Privacy Policy
Effective: March 2026 · Version 1.0
1. Data Controller
dailyOps is operated by the dailyOps team. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the dailyOps platform, in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").
2. Personal Data We Collect
We collect the following categories of personal data:
Account Data
Full name, email address, hashed password, country, and language preference, provided at registration.
Organization Data
Restaurant/business name, country, and locale, provided during setup.
Session & Technical Data
IP address, user agent, and session tokens (HTTP-only session cookies), logged during authentication.
Operational HACCP Data
All operational data linked to your user ID and organization: temperature logs, lot records, cleaning completions, non-conformity incidents, preparations, training records, cooking logs, calibration logs, pest control records, supplier records, and product records.
AI Interaction Data
Label images sent to AI for data extraction (processed ephemerally, not stored by the AI provider). Chat conversations stored in your organization's database. AI scan usage counts for quota enforcement.
Payment Data
Stripe customer ID, subscription ID, price ID, and subscription status stored locally. Card details are handled entirely by Stripe and never touch dailyOps servers.
Push Notification Data
Browser push subscription endpoint URL and encryption keys, stored server-side and linked to your user ID.
Audit Logs
Action type, entity type and ID, change snapshot (JSON), timestamp, and user ID. Audit logs are append-only and immutable.
3. How We Use Your Data
We process your data for specific purposes with clear legal bases:
| Purpose | Legal Basis |
|---|---|
| Provide the dailyOps service | Contract performance (Art. 6(1)(b)) |
| Process payments via Stripe | Contract performance (Art. 6(1)(b)) |
| AI label scanning and chat assistant | Contract performance (Art. 6(1)(b)) |
| Transactional emails (invites, password resets) | Contract performance (Art. 6(1)(b)) |
| Push notifications (task reminders, alerts) | Consent (Art. 6(1)(a)) |
| Maintain audit trail for compliance | Legitimate interest (Art. 6(1)(f)) |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
We do not use your data for advertising, marketing profiling, selling to third parties, training AI models, or behavioral tracking.
4. Third-Party Processors
We share data with the following processors, each bound by data processing agreements:
| Processor | Purpose | Location |
|---|---|---|
| Anthropic (Claude AI) | Label extraction, chat assistant (ephemeral processing) | United States |
| Stripe | Payment processing, subscription management | United States / EU |
| Resend | Transactional email delivery | United States |
| | OAuth authentication (optional) | United States |
5. International Data Transfers
Your data may be transferred to processors in the United States. These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring GDPR Chapter V compliance.
6. Data Retention
We retain your data according to the following schedule:
| Data Type | Retention Period |
|---|---|
| Account and operational data | While account is active; deleted upon request |
| Audit logs | While account is active (regulatory compliance) |
| AI chat conversations | While account is active; deleted with account |
| Payment records | 7–10 years (tax/accounting regulations) |
| Push notification subscriptions | Deleted on unsubscribe or account deletion |
7. Your Rights (GDPR)
As an EU/UK data subject, you have the following rights under GDPR Articles 15–22:
- Access (Art. 15): Request a copy of your personal data
- Rectification (Art. 16): Correct inaccurate personal data
- Erasure (Art. 17): Delete your personal data
- Restriction (Art. 18): Limit processing of your data
- Portability (Art. 20): Receive data in machine-readable format
- Objection (Art. 21): Object to processing based on legitimate interest
- Automated decisions (Art. 22): Not be subject to solely automated decision-making
To exercise your rights, contact our data protection team. We will respond within 30 days as required by GDPR.
8. Cookies & Session Management
dailyOps uses a single HTTP-only session cookie for authentication. No analytics cookies, tracking pixels, or third-party advertising cookies. See our Cookie Policy for full details.
9. Data Security
We implement encryption in transit (TLS 1.3), encryption at rest, cryptographic password hashing, multi-tenant data isolation, role-based access control, Zod input validation, parameterized queries via Prisma ORM, Stripe webhook signature verification, and immutable audit trails.
10. Children
dailyOps is a business service not directed at children under 16. We do not knowingly collect data from children under 16.
11. Changes to This Policy
Material changes will be notified via email with at least 30 days' notice. Continued use after the effective date constitutes acceptance.
12. Contact Us
For privacy questions or data subject requests, contact our data protection team. You also have the right to lodge a complaint with your local Data Protection Authority.