Privacy Policy

The controller of personal data is the operator of DayProof, an individual resident in Cyprus (EU). Hosting infrastructure is provided by Hetzner Online GmbH, Germany (EU).

Data-protection contact: privacy@dayproof.app.

Personal data is processed on the following legal bases under the GDPR:

• Performance of a contract (Art. 6(1)(b)): account, trip, ticket and document data, necessary to deliver the service.
• Consent (Art. 6(1)(a)): document processing via artificial intelligence (Google Gemini, Groq) and access to Google Drive.
• Legitimate interest (Art. 6(1)(f)): session cookies, security logs and minimal internal analytics.

Account data: email address, name, avatar URL, preferred language.
Identity documents (encrypted): passport number, national ID, tax ID.
Contact data (encrypted): phone number and address.
Fiscal profile: date of birth, nationality, country of tax residence, country of origin, passport country and day thresholds.
Travel data: travel dates, airports, countries, flight numbers and airlines.
Uploaded documents: boarding passes, flight confirmations and invoices (PDF, JPEG, PNG).
AI processing data: automatically extracted fields (JSONB) and passenger names visible in the documents.
OAuth tokens (encrypted): access and refresh tokens for Google Drive.
Technical data: IP address, user agent, request logs.
Internal analytics: page views and user events.

Processor	Purpose	Data shared	Location
Google Gemini AI	OCR and flight-data extraction	Document images and PDFs, passenger names	USA
Groq AI	OCR and flight-data extraction	OCR text from documents, passenger names	USA
Resend	Transactional email	Email address and email content	USA
Google (OAuth and Drive)	Authentication and file sync	Email, name and file metadata	USA
Hetzner Online GmbH	Infrastructure hosting	All user data	Germany (EU)

Some processors are located in the United States. Transfers are covered by the European Commission's Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.

Category	Period
User account	Until deletion request
Trips and tickets	Until deletion request
Uploaded documents	Until deletion request
Google Drive tokens	Until disconnection or deletion
Sessions	30 days of inactivity
Page views	90 days
User events	180 days
Request logs	30 days
Slow-query logs	14 days

Under the GDPR, the user has the right to:

• Access (Art. 15): obtain a copy of their personal data.
• Rectification (Art. 16): correct inaccurate data.
• Erasure (Art. 17): request deletion of their data.
• Portability (Art. 20): download their data in a structured format (JSON).
• Restriction (Art. 18): limit processing in certain circumstances.
• Objection (Art. 21): object to processing based on legitimate interest.
• Withdrawal of consent: consent may be withdrawn at any time without affecting the lawfulness of prior processing.

These rights can be exercised using the "Download my data" and "Delete my account" functions in the profile, or by writing to privacy@dayproof.app.

DayProof uses automated processing (artificial intelligence and OCR) to extract flight data from documents. This processing does not produce legal effects on the user and does not significantly affect them in a similar manner. The user may review and correct all extracted data.

Fiscal alerts shown in the dashboard are informational indicators based on general thresholds and do not constitute automated decisions with legal effect within the meaning of Article 22 of the GDPR.

For details on cookie usage, see the Cookies Policy.

In the event of a security breach affecting personal data, DayProof will notify affected users and the competent supervisory authority within 72 hours, in accordance with Article 33 of the GDPR.

The competent supervisory authority is the Office of the Commissioner for Personal Data Protection of Cyprus. Users in other EU member states may also contact the data-protection authority of their own country.

For any data-protection query: privacy@dayproof.app.