Back

Privacy Policy

Last updated: 5 May 2026

1. Plain-English summary

Day01.AI is a daily AI-personalized learning app. We store the minimum data we need to make your daily session work: your profile, learning progress, and AI conversations. We never sell or share your data. You can delete everything yourself in Settings → Danger Zone, and we’ll honor that within seconds.

2. Who we are

Day01.AI is built by the Day01 team. The product is open-source and available at github.com/Khizergenfox/dayoneai — you can inspect, fork, or self-host.

3. What we collect

When you sign up and use the product, we store:

  • Account: email address, display name
  • Profile (your “Learning DNA”): role, sub-role, micro-role, industry, sub-industry, experience level, AI-fluency level, tools you use, learning goals, optional bio paragraph
  • Activity: daily sessions you complete, mastery scores, quiz responses, exercise responses, streak counts
  • AI conversations: messages you exchange with the in-app AI mentor, context the mentor used to respond
  • Operational metadata: when you logged in, which sessions you opened, error reports (auto-captured by Sentry, see §7)

4. What we do NOT collect or store

  • Your AI provider API keys (if you use Bring-Your-Own-Key mode) — encrypted with AES-256-GCM in your browser’s localStorage, never sent to our servers
  • Tracking, advertising, or third-party analytics cookies — none, ever
  • Payment methods— paid wallet top-ups are not currently enabled. When they arrive, payments will be handled by a PCI-compliant third party and we will not see card details.

5. How your data flows

Day01.AI offers two AI modes:

Managed tier(default for new accounts): your daily sessions and mentor replies are generated by Google’s Gemini models via Vertex AI. Your prompt context (role, industry, recent activity) is sent from our server to Vertex on your behalf. The first 30 days are on us at no cost to you.

Bring-Your-Own-Key (BYOK): you provide your own Anthropic / OpenAI / Google API key. Your browser calls the AI provider directly — our server never sees your key or your prompts in this mode.

6. Where your data lives — third-party processors

We use these services to operate Day01.AI. Each holds the data shown:

  • Supabase(Postgres database + auth) — account, profile, activity. Row-Level Security ensures each user only accesses their own rows.
  • Vercel(web hosting + CDN) — page requests; transient.
  • Google Vertex AI (managed tier only) — AI prompts plus your profile context for generation.
  • Sentry(error tracking) — error events with PII redacted server-side (see §7).
  • Cloudflare Turnstile — a bot-prevention captcha token at signup.

7. PII redaction in logs

Server-side errors captured by Sentry are passed through a beforeSend hook that strips: cookies, authorization headers, API key patterns (sk-*, eyJ*, AIza*), and email addresses (we keep only the domain, e.g. “[redacted]@example.com”).

8. Your rights

Wherever you live, you can:

  • Accessyour data — visit Settings → “My Learning DNA” to see it
  • Rectifyyour data — edit any field in Settings, or re-run onboarding
  • Deleteyour data — Settings → Danger Zone → “Delete account…”. This irreversibly purges your profile, sessions, mentor conversations, scores, and skill files within seconds. We retain only your email and a deletion timestamp in an audit log for legal-compliance proof.
  • Portyour data — email us (see §11) and we’ll send you a JSON export within 30 days
  • Object to processing or withdraw consent— same path as deletion

9. Data retention

Active accounts: data is retained while your account is active. Inactive accounts(no login for 24 months): we’ll email you, then delete after 30 days if no response. Deleted accounts: data is purged within seconds; the audit-log entry persists as compliance evidence.

10. Cookies

We use only essential cookies:

  • sb-access-token, sb-refresh-token — Supabase auth, required to keep you signed in
  • news_theme — your /news light/dark preference
  • impersonator_admin_session — only set if you’re an admin viewing as a user during a support flow

No advertising, no analytics, no third-party tracking cookies.

11. Contact

Privacy questions, deletion requests, data exports, or anything else: Khizer@genfox.ai. You can also open an issue on GitHub if you prefer public conversation.

12. Changes to this policy

We’ll update the “Last updated” date at the top whenever we make a material change. If we ever expand what we collect or who we share it with, we’ll email all active users beforehand.