digitalagenda-privacy

DailyAgenda — Privacy Policy

Last updated: 2026-04-22

Who we are

DailyAgenda is a personal planning and private messaging app for small groups (family, housemates, invited teams). It is developed and operated by Alexandru Vlad Tanasescu. If you have any questions about this policy or the data we hold about you, contact the developer at the email address associated with this app on the App Store.

What we collect and why

Data	When we collect it	Why	Where it is stored
Display name	Sign-up	Identifies you to other group members	Supabase Postgres (EU / Frankfurt)
4-digit PIN	Sign-up	Your private login secret. We never store the plaintext — only a bcrypt hash.	Supabase Postgres
Phone number (optional)	If you set it	Lets the admin reach you out of band	Supabase Postgres
Avatar emoji	Auto-assigned, editable	Cosmetic	Supabase Postgres
Device identifier	On first launch	Stable per-install UUID used for rate-limiting and for the `device_id` field — NOT the IDFA or any Apple advertising identifier	UserDefaults (on device) + Supabase
Session token	On login	64-char random string proving your identity between requests	iOS Keychain (device) + Supabase
Your agenda tasks	As you create them	Day-based planning	Supabase Postgres (+ a UserDefaults cache on device when offline)
Chat messages	As you send them	The core messaging feature	Supabase Postgres. Images are uploaded to a Supabase Storage bucket (`chat-images`) and shown inline.
Device Contacts (optional)	Only if you grant iOS Contacts permission	So the group admin can coordinate plans and match chat participants to real people you already know. Only the contact’s display name and phone number are uploaded — no emails, no addresses, no photos, no other fields.	Supabase Postgres (`user_device_contacts`)
Report records	When you tap “Report message”	So the admin can review flagged content within 24 hours	Supabase Postgres (`message_reports`)
Block records	When you block another user	To hide that user’s content from you	Supabase Postgres (`blocked_users`)
EULA acceptance timestamp	When you tap “I Agree”	Legal record	Supabase Postgres
Audit log	Every admin action (list users, view agenda, delete message, ban)	Accountability for the oversight role	Supabase Postgres (`admin_audit_log`)

We do not collect:

Email addresses
Apple advertising identifier / IDFA
Location data
Full Contacts records (we drop every field except display name and phone)
Analytics / tracking SDKs of any kind
Any data from outside the app

Who can see your data

You — your own session, your own tasks, your own messages.
Your chat partners — the messages you send them (standard messaging).
The designated group admin — exactly one is_admin=true user per deployment, enforced by a database-level unique index. The admin can read all messages (for oversight — this is the app’s core premise), your agenda (only if you left agenda_consent enabled), and your uploaded contacts. Every admin access to another user’s data is logged in an immutable audit table.
Supabase (our database and storage provider) — as the infrastructure host. See Supabase’s privacy policy at https://supabase.com/privacy.
Nobody else.

What the admin cannot do

The admin cannot see your PIN (we only store its bcrypt hash; even the admin role cannot reverse it).
The admin cannot see your agenda if you have toggled agenda_consent off.
The admin cannot send messages on your behalf or log in as you.

Retention

Messages, agenda tasks, contacts, and reports are retained until you delete them or your account is banned by the admin.
If the admin bans a user via the Reports workflow, every message that user ever sent is permanently deleted, their session is invalidated, and their chat_users row is removed. This is irreversible.
Rate-limit records (auth_attempts) are auto-pruned after 24 hours.
Audit log entries have no automatic retention limit at this time.

Your rights

You can:

Delete your tasks individually in the app.
Report messages that violate the EULA.
Block other users at any time.
Toggle agenda sharing with the admin (Agenda sharing OFF).
Request full account deletion by contacting the developer. This removes everything: your user row, messages, tasks, contacts, sessions.

Security

All network traffic is HTTPS.
PINs are stored only as bcrypt hashes.
Row-level security is enabled on every user-data table. The app ships only a Supabase anon key; privileged operations go through SECURITY DEFINER RPCs that enforce per-user scoping.
The session token is stored in the iOS Keychain (kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly).
The chat screen is wrapped in a secure-text-entry layer on iOS to prevent screenshots and screen recordings.
Login is rate-limited (10 attempts / 15 minutes per device) to resist brute force.

Children

DailyAgenda is not intended for children under 13. We do not knowingly collect data from children.

Changes to this policy

We will update this policy and the in-app EULA when we change how the app handles data. Material changes will trigger a re-prompt for EULA acceptance.