Updated March 30, 2026

Privacy Policy

This policy explains exactly what Daybreak collects, why we collect it, where it's stored, and how long we keep it. A summary of our four core commitments comes first; the section-by-section detail follows below.

The short version

Four commitments that shape how we handle your data.

These rules apply to every piece of personal data Daybreak holds — from your check-ins and journal entries to the timestamps on your account activity. If a policy below appears to conflict with one of these, the commitment wins.

We never sell your data

Not to advertisers, not to data brokers, not to anyone. Daybreak is built on a paid model so we never have to.

Local-first by default

Screen-time data stays on your device. Optional cloud sync uses end-to-end encryption — only you can read it.

Passwords never touch us

AWS Cognito handles authentication. We never store your password — even hashed.

Delete anything, anytime

One click in Settings deletes all your data — check-ins, journal entries, conversations. Permanent and irreversible.

Who we work with

Three subprocessors. That's it.

We name every third party that processes your data so you can verify their role. Each one is contractually limited to a single, specific function — hosting, payments, or model inference — and none of them are permitted to use your content to train their own systems or share it with anyone else.

AWS (cloud infrastructure): hosts the application, database, and authentication. SOC 2 + HIPAA-eligible. Data lives in US-East.

Stripe (payment processing): PCI-DSS Level 1 certified. We never store card details — only a Stripe customer ID.

OpenAI (AI model provider): powers Dawn conversations. Under our enterprise agreement, your messages are never used to train models.

We'll email account holders 30 days before adding any new subprocessor.

The full policy

If you'd like every detail.

1. Introduction

Daybreak (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application and related services at daybreakscience.com.

Given the sensitive nature of recovery data, we adopt a HIPAA-conscious design approach even though we may not be a covered entity under HIPAA regulations.

2. What we collect

Account information

When you create an account, we collect your email address and optional display name. We use AWS Cognito for authentication — your password is never stored on our servers.

Recovery data

We collect data you voluntarily provide:

  • Profile information (goals, start date)
  • Daily check-in data (mood, cravings, sleep, stress, triggers)
  • Journal entries
  • Dawn companion conversation history
  • Recovery plan data

Payment information

Payment processing is handled by Stripe. We never store card details — only a Stripe customer ID and subscription status.

Screen-time data (native apps)

If you use our native applications:

  • Application usage statistics (which apps and for how long)
  • Focus session data (duration, completion status)
  • Blocked app and website lists you configure

Local-first architecture

All screen-time data is stored locally on your device by default. If you turn on optional cloud sync, your device derives an encryption key from your password with PBKDF2 and encrypts the data with AES-256-GCM before anything is uploaded; the key never leaves your device. Our servers store only opaque encrypted blobs, so we cannot read your data.

Technical data

We collect minimal technical data (device type, browser type, anonymized analytics) to improve the Service.

3. How we use it

  • Provide, maintain, and improve the Service
  • Generate personalized recovery plans and Dawn responses
  • Display your progress analytics and trends
  • Process payments and manage subscriptions
  • Send critical account communications
  • Ensure security and prevent abuse

4. Data sharing

We do not sell, rent, or trade your personal information. See the Subprocessors section above for the three vendors who handle specific jobs on our behalf.

5. Security

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • AWS RDS with encrypted storage
  • Cognito-managed authentication with secure token handling
  • End-to-end encryption for screen-time cloud sync
  • Regular security reviews

6. Retention & deletion

Permanent deletion

You can delete your account at any time from Settings. This permanently deletes all data including check-ins, journal entries, recovery plans, and AI conversations. This action is irreversible.

7. Your rights

  • Access your personal data
  • Correct inaccurate data
  • Delete your account and all associated data
  • Export your data (upon request)
  • Opt out of non-essential communications

8. Children's privacy

The Service is not intended for users under 18. We do not knowingly collect information from children under 18.

9. Changes

We may update this policy. We will notify you of material changes via email or a notice within the Service.

10. Contact

Questions? Email [email protected].

Have a question?

We answer privacy emails personally, usually within 48 hours.
