Last updated: February 2026
When you create an account, we collect:
As you use the app, we store the habit data you create: habit names, start dates, weekly costs, check-in dates, and achievement timestamps. When you check in, you can optionally record a mood rating and journal reflection. If you use the “I'm Struggling” toolkit, we store your struggle intensity, outcome, and optional note. If you reset a streak, we store your optional reflection. This data exists solely to power your dashboard and track your progress.
Your most sensitive data is encrypted on your device before it ever reaches our servers, using AES-256-GCM — the same standard used by banks and governments. This includes:
Your encryption key is derived from your password and never leaves your device. We cannot read your encrypted data — not by policy, but by design. Even if our servers were compromised, your encrypted data would be unreadable without your key.
At registration, you receive a recovery key. This is your only backup if you forget your password. We do not store a copy. If you lose both your password and recovery key, your encrypted data is permanently unrecoverable — by anyone, including us.
Some data is stored without end-to-end encryption so the app can function:
Passwords are hashed using bcrypt, a one-way algorithm — we cannot retrieve or read your password. Your data is not shared with, sold to, or accessed by any third party for advertising, analytics, or any other purpose.
We use a single session token stored as a secure, HTTP-only cookie to keep you logged in. We do not use tracking cookies, advertising cookies, or analytics cookies. No third-party cookies are set by Day One.
If you opt in to daily reminder emails, we send them through a third-party email delivery service. That service receives only your email address and the content of that specific email — nothing else. We do not send marketing emails, newsletters, or promotions. You can disable reminder emails at any time from your settings page.
We do not run analytics scripts, track your behavior across the web, or use fingerprinting, pixel tracking, or any form of behavioral monitoring.
Our site is served through Cloudflare, which may collect anonymized performance metrics (such as page load times and error rates) at the network edge as part of its infrastructure. We do not control or have access to this data. No personally identifiable information is shared with us through this process.
You can delete individual habits and all their associated data at any time from your dashboard. To delete your entire account and all associated data, go to Settings and tap “Delete Account,” or contact us at the email below. Account deletion is permanent and irreversible.
We use two third-party services: an email delivery provider for optional daily reminder emails, and Cloudflare for secure content delivery and DDoS protection. We do not integrate with social media platforms, advertising networks, or data brokers.
We may update this policy from time to time. If we make significant changes, we will notify registered users. The “last updated” date at the top of this page always reflects the current version.
If you have questions about this privacy policy or want to request data deletion, email us at [email protected].