Security

Your journal is personal. We take every measure to keep it private and secure.

Our Security Commitment

Journaling requires trust. You're sharing your most personal thoughts, and we take that responsibility seriously. This page explains exactly how we protect your data, what security measures are in place, and what you can do to keep your journal secure.

End-to-End Encryption

All journal entries are encrypted in transit (TLS 1.3) and at rest (AES-256) using industry-standard encryption.

Secure Authentication

Magic link authentication eliminates password vulnerabilities and reduces the risk of credential theft.

Private AI Processing

OpenAI does not train models on your data. API requests are encrypted and your entries remain confidential.

Regular Security Audits

We conduct regular security reviews and keep all dependencies updated with the latest security patches.

How We Protect Your Data

Data Encryption

In Transit: All data transmitted between your device and our servers uses TLS 1.3 encryption, the same security standard used by banks and financial institutions.

At Rest: Journal entries are stored in an encrypted database using AES-256 encryption. Even if someone gained unauthorized access to our servers, your data would be unreadable.

Backups: Database backups are also encrypted and stored securely with limited access controls.

Authentication & Access Control

Magic Link Login: We use passwordless authentication via email magic links. No passwords means no password databases to breach and no forgotten password vulnerabilities.

Session Management: Sessions expire after a period of inactivity and are carried in secure, httpOnly cookies, so the session token is sent only over HTTPS and cannot be read by scripts injected through an XSS attack.
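As an added illustration of the magic link and session handling described above (example code written for this page, not Dayora's own implementation), the sketch below shows the checks such a flow usually needs: the link token is random, stored only as a hash, expires after a short lifetime, and can be redeemed once; the session it creates is tied to an idle timeout and set with HttpOnly, Secure and SameSite attributes. The 15-minute link lifetime, the 30-minute idle timeout and the in-memory stores are assumptions chosen for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

MAGIC_LINK_TTL = 15 * 60        # assumed: links stop working 15 minutes after issue
SESSION_IDLE_TIMEOUT = 30 * 60  # assumed: sessions expire after 30 minutes without activity


def _digest(token: str) -> str:
    # Only the hash is persisted, so a copy of the store does not yield usable links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class MagicLinkStore:
    # hashed token -> {"email", "expires_at", "used"}  (in-memory stand-in for a DB table)
    pending: dict = field(default_factory=dict)

    def issue(self, email: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness from the OS CSPRNG
        self.pending[_digest(token)] = {
            "email": email,
            "expires_at": now + MAGIC_LINK_TTL,
            "used": False,
        }
        return token  # the raw token goes into the e-mail link and nowhere else

    def redeem(self, token: str, now: float):
        # Looking up by digest means the lookup never compares the raw secret itself.
        rec = self.pending.get(_digest(token))
        if rec is None or rec["used"] or now > rec["expires_at"]:
            return None  # unknown, already used, or expired: same answer for all three
        rec["used"] = True  # single use: a forwarded or replayed link is rejected
        return rec["email"]


@dataclass
class SessionStore:
    # session id -> {"email", "last_seen"}
    sessions: dict = field(default_factory=dict)

    def create(self, email: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"email": email, "last_seen": now}
        return sid

    def resolve(self, sid: str, now: float):
        rec = self.sessions.get(sid)
        if rec is None:
            return None
        if now - rec["last_seen"] > SESSION_IDLE_TIMEOUT:
            del self.sessions[sid]  # idle too long: drop the session server-side
            return None
        rec["last_seen"] = now  # sliding window: activity extends the session
        return rec["email"]


def session_cookie(sid: str) -> str:
    # HttpOnly keeps the id away from page scripts, Secure restricts it to HTTPS,
    # SameSite=Lax stops it being sent on cross-site POSTs.
    return (
        f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax; "
        f"Max-Age={SESSION_IDLE_TIMEOUT}"
    )


if __name__ == "__main__":
    links, sessions = MagicLinkStore(), SessionStore()
    t0 = 1_700_000_000.0  # constructed clock value
    token = links.issue("alice@example.com", t0)
    email = links.redeem(token, t0 + 60)
    sid = sessions.create(email, t0 + 60)
    print("Set-Cookie:", session_cookie(sid))
    print("second redeem of the same link:", links.redeem(token, t0 + 61))
```

The clock is passed in explicitly so the expiry rules can be exercised deterministically; a real deployment would read time.time() and keep the two stores in the database.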

Account Isolation: Your data is strictly isolated from other users. Our database queries enforce user-level access controls at every layer.

Infrastructure Security

Cloud Provider: We host on Vercel and use Supabase for database management, both of which maintain SOC 2 compliance and industry-leading security standards.

Network Security: All services run behind firewalls with strict access controls. Only necessary ports are exposed, and all services use the principle of least privilege.

DDoS Protection: Our infrastructure includes DDoS mitigation and rate limiting to prevent service disruption.

AI & Third-Party Security

OpenAI Integration: We use OpenAI's API to generate insights. Under our agreement, OpenAI does not use your data to train models. All API requests are encrypted in transit.

Limited Data Sharing: We only share the minimum necessary data with third parties (OpenAI for AI features). We never sell or share your journal entries with marketers, advertisers, or data brokers.

Email Service: We use Resend for transactional emails (magic links, summaries). They process emails securely but do not have access to your journal content.

Code & Application Security

Dependency Management: We regularly update all dependencies and monitor for known vulnerabilities using automated security scanners.

Input Validation: All user input is validated and sanitized to prevent SQL injection, XSS, and other common attacks.
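To make the Account Isolation and Input Validation points above concrete, here is an added example (written for this page, not Dayora's code; the SQLite schema and sample rows are constructed) of a data-access layer in which every query is scoped to the requesting user and every value is passed as a bound parameter. An entry id that belongs to another user simply returns nothing, and a body containing SQL syntax is stored as text rather than executed.

```python
import sqlite3

MAX_BODY_CHARS = 20_000  # assumed size limit for one journal entry


def open_db() -> sqlite3.Connection:
    # In-memory database with two users' entries (constructed sample data).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE entries ("
        "id INTEGER PRIMARY KEY, user_id TEXT NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO entries (user_id, body) VALUES (?, ?)",
        [
            ("user-alice", "Felt calm after the morning walk."),
            ("user-bob", "Stressful day, need more sleep."),
        ],
    )
    conn.commit()
    return conn


def validate_body(body) -> str:
    # Reject anything that is not non-empty text within the size limit before it
    # reaches the database or the AI integration.
    if not isinstance(body, str):
        raise ValueError("entry body must be a string")
    body = body.strip()
    if not body:
        raise ValueError("entry body must not be empty")
    if len(body) > MAX_BODY_CHARS:
        raise ValueError("entry body exceeds the size limit")
    return body


def add_entry(conn: sqlite3.Connection, user_id: str, body) -> int:
    body = validate_body(body)
    # Parameters are bound by the driver; the body is never spliced into SQL text.
    cur = conn.execute(
        "INSERT INTO entries (user_id, body) VALUES (?, ?)", (user_id, body)
    )
    conn.commit()
    return cur.lastrowid


def get_entry(conn: sqlite3.Connection, user_id: str, entry_id: int):
    # The user_id filter is part of the query itself, so a valid id owned by a
    # different user is indistinguishable from a nonexistent one.
    row = conn.execute(
        "SELECT id, body FROM entries WHERE id = ? AND user_id = ?",
        (entry_id, user_id),
    ).fetchone()
    return None if row is None else {"id": row[0], "body": row[1]}


def list_entries(conn: sqlite3.Connection, user_id: str) -> list:
    rows = conn.execute(
        "SELECT id, body FROM entries WHERE user_id = ? ORDER BY id", (user_id,)
    ).fetchall()
    return [{"id": r[0], "body": r[1]} for r in rows]


if __name__ == "__main__":
    db = open_db()
    print("alice reads her own entry:", get_entry(db, "user-alice", 1))
    print("alice reads bob's entry id:", get_entry(db, "user-alice", 2))
    new_id = add_entry(db, "user-alice", "Journaling'); DROP TABLE entries; --")
    print("stored literally:", get_entry(db, "user-alice", new_id)["body"])
```

The user_id passed to these functions should come from the authenticated session, never from the request body or URL, so the caller cannot choose whose entries to query.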

Error Handling: Error messages never expose sensitive information or system details that could aid attackers.

What We Don't Do

We never sell your data

Your journal entries are yours. We don't monetize your personal information or share it with advertisers.

We don't train AI models on your entries

Neither we nor OpenAI use your journal content to train machine learning models.

We don't read your journal

Our team does not access or read your personal entries unless you explicitly request support and grant permission.

We don't share data without consent

We will never share your information with law enforcement or third parties without your consent, except when legally required (e.g., valid subpoena).

How You Can Stay Secure

While we handle security on our end, here are some best practices to keep your account secure:

  • Use a secure email: Your email is your login credential. Use a strong, unique password for your email account and enable two-factor authentication if available.
  • Don't share magic links: Magic link emails are like temporary passwords. Don't forward them or share them with anyone.
  • Log out on shared devices: If you access Dayora on a public or shared computer, always log out when finished.
  • Keep your device secure: Use a screen lock on your phone and laptop to prevent unauthorized physical access.
  • Report suspicious activity: If you notice anything unusual with your account, contact us immediately at human@dayora.ai.

Questions About Security?

We're committed to transparency about our security practices. If you have questions, concerns, or want to report a security issue, please contact us at human@dayora.ai.

For more information about how we handle your data, read our Privacy Policy and Terms of Service.

Security Disclosure

If you discover a security vulnerability, please report it responsibly to human@dayora.ai. We'll work with you to understand and address the issue promptly.

Your journal is safe with us

Start journaling with confidence knowing your data is encrypted, private, and secure.