How DayDash protects your data
DayDash is built so your personal data stays yours. This page explains, in plain language, how our encryption works — and the one place it works differently (AI Chat).
The short version
- You hold the keys. Your data is encrypted with a key that stays on your devices. We store only the encrypted version.
- Encrypted at rest. The data points behind your dashboards are encrypted before they’re saved on our servers.
- No data mining, no ads. We don’t sell your data or use it for advertising. Our users are our customers, not the product.
How the encryption works
When you set up DayDash, your device generates a personal key pair:
- A public key our servers use to encrypt data to you — anyone can lock a box for you, but only you can open it.
- A private key that stays on your devices. It’s the only thing that can decrypt your data.
Your private key is derived from a 24-word recovery code (a standard BIP39 phrase) generated when you create your account. That recovery code is your master backup: with it you can restore access on any device, but if you lose both the code and all of your devices, the data can’t be recovered. We use well-established, audited cryptography (the libsodium “sealed box”) for all of this, with no home-grown crypto.
By default, our servers only ever hold the encrypted version and never your private key — so your stored data is unreadable to us. (Two deliberate exceptions, both explained below: if you opt into DayDash-managed recovery, and the AI assistant.)
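To make the recovery-code model concrete, here is an added example (not DayDash's code) showing that a key pair can be a pure function of the 24 words, so any device holding the phrase regenerates the same keys while the server needs only the public half. The BIP39 phrase-to-seed step and the seed-to-key-pair step mirror the BIP39 standard and libsodium's `crypto_box_seed_keypair`; using the first 32 bytes of the BIP39 seed as the key seed is an assumption, and all function names are hypothetical.

```python
import hashlib
import unicodedata

P = 2**255 - 19  # Curve25519 field prime
A24 = 121665  # curve constant (486662 - 2) / 4 from RFC 7748
BASE = (9).to_bytes(32, "little")  # standard base point u = 9

def bip39_seed(mnemonic, passphrase=""):
    """Standard BIP39 phrase-to-seed step: PBKDF2-HMAC-SHA512, 2048 rounds."""
    norm = lambda s: unicodedata.normalize("NFKD", s)
    salt = ("mnemonic" + norm(passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", norm(mnemonic).encode(), salt, 2048)

def x25519(k, u):
    """RFC 7748 ladder, stdlib only. Not constant-time: real code calls libsodium."""
    n = (int.from_bytes(k, "little") & ((1 << 254) - 8)) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair_from_recovery_code(mnemonic):
    # ASSUMPTION: the page does not say how the BIP39 seed maps to the key seed.
    seed32 = bip39_seed(mnemonic)[:32]
    # Same two steps as libsodium's crypto_box_seed_keypair: hash, then base-point multiply.
    sk = hashlib.sha512(seed32).digest()[:32]
    return sk, x25519(sk, BASE)

# Public BIP39 test phrase (all-zero entropy); never use it for a real account.
TEST_PHRASE = " ".join(["abandon"] * 23 + ["art"])

if __name__ == "__main__":
    sk, pk = keypair_from_recovery_code(TEST_PHRASE)
    print("public key (the only half a server needs):", pk.hex())
    # A "new device" with the same 24 words arrives at the same key pair.
    print("regenerated identically:", (sk, pk) == keypair_from_recovery_code(TEST_PHRASE))
```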
What’s encrypted — and what isn’t
Encrypted (readable only on your devices):
- All of your data points — everything synced from connected services (health, finance, productivity) and anything you enter yourself.
- Your notes and your AI Chat conversations.
Not encrypted (operational metadata — how your dashboards are set up, not the values they display):
- Dashboard names and layouts, widget configuration, data-source names, and connector settings — which services you’ve connected and how they’re configured (not the access credentials, which are separately encrypted). Because names and labels are stored as-is, avoid putting sensitive details directly into a dashboard or data-source name.
Held by our authentication provider:
- Your account profile — the email and name you sign up with — is managed by Clerk, our authentication provider, and isn’t part of the end-to-end-encrypted data set.
Recovering your data
You choose how recovery works when you set up your account:
- You hold the recovery code (default). Only you have the 24-word code, saved in your Emergency Kit. This is the strongest privacy model — we keep no copy.
- DayDash holds a copy. For convenience, you can let us keep a copy of your recovery code — encrypted on our servers with a key we hold — so new devices set themselves up automatically, with no kit to manage. The trade-off: unlike everything else on this page, this copy is something we could decrypt, which also means the everyday risks to any online account (like someone resetting your password to get in) could reach your data in this mode. We don’t access it except to set up your own new devices — and there’s still no data mining and no ads — but if you want the strongest guarantee that only you can read your data, hold the code yourself (the default).
You can download a fresh Emergency Kit any time, and switch from the DayDash-managed option back to holding the code yourself.
AI Chat works differently
AI Chat is the one place where “your stored data is unreadable to us” doesn’t fully apply — and we want to be upfront about it.
To answer a question, the assistant has to actually see the relevant data. Here’s what happens:
- DayDash reads the relevant data on your device, decrypted with your key. These lookups run locally.
- It sends the results of those lookups to our AI provider, Amazon Bedrock — under our HIPAA Business Associate Agreement, inside our compliant AWS perimeter — to generate the response. We send the relevant results, not a bulk copy of your data.
- The conversation is encrypted and saved, readable only on your devices.
So for AI Chat specifically:
- The relevant data is decrypted and processed in the cloud to generate a response — we don’t claim we can’t see it here.
- That processing happens inside our compliant perimeter (Amazon Bedrock under a HIPAA BAA), not on a third-party consumer AI service.
- Amazon Bedrock doesn’t use your conversations to train its models, and — as everywhere in DayDash — there’s no data mining and no ads.
If we ever add a way to run the assistant fully on your own device, we’ll update this page to reflect that different privacy model.
Questions?
We’re a small team and we read everything. Email us at support@daydash.io, or reach out through our support page.
For data retention, deletion, export, and the third-party services we rely on, see our Privacy Policy.