Privacy Policy

Last updated: March 2026

Daymora ("we," "us," or "our") is committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR), applicable data protection laws, and ISO 27001 information security principles. This policy explains how we collect, use, store, and protect your information when you use our AI API service.

1. Data Controller

Daymora is the data controller for the personal data processed in connection with our services. You can contact us via our contact page.

2. Legal Basis for Processing

We process your personal data on the following legal bases under GDPR Article 6:

  • Contract performance (Art. 6(1)(b)): To provide our AI API service, manage your account, process payments, and fulfill our contractual obligations.
  • Legitimate interests (Art. 6(1)(f)): To improve our service, ensure security, prevent fraud, and communicate service-related updates.
  • Legal obligation (Art. 6(1)(c)): Where we must retain or disclose data to comply with applicable law.
  • Consent (Art. 6(1)(a)): Where you have given explicit consent for specific processing (e.g., marketing communications, where applicable).

3. Categories of Personal Data We Collect

We collect and process the following categories of data:

  • Account data: Email address, display name, hashed password, and account creation/update timestamps.
  • Payment data: Payment method identifiers (e.g., PayPal account linkage), last four digits of payment methods where applicable, and transaction records. Full payment details are handled by our payment processor (PayPal) and are not stored by us.
  • Service usage data: API key identifiers, usage metrics, activity logs (e.g., key creation, regeneration, deletion), and timestamps.
  • Technical data: IP address, browser type, device information, and session data necessary for authentication and security.

4. Purposes of Processing

We use your data to:

  • Create and manage your account
  • Provide unlimited AI API access and related features
  • Process payments and manage subscriptions
  • Send password reset and essential service communications
  • Monitor usage, prevent abuse, and ensure service integrity
  • Improve our service and user experience
  • Comply with legal obligations and enforce our terms

We apply data minimization and only collect data necessary for these purposes.

5. Recipients and International Transfers

Your data may be shared with:

  • Payment processors (e.g., PayPal): For payment processing. Their privacy policies apply to their handling of your payment data.
  • Infrastructure providers: Hosting, database, and email delivery services that process data on our behalf under contractual safeguards.

If we transfer data outside the European Economic Area (EEA), we ensure appropriate safeguards (e.g., adequacy decisions, Standard Contractual Clauses, or Binding Corporate Rules) as required by GDPR Chapter V.

6. Retention Periods

We retain your data only as long as necessary for the purposes described:

  • Account data: Until account deletion plus any period required by law (e.g., tax, legal claims).
  • Activity logs: As needed for security, fraud prevention, and service operation, typically up to 24 months.
  • Payment records: As required by financial and tax regulations (typically 7 years where applicable).

After retention periods expire, we securely delete or anonymize your data.

7. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15): Obtain confirmation and a copy of your personal data.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your data where legally applicable.
  • Right to restriction (Art. 18): Request limitation of processing in certain circumstances.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise these rights, contact us via our contact page. We will respond within one month. You also have the right to lodge a complaint with a supervisory authority in your country of residence (e.g., your national data protection authority).

8. Security Measures (ISO 27001 Alignment)

We implement technical and organizational measures to protect your data, aligned with information security best practices:

  • Encryption of data in transit (TLS) and at rest where applicable
  • Secure password hashing (bcrypt) for credentials
  • Access controls and authentication (e.g., JWT, httpOnly cookies)
  • Regular security reviews and monitoring
  • Incident response procedures for data breaches

9. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform you without undue delay, as required by GDPR Articles 33 and 34.

10. Automated Decision-Making

We do not use your personal data for automated decision-making or profiling that produces legal effects or similarly significantly affects you.

11. Children

Our service is not directed to individuals under 16. We do not knowingly collect personal data from children. If you believe we have collected such data, please contact us so we can delete it.

12. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Continued use of our service after changes constitutes acceptance of the updated policy.

13. Contact

For privacy-related questions, to exercise your rights, or to reach our data protection contact, please use our contact page.