains entirely on your device and is never transmitted to our servers.
We use the TikTok Business SDK for advertising attribution. On iOS, this SDK requests your consent via the App Tracking Transparency (ATT) prompt before accessing your advertising identifier (IDFA). You can decline this request, and the app will continue to function normally. You can also revoke this permission at any time in your device's Settings > Privacy > Tracking.
Changes
We may modify this policy to reflect changes in our practices or regulations. We will notify you of substantial changes by email or in-app notification. They take effect 30 days after publication.
Contact
For any questions about this Privacy Policy or your data, contact us at contact@oday.app.
Supervisory Authority
CNIL - 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
www.cnil.fr