Dailybite

    Privacy Policy

    Dailybite Privacy Policy

    Effective Date: November 19, 2025

    Dailybite (“we”, “our”, or “us”) is committed to protecting your privacy. This Privacy Policy explains what personal information we collect when you use the Dailybite mobile and web application (“the App”), how we use and share that information, and your rights regarding your data. By signing up for or using Dailybite, you agree to this Privacy Policy and our Terms of Use. If you do not agree, please do not use the App.

    1. Information We Collect

    We only collect the minimum personal data necessary to provide and improve the Dailybite service. This includes:

    Account Information: When you create an account, we collect your email address. If you register via Google OAuth, we receive your email (and possibly basic profile information like your name) from Google. If you choose email/password signup, your password is handled securely by our authentication provider (Supabase) and stored in hashed form – we never see or store your plain password github.com .

    Onboarding & Planning Data: We collect the answers and information you provide in response to onboarding questions and daily planning prompts. This user-generated content may include your goals, preferences, schedule, or other personal inputs you provide to personalize your experience.

    Usage Data: We automatically collect data about how you use the App for analytics and improvement purposes. This may include:

    Technical Data: Device type, operating system, browser type, IP address, and general location (e.g. country or region). We may use IP data to infer location for analytics (we take steps to anonymize or truncate this data when possible).

    App Interaction Data: Features you use, pages or screens viewed, buttons clicked, session duration, and other usage metrics. This helps us understand which features are most popular or if users encounter problems.

    Cookies & Similar Technologies: For the web app, we use cookies or similar technologies to remember your login session and track usage. For example, a cookie may be used to keep you logged in and another to gather analytics data (see Cookies & Tracking below for details).

    We do not knowingly collect any sensitive personal information beyond what is described above. In particular, we do not collect financial information or government ID numbers, and the App is not intended to collect health or special categories of personal data (any health or preference information you provide in planning answers is used only as described here).

    1. How We Use Your Information

    Dailybite uses the collected information for the following purposes:

    Providing and Improving the Service: We use your information to operate the App and provide features to you. For example, your email is used to create and manage your account (authentication and login), and your onboarding/planning answers are used to generate personalized daily plans or recommendations via our AI functionality. The App’s core feature is AI-generated personalization, so we process your inputs with AI tools to deliver tailored content to you.

    Authentication and Account Management: We use your email (and password via Supabase auth) to authenticate you and allow you to log in securely. Google OAuth users are verified through Google, which shares your email with us to identify your account. We may use your email to communicate with you about account-related issues (e.g. password reset, important service updates or notifications).

    Personalization: Your answers to onboarding and planning questions are used to personalize your experience. This includes feeding your responses to our AI systems (OpenAI or Google AI) to create customized plans, suggestions, or other AI-generated outputs tailored to you. This processing is only done to serve you — the AI does not use your data for any purpose other than generating the responses you see, as described in the AI Personalization section below.

    Analytics and Product Improvement: We analyze usage data (feature usage, click paths, session length, etc.) to understand how our users interact with Dailybite. This helps us identify trends, fix bugs, improve the user interface, and develop new features. For example, we might look at how many users complete the onboarding or which features are used most often, so we can enhance those areas. Analytics also help monitor the App’s performance and stability.

    Security and Fraud Prevention: Usage data may be used to protect the security of the service and our users. For instance, we might log account login attempts or unusual activity to detect and prevent malicious behavior. We also use data to enforce our Terms of Use and to prevent abuse of the App (such as detecting spam or unauthorized use).

    Legal Compliance: In rare cases, we may need to use or disclose your information to comply with applicable laws, regulations, legal processes, or enforceable governmental requests. For example, we may preserve or share data if required by law enforcement, or to exercise or defend our legal rights.

    We do not use your personal data for any purpose unrelated to the above. In particular, we do not sell your personal information to third parties, and we do not use your data for advertising targeting. Any use of your data is solely to provide you with the Dailybite service and improve it in accordance with this policy.

    1. Cookies and Tracking Technologies

    We use cookies and similar tracking technologies on the Dailybite web app to ensure the App functions properly and to gather analytics:

    Authentication Cookies: When you sign in on the web, we use a secure cookie or token to keep you logged in during your session. This eliminates the need to log in repeatedly as you navigate through pages. These cookies contain no plaintext passwords or sensitive personal data.

    Preference Cookies: The App may use local storage or cookies to remember your preferences (for example, whether you have completed the tutorial or certain settings) so that your experience is seamless.

    Analytics Cookies: We use analytics tools (like PostHog) that may set cookies or use similar technology to collect usage data. These cookies help us recognize if you have visited before and track aggregate usage patterns (e.g. how often certain pages are visited). The information collected via analytics cookies includes technical and usage data as described above, but is generally aggregated and does not directly identify you by name. We use this data solely to improve our product’s functionality and performance.

    Your Choices: By using the App, you consent to the use of cookies as described. You can control or delete cookies through your browser settings. Most browsers allow you to refuse new cookies or delete existing ones. However, please note that blocking or deleting certain cookies (especially the authentication cookie) may impact your ability to use important features of Dailybite. For example, if cookies are disabled, you might not stay logged in, or analytics features may be limited. On the mobile app, equivalent tracking technologies (such as platform-specific storage identifiers) are used instead of browser cookies.

    Dailybite does not respond to “Do Not Track” signals at this time, because there is no uniform standard for that signal. We do, however, limit our use of tracking to what is described here and do not allow third-party advertising trackers.

    1. How We Share Your Information

    We share your data only with trusted third parties and service providers as needed to operate the Dailybite service, or as required by law. We do not sell or rent your personal data. The categories of recipients of your information are:

    Supabase (Hosting & Database): Dailybite is built on Supabase (a backend platform) which provides our database, authentication, and server infrastructure, hosted on AWS Canada (Central region). All your account data and content (email, profile info, and planning answers) are stored in our Supabase database. Supabase acts as our data processor – it secures the data at rest and in transit supabase.com . In practice, this means your data is stored on encrypted servers (AES-256 encryption at rest) and transferred over secure connections (TLS encryption) supabase.com . Supabase also handles user authentication (including managing password hashes and OAuth tokens). We have configured Supabase with access rules to ensure your data is only accessible to you and as needed for the service. Supabase is SOC 2 Type 2 and HIPAA compliant, and meets high security standards which we rely on to protect your data.

    Artificial Intelligence Providers (OpenAI and Google AI): Dailybite’s AI-powered personalization features are facilitated by third-party AI services. When you input answers or questions for AI-generated plans or assistance, the relevant data (your prompts and necessary context) is sent to either OpenAI or Google’s AI API to generate a response. What does this mean for your data? The AI service will temporarily receive and process the content of your query to return an answer. We do not provide your personal identifiers (like your email) to the AI API, only the content necessary for the AI to perform its task. Both OpenAI and Google have policies to protect privacy: for example, OpenAI does not use data submitted via its API to train its general models by default techcrunch.com , and it retains API request data only for a short period for abuse monitoring (approximately 30 days) techcrunch.com . Google’s AI services similarly do not use customer-provided content to improve their models without permission, keeping such data confidential to the processing task. The outputs from the AI (the plans/suggestions) are returned to Dailybite and shown to you. We may store the AI output along with your inputs in your account so you can revisit your plans. Rest assured, your data sent to these AI providers is used only to provide you the service functionality and not for any provider’s own purposes like marketing.

    LangSmith (LangChain Observability): We use a tool called LangSmith (by LangChain) for tracing and debugging our AI features. Note that this is the main way we improve our ai systems and switching your account to "Private Mode" disables this tracing. LangSmith helps us monitor the sequences of AI calls and their results in order to improve prompt quality and reliability. In doing so, it may log certain details of your interactions with our AI (e.g. the prompts or questions you asked, and the AI’s responses) in a secure dashboard for our development team. These traces are used strictly for monitoring and improving the service’s performance and are accessible only to our team. LangSmith, as part of the LangChain platform, adheres to high standards of security and privacy compliance (including HIPAA, SOC 2 Type 2, and GDPR) docs.langchain.com . We do not use LangSmith to store any information beyond what is necessary for debugging. If sensitive data is involved in an AI prompt, LangSmith provides options to avoid logging it docs.langchain.com , and we take care to use those features to protect your privacy.

    Analytics – PostHog: We use PostHog, an open-source analytics and session tracking platform, to collect product analytics data. PostHog helps us understand user behavior (as described in Usage Data above) by capturing events like button clicks, page views, and other interactions. This information allows us to improve the UI/UX and fix issues. PostHog is a privacy-conscious analytics tool that can be self-hosted and is designed with compliance in mind improvado.io . In our setup, usage data collected via PostHog may include device and technical info, but we do not attach your name or email to these analytics events in our analysis – they are analyzed in aggregate. We have configured PostHog to respect privacy: IP addresses can be anonymized or truncated, and we honor any applicable consent requirements. Analytics data is accessible only to our team and authorized service providers. If you prefer not to be tracked by PostHog, you may disable cookies as noted above, though doing so may limit our ability to improve the product experience.

    Google (OAuth Authentication): If you choose to log in with Google, we redirect you to Google’s OAuth service. Through that process, Google may collect information from you (as per Google’s privacy policy) to verify your identity. Google then shares with us a unique user ID and your email address (and potentially your display name or profile photo URL). We use this information solely to create or log in to your Dailybite account. We do not receive your Google password or any other Google account data beyond basic profile info. Your use of Google’s OAuth is subject to Google’s own privacy policy. We recommend reviewing Google’s privacy policy if you have concerns. Once we have your email from Google, it is treated as Account Information under this Privacy Policy.

    Service Providers: In addition to the above, we may use other third-party service providers for specific functionality, such as email delivery (for sending verification emails or support responses), cloud hosting (our servers are on AWS via Supabase), or error tracking services. We only share the necessary information with such providers for them to perform their work on our behalf. All our service providers are contractually obligated to protect your information and use it only for the purposes we specify. For example, if we use an email service to send a password reset link, that service gets your email address but cannot use it for anything else.

    Legal and Safety Disclosures: We may disclose personal information outside of Dailybite if we have a good-faith belief that such disclosure is necessary to (a) comply with any applicable law, regulation, legal process, or governmental request; (b) enforce our Terms of Use or investigate potential violations; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of Dailybite, our users, or the public as required or permitted by law. We will only do so to the extent that is legally required or necessary for the above purposes.

    Business Transfers: If Dailybite is involved in a merger, acquisition, investment, reorganization, or sale of some or all of its assets, your personal information may be transferred as part of that transaction. We would ensure the acquiring party continues to honor your privacy rights in line with this policy. We would notify you (for example, via email or a notice on our site) of any such change in ownership or control of your personal information, as well as any choices you may have regarding your data.

    We emphasize that outside of the scenarios above, we do not share your personal data with third parties. There is no advertising network or social media company receiving your data from us. Your trust is important, and we only share data with parties that are essential to running Dailybite or as mandated by law.

    1. Data Retention

    We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Here is how our data retention practices work:

    Account Data: If you have an active Dailybite account, we will keep your personal data (email, profile info, and any content you have provided) so that we can provide the service to you. This data is retained until you delete your account or until it is no longer needed to provide services to you. If you delete your account (or request deletion), we will initiate the deletion of your personal data from our systems. Deletion will include removal of your profile information and any content or planning data associated with your account in the Supabase database. We will also disable your credentials so that you can no longer log in.

    Onboarding/Planning Responses: The answers and data you provide are stored as part of your account. If you continue to use the App, we retain this data to generate ongoing personalized plans and for you to review past plans. If you delete your account, these user-provided data entries will be deleted from our primary database as part of the account deletion process.

    AI Interaction Logs: Any logs of your AI interactions captured (e.g. via LangSmith) for debugging are generally kept only as long as necessary to improve or ensure the functionality. We periodically review and purge older AI trace logs. If such logs contain personal data and are no longer needed, we delete or anonymize them. We aim to avoid long-term retention of detailed user prompts or outputs unless required for ongoing service improvement. Typically, AI traces are used in real-time or near-term analysis and not archived indefinitely.

    Analytics Data: Analytics information collected via PostHog is stored in our analytics system. We may retain aggregated usage data for a longer period to identify long-term trends and performance metrics, but this data is not tied to individual identities. Raw analytics logs that could be linked to user IDs are either deleted or anonymized after a period of time (for example, we might automatically delete or aggregate event data after 12 months). We follow PostHog’s default data retention guidelines or configure it to an appropriate retention period to minimize storing of identifiable analytics. If we ever switch analytics providers or self-host, we will ensure similar or stricter retention practices.

    Backups: Our database (via Supabase/AWS) likely creates backups for reliability. These backups might incidentally contain your data for a certain retention period. Even after you delete your account, it’s possible that your data could remain in encrypted backups for a short time until those backups are rotated out or pruned. We apply industry-standard practices to backup retention. Typically, backups may be kept for a limited number of days (e.g., 7-30 days) before being automatically deleted. Any restoration from backups would also include re-deleting removed accounts as needed.

    Legal Requirements: In certain cases, we may need to retain information for longer if required by law. For instance, if a legal dispute arises or we receive a legal hold or request, we will retain the necessary data until the issue is resolved. We may also retain information to enforce our agreements or to comply with other laws (such as financial/tax record-keeping or to show consent records), but in such cases, we will limit the data to what is necessary for the specific purpose.

    Once the retention period expires or the purpose is fulfilled, we will securely delete or anonymize your personal information. When we delete data, we use commercially reasonable measures to ensure the data is irrecoverable.

    If you have any questions about our data retention practices (for example, if you want to know if we have specific data about you and how long we keep it), feel free to contact us at support@dailybite.ca.

    1. Your Rights and Choices

    We believe you should have control over your personal information. Subject to applicable laws (such as Canadian privacy law and, if applicable, EU GDPR for some users), you have the following rights and choices regarding your data:

    Access Your Information: You have the right to request a copy of the personal data we hold about you. This includes your profile information and any data you’ve provided (like your planning answers). Most of this information is accessible to you directly in the App (for example, you can see your profile email, and possibly any saved plans). If you require a full export, you can contact us at our support email and we will assist you.

    Correction (Rectification): If any of your information is incorrect or has changed (for example, you want to update your email address), you have the right to correct it. You can update certain info in-app (if we offer profile editing) or by contacting support. We may need to verify your identity before making changes for security reasons.

    Deletion (Right to Erasure): You have the right to delete your account and personal data. Dailybite provides a way to delete your profile at any time. This might be in the account settings or by contacting support. Once you initiate deletion, we will remove your personal data from our active systems within a reasonable time frame. As noted in Data Retention, some residual data (in backups or logs) may persist briefly, but will be removed according to our retention schedule. After deletion, you will no longer be able to log in or recover that data. Important: Deletion is permanent, and we may not be able to recover your data once deleted, so ensure you’ve saved any information you need before deleting your account.

    Withdrawal of Consent: In cases where we rely on your consent to process data (for example, if you consented to a newsletter or certain optional data collection), you have the right to withdraw that consent at any time. For the core App usage, you give consent to this privacy policy when signing up, and you can withdraw consent by discontinuing use of the App and requesting deletion of your data. If you withdraw consent for a specific feature (like analytics tracking), we will stop processing your data for that purpose. For example, you might disable analytics cookies as described earlier, which is a form of withdrawing consent for analytics tracking.

    Portability: To the extent applicable, you may have the right to data portability – i.e., to obtain your personal data in a common format so you can transfer it to another service. If you need such assistance, contact us and we will do our best to provide your data in a structured, commonly used format (likely a JSON or CSV export of your profile and content).

    Objection to Processing: If you believe we are processing your data in a way that you do not agree with, you have the right to object. In practice, Dailybite only processes data as needed to provide the service you signed up for (as described in this policy). If you have objections, you can contact us to discuss or limit certain processing. For example, if you are not comfortable with your usage data being used for analytics, we can try to accommodate by, say, excluding your data from analytics reports (possibly by an opt-out mechanism or manual filtering).

    Marketing Communications: Currently, Dailybite does not send marketing or promotional emails. If we ever start, we will only do so if you opt-in. You would have the right to unsubscribe at any time. Account-related communications (like password reset emails or important notices) are not marketing – those you will receive as part of service, but if you delete your account you will stop receiving them.

    Preferences and Settings: The App or website might provide settings for certain privacy choices. For example, you might toggle certain features on/off, or choose what information to provide in your profile. We encourage you to review the available settings to customize your experience and data sharing (for instance, some apps allow opting out of certain analytics or customizing notification preferences).

    To exercise any of these rights, please contact us at support@dailybite.ca. We will respond to your request as soon as possible, and in any case within the timeframe required by law (for example, under GDPR, typically within 30 days). We may need to verify your identity before fulfilling certain requests (to ensure we don’t disclose or delete data at the request of someone impersonating you).

    If you are in Canada, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA). If you are in the European Union, you have rights under the GDPR. We aim to respect individuals’ rights under all applicable privacy laws. If you believe your rights have been violated, you also have the right to lodge a complaint with a supervisory authority (such as the Privacy Commissioner of Canada, or an EU Data Protection Authority, depending on your jurisdiction). We would, however, appreciate the chance to address your concerns directly first – so please reach out to us with any questions or issues.

    1. Security Measures

    We take the security of your personal information very seriously. Dailybite implements a range of technical and organizational measures to protect your data from unauthorized access, alteration, disclosure, or destruction. However, no method of transmission or storage is 100% secure, so we cannot guarantee absolute security. Here are some of the key security practices we follow:

    Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS (HTTPS). This means that when you use the App or website, your information (including login credentials and any answers you submit) is encrypted while it travels over the internet, protecting it from eavesdroppers.

    Encryption at Rest: Our database, hosted via Supabase on AWS, encrypts your data at rest using strong encryption standards (AES-256) supabase.com . This ensures that if the storage media were ever accessed without authorization, the data would be unreadable. In addition, Supabase encrypts sensitive fields at the application level as needed. For example, things like authentication tokens or keys are further encrypted before storage supabase.com .

    Password Protection: As noted, if you use email/password to sign up, your password is never stored in plaintext. Supabase’s authentication uses secure password hashing (bcrypt) to store an irreversible hash of your password github.com . This means even our team cannot see your actual password. Always create a strong, unique password for Dailybite and do not share it. If you use Google OAuth, we rely on Google to authenticate you, so no password is stored with us for those accounts.

    Access Controls: We limit access to personal data to only those team members and service providers who need it to operate or support the service. Our development team may access data if necessary for troubleshooting, but this is done under strict controls. Supabase’s row-level security and permission system is used to ensure that each user can only access their own data from the database. Administrative access to the database or servers is restricted to authorized personnel with multi-factor authentication.

    Security Testing and Best Practices: We keep our software libraries and platforms up to date with the latest security patches. We follow best practices in secure coding to prevent common vulnerabilities. The use of LangSmith and other monitoring helps us catch anomalies in how the AI features operate, which can indirectly help spot any irregular behavior that might indicate a security issue. Our use of PostHog is configured in a privacy-conscious manner, and we ensure it does not expose personal data unnecessarily.

    Third-Party Security: We choose reputable third-party providers that have strong security track records. As mentioned, Supabase is SOC 2 certified and HIPAA compliant, meaning they undergo regular audits of security controls supabase.com supabase.com . LangSmith also meets high standards like SOC 2 and GDPR compliance docs.langchain.com . OpenAI and Google are large organizations that employ industry-standard security measures to protect data (for instance, OpenAI uses encryption and restricted access for API data milvus.io ). PostHog being open-source allows scrutiny of its code, and when used in cloud form, it also provides compliance options. We review our third-party services’ security documentation to ensure they meet our requirements. For example, Amazon AWS (which hosts our data via Supabase) has robust physical and network security and is compliant with numerous standards.

    Monitoring and Logging: We monitor our systems for suspicious activity. Unusual login patterns or errors might be logged and reviewed. We also maintain logs of important actions on our systems, which helps in auditing and diagnosing any incidents if they occur. Our team is alerted to critical issues, and we have the ability to investigate to determine if any data breach has occurred.

    Data Breach Procedures: In the unlikely event of a data breach or security incident, we have a response plan. This includes identifying and fixing the issue, and notifying affected users and authorities as required by law. If a breach were to involve your personal information, we would inform you in accordance with legal requirements, and provide guidance on steps to protect yourself.

    User Responsibilities: Security is also a partnership with our users. It’s important that you keep your login credentials confidential. If you suspect someone has gained access to your account, please change your password immediately and contact us. Also, ensure that when you use the App on a shared device, you log out after use to prevent others from accessing your account.

    While we strive to use commercially acceptable means to protect your personal data, no system is infallible. You can help by using strong passwords and keeping your devices secure. If you have any questions about security on Dailybite, or if you encounter any security vulnerabilities or incidents, notify us at support@dailybite.ca and we will address it promptly.

    1. AI Personalization and Data Usage

    One of Dailybite’s key features is AI-driven personalization. This section explains how our use of artificial intelligence interacts with your data, and what it means for your privacy:

    How AI is Used in Dailybite: Dailybite utilizes AI algorithms (through third-party AI services like OpenAI GPT or Google’s AI models) to generate personalized plans, recommendations, or insights for you. For example, after you answer onboarding questions or input your goals, the App may send those inputs to an AI model, which then returns a tailored plan or suggestion (a “daily bite” of advice or a schedule, etc.). The AI essentially acts like an assistant or coach, using your provided information to create a customized output.

    Data Sent to AI Providers: When you engage with an AI feature (say, asking for a personalized plan), the necessary data is sent securely to the AI provider’s API. This typically includes the text of your question or the relevant profile info and preferences needed for context. We try to limit this to only what’s required for the AI to generate a useful result. Your personal identifiers (like your full name or email) are not included in these AI requests, unless that information is part of the content you explicitly provide in a prompt. In other words, if you just ask “Plan my week with 3 gym days,” we will send that prompt (and perhaps some relevant settings like your stated goal) to the AI, but not your email or unrelated data. The data exchange with AI providers is encrypted in transit, and the response is received and passed back to the app.

    AI Providers’ Data Policies: We only integrate with AI services that have robust privacy and security commitments. For instance, OpenAI’s API terms state that they will not use API-provided data to train their models or improve their services without your opt-in consent techcrunch.com . This means the content of your requests to OpenAI are not added to OpenAI’s general training database. OpenAI retains API request data for 30 days primarily to monitor for abuse/misuse, after which it is deleted techcrunch.com . Google’s AI (such as those on Google Cloud) similarly promises not to use customer data from API calls to train Google's underlying models or services, and they have strict privacy and security controls in place (Google often cites that they never use customer data to train their models in their enterprise AI services). We will update our practices if any provider’s policies change, and we will seek to give you choice if an AI provider were to want to use your data for any broader purpose.

    Internal Use of AI Outputs and Logs: The results generated by the AI for you (e.g. your plan or advice) may be saved in your account so you can refer to it later. It is treated as your data. Also, as mentioned, we may log AI interactions using LangSmith for debugging and improvement. These logs might include your prompt and the AI’s answer. Access to these logs is restricted to our team for the purposes of improving the AI’s performance (for example, to see if the AI is giving relevant advice or if it made a mistake that we need to correct by adjusting prompts). We do not use these AI logs to profile you or make any decisions about you beyond providing the service. If any AI log contains sensitive or personal information, we handle it with care and can erase it from our logs upon request.

    Limitations and Transparency: It’s important to note that AI-generated outputs are based on patterns and information the model has learned and the inputs provided; sometimes the output may be incorrect or not tailored exactly as intended. However, this is more about service quality than privacy. From a privacy perspective, we want you to know that your interactions with the AI are still your private information. We do not publish or share your individual prompts or AI-generated plans with any other users. The AI does not “remember” your personal data beyond the context of your current session (unless we explicitly provide it context from your profile each time, which we only do as needed for functionality). Each AI request is independent, and any memory of past conversations in a session is either handled within the app or via a temporary conversation ID that’s not used for anything outside that session.

    Human Oversight: No humans at Dailybite (nor at OpenAI/Google) are individually reading through your AI conversations as a matter of course. The process is automated. In rare cases, if you request support or if an issue arises, authorized team members might review the content to troubleshoot or improve service, but this will be done with utmost respect for your privacy. For example, if you report “the AI gave a strange answer about my diet plan,” we might look at what the AI was asked and what it responded, to diagnose the issue. All team members are bound by confidentiality obligations.

    Your Choices in AI Features: Using the AI features in Dailybite is optional but it is a core part of the app’s purpose. By providing information for AI personalization, you consent to that information being processed by the AI provider as described. If you are uncomfortable with this, you could choose not to use certain AI-driven features. You can also contact us to inquire if any of your data was stored in AI logs and request deletion if applicable. We are exploring ways to allow an “opt-out” of having your AI interactions logged for development (which might mean we won’t be able to improve the AI as quickly for you, but we respect your choice). For now, if you prefer that none of your AI interactions are retained beyond providing you the answer, please let us know and we will attempt to filter or delete logs related to your account.

    In summary, AI personalization in Dailybite is designed to use your data to benefit you with customized content, without exposing your data unnecessarily or repurposing it beyond your intent. We will continue to refine our AI usage with privacy in mind and be transparent about any changes.

    1. Children’s Privacy

    Dailybite is not intended for children under the age of 13. We do not knowingly collect or solicit personal information from anyone under 13 years old. Our App, content, and services are designed for general audiences and are not targeted to children. If you are under 13, please do not attempt to register for an account or send any personal information about yourself to us.

    Parents or guardians: If you become aware that a child under 13 has provided us with personal information, please contact us immediately at support@dailybite.ca. If we learn that we have inadvertently collected personal data from a child under 13, we will take prompt steps to delete that information from our records. This may include deleting the child’s account and any associated data.

    For users between 13 and the age of majority in your jurisdiction, we advise that you use our App with parental permission and supervision, especially when providing personal information or using any interactive features. If you are a minor, you should review this Privacy Policy with your parent or guardian to make sure you both understand it.

    We also do not specifically market or direct the App to anyone under 13. Dailybite’s content (such as AI-generated planning advice) is geared toward a general audience and not specifically to children. We comply with the Children’s Online Privacy Protection Act (COPPA) in the United States and similar laws which impose requirements for websites/applications collecting data from children. As such, we do not intentionally collect data from or create profiles of users known to be under 13.

    If you are a parent or guardian and have any concerns regarding your child’s use of Dailybite or our handling of their personal data, please contact us. We will be happy to address your questions and, if needed, remove the child’s information from our systems.

    1. International Users and Data Transfers

    Dailybite is operated from Canada, and our primary data storage is in Canada (through AWS Canada Central). However, the nature of the internet and the services we use means your data may be transferred to or processed in other countries:

    Data Location: As mentioned, we use Supabase on AWS Canada, so your data is intended to reside in Canada. This is beneficial for Canadian users as the data stays under Canadian jurisdiction (which follows PIPEDA). Users from other countries should be aware that your data will be stored in Canada. Canada is considered to have strong data protection laws and is recognized by the EU as providing an adequate level of data protection in line with GDPR standards.

    Third-Party Locations: Some of our third-party processors operate in the United States or other countries. For example, OpenAI and LangSmith are U.S.-based services; if you use the AI features, your data (prompts) may be processed on servers in the U.S. Similarly, if we use PostHog’s cloud service, those servers might also be in the U.S. Google OAuth and Google AI services are global and often involve U.S. processing. While in those jurisdictions, your data may be subject to local laws (e.g., U.S. laws may allow government access under certain conditions). We ensure that any transfers of personal data are done in compliance with applicable data protection laws. For instance, for European Economic Area (EEA) users, if any data is transferred outside of the EEA (like to Canada or the U.S.), we would rely on lawful transfer mechanisms such as standard contractual clauses or adequacy decisions (Canada has an adequacy decision from the EU).

    Protection Measures: Regardless of where data is processed, we apply the same privacy protections described in this policy. We also require that our service providers maintain a high standard of privacy and security. For example, where necessary, we have Data Processing Agreements (DPAs) in place with providers that outline their obligations in handling personal data. These agreements incorporate standard data protection clauses to safeguard international data transfers.

    Your Responsibility: If you are accessing Dailybite from outside Canada, you are transferring your data to us in Canada. By using the App, you consent to that transfer, storage, and processing in Canada and other jurisdictions as explained. If you are in a region with laws governing data collection and use, please know that we strive to comply with those laws. For example, if you are in the EU, our intention is to handle your data in accordance with GDPR (lawful bases of processing, rights, etc., as discussed in earlier sections).

    Cross-Border AI Processing: We want to highlight that the AI requests inherently involve sending data across borders (to whichever region the AI provider’s servers are located). OpenAI and Google Cloud have committed to privacy, and if required, we will ensure proper agreements (such as Data Processing Addendums with EU Standard Contractual Clauses) are in place with them for compliance. If at any point these transfers become legally problematic, we will suspend or adjust the affected features until a compliant solution is found.

    If you have questions about international data aspects or need more information about our data transfer safeguards, please contact us.

    1. Changes to This Privacy Policy

    We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we update the policy, we will change the “Effective Date” at the top of this document. If the changes are significant, we may also provide a more prominent notice or seek your consent as required by law. For example, we might notify you via email (sent to the address associated with your account) or display a notice within the App.

    Your continued use of Dailybite after any changes to this Privacy Policy constitutes your acceptance of the updated terms (to the extent permitted by law). We encourage you to periodically review this Privacy Policy when you use the App to stay informed about how we are protecting your information.

    If we were to make changes that materially reduce your privacy rights or our obligations, we would likely ask for your consent again (for instance, if we ever decided to collect additional personal data not previously collected, or to use your data for a new purpose not covered by this policy, we would inform you and get appropriate consent).

    All previous versions of this Privacy Policy will be archived, and you can request a copy if needed to see how our policy has evolved.

    1. Contact Us

    If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please do not hesitate to contact us:

    Email: support@dailybite.ca

    We are the entity responsible for the processing of your personal data (the “data controller” in legal terms). For any privacy-related inquiry – whether it’s help exercising your rights, reporting a problem, asking about data practices, or giving feedback – you can reach us at the email above. We will be happy to assist you.

    Our goal is to address any issues you have in a satisfactory manner. If you’ve contacted us and feel that we haven’t adequately resolved your concern, and you are in a jurisdiction where you have the right to seek further recourse, you may contact your local data protection authority or privacy commissioner. For example, in Canada, that would be the Office of the Privacy Commissioner; in the EU, your national Data Protection Authority.

    Thank you for trusting Dailybite with your personal information. We are committed to keeping that trust by safeguarding your data and using it only to improve your daily planning experience.

    1. Private Mode

    Dailybite includes a Private Mode designed for users who want to limit how their AI conversations are logged and used for improvement of the service.

    13.1 What Private Mode Does

    When you enable Private Mode:

    We disable LangSmith tracing and similar internal logging tools that we normally use to monitor, debug, and improve our AI features.

    Your AI conversations are not used for product analytics, training, or routine quality review.

    We still store your inputs and AI outputs in our database only so that we can display them to you inside the App (e.g., to show your current plan or conversation history).

    In other words, Private Mode limits our ability to observe and analyze your AI interactions. As a result, responses you get while in Private Mode may not contribute to improving the service for you or other users.

    13.2 What Still Happens in Private Mode

    Even in Private Mode:

    Your data is still processed by our AI providers (e.g., OpenAI or Google AI) as described in AI Personalization and Data Usage. Private Mode does not prevent your prompts from being sent to those providers to generate a response.

    Basic technical logs (e.g., error logs, security logs, and minimal metadata such as timestamps and status codes) may still be collected as necessary to operate and secure the service.

    Your conversations and plans remain stored in our Supabase database so you can see and use them, and they are protected under the same security measures and retention rules described in this Privacy Policy.

    13.3 Exceptional Review Cases

    By default, we do not manually review conversations conducted in Private Mode.

    However, in rare and exceptional situations, we may need to access specific Private Mode data, for example:

    To investigate suspected abuse, spam, or security incidents,

    To comply with a legal obligation or enforce our Terms of Use,

    If you explicitly contact us for support and consent to us reviewing a specific interaction (e.g., to debug a serious issue with your plan).

    Any such review will be limited in scope, will only involve authorized personnel, and will be conducted under strict confidentiality obligations.

    13.4 Your Choices

    You can turn Private Mode on or off within the App settings (where available). When Private Mode is off, your interactions may again be traced with LangSmith and used for analytics and service improvement as described elsewhere in this Privacy Policy.

    You can also delete your account at any time, which will remove your conversations and related data from our active systems as described in Your Rights and Choices and Data Retention.