
Privacy Policy

Last Updated

Aug 7, 2025

Privacy Policy for Hey Today

Last Updated: February 4, 2026

Introduction

Hey Today ("we", "our", or "us") operates the Hey Today day planner application at app.heytoday.co (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service.

By using Hey Today, you agree to the collection and use of information in accordance with this policy.

Information We Collect

Information You Provide

Account Information

  • Email address (via Google OAuth)

  • Full name (via Google OAuth)

  • Profile picture (via Google OAuth)

Content You Create

  • Tasks you create (name, duration, scheduled time, completion status)

  • Categories you create (name, color, settings)

  • Day planning preferences (day start/end hours)

  • Google Calendar selections (which calendars you choose to display)

Calendar Data (When Connected)

  • Calendar event details (title, time, location, attendees, description)

  • Calendar metadata (calendar names, colors)

  • This data is cached temporarily to display in the app

Automatically Collected Information

Usage Data

  • Pages visited and features used

  • Actions taken within the app (via PostHog analytics)

  • Session duration and frequency

  • Device type and browser information

  • Approximate geographic location (country/city level)

Technical Data

  • IP address

  • Browser type and version

  • Operating system

  • Referring URL

  • Access times and dates

How We Use Your Information

We use the collected information for the following purposes:

Core Functionality

  • Provide and maintain the Hey Today service

  • Authenticate your account via Google OAuth

  • Store and sync your tasks, categories, and settings

  • Display your Google Calendar events alongside your tasks

  • Enable cross-device access to your data

Service Improvement

  • Analyze usage patterns to improve features

  • Monitor and analyze app performance

  • Troubleshoot technical issues

  • Develop new features based on user behavior

Communication

  • Send important service announcements

  • Respond to support requests

  • Notify you of updates or changes to the Service

We will never:

  • Sell your personal information to third parties

  • Use your data for advertising purposes

  • Share your tasks or calendar data with anyone without your consent

  • Send marketing emails (we don't do marketing emails)

Data Storage and Security

Where Your Data Is Stored

Database: Supabase (PostgreSQL database hosted on AWS)

  • Tasks, categories, and settings

  • Calendar connection tokens (encrypted)

  • Cached calendar events

Analytics: PostHog

  • Anonymized usage events

  • Session information

  • Feature engagement metrics

Authentication: Supabase Auth

  • Managed by Supabase's secure authentication system

  • OAuth tokens handled according to OAuth 2.0 standards

Security Measures

We implement industry-standard security measures to protect your data:

  • Encryption in Transit: All data transmission uses HTTPS/TLS encryption

  • Encryption at Rest: Database is encrypted at rest

  • Row Level Security: Database policies ensure users can only access their own data

  • OAuth Security: Google OAuth tokens are securely stored and never exposed to the frontend

  • Token Refresh: Automatic token refresh to maintain secure access

  • Regular Updates: Dependencies and security patches are regularly updated

Data Retention

  • Active Accounts: Your data is retained as long as your account is active

  • Inactive Accounts: We may delete accounts inactive for 12+ months after notification

  • Deleted Accounts: Upon account deletion, all personal data is permanently removed within 30 days

  • Calendar Cache: Calendar events are refreshed regularly and deleted when you disconnect your calendar

Google Calendar Integration

What We Access

When you connect your Google Calendar, we request permission to:

  • Read your calendar list

  • Read calendar events (title, time, location, attendees, description)

What We Don't Do

  • We do not modify, create, or delete events in your Google Calendar

  • We do not share your calendar data with third parties

  • We do not store your complete calendar history (only events relevant to your current view)

How It Works

  • Calendar events are fetched from Google's API and cached temporarily

  • Events are displayed read-only in Hey Today

  • You can disconnect your calendar at any time from Settings

  • Disconnecting removes all cached calendar data

Revoking Access

You can revoke Hey Today's access to your Google Calendar at any time by:

  1. Disconnecting in Hey Today Settings, OR

  2. Visiting your Google Account Permissions and removing Hey Today

Third-Party Services

We use the following third-party services:

Supabase

  • Purpose: Database, authentication, and backend infrastructure

  • Data Shared: All account and content data

  • Privacy Policy: https://supabase.com/privacy

  • Location: AWS data centers (primary: US-East)

PostHog

  • Purpose: Product analytics and usage tracking

  • Data Shared: Anonymized usage events, session data

  • Privacy Policy: https://posthog.com/privacy

  • Data Control: We do not track personally identifiable information beyond user ID

Google OAuth & Calendar API

  • Purpose: Authentication and calendar integration

  • Data Shared: Handled by Google's OAuth flow

  • Privacy Policy: https://policies.google.com/privacy

  • Scope: Email, profile, calendar read-only access

Railway

Your Rights and Choices

Access and Control

You have the right to:

  • Access all personal data we store about you

  • Update or correct your information

  • Delete your account and all associated data

  • Export your data (tasks, categories, settings)

  • Disconnect third-party integrations (Google Calendar)

How to Exercise Your Rights

  • Update Information: Edit directly in the app Settings

  • Delete Account: Contact us at [your-email@example.com] (we'll add account deletion to Settings in the future)

  • Export Data: Contact us at [your-email@example.com] for a data export

  • Disconnect Calendar: Use Settings > Google Calendar > Disconnect

Cookie Policy

We use minimal cookies for:

  • Authentication session management (essential)

  • Preferences storage (essential)

  • Analytics (PostHog, can be opted out)

We do not use cookies for advertising or tracking across websites.

Do Not Track

We respect Do Not Track (DNT) browser settings. When DNT is enabled, we disable non-essential analytics.

Children's Privacy

Hey Today is not intended for users under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us, and we will delete such information.

International Data Transfers

Hey Today is operated from the United States. If you are accessing the Service from outside the United States, your information will be transferred to, stored, and processed in the United States where our servers and service providers are located.

By using the Service, you consent to the transfer of your information to the United States, which may have different data protection rules than your country.

Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by:

  • Updating the "Last Updated" date at the top of this policy

  • Posting a notice in the app (for material changes)

  • Sending an email notification (for significant changes)

We encourage you to review this Privacy Policy periodically for any changes. Changes are effective when posted.

California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

Right to Know

You can request information about:

  • Categories of personal information we collect

  • Sources of personal information

  • Purpose for collecting personal information

  • Categories of third parties we share data with

Right to Delete

You can request deletion of your personal information, subject to certain exceptions.

Right to Opt-Out

You have the right to opt out of the sale of personal information. We do not sell personal information.

Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

To exercise these rights, contact us at [your-email@example.com].

European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR):

Legal Basis for Processing

We process your personal data based on:

  • Contract: To provide the Service you've agreed to use

  • Legitimate Interest: To improve and secure the Service

  • Consent: For Google Calendar integration (you can withdraw anytime)

Your GDPR Rights

  • Right to access your personal data

  • Right to rectification (correction)

  • Right to erasure ("right to be forgotten")

  • Right to restrict processing

  • Right to data portability

  • Right to object to processing

  • Right to withdraw consent

To exercise these rights, contact us at [your-email@example.com].

Data Protection Officer

For GDPR-related inquiries, contact: [your-email@example.com]

Data Breach Notification

In the event of a data breach that affects your personal information, we will:

  • Notify affected users within 72 hours of discovering the breach

  • Describe the nature of the breach

  • Explain steps we're taking to address the breach

  • Provide recommendations for protecting your information

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Email: [your-email@example.com]

Website: app.heytoday.co

Mailing Address:

[Your Name/Company Name]

[Street Address]

[City, State ZIP]

[Country]

Consent

By using Hey Today, you consent to this Privacy Policy and agree to its terms.

For Legal Reference:

  • Service Provider: [Your Legal Entity Name]

  • Jurisdiction: [Your State/Country]

  • Effective Date: February 4, 2026