Legal

Privacy Policy

Last updated: 2026-05-17

This Privacy Policy explains what data Tomodaily ("we", "us", "the service") collects, how we use it, who we share it with, and what rights you have. It applies to tomodaily.com, the Tomodaily dashboard, and any messages we deliver to you through Telegram or email.

This is an early draft and a licensed attorney has not yet reviewed it. We will revise it before general availability. The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) inform this draft.

1. Overview

We are the data controller for the personal data described below. You can reach us at support@tomodaily.com. For privacy-specific questions, the same address is fine — use the subject line "Privacy" so we can route it correctly.

2. Data we collect

We collect only what we need to run the service for you.

  • Account data — your email address, your name if you give it to us, your timezone, and your delivery preferences (which briefs you want, when, and on which channels).
  • Memory Ledger content — the facts, beliefs, preferences, and notes you ask us to remember. These are the inputs that personalize the assistant's output for you.
  • Telegram messages — if you link Telegram, we receive the messages you send to the bot along with your Telegram user id and chat id. We use them to reply to you, to update memory you asked us to capture, and to send scheduled briefs to the right chat.
  • Portfolio data — tickers, lots, cost basis, and the performance snapshots we generate from them, when you use the finance features.
  • Calendar events — if you link Google Calendar, we read event titles, times, locations, and attendees so we can include them in briefs and reflections. We do not modify your calendar unless you ask us to.
  • Usage telemetry — operation logs covering which routes ran, which tools fired, model usage, and cost. We use this to debug, to bill correctly, and to improve the service.
  • Billing data — handled by Stripe. We store only the Stripe customer id and subscription id needed to manage your subscription. We do not store full card numbers.

3. Subprocessors

We use the following processors to run the service. Each one only receives the data needed for its function.

  • OpenAI — model inference for some agent routes.
  • Anthropic — model inference for some agent routes.
  • Cloudflare — Worker hosting, KV, R2 storage, and edge routing for tomodaily.com and the dashboard.
  • Neon — the managed Postgres database that stores account, memory, and operation data.
  • Resend — outbound email delivery for briefs, receipts, and account messages.
  • Stripe — subscription billing and payment processing.
  • Telegram — chat channel delivery, only if you have linked your Telegram account.
  • Google — Calendar OAuth and Calendar API access, only if you have linked your Google account.

We will update this list as our infrastructure changes and notify subscribers of material additions.

4. Legal basis (GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following lawful bases:

  • Performance of a contract — we process account, billing, memory, telemetry, and message data so we can deliver the subscription you bought.
  • Consent — we process Telegram messages and Google Calendar events only after you actively link those integrations. You can revoke consent at any time by unlinking the integration from the dashboard.
  • Legitimate interests — we process limited operation logs to keep the service secure, to debug issues, and to track abuse. We balance this against your privacy and keep logs only as long as needed.

5. How we use your data

We use your data to:

  • Provide the assistant — generate briefs, answer questions, and run the routines you set up.
  • Send the messages you asked for — morning briefs, digests, and reflections to your selected channels.
  • Bill you correctly and keep records required by tax and accounting rules.
  • Debug, monitor, and improve the service.
  • Communicate with you about account, billing, and service changes.

We do not sell your personal data. We do not share it with advertisers. We do not use your data to train models for other customers.

6. Data retention

We keep operation logs (route metadata, tool calls, model and cost data) for a minimum of 90 days so we can audit and debug. After that, logs may be aggregated or deleted on a rolling basis.

We keep your Memory Ledger, portfolio data, linked calendar context, and other content for as long as your account is active or as needed to provide the service. You can delete individual memories from the dashboard at any time, or delete your entire account by emailing support@tomodaily.com or using the dashboard delete option when it is available.

When you delete your account, we delete or anonymize your personal data within 30 days, except where we are required to keep limited records for billing reconciliation, tax, or legal compliance.

7. Your rights

You have the following rights with respect to your personal data:

  • Access — see what we hold about you.
  • Export — download your data in a machine-readable format.
  • Correction — fix anything that is inaccurate.
  • Deletion — ask us to delete your data, subject to a 30-day grace period while we reconcile billing and legal records.
  • Portability — receive your data in a portable format and move it elsewhere.
  • Object or restrict — object to or restrict certain processing.
  • Withdraw consent — for processing that depends on consent, withdraw it at any time. Withdrawal does not affect processing already performed.
  • Lodge a complaint — with a data protection supervisory authority in your jurisdiction. California residents have analogous rights under the CCPA, including the right to know and the right to delete.

To exercise any of these rights, email support@tomodaily.com.

8. International transfers

Tomodaily is operated from the United States and our infrastructure runs primarily in US regions of Cloudflare, Neon, and our model providers. If you use the service from outside the United States, your data will be transferred to and processed in the US and other countries where our subprocessors operate. Where required, we rely on Standard Contractual Clauses and equivalent transfer mechanisms.

9. Cookies

We use first-party session cookies to keep you signed in to the dashboard. We do not use third-party advertising cookies and we do not run third-party trackers on tomodaily.com. We may use minimal first-party analytics to understand aggregate usage; this does not identify individual users.

10. Children

Tomodaily is not directed to users under 18 and we do not knowingly collect personal data from minors. If you believe a child has provided us personal data, email support@tomodaily.com and we will delete it.

11. Changes

We may update this Privacy Policy from time to time. If the change is material, we will notify subscribers by email and place a banner in the dashboard. The updated effective date will appear at the top of this policy.

12. Contact

For privacy questions, data requests, or complaints, email support@tomodaily.com with the subject "Privacy". An EU Representative will be designated if and when our processing falls within GDPR Article 27 scope; this draft is a placeholder pending legal review.