Privacy Policy

This Privacy Policy describes how DailyHero (the app, we) processes personal data about users and data added to the app when its features are used.

DailyHero is an app for family and personal task planning. The main user is the account owner. The account owner may use the app for personal task planning and may also create additional profiles within a family or household, including child profiles, for shared tasks, rewards, and related activity.

By using DailyHero, you confirm that you have read this Privacy Policy.

1. Who processes the data

The controller for the personal data processed in connection with DailyHero is:

Lev Karavanov
Finland, Espoo, 02200
Email: support@dailyhero.ink

If you have questions about privacy, data processing, or your rights, you can contact us at support@dailyhero.ink.

2. What this policy applies to

This Policy applies to:

• the DailyHero app;
• data processed when an account is created and used;
• data that the account owner adds to additional profiles, including child profiles;
• support requests;
• requests related to deletion of data, deletion of an account, and requests for a copy of data.

3. How the app may be used

DailyHero is an app for family and personal task planning. The account owner may use the app independently and may also create additional profiles inside the account, including profiles for other family members.

If a user adds information relating to another person, including a child, the user confirms that they are entitled to provide and use that information in the app and is responsible for the accuracy of that information.

The app may be used in different ways depending on the user’s scenario. In some cases the app is used individually, and in other cases it is used as part of a family setup with shared profiles.

4. What data we process

Account data

• account identifiers;
• sign-in and authentication data (Sign in with Apple);
• an email address if it is provided by the sign-in provider, including an Apple relay address;
• technical identifiers needed for the app to operate.

Profile data

• profile display name;
• profile date of birth;
• profile technical identifier;
• data about linking a profile to an account or device.

App usage data

• tasks, rewards, completion statuses, approvals, points, and related activity history;
• user settings;
• timestamps, technical statuses, and other service data required for the app’s features to work.

Notification data

• whether notifications are enabled;
• local reminder time and other notification settings.

The current version of the app uses only local iOS notifications that are scheduled and stored on the user’s device. Remote push notifications and event-based notifications are not used in the current version.

Support and request data

• support messages;
• account deletion requests;
• requests for access, correction, or deletion of data;
• service information required to process such requests, including status and handling history.

Technical data

• technical logs;
• error logs;
• app version and operating system information;
• service information required for protection, support, and stable operation of the app.

Profile display names are user-defined labels and do not need to match a person’s real name. In the current version of the app, we do not process profile photos, avatars, or biometric data.

5. How we receive data

We receive data:

• directly from the account owner when registering, signing in, and using the app;
• from information that the account owner adds to the account and profiles, including child profiles;
• from authentication and cloud infrastructure providers required for the app to operate;
• from support contacts and from requests related to data subject rights.

6. Purposes and legal bases for processing

The table below lists the purposes of processing and the relevant legal basis under GDPR.

Purpose	Legal basis
Creating and maintaining an account, providing the app’s features	Performance of a contract (Art. 6(1)(b) GDPR)
Creating and maintaining profiles; tasks, rewards, points, statuses, and activity history	Performance of a contract (Art. 6(1)(b) GDPR)
Configuring and operating local notifications	Performance of a contract (Art. 6(1)(b) GDPR)
Synchronizing data across devices and secure storage	Performance of a contract (Art. 6(1)(b) GDPR)
Handling support requests and data subject rights requests	Legal obligation (Art. 6(1)(c) GDPR) and, where applicable, legitimate interests (Art. 6(1)(f) GDPR)
Security, abuse prevention, and technical diagnostics	Legitimate interests (Art. 6(1)(f) GDPR)
Compliance with applicable law	Legal obligation (Art. 6(1)(c) GDPR)

If a separate feature requires consent in the future, that consent will be requested separately.

7. Additional profiles and data about other people

The account owner may create additional profiles, including child profiles, within the app. For those profiles, we process display names, dates of birth, and data connected to the app’s features, including tasks, rewards, statuses, and history.

By adding data that relates to another person, including a child, the account owner confirms that they are entitled to use that information in the app and is responsible for the correctness of the information added.

The account owner is responsible for how family members’ data is used within that account.

8. Who we share data with

We share data only to the extent necessary for the app to work, with the following categories of recipients.

Cloud infrastructure and backend service providers

• Google LLC / Google Cloud — hosting backend infrastructure;
• Firebase, including:
  • Firebase Authentication — authentication and session management;
  • Cloud Firestore — storage of account, profile, task, and reward data;
  • Cloud Functions — server-side logic, including privacy-request handling.

Authentication providers

• Apple Inc. — Sign in with Apple, including Hide My Email.

Internal operational channel for privacy-request handling

• Telegram — used for internal notification to the controller when a privacy request is created. Technical identifiers and request metadata needed to process the request may be sent through this channel.

Public authorities

• where required by law.

Other parties

• where expressly permitted or required by applicable law.

We do not sell personal data and we do not use personal data for advertising or profiling.

9. International data transfers

Some service providers used for the app may process data outside the European Economic Area (EEA). By default, data stored in Cloud Firestore is placed in the europe-west1 region, but certain services, including Apple and Telegram, may process traffic outside the EEA.

Where this happens, we rely on lawful transfer mechanisms, including Standard Contractual Clauses (SCCs), adequacy decisions of the European Commission, and other mechanisms permitted under Chapter V GDPR.

10. Data retention

We keep data only for as long as necessary for the purposes for which it was collected, unless a longer period is required by law.

• account data and related data are kept while the account owner uses the app;
• when an account or profile is deleted, the data may first move to a soft-delete state with a recovery period of up to 30 days;
• after that recovery period, the data is removed from active storage;
• separate copies may remain in backups for a limited additional period until automatic rotation;
• records of privacy requests and related audit information are kept for as long as necessary to document compliance and the handling of data subject rights;
• certain records related to security or legal obligations may be kept longer where necessary to comply with law or protect rights.

11. Account deletion and data-related requests

The account owner may use the in-app account deletion tools or contact us at support@dailyhero.ink.

An in-app request is the preferred channel because it helps identify the user. External email remains a fallback channel and may require additional identity verification.

Users may request:

• access to their data;
• correction of inaccurate data;
• deletion of data;
• restriction of processing;
• data portability;
• objection to processing;
• withdrawal of consent, where processing is based on consent.

We aim to handle such requests within the timelines required by applicable law, which is generally one month where GDPR applies.

12. User rights

Depending on applicable law, you may have the right to:

• receive information about how data is processed;
• access your data;
• correct your data;
• delete your data;
• restrict processing;
• receive your data in portable form;
• object to processing;
• lodge a complaint with a supervisory authority.

If GDPR applies to you, you may also complain to the competent supervisory authority, including the Office of the Data Protection Ombudsman in Finland: https://tietosuoja.fi/en/home

13. Automated decision-making

We do not carry out automated decision-making, including profiling, that produces legal effects or similarly significant effects for users within the meaning of Art. 22 GDPR.

14. Security

We apply technical and organizational measures proportionate to the risks of processing, including:

• encryption of data in transit (TLS);
• role- and project-based access control for backend infrastructure;
• separation of production, staging, and development environments;
• logging of errors and technical events to detect anomalies;
• use of managed services (Firebase, Google Cloud) with their own protection mechanisms.

No storage or transmission method over the internet can guarantee absolute security.

15. Third-party services

The app uses third-party services that are necessary for its operation. Those services may process data within their roles and under their own terms and privacy policies.

These services include:

• Apple (Sign in with Apple, App Store, local iOS infrastructure) — https://www.apple.com/legal/privacy/;
• Google / Firebase / Google Cloud (Authentication, Firestore, Cloud Functions) — https://policies.google.com/privacy, https://firebase.google.com/support/privacy;
• Telegram (internal controller notification about privacy requests) — https://telegram.org/privacy.

The app does not use advertising networks, attribution services, or cross-app trackers. IDFA is not requested.

16. Changes to this policy

We may update this Policy from time to time. If changes are material, we will try to notify users by reasonable means, for example through the app or by updating the effective date and version on this page.

The current version of the Policy must remain available through a public link.

17. Contact

If you have questions about privacy, data processing, or your rights:

Lev Karavanov
Finland, Espoo, 02200
Email: support@dailyhero.ink