Privacy Policy

1. Introduction

DayByDay ("we", "our", "us") is a personal health tracking application. We are committed to protecting your privacy and handling your data responsibly. This policy explains what information we collect, how we use it, and your rights regarding your data.

2. Information We Collect

Account information

When you create an account, we collect your email address and a password (stored securely hashed). During onboarding, you may optionally provide:

• Display name
• Gender, height, birth year/month
• Starting weight and goal weight
• GLP‑1 medication information (medication name, start date, dosage cadence)

Health & tracking data

Data you voluntarily enter into the app, including:

• Daily weight and body fat percentage
• GLP‑1 medication doses, injection sites, side effects
• Sleep data (SpO2, sleep stages, heart rate, HRV, respiratory rate)
• Body measurements (waist, chest, neck, hip)
• Lab results (A1c, glucose, cholesterol panels)
• Exercise logs (minutes, steps, type)
• Blood glucose, mood, hunger, energy, GI, water, protein
• Progress photos (encrypted, optional cloud sync)

Information we do NOT collect

• We do not use third-party analytics or tracking services
• We do not collect device identifiers or advertising IDs
• We do not collect location data
• We do not collect financial or payment information

3. How We Use Your Data

Your data is used solely to:

• Display your tracking information back to you within the app
• Calculate trends, predictions, and insights based on your entries
• Authenticate you and maintain your session
• Power the optional Dayo AI Coach insights (per-source opt-out available)

We do not use your data for advertising, marketing to third parties, or any purpose other than providing the app's functionality to you.

4. Data Storage & Security

Your data is stored on Supabase Cloud (hosted on AWS in the US West region). All data is:

• Encrypted in transit (TLS/HTTPS)
• Encrypted at rest (AES-256)
• Protected by Row Level Security (RLS) policies ensuring you can only access your own data

5. Data Sharing

We do not sell, rent, or share your personal data with any third parties.

Your data is never shared with advertisers, data brokers, or other companies. The only exception would be if required by law (e.g., a valid legal subpoena).

6. Data Retention & Deletion

Your data is retained for as long as you maintain an active account or subscription. You may:

• Export your data at any time using the CSV export feature in the app
• Delete your account from the Settings page or the paywall screen, which permanently removes all your data from our servers

Account deletion is irreversible. All associated data (profile, weights, doses, sleep, measurements, labs, exercises, and progress photos) is permanently deleted.

Free trial & automatic deletion

New accounts receive a 14-day free trial with full access to all features. If you do not subscribe after your trial ends, your account and all associated data will be automatically deleted 15 days after account creation (1 day after trial expiration). We recommend exporting your data before your trial ends if you do not plan to subscribe.

7. Cookies & Local Storage

The app uses local storage on your device solely for:

• Authentication session tokens
• Theme preference (light / dark / system)
• Milestone configuration and UI preferences

We do not use tracking cookies or third-party cookies of any kind.

8. Children's Privacy & Age Requirements

DayByDay is not intended for children. In the United States, you must be at least 13 years old to use the app. In the European Economic Area, you must be at least 16 years old (or the minimum age of digital consent in your country, if lower). We do not knowingly collect personal information from anyone below these age thresholds. If you believe someone below the applicable minimum age has provided us with personal data, please contact us so we can delete it.

9. Third-Party Service Providers

We use a limited number of third-party service providers to operate DayByDay. These providers process data solely on our behalf and under our instructions:

Supabase (database & authentication)

• Stores your account information and all health tracking data
• Hosted on Amazon Web Services (AWS) in the US West (Oregon) region
• Provides authentication services (email login, Google Sign-In, Apple Sign-In)
• Subject to Supabase's privacy policy and AWS's data processing terms

Anthropic (AI Coach)

• Powers the optional Dayo AI Coach insights via the Claude API
• Receives anonymized fact summaries derived from your data — no personal identifiers, no raw account email
• Per-source opt-out available in Settings to exclude any data category from being sent to the model
• Subject to Anthropic's commercial terms and data usage policies; data is not used to train models

RevenueCat (subscription management)

• Manages subscription status verification between app stores and our servers
• Receives your anonymous user ID and subscription status from Apple/Google
• Does NOT receive any of your health data, personal information, or tracking data

Apple App Store / Google Play Store (payments)

• Process all subscription payments directly
• We never receive or store your payment card details
• Subject to Apple's and Google's respective privacy policies

Apple HealthKit / Google Health Connect (optional)

• Health data synced from these platforms is stored only in your DayByDay account on Supabase
• This data is never shared with third parties, used for advertising, or transferred to any service other than Supabase
• You control exactly which data types are synced via your device's health permissions settings

10. Health Data Handling

DayByDay processes sensitive health-related information. We apply special care to this data:

• Collection: All health data is provided voluntarily by you or synced from Apple HealthKit / Google Health Connect with your explicit permission
• Storage: Health data is stored on Supabase Cloud (AWS US-West), encrypted at rest and in transit, and isolated by Row Level Security so that only your authenticated account can access your data
• Use: Health data is used solely to display your tracking information, calculate trends, and generate insights within the app for your personal use
• Sharing: Health data is never sold, rented, shared with third parties, used for advertising, or used for any purpose other than providing app functionality to you
• Export: You may export all your health data at any time via CSV export or PDF health report from Settings in the app
• Deletion: You may permanently delete all your health data at any time by deleting your account from Settings in the app

11. Your Rights Under GDPR (EU/EEA/UK Users)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and equivalent UK legislation.

Legal basis for processing

We process your personal data on the following legal bases:

• Contract performance (Article 6(1)(b)): Processing your account information and health tracking data is necessary to provide the DayByDay service that you have signed up for
• Consent (Article 6(1)(a) and Article 9(2)(a)): For optional health data syncing from Apple HealthKit or Google Health Connect, we rely on your explicit consent, which you grant through your device's health permissions settings and which you may withdraw at any time
• Legitimate interest (Article 6(1)(f)): For maintaining security of the service and preventing fraud

Your data subject rights

You have the following rights, most of which you can exercise directly through the app:

• Right of Access (Article 15): You can view all your data within the app at any time. You can also export a complete copy of all your data using the CSV export feature in Settings > Export Data
• Right to Rectification (Article 16): You can correct your personal information at any time via Settings > Edit Profile, and you can edit or delete individual data entries directly within each tracking tab
• Right to Erasure (Article 17): You can permanently delete your account and all associated data via Settings > Account > Delete Account. This action is immediate and irreversible
• Right to Data Portability (Article 20): You can export all your data in CSV format (a standard, machine-readable format) via Settings > Export Data. You can also generate a comprehensive PDF health report
• Right to Restriction of Processing (Article 18): Contact us at the email below if you wish to restrict processing of your data while a dispute is resolved
• Right to Object (Article 21): Since we process your data solely to provide the service you requested and do not engage in direct marketing or profiling, there is no separate processing to object to. If you no longer wish for your data to be processed, you may delete your account
• Right to Withdraw Consent (Article 7(3)): You may withdraw consent for optional health data syncing at any time by disabling health permissions in your device settings. You may withdraw consent for the service entirely by deleting your account

Exercising your rights

Most rights can be exercised directly through the app's self-service features:

• Access & portability: Settings > Export Data (CSV or PDF)
• Rectification: Settings > Edit Profile, or edit entries in each tracking tab
• Erasure: Settings > Account > Delete Account
• Withdraw consent for health sync: Device Settings > Health permissions

For rights that cannot be exercised through self-service (restriction, objection, or any questions), contact us at support@mydaybyday.app. We will respond within 30 days.

International data transfers

Your data is stored on servers in the United States (AWS US-West region via Supabase Cloud). If you are located in the EU/EEA/UK, this constitutes an international transfer of your personal data. These transfers are protected by the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) as adopted by the European Commission, incorporated into our agreements with service providers.

Automated decision-making

DayByDay does not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you. The app calculates trends, predictions, and health insights based on the data you enter, but these are informational tools for your personal use only and do not result in any automated decisions about you.

Right to lodge a complaint

If you believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU data protection authorities can be found at edpb.europa.eu.

12. Your Rights Under US State Privacy Laws

Several US states have enacted privacy laws that grant residents specific rights regarding their personal information.

California (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights:

• Right to Know: You have the right to know what personal information we collect, use, and disclose. This privacy policy provides that information. You can also export a complete copy of your data at any time via Settings > Export Data
• Right to Delete: You can delete your account and all associated data via Settings > Account > Delete Account
• Right to Correct: You can correct inaccurate personal information via Settings > Edit Profile
• Right to Opt-Out of Sale or Sharing: We do NOT sell your personal information. We do NOT share your personal information for cross-context behavioral advertising. Therefore, there is no sale or sharing to opt out of
• Right to Limit Use of Sensitive Personal Information: We use your sensitive personal information (health data) solely to provide the DayByDay service. We do not use it for any other purpose
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights

Washington My Health My Data Act

If you are a Washington state resident, the My Health My Data Act provides specific protections for consumer health data:

• Consent: We collect health data only after you have accepted our Terms of Use and Privacy Policy. Additional health data syncing from Apple HealthKit or Google Health Connect requires separate device-level permission
• Right to Know: This privacy policy describes all health data we collect, how it is used, and who it is shared with (no one)
• Right to Delete: You may delete all your health data by deleting your account via Settings > Account > Delete Account
• Right to Withdraw Consent: You may withdraw consent at any time by deleting your account
• No Sale of Health Data: We do not sell, rent, or trade consumer health data

Other state privacy laws

If you reside in a state with a consumer privacy law (including but not limited to Connecticut, Colorado, Virginia, Oregon, Texas, Montana, Indiana, Iowa, Tennessee, Delaware, New Hampshire, New Jersey, Nebraska, Minnesota, and Maryland), you generally have rights of Access, Deletion, Correction, Data Portability, Opt-Out of Sale, Opt-Out of Targeted Advertising, and Opt-Out of Profiling. We do not sell personal data, share data for cross-context behavioral advertising, or engage in targeted advertising.

13. Changes to This Policy

We may update this privacy policy from time to time. When we make material changes, we will notify you by requiring re-acceptance of the updated policy within the app before you can continue using it. The "Last updated" date at the top of this page will be updated accordingly. We recommend reviewing this policy periodically.

14. Contact

If you have questions about this privacy policy, your data, or wish to exercise any of your privacy rights, please contact us at:

support@mydaybyday.app

We will respond to all privacy-related inquiries within 30 days.