Privacy Policy — Kindle by Dayko

1. Privacy at a glance

Kindle is built on a simple principle: your relationship data belongs to you and your organisation, not to us.

On-device first. Audio recording, transcription, and business card OCR happen on your device. Nothing uploads unless you explicitly choose to.
Your infrastructure for enterprise customers. Enterprise plans deploy AI processing on the customer's own servers. Dayko has no read access to that data.
End-to-end encryption. Audio, transcripts, and contact records are encrypted at rest (AES-256) and in transit (TLS 1.3).
No advertising. We do not sell, rent, or share your personal data for advertising. We do not embed third-party advertising SDKs.
No tracking across apps. Kindle does not track you across other apps or websites. We do not use IDFA or GAID for tracking.
One-tap delete. You can delete any meeting, contact, or your entire account from inside the app. Deletion is permanent within 24 hours.

2. Who we are

Kindle is operated by Dayko, Inc. ("Dayko", "we", "us", "our"), a Delaware corporation with offices in [Address to be confirmed].

For the purpose of the EU General Data Protection Regulation (GDPR) and the UK GDPR, Dayko is the data controller for personal data of individual users on Free and Pro plans. For Team and Enterprise customers, Dayko acts as a data processor on behalf of the customer organisation, which is the controller of its employees' and contacts' personal data.

Our Data Protection Officer can be reached at dpo@dayko.ai.

3. What we collect

We collect only what we need to make Kindle work. Here is the complete list:

3.1 Information you give us directly

Account details — name, work email address, organisation name, role, and password (stored as a salted hash; we never see your plain-text password).
Profile information — your photo, time zone, and language preference if you choose to add them.
Contacts you save — names, titles, companies, email addresses, phone numbers, and any notes you write about people.
Voice notes and audio recordings — when you choose to record a meeting or leave a voice note. Recording requires explicit microphone permission, requested only the first time you use this feature.
Photos you capture — business cards or other images you scan. Camera permission is requested only at the moment of capture.
Notes and transcripts — text content you create or that Kindle generates from your audio.

3.2 Information from connected services (optional)

Calendar events — if you connect Outlook or Google Workspace, we read upcoming meeting details to power Whisper Brief.
Address book contacts — if you grant contact access, we read names and email addresses to match them with people in Kindle. We do not import your contacts to our servers without your explicit confirmation.

3.3 Information collected automatically

Diagnostic data — anonymised crash reports and performance telemetry, used to fix bugs.
Device information — operating system version, device model, and app version. Used for compatibility and support.
Authentication metadata — IP address and approximate region at the time of sign-in, kept for 30 days to detect suspicious activity.

3.4 What we do NOT collect

Precise GPS location
Health, fitness, or biometric data
Financial account numbers or bank details
Browsing history outside the Kindle app
Advertising IDs (IDFA, GAID) for tracking
Social media profiles or posts beyond what is publicly visible to the Research Agent
Sensitive categories such as race, religion, sexual orientation, or political opinions

4. How we use your data

We use your data only for the purposes listed below. We will never use your data for any other purpose without asking you first.

To deliver the service — saving your contacts, transcribing your meetings, generating briefs, syncing your calendar.
To run AI features — on-device for free and pro plans; on your organisation's infrastructure for enterprise plans. We do not use your content to train any AI model — yours, ours, or any third party's.
To support you — replying to support requests, helping with sign-in issues, recovering deleted data within the recovery window.
To keep the app secure — detecting fraudulent sign-ins, blocking abuse, complying with legal obligations.
To improve the product — anonymised, aggregated usage patterns. You can opt out in Profile → Privacy.
To communicate — service notifications (account changes, security alerts), and product updates if you opt in. We do not send marketing email without consent.

We do not use your contacts, transcripts, notes, or any other content you create to train AI models. Your relationships will never become someone else's training data.

5. Legal basis (GDPR & UK GDPR)

If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under Article 6 of the GDPR:

Contract — to provide the service you signed up for. This covers most processing of account, contact, meeting, and transcript data.
Legitimate interests — to keep the service secure, prevent fraud, and improve the product through anonymised analytics. We balance these interests against your rights and you can object at any time.
Consent — for optional features such as marketing email, beta program participation, and connecting third-party services. You can withdraw consent at any time without affecting the service.
Legal obligation — to respond to lawful government requests and tax or financial reporting requirements.

6. Who we share data with

We share your personal data only with the parties below, only for the purposes stated, and only under contracts that require them to protect your data to the same standard we do.

6.1 Service providers (sub-processors)

Provider	Purpose	Region
Amazon Web Services	Encrypted cloud storage for free and pro accounts	US, EU
Auth0 (Okta)	Authentication and single sign-on	US, EU
SendGrid (Twilio)	Transactional email (sign-in, receipts)	US
PostHog (self-hosted)	Anonymised product analytics	Dayko-controlled servers
Sentry (self-hosted)	Crash reporting	Dayko-controlled servers

6.2 Within your organisation

If your account is part of a Team or Enterprise workspace, your contacts, meetings, and transcripts may be visible to other authorised members of your organisation as configured by your administrator. Administrators can set role-based access controls in the workspace settings.

6.3 With your explicit instruction

When you share a brief, transcript, or contact with someone outside Kindle (for example by email export or generating a public link), we will share only what you direct us to share.

6.4 Legal requirements

We may disclose data if required by a valid legal process, but only after careful review. We will challenge overbroad requests, notify you wherever the law allows us to, and publish an annual transparency report listing aggregate request volumes.

6.5 Business transfers

If Dayko is involved in a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before any transfer and you will have an opportunity to delete your account before it occurs.

6.6 What we never do

We never sell your personal data.
We never rent your contacts or transcripts to data brokers.
We never share your content for advertising targeting.
We never use your data to train AI models for ourselves or third parties.

7. Where your data lives

Where your data is stored depends on your plan:

Free and Pro plans — encrypted on-device for media (audio, photos), with structured data (contacts, transcripts, notes) stored on Dayko-managed AWS infrastructure in your region of choice (US, EU, or APAC).
Team plan — same as Pro, with workspace data stored in the region selected by the workspace administrator.
Enterprise plan — fully on the customer's own infrastructure (private cloud, on-premise, or hybrid). Dayko has no read access to enterprise content.

You can see which region your data is in at any time under Profile → Privacy → Data residency.

8. How long we keep your data

Account data — kept while your account is active.
Content (contacts, transcripts, notes) — kept until you delete it. Deleted items move to a trash bin for 30 days, then are permanently erased.
Audio recordings — by default kept 90 days after transcription, then automatically deleted unless you mark them as starred. Adjustable in settings.
Diagnostic data — 30 days, anonymised.
Authentication logs — 30 days.
Billing records — 7 years (US tax law requirement).
Backups — encrypted backups are retained for 30 days, then overwritten.

When you delete your account, we permanently erase your content within 24 hours. Backups containing your data are overwritten within 30 days.

9. Security

We take security seriously. Specific protections include:

Encryption in transit — TLS 1.3 for all network traffic.
Encryption at rest — AES-256 for all stored content and backups.
Authentication — Auth0-managed sign-in with optional multi-factor authentication and SSO (SAML, OIDC) on Team and Enterprise plans.
Access controls — Dayko employees can access customer data only with documented justification, time-limited credentials, and logged audit trails.
Independent audits — SOC 2 Type II audit in progress; results published when available.
Bug bounty — security researchers can report vulnerabilities at security@dayko.ai. We respond within 24 hours.
Breach notification — if we ever experience a breach affecting your personal data, we will notify you and the relevant authorities within 72 hours, as required by GDPR.

No system is 100% secure. We cannot guarantee absolute security, but we apply the standards above and continuously improve them.

10. Your rights

Depending on where you live, you have some or all of the following rights regarding your personal data:

Access — request a copy of the personal data we hold about you.
Correction — fix anything that is inaccurate. Most fields are editable directly in the app.
Deletion — erase your account and all associated content. Available in-app under Profile → Delete Account.
Portability — export your data in a structured, machine-readable format (JSON or CSV).
Restriction — ask us to limit how we process your data while a query is being resolved.
Objection — object to processing based on legitimate interests.
Withdraw consent — for any processing based on consent, you can withdraw consent at any time without affecting service availability.
Complain to a supervisory authority — if you are in the EEA, UK, or Switzerland, you have the right to complain to your local data protection authority.

To exercise any of these rights, email privacy@dayko.ai. We respond within 30 days. There is no charge for reasonable requests.

11. Children

Kindle is a business product designed for adults. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with data, please contact privacy@dayko.ai and we will delete it promptly.

12. International data transfers

If we transfer your personal data outside your home country (for example, between EU and US infrastructure), we use appropriate safeguards required by law:

Standard Contractual Clauses — for transfers from the EEA, UK, and Switzerland to the United States and other countries.
Data Privacy Framework — Dayko participates in the EU-US, UK-US, and Swiss-US Data Privacy Frameworks where applicable.
Regional storage — you can choose to keep your data inside the EEA, US, or APAC under Profile → Privacy → Data residency.

13. California residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

The right to know what personal information we collect, use, disclose, and sell or share.
The right to delete personal information we hold about you.
The right to correct inaccurate personal information.
The right to opt out of the sale or sharing of personal information.
The right to limit use and disclosure of sensitive personal information.
The right to non-discrimination for exercising these rights.

We do not sell or share your personal information in the sense defined by the CCPA. We do not engage in cross-context behavioural advertising. There is no need for a "Do Not Sell or Share My Personal Information" link, but if you would like written confirmation of this, email privacy@dayko.ai.

14. Changes to this policy

We may update this Privacy Policy as the product evolves or as regulations change. When we do:

We will update the "Last updated" date at the top of this page.
For material changes (anything that affects how we collect, use, or share your data), we will notify you in-app and by email at least 30 days before the change takes effect.
We will keep an archive of previous versions available at kindle.dayko.ai/privacy/archive.

15. Contact us

Questions about this policy or how we handle your data? Reach out:

Privacy questions

privacy@dayko.ai

Data Protection Officer

dpo@dayko.ai

Security disclosures

security@dayko.ai

General support

hello@dayko.ai

Postal address: Dayko, Inc., [Address to be confirmed], United States.

EU representative (per Art. 27 GDPR): [To be appointed before EU launch].