Privacy Policy

Personal Information

• Name and email address when you create an account
• Profile information you choose to provide
• Payment information for subscription services (processed securely by third-party providers)

Usage Data

• How you interact with our AI features
• Email and calendar data you connect for AI processing
• Device information and browser details
• Log data including IP address, access times, and click paths

Primary Uses

• Provide and improve our AI-powered productivity services
• Process emails and calendar data to deliver intelligent insights
• Customize AI responses based on your preferences and patterns
• Send important service updates and notifications

Analytics and Improvement

• Analyze aggregate, non-Google product usage patterns to improve our service
• Conduct research and development for new features
• Ensure system security and prevent fraud

We do not use data from Google, Microsoft, or Zoom — including email, calendar events, meetings, recordings, or transcripts — to train, fine-tune, or develop generalized AI/ML models. See Section 3 for our scope-by-scope commitments.

Google (Limited Use)

DayHelm's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Google scopes we request:

• Gmail (gmail.readonly): read message metadata and snippets to display a prioritized inbox, extract tasks, and generate AI suggestions. We never send, modify, or delete mail.
• Calendar (calendar.readonly): read events and shared calendars to show a unified day view, detect conflicts, and identify open focus time.
• Calendar (calendar.events): create, update, and remove focus-time blocks and events that you explicitly schedule from within DayHelm.
• Calendar (calendar): list the calendars available in your account so you can pick which one DayHelm writes to. calendar.readonly does not expose this metadata.
• Google Meet (meetings.space.readonly): read conference records, transcript metadata, and transcript entry text for meetings you attend, used by the post-meeting AI to generate summaries and extract follow-up tasks. Transcripts are read directly from the Meet API; we do not access Google Drive.

Microsoft (Outlook, Calendar, Teams)

Microsoft Graph scopes we request via Microsoft Entra ID (formerly Azure AD):

• Mail.ReadWrite + Mail.Send: read Outlook message metadata and snippets, mark messages read, archive, save drafts, and send mail when you directly authorize a send action in DayHelm. We only act in response to your direct interactions in the app — we never send, modify, or delete mail automatically.
• Calendars.ReadWrite: read your Microsoft 365 calendar for the day view and write focus-time blocks and events you explicitly schedule from within DayHelm.
• Team.ReadBasic.All, Channel.ReadBasic.All, ChannelMessage.Read.All, Chat.Read: (Teams only, opt-in) read team and channel rosters and the messages you have access to so DayHelm can show a unified chat view and convert messages to tasks. We never post on your behalf.
• OnlineMeetings.Read, OnlineMeetingTranscript.Read.All: (Teams only, opt-in) read metadata and transcripts for Teams meetings you attend, used by the post-meeting AI to generate summaries and extract follow-up tasks.
• offline_access: issue refresh tokens so syncing continues without re-prompting you.

Zoom

Zoom scopes we request via Zoom OAuth 2.0 (all read-only, granular scopes):

• user:read:user — read your Zoom user profile (id, email, name) to identify the account that has connected.
• meeting:read:list_meetings, meeting:read:meeting — list your scheduled and past meetings and read the metadata (id, topic, start time, duration, join URL) of an individual meeting so DayHelm can show them in your calendar view and detect when a meeting has ended.
• cloud_recording:read:list_user_recordings, cloud_recording:read:recording — list your cloud recordings, read recording metadata, and download the VTT transcript text for meetings you attended, used by the post-meeting AI to generate summaries and extract follow-up tasks. We do not download or store the audio or video recording files themselves.

Zoom scopes are read-only. DayHelm does not create, modify, end, or delete Zoom meetings, recordings, or any other Zoom resources. You can revoke access at any time from your Zoom Marketplace account or from Settings → Integrations in DayHelm.

How we handle data from all of these providers

• Used only to provide user-facing productivity features you request
• Never sold, rented, or used for advertising
• Never used to train, fine-tune, or develop generalized AI/ML models
• Not transferred to third parties except as necessary to provide the features you request, for security, or to comply with applicable law (see Section 5)
• OAuth access and refresh tokens are encrypted at rest with AES-256-GCM before being written to our database
• Tokens are decrypted in memory only at the time of an outbound API request and are never logged or returned to the client
• You can disconnect any provider at any time from Settings → Integrations, which revokes our access and removes cached data for that provider

We implement industry-standard security measures to protect your data:

• AES-256-GCM application-layer encryption for OAuth tokens and sensitive PII fields (e.g. contact phone and address) at rest
• Storage-layer encryption-at-rest provided by our managed database, Redis, and object-storage providers
• TLS 1.2+ for all data in transit (TLS 1.3 negotiated when supported by the client)
• Passwords hashed with bcrypt (12 rounds) and screened against a curated list of known-breached passwords
• Per-request rate limiting and admin-surface IP allowlisting (fail-closed in production)
• Automated security scanning on every commit: Semgrep static analysis, Dependabot dependency updates, and gitleaks secret scanning, with results reviewed in GitHub Code Scanning
• Audit logging for security-relevant events (password changes, data exports, account deletions, admin actions) retained for two years
• Structured request logging with correlation IDs and Sentry error monitoring with PII scrubbing
• OAuth flows secured with PKCE (RFC 7636); webhook payloads verified via OIDC JWT (Google Pub/Sub) and timing-safe HMAC comparison (Microsoft Graph, Stripe, Zoom)

We do not sell, rent, or share your personal information with third parties except in these limited circumstances:

• With your explicit consent
• With service providers who assist in our operations (under strict data protection agreements)
• To comply with legal obligations or protect our rights
• In connection with a business transfer or acquisition

AI sub-processors

When you use AI features, we send the minimum necessary content to the following providers to generate your results:

• OpenAI — email subjects and snippets, calendar event titles and times, task content, and meeting transcript text are sent to the OpenAI API to generate suggestions, summaries, and extracted tasks. Data sent to the OpenAI API is retained for up to 30 days for abuse monitoring and is not used to train OpenAI models (per OpenAI's API data usage policies).

We do not send data received from Google, Microsoft, or Zoom to any third party for any purpose other than providing the AI features you request, and we do not use that data to train, fine-tune, or develop generalized AI/ML models.

You have the following rights regarding your personal data:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your data
• Portability: Export your data in a machine-readable format
• Restriction: Limit how we process your data
• Objection: Opt out of certain data processing activities

To exercise these rights, contact us at privacy@dayhelm.com

We retain your data only as long as necessary to provide our services and comply with legal obligations:

• Account data: Until you delete your account plus 30 days
• Usage data: Up to 24 months for analytics and improvement
• Legal records: As required by applicable law

Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for international transfers, including:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions where applicable
• Certified data protection frameworks

Our service is not intended for children under 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected such information, we will take steps to delete it immediately.

We may update this privacy policy from time to time. We will notify you of significant changes by email or through our service. Your continued use of the service after changes become effective constitutes acceptance of the updated policy.

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• We do not sell or share personal information for cross-context behavioural advertising, as those terms are defined in the CCPA/CPRA.
• You have rights to know, access, delete, correct, and limit use of your personal information.
• We will not discriminate against you for exercising these rights.

See our California Privacy Rights notice for full disclosures and instructions on exercising your rights.

If you have questions about this privacy policy or our data practices, please contact us: