Keelday

Privacy Policy

Last updated: May 16, 2026

1. Overview

Keelday (“we,” “our,” or “us”) is a personal goal-planning tool. This Privacy Policy explains what data we collect, how we use it, who we share it with, and your rights regarding your data. We are committed to handling your data transparently and securely.

2. Data We Collect

a. Account Information

When you create an account, we collect:
  • Email address — required for login and account recovery
  • Name — if provided, from Google OAuth or manual entry
  • Password — stored as a bcrypt hash (not plaintext) for email/password accounts. Not stored for Google-authenticated accounts.
  • Profile picture URL — if provided by Google OAuth

b. Content You Create

We store the content you choose to enter into the Service:
  • Goals — title, description, domain, time horizon, milestones
  • Habits — names, descriptions, cadences, adoption/release status
  • Tasks — daily tasks, completions, notes
  • Account preferences and settings

c. Automatically Collected Data

When you use the Service, we automatically collect:
  • Authentication tokens — httpOnly cookies (token, refreshToken) for session management. These do not track you across sites.
  • Server logs — IP address, request timestamp, URL accessed, response status. Retained for debugging and abuse prevention.
  • Stripe transaction metadata — if you subscribe to paid features. Full payment details (card numbers) are handled by Stripe; we never see or store them.

d. AI Goal Suggestions

If you use the “Make it SMART” or milestone suggestion features, your goal title and domain are sent to OpenRouter (our AI provider) to generate suggestions. OpenRouter's terms govern its handling of this data. We cap input length at 500 characters and limit requests to 20 per hour per user.

3. How We Use Your Data

We use your data exclusively to provide, maintain, and improve the Service:
  • Authenticate your identity and maintain your session
  • Display your goals, milestones, habits, and tasks to you
  • Send transactional emails — account confirmation, password resets, email change confirmations
  • Generate AI goal suggestions when you request them
  • Process payments through Stripe
  • Detect and prevent abuse, fraud, and security incidents

We do not sell, rent, or share your personal data with advertisers or data brokers. We do not use your content to train AI models.

4. Third-Party Processors

We rely on the following third-party services to operate. Each processes data according to its own privacy policy and, where applicable, our Data Processing Agreement:
  • Vercel — Hosting and serverless functions. Data processed: account info, user content, server logs. US-based, SOC 2 compliant. Privacy Policy: https://vercel.com/legal/privacy-policy
  • Neon — PostgreSQL database hosting. Data processed: all account and content data. US-based. Privacy Policy: https://neon.tech/privacy-policy
  • Google — OAuth authentication. Data processed: email, name, profile picture (when you choose Google sign-in). Privacy Policy: https://policies.google.com/privacy
  • Stripe — Payment processing. Data processed: email, transaction metadata (full payment details are handled by Stripe). Privacy Policy: https://stripe.com/privacy
  • OpenRouter — AI inference for goal suggestions. Data processed: goal title and domain (capped at 500 characters). Privacy Policy: https://openrouter.ai/privacy
  • Resend — Transactional email delivery. Data processed: email address, email content. Privacy Policy: https://resend.com/legal/privacy-policy

5. Data Retention

  • Account data — retained as long as your account is active. You may delete your account at any time, which removes your data from production systems within 30 days.
  • Server logs — retained for 30 days for debugging and abuse prevention, then automatically deleted.
  • Stripe records — retained per Stripe's retention policies and our legal obligations.
  • Backups — database backups may retain data for up to 30 days after deletion.

6. Cookies

We use the following cookies, all strictly necessary for the Service to function:
  • token — An httpOnly session cookie. Contains a signed JWT identifying your account. Expires after 15 minutes of inactivity; automatically refreshed during active use.
  • refreshToken — An httpOnly cookie used to obtain new session tokens without re-entering credentials. Expires after 7 days.

These cookies are first-party only, set with SameSite=Lax, and do not track you across websites. We do not use analytics, advertising, or third-party tracking cookies. Because all our cookies are strictly necessary for authentication, no cookie consent banner is legally required.

7. Data Security

We implement reasonable security measures to protect your data:
  • Passwords are hashed with bcrypt (cost factor 10) and never stored in plaintext
  • Authentication tokens are signed HMAC JWTs verified on every request
  • All traffic is encrypted in transit (HTTPS)
  • Database access is restricted and credentials are not shared in code repositories
  • CSRF protection via same-origin validation on all mutation endpoints
  • Rate limiting on authentication and AI endpoints to prevent abuse
  • Input length caps to prevent resource exhaustion

8. Your Rights

Depending on your jurisdiction, you may have the following rights:
  • Access — request a copy of the personal data we hold about you
  • Correction — update or correct inaccurate data (most data can be edited directly in the app)
  • Deletion — delete your account and associated data. You can do this from your account settings page, or contact us for assistance.
  • Portability — request your data in a machine-readable format
  • Restriction — request that we limit processing of your data
  • Objection — object to processing based on legitimate interests

To exercise any of these rights, contact us at privacy@keelday.com. We will respond within 30 days.

9. Legal Basis for Processing (EEA/UK Users)

For users in the European Economic Area and United Kingdom, we process your personal data under the following lawful bases:
  • Performance of a contract — processing necessary to provide the Service you requested (account creation, displaying your content, sending transactional emails)
  • Legitimate interests — server logging for security and abuse prevention, rate limiting
  • Consent — explicit consent is not required for any currently offered processing activity. If we add marketing communications or analytics in the future, we will obtain consent first.

10. International Data Transfers

Your data is processed and stored in the United States through Vercel and Neon. We use third-party processors that comply with applicable data transfer mechanisms, including Standard Contractual Clauses where required. By using the Service, you consent to your data being transferred to and processed in the United States.

11. Children's Privacy

The Service is not intended for anyone under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice in the Service. Continued use after changes are posted constitutes acceptance of the updated policy.

13. Contact

For privacy-related questions, data requests, or concerns: