Privacy Policy
Last updated: 12 May 2026
1. Data controller
The controller of personal data is the operator of DayProof, an individual resident in Cyprus (EU). Hosting infrastructure is provided by Hetzner Online GmbH, Germany (EU).
Data-protection contact: [email protected].
Data-protection contact: [email protected].
2. Legal bases for processing
Personal data is processed on the following legal bases under the GDPR:
- Performance of a contract (Art. 6(1)(b)): account, trip, ticket and document data, necessary to deliver the service.
- Consent (Art. 6(1)(a)): document processing via artificial intelligence (Google Gemini, Groq).
- Legitimate interest (Art. 6(1)(f)): session cookies, security logs and minimal internal analytics.
3. Categories of personal data
Account data: email address, name, avatar URL, preferred language.
Identity documents (encrypted): passport number, national ID, tax ID.
Contact data (encrypted): phone number and address.
Fiscal profile: date of birth, nationality, country of tax residence, country of origin, passport country and day thresholds.
Travel data: travel dates, airports, countries, flight numbers and airlines.
Uploaded documents: boarding passes, flight confirmations and invoices (PDF, JPEG, PNG).
AI processing data: automatically extracted fields (JSONB) and passenger names visible in the documents.
Technical data: IP address, user agent, request logs.
Internal analytics: page views and user events.
Identity documents (encrypted): passport number, national ID, tax ID.
Contact data (encrypted): phone number and address.
Fiscal profile: date of birth, nationality, country of tax residence, country of origin, passport country and day thresholds.
Travel data: travel dates, airports, countries, flight numbers and airlines.
Uploaded documents: boarding passes, flight confirmations and invoices (PDF, JPEG, PNG).
AI processing data: automatically extracted fields (JSONB) and passenger names visible in the documents.
Technical data: IP address, user agent, request logs.
Internal analytics: page views and user events.
4. Processors and sub-processors
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Google Gemini AI | OCR and flight-data extraction | Document images and PDFs, passenger names | USA |
| Groq AI | OCR and flight-data extraction | OCR text from documents, passenger names | USA |
| Resend | Transactional email | Email address and email content | USA |
| Google OAuth | Authentication | Email and name | USA |
| Hetzner Online GmbH | Infrastructure hosting | All user data | Germany (EU) |
5. International data transfers
Some processors are located in the United States. Transfers are covered by the European Commission's Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.
6. Retention periods
| Category | Period |
|---|---|
| User account | Until deletion request |
| Trips and tickets | Until deletion request |
| Uploaded documents | Until deletion request |
| Sessions | 30 days of inactivity |
| Page views | 90 days |
| User events | 180 days |
| Request logs | 30 days |
| Slow-query logs | 14 days |
7. Your rights
Under the GDPR, the user has the right to:
- Access (Art. 15): obtain a copy of their personal data.
- Rectification (Art. 16): correct inaccurate data.
- Erasure (Art. 17): request deletion of their data.
- Portability (Art. 20): download their data in a structured format (JSON).
- Restriction (Art. 18): limit processing in certain circumstances.
- Objection (Art. 21): object to processing based on legitimate interest.
- Withdrawal of consent: consent may be withdrawn at any time without affecting the lawfulness of prior processing.
8. Automated decision-making
DayProof uses automated processing (artificial intelligence and OCR) to extract flight data from documents. This processing does not produce legal effects on the user and does not significantly affect them in a similar manner. The user may review and correct all extracted data.
Fiscal alerts shown in the dashboard are informational indicators based on general thresholds and do not constitute automated decisions with legal effect within the meaning of Article 22 of the GDPR.
Fiscal alerts shown in the dashboard are informational indicators based on general thresholds and do not constitute automated decisions with legal effect within the meaning of Article 22 of the GDPR.
9. Cookies
For details on cookie usage, see the Cookies Policy.
10. Data-breach notification
In the event of a security breach affecting personal data, DayProof will notify affected users and the competent supervisory authority within 72 hours, in accordance with Article 33 of the GDPR.
11. Supervisory authority
The competent supervisory authority is the Office of the Commissioner for Personal Data Protection of Cyprus. Users in other EU member states may also contact the data-protection authority of their own country.
12. Contact
For any data-protection query: [email protected].
13. Google user data
DayProof uses Google OAuth 2.0 exclusively to enable sign-in with a Google account.
Scopes requested:
Data obtained from Google:
Storage: Email address, display name, and profile picture URL are stored in our PostgreSQL database hosted by Hetzner Online GmbH, Germany (EU). OAuth credentials are stored encrypted using Active Record Encryption and are not accessible in plaintext at rest.
Sharing: Google user data is not shared with any third party for commercial, advertising, or marketing purposes. It is not sold or licensed to any party.
Retention: Retained for the lifetime of the account. Upon account deletion, all associated Google user data is permanently and irreversibly erased within 14 days.
Revoking access: Users can revoke DayProof's access to their Google account at any time at myaccount.google.com/permissions. Revoking access prevents future sign-in via Google but does not delete the DayProof account or its data.
Limited Use compliance: DayProof's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Scopes requested:
openid, email, profile — read-only access. Data obtained from Google:
- Email address — used as the unique account identifier and for service communications (fiscal alerts, reports, account notifications).
- Display name — shown in the app interface for personalisation.
- Profile picture URL — displayed as an avatar in the app interface.
Storage: Email address, display name, and profile picture URL are stored in our PostgreSQL database hosted by Hetzner Online GmbH, Germany (EU). OAuth credentials are stored encrypted using Active Record Encryption and are not accessible in plaintext at rest.
Sharing: Google user data is not shared with any third party for commercial, advertising, or marketing purposes. It is not sold or licensed to any party.
Retention: Retained for the lifetime of the account. Upon account deletion, all associated Google user data is permanently and irreversibly erased within 14 days.
Revoking access: Users can revoke DayProof's access to their Google account at any time at myaccount.google.com/permissions. Revoking access prevents future sign-in via Google but does not delete the DayProof account or its data.
Limited Use compliance: DayProof's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.