Legal
Privacy Policy
Last updated: May 28, 2026 · Effective: May 28, 2026
About DayBrief
DayBrief ("DayBrief", "we", "us", or "our") is an SMS‑based daily briefing service operated from Ontario, Canada. We integrate with Google Calendar to generate personalised morning briefings and let users manage their calendar via text message. This Privacy Policy describes what we collect, how we use it, who we share it with, how long we keep it, and the rights you have over your information. By signing up for or using DayBrief, you agree to this Policy.
Information we collect
Information you provide
- Account information: name, mobile phone number, and account type (business, student, or personal).
- Personalisation details: depending on account type, optional details such as business name, website, location, university, degree, year of study, or city.
- Preferences: your preferred briefing time and timezone.
- SMS conversations: the content of messages you send to and receive from DayBrief, so the AI assistant can reference recent context across days.
Information we receive from Google
When you connect Google Calendar, we receive an OAuth access token and refresh token from Google, along with the calendar event data we explicitly request. See the dedicated Google user data section below for full details.
Information collected automatically
- Usage data: server logs of API requests (timestamps, route, response status) used to operate and debug the service.
- Analytics: we use Google Analytics to understand aggregate site traffic. Analytics data is not linked to your calendar or SMS data.
Information we do not collect
- Payment card details — these are handled directly by Stripe; we never see or store them.
- Email content, contacts, files, or any Google service other than Calendar.
- Location beyond the city or location text you optionally provide at signup.
Google user data
Summary: DayBrief reads and (only at your explicit SMS request) writes to your Google Calendar. We never use that data for advertising, never sell it, never share it with third parties for unrelated purposes, and never use it to train machine‑learning models.
Scopes we request
DayBrief requests the following Google OAuth scope during signup, and only this scope:
https://www.googleapis.com/auth/calendar
Full read and write access to your Google Calendars. Required because DayBrief reads upcoming events to build briefings and creates, updates, or deletes events on your behalf when you explicitly request a calendar change via SMS (for example: "add gym tomorrow 7am").
We do not request, receive, or store any other Google user data. We do not access Gmail, Drive, Contacts, Photos, Tasks, or any other Google product.
What we do with Google Calendar data
- Read upcoming events on your primary calendar to generate your daily morning briefing and pre‑meeting reminders.
- Read recent events (last 30 days) to provide the AI with conversational context about people and meetings you've referenced.
- Create, update, or delete events only when you explicitly request a change via SMS (e.g. "move my 3pm to tomorrow", "cancel dinner Friday", "add gym 7am tomorrow").
- Read your Google Calendar timezone setting so that briefings and reminders are delivered in your local time.
We do not read your free/busy availability outside the primary calendar. We do not read other users' calendars, even if they are shared with you. We do not modify events that you did not ask us to modify.
How long we store Google data
- OAuth tokens (access and refresh) are stored encrypted at rest in our database and used to make authorised requests on your behalf. Tokens are retained for as long as your account is active.
- Calendar event content is read on demand to build a briefing and is not stored in our database in raw form. Briefing summaries that the AI generates may reference event titles and times.
- If you revoke access via your Google Account or by deleting your DayBrief account, we delete the stored OAuth tokens within 30 days. Any briefing text that referenced calendar content remains as part of your SMS conversation history unless you request its deletion (see Your rights).
How we protect your Google user data
We treat Google user data — including OAuth access tokens, refresh tokens, and any calendar event content read at request time — as sensitive data, and apply the following specific protection mechanisms:
- Encryption at rest: OAuth access and refresh tokens are stored encrypted at rest in PostgreSQL on Supabase using AES‑256. Encryption keys are managed by Supabase's infrastructure and are not stored alongside the data they protect.
- Encryption in transit: All communication between you and DayBrief, between DayBrief and Google APIs, and between DayBrief and our service providers is encrypted using TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced on our public endpoints.
- Authentication and access control: OAuth 2.0 with Google's authorization_code flow and state-parameter CSRF protection is used for the calendar handshake. Access to production systems by our personnel requires single sign‑on with multi‑factor authentication (MFA) and is granted on a least‑privilege, role‑based basis (RBAC).
- Per‑user data isolation: PostgreSQL row‑level security (RLS) policies enforce that each user's records can only be accessed by that user's authenticated session or by service‑role code on that user's behalf. Customer keys never share storage rows.
- Token lifecycle: Access tokens are auto‑refreshed before expiry; refresh tokens are rotated automatically when Google returns a new one; revoked or invalidated tokens are deleted within 30 days of revocation or account deletion.
- Data minimisation: We request the minimum Google OAuth scope required for the user‑facing features of the product (a single calendar scope — no Gmail, Drive, Contacts, or other Google scopes). We read calendar content on demand and do not store raw event payloads in our database.
- Audit logging: All API calls to Google services and all server‑side accesses to user tokens are logged with timestamp, route, response status, and authenticated identity. Logs are retained for up to 30 days and reviewed for anomalies.
- Secure development: Dependencies are pinned, security advisories are reviewed weekly, and code changes affecting authentication, authorization, or Google data handling are reviewed before merge. Secrets are stored in our hosting provider's encrypted environment store and are never committed to source control.
- Incident response: If we become aware of unauthorised access to or disclosure of your Google user data, we will (a) take immediate steps to contain the incident, (b) notify affected users by SMS or email within 72 hours of confirming the incident, and (c) notify the relevant supervisory authorities where required by applicable law.
- Sub‑processor diligence: Each third party listed in Sharing and disclosure is contractually bound to maintain comparable security controls. We review sub‑processor security posture annually.
Limited Use — compliance with Google API Services User Data Policy
In plain English, this means:
- We use Google user data only to provide and improve the user‑facing features of DayBrief (your briefings and calendar control over SMS) that are prominent in the app's user interface.
- We do not use Google user data to serve advertisements, including retargeting, personalised, or interest‑based advertising.
- We do not sell Google user data to data brokers, information resellers, or anyone else.
- We do not transfer Google user data to third parties except as necessary to provide or improve user‑facing features of the app, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
- We do not use Google user data to develop, improve, or train generalised or non‑personalised AI and/or machine‑learning models. Calendar content sent to Anthropic's Claude API is used solely to generate the response to your specific request and is not retained or used by Anthropic for model training (per Anthropic's commercial terms).
- We do not allow humans to read Google user data unless (a) we have your specific consent, (b) it is necessary for security purposes such as investigating abuse, (c) it is required to comply with applicable law, or (d) the data is aggregated and de‑identified.
How to revoke DayBrief's access to your Google account
You can revoke DayBrief's access to your Google Calendar at any time. Two ways:
- Visit myaccount.google.com/permissions, find DayBrief, and choose "Remove access". This immediately revokes the tokens we hold.
- Email info@daybrief.ca or text "delete my account" to your DayBrief number. We will revoke and delete your tokens, and delete your account data within 30 days.
Revoking access does not automatically cancel a paid subscription — please cancel from your dashboard or text "cancel" to your DayBrief number as well.
How we use your information
- To generate and deliver your daily morning briefing over SMS.
- To send pre‑meeting reminders 15 minutes before relevant calendar events.
- To respond to your SMS messages, including reading your calendar to answer questions and making calendar changes you explicitly request.
- To deliver operational notifications (for example, payment failures, trial expiring, calendar reconnection needed).
- To improve the service, debug issues, prevent abuse, and enforce our Terms of Service.
- To comply with applicable laws and respond to lawful legal process.
Sharing and disclosure
We do not sell your personal information. We share data only with the service providers strictly necessary to operate DayBrief, each of which is contractually bound to handle data in accordance with this Policy and applicable law:
- Anthropic (Claude API) — to generate the natural‑language content of your briefings and AI replies. No data is retained by Anthropic for training.
- Twilio — to send and receive SMS messages.
- Supabase — our PostgreSQL database and authentication provider. Hosts your account and OAuth tokens, encrypted at rest.
- Render — application hosting.
- Stripe — payment processing for subscriptions. Stripe receives only what is needed to bill you.
- Google — when you connect Google Calendar, you authorise us to make API requests to Google on your behalf. We do not share other DayBrief data back to Google beyond what is required by their APIs.
- Google Analytics — aggregated, anonymised website traffic only. Not linked to your calendar or SMS data.
We may also disclose information if required by law, regulation, valid legal process, or to protect the rights, safety, or property of DayBrief, our users, or others.
Data retention
- Active accounts: we retain account data for as long as your account is active.
- Cancelled accounts: we keep account data for 90 days after cancellation in case you reactivate, then permanently delete it (except where retention is required by law, e.g. tax records).
- Google OAuth tokens: deleted within 30 days of account deletion or revocation via Google permissions.
- SMS history: retained while your account is active; you can request deletion at any time.
- Server logs: retained for up to 30 days for operational and security purposes.
Your rights
You have the right to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete information — many fields are editable directly from your dashboard.
- Delete your account and associated data.
- Export a copy of your data in a portable format.
- Object to or restrict certain processing.
- Withdraw consent at any time by revoking Google access (see above) or deleting your account.
- Lodge a complaint with your local data protection authority (e.g. the Office of the Privacy Commissioner of Canada, or your EU/UK supervisory authority).
To exercise any of these rights, email info@daybrief.ca. We respond within 30 days.
Security — how we protect sensitive data
We treat the following categories as sensitive data and apply specific, named protection mechanisms to each: Google OAuth access and refresh tokens, calendar event content, SMS conversation history, authentication credentials, account identifiers, and payment‑adjacent metadata. The mechanisms below apply across all sensitive data unless noted otherwise.
Encryption
- In transit: All communication between you and DayBrief, between DayBrief and Google APIs, and between DayBrief and our sub‑processors is encrypted using TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced on public endpoints.
- At rest: All sensitive data — including Google OAuth tokens, calendar‑derived content, SMS history, and authentication records — is stored encrypted at rest using AES‑256 in Supabase (PostgreSQL). Encryption keys are managed by Supabase's infrastructure and are rotated according to their schedule; keys are not stored alongside the data they protect.
- Backups: Database backups are encrypted with AES‑256 and retained for disaster‑recovery purposes by our hosting provider.
Authentication and access control
- End‑user authentication: users authenticate via SMS one‑time‑password (OTP) issued through Supabase Auth. We never see or store user passwords. Session tokens are JWTs signed by Supabase and validated server‑side on every protected request.
- Personnel access: access to production systems and customer data by DayBrief personnel is restricted by role‑based access control (RBAC), requires multi‑factor authentication (MFA), and is granted on a least‑privilege basis. Production access is reviewed quarterly and revoked promptly when no longer required.
- Per‑user data isolation: PostgreSQL row‑level security (RLS) policies ensure each authenticated user can only read or modify their own records. Cross‑user access is impossible through the user‑facing API.
- CSRF protection: OAuth flows use HMAC‑signed state parameters that we verify on callback; short‑lived signed tokens guard endpoints that need to be reachable before a session is established.
Data minimisation and retention
- We request the minimum Google OAuth scope required for user‑facing functionality (a single calendar scope) and no others.
- Raw Google Calendar event payloads are not stored in our database — they are read on demand to generate a briefing and then discarded.
- OAuth tokens for revoked or deleted accounts are deleted within 30 days.
- Server logs are retained for a maximum of 30 days.
- Cancelled accounts and their associated data are deleted within 90 days (see Data retention).
Monitoring, auditing, and incident response
- Audit logging: all API requests, all server‑side accesses to OAuth tokens, and all writes to user records are logged with timestamp, request route, response status, and authenticated identity.
- Anomaly review: logs are reviewed for unusual access patterns and rate‑limit violations.
- Vulnerability management: we monitor our dependency tree for known vulnerabilities continuously through GitHub's automated security advisories and apply patches according to severity (critical within 72 hours).
- Incident response and breach notification: if we become aware of unauthorised access to or disclosure of sensitive data, we will (a) immediately contain the incident, (b) notify affected users by SMS or email within 72 hours of confirming the incident, and (c) notify relevant supervisory authorities where required by applicable law (including GDPR Article 33 where applicable).
Secure development
- Code changes affecting authentication, authorization, or sensitive data handling are reviewed before merge.
- Production secrets (API keys, encryption keys, OAuth client secrets) are stored in our hosting provider's encrypted environment store and are never committed to source control.
- Dependencies are pinned to known versions and updated regularly.
- Service‑role database credentials never leave the server. Only public anonymous keys are exposed to the browser, and those keys are scoped by RLS policies.
Sub‑processor security
Each sub‑processor listed under Sharing and disclosure is contractually required to maintain comparable security controls. Our principal sub‑processors maintain widely recognised security attestations:
- Supabase (database, authentication) — SOC 2 Type 2.
- Anthropic (Claude API) — SOC 2 Type 2; contractually does not retain data for training.
- Twilio (SMS) — SOC 2 Type 2, ISO 27001.
- Stripe (payments) — PCI‑DSS Level 1 Service Provider.
- Render (hosting) — SOC 2 Type 2.
- Google (Calendar API) — operates under Google's own security and compliance programs.
No method of transmission or storage is 100% secure, and no security program can guarantee absolute prevention of unauthorised access. We commit to applying the mechanisms above continuously, reviewing them at least annually, and improving them as the threat landscape changes. If you have specific questions about our security posture, contact us at info@daybrief.ca.
Children's privacy
DayBrief is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child has provided us with information, please contact us and we will delete it.
Changes to this Policy
If we make material changes to this Privacy Policy, we will notify you by SMS, by email, or by prominent notice on this page at least 14 days before the changes take effect. Non‑material changes (clarifications, typos) may be made without notice. The "Last updated" date at the top of this page always reflects the most recent version.
If you have questions about this Privacy Policy or how we handle your data, contact us:
- Email: info@daybrief.ca
- For Google data questions specifically, please include "Google data" in the subject line so we can route it quickly.
DayBrief is operated from Ontario, Canada. This Policy is governed by the laws of Ontario. For users in the EU/UK, we comply with GDPR requirements; for users in California, we comply with CCPA/CPRA requirements. For specific regional rights, contact us at the email above.