Account & Billing · 5 min read · Medium · Updated Apr 27, 2026

Account

Privacy & data — what we collect and how it's protected

A complete guide to what Daybreak collects, how it's encrypted, what we never do, and your rights under GDPR and CCPA.

Quick answer

We collect what the product needs (account, check-ins, Dawn conversations, Focus settings) and protect it with TLS in transit + AES-256 at rest. We don't sell data, don't use your conversations for AI training, and you can export or delete everything any time.
Tags: privacy, data, encryption, gdpr, ccpa

Recovery data is more sensitive than typical app data. This page is the full picture of how it's handled.

What we collect

Account data

  • Email address and display name.
  • Onboarding answers (addiction type, severity assessment, goals).
  • Subscription status (Stripe is the source of truth for payment details).

Recovery data

  • Check-in responses (mood, cravings, triggers, sleep, notes).
  • Journal entries.
  • Dawn AI conversation history.
  • Companion memories (facts Dawn extracts from conversations).
  • Recovery plan configurations.
  • Goal tracking data.

Focus extension settings

  • Custom block lists and keywords you set.
  • Active focus modes.
  • Strict mode timers.
  • Aggregated block counts (if you opt in to analytics).

The extension does not collect URLs you visit, time spent on pages, or any browsing telemetry. All filtering happens locally on your device.

Time Vault configurations

  • Apps and websites you've locked.
  • Schedules and accountability partner settings.

Technical data

  • Anonymous usage analytics (page views, feature adoption rates).
  • Error reports for debugging.
  • Device type and browser version.

How it's protected

Encryption

Data type               In transit   At rest
Account data            TLS 1.3      AES-256
Check-ins & journal     TLS 1.3      AES-256
Dawn conversations      TLS 1.3      AES-256 (per-user keys)
Time Vault configs      TLS 1.3      AES-256
Focus settings (sync)   TLS 1.3      AES-256

Per-user keys mean a database leak doesn't reveal everyone's conversations — each user's data is encrypted with a different key derived from their account.
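The per-user key scheme described above can be implemented with a single master secret held outside the database and a key-derivation function that mixes in the user's account ID. The following is an added example (not Daybreak's own code) that implements HKDF-SHA256 (RFC 5869) from the standard library and derives a distinct 32-byte AES-256 key per user and per purpose; the master key, salt label and purpose strings are constructed for illustration.

```python
import hashlib
import hmac
import os


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-SHA256(salt, input keying material)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: expand PRK into `length` bytes bound to `info`."""
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_user_key(master_key: bytes, user_id: str, purpose: str = "dawn-conversations") -> bytes:
    """Derive a 32-byte (AES-256) key for one user and one purpose.

    Only the master key must be protected (in a KMS/HSM, never in the user
    database); per-user keys are recomputed on demand and never stored, so a
    dump of the database alone yields ciphertext without usable keys.
    The salt label acts as a version tag: changing it rotates every derived key.
    """
    prk = hkdf_extract(salt=b"per-user-key-v1", ikm=master_key)  # constructed label
    info = f"{purpose}:{user_id}".encode()  # binds the key to user and purpose
    return hkdf_expand(prk, info, 32)


def keys_are_isolated(master_key: bytes, user_a: str, user_b: str) -> bool:
    """True when two users (and two purposes for one user) get different keys."""
    ka = derive_user_key(master_key, user_a)
    kb = derive_user_key(master_key, user_b)
    ka_journal = derive_user_key(master_key, user_a, purpose="journal")
    return ka != kb and ka != ka_journal and len(ka) == 32


if __name__ == "__main__":
    master = os.urandom(32)  # constructed; in production this comes from a KMS
    print(derive_user_key(master, "user-1234").hex())
    print("isolated:", keys_are_isolated(master, "user-1234", "user-5678"))
```

Because derivation is deterministic, the same user always gets the same key without any key table; a compromise of one user's key reveals nothing about another's, and the purpose string keeps a conversation key from being reused for journal entries.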

Access controls

  • Engineers cannot access individual user data without an explicit audited support ticket signed off by the user.
  • Production database access is logged and reviewed monthly.
  • All employee accounts require 2FA + hardware keys.

What we never do

  • Sell data to third parties. Not now, not ever — it's not in our business model.
  • Share data with advertisers. We don't run ads.
  • Use your conversations for AI training. Dawn uses pre-trained foundation models; your data does not feed back into model weights.
  • Store passwords in plain text. Passwords are hashed with a salted, slow hash function (Argon2).
  • Read your journal or Dawn conversations — except when you explicitly attach them to a support ticket and ask us to.

Your rights

You can do all of these from Settings:

Right           How
Access          Data export
Rectification   Edit profile, check-ins, and journal entries
Erasure         Delete account
Portability     Data export (JSON)
Objection       Settings → Privacy → Opt out of analytics

For requests we don't yet have UI for (specific format, third-party share request, etc.), email [email protected].

Third-party services

We use the smallest set of external services that lets us run.

Service        Purpose                  Data shared
AWS            Cloud hosting            Encrypted data only
Stripe         Payment processing       Email + payment method
OpenAI         Dawn AI conversations    Conversation text (anonymized)
Sentry         Error tracking           Anonymous error reports
Better Stack   Status page / uptime     None

About OpenAI

When you message Dawn, the conversation is sent to OpenAI's API for the model to generate a reply. Before sending:

  • Your email, name, and account ID are stripped.
  • A hashed pseudo-ID replaces them so OpenAI can apply rate limits per user without knowing who you are.
  • OpenAI's API has a 30-day no-training, no-retention setting that we use for all Daybreak traffic.
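The stripping and pseudo-ID step above can be made mechanical and testable. The following is an added example (not Daybreak's own code): it removes the account fields from an outbound record, replaces them with a keyed HMAC-SHA256 pseudonym of the account ID, and checks that no identifier survives in the serialized payload. The field names, the pseudonym key and the sample record are constructed assumptions.

```python
import hashlib
import hmac
import json

# Account fields that must never reach the model provider (assumed names).
SENSITIVE_FIELDS = ("email", "name", "account_id")


def pseudo_id(account_id: str, pseudonym_key: bytes) -> str:
    """Stable per-user pseudonym for rate limiting.

    A keyed HMAC rather than a bare SHA-256: account IDs are often short or
    sequential, so an unkeyed hash could be reversed by hashing candidate IDs.
    The key lives only on our side, so the provider sees a stable opaque token.
    """
    return hmac.new(pseudonym_key, account_id.encode(), hashlib.sha256).hexdigest()


def pseudonymize_request(record: dict, pseudonym_key: bytes) -> dict:
    """Return the outbound payload with account identifiers stripped and a pseudo-ID added."""
    outbound = {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}
    outbound["user"] = pseudo_id(record["account_id"], pseudonym_key)
    return outbound


def leaks_identity(outbound: dict, record: dict) -> bool:
    """Guard: True if any account identifier still appears anywhere in the payload.

    This checks the account fields only; free text the user typed is sent as-is.
    """
    serialized = json.dumps(outbound)
    return any(str(record[f]) in serialized for f in SENSITIVE_FIELDS)


# Constructed sample record, as it might sit in our own system before sending.
SAMPLE_RECORD = {
    "account_id": "acct_000042",
    "email": "someone@example.com",
    "name": "Sample User",
    "messages": [{"role": "user", "content": "Had a rough evening, no cravings though."}],
}

if __name__ == "__main__":
    key = b"\x11" * 32  # constructed; in production a secret from the KMS
    payload = pseudonymize_request(SAMPLE_RECORD, key)
    print(json.dumps(payload, indent=2))
    print("leaks identity:", leaks_identity(payload, SAMPLE_RECORD))
```

Because the pseudonym is deterministic per key, the provider can apply per-user limits, while rotating the key on our side re-pseudonymizes every user at once.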

If you don't want any third party processing your conversations, turn off Dawn from Settings → Dawn → Disable. Other features still work without it.

Compliance

  • GDPR (EU) — full compliance: rights to access, rectify, erase, port, and object are all supported.
  • CCPA / CPRA (California) — full compliance with right-to-know and right-to-delete.
  • HIPAA — Daybreak is not a covered entity. We follow HIPAA-style controls (encryption, access logging, minimum necessary access) but we don't claim HIPAA compliance and you shouldn't treat us as a HIPAA-compliant service for your own compliance needs.

Common questions

Can my therapist see my data?

Only if you explicitly export and share it. Dawn is not connected to any health record system.

Can a partner / family member see my activity?

Only if you set them up as an accountability partner and choose what to share. The default is private.

What if Daybreak gets acquired?

In the event of a sale, our user agreement requires the buyer to honor the existing privacy commitments. You'd be notified and given the option to export and delete before any transfer.
