OwnDay Sign in

Legal

Privacy Policy

Effective June 16, 2026 · Last updated May 24, 2026

1.About this policy

OwnDay is a routine app for children aged 5–9, set up and supervised by a parent or guardian. This policy explains what information we keep about you and your child, how we use it, and the choices you have. We've tried to keep it short and direct — if anything is unclear, write to us at [email protected].

OwnDay is operated by the OwnDay team (the "we" or "us" in this policy). When we refer to "you", we mean the parent or guardian who created the account. When we refer to "your child", we mean a child whose routines you set up inside your account.

2.What we collect

We collect the minimum needed to run a routine app for a family. There is no marketing data, no behavioural profile, no third-party data enrichment.

Parent account
Your email address, a display name, and your hashed password.
Parent PIN
A 4-digit PIN that locks the parent area on a shared device. Stored as a salted hash; we cannot see or recover the value.
Child profile
The first name you give your child, an age, and a single avatar emoji you pick during setup. We do not ask for last names, photos, or contact details.
Routines & steps
The names of routines you create ("Morning routine", "Bedtime routine") and the steps inside them ("Brush teeth").
Completions
Which steps were marked done, skipped, or paused, and the date and local time. We keep this so the dashboard and history can show what happened.
Technical logs
Server logs of requests, IP address, and user-agent string. Used only to keep the service running and to investigate abuse. Rotated and deleted within 30 days.

3.What we don't collect

These categories are not part of OwnDay and never will be while this policy is in force:

  • No advertising trackers, pixels, or audience SDKs.
  • No third-party analytics (Google Analytics, Meta, Mixpanel, Amplitude, Segment, etc.).
  • No precise or coarse geolocation. We do not ask for or store device location.
  • No access to your contacts, photos, microphone, or camera.
  • No browsing history outside OwnDay.
  • No biometric data of any kind, for either parent or child.
  • No data purchased from or sold to brokers, ad networks, or data exchanges.

4.How we treat child data

This is the section that matters most to us. OwnDay is built around a single rule: your child's data is yours and your child's, not ours to monetise.

Our promise

We never sell child data. We never share child data with advertisers, data brokers, or AI training providers. We do not build behavioural profiles of children. Child profile data, routines, and completion history exist only to operate the app inside your household — nothing else.

Concretely, this means:

  • A child profile is visible only to you, the parent, after you sign in or unlock the parent area with your PIN.
  • Child names and routine content are never shown to other OwnDay users.
  • Aggregate counts (e.g. "how many routines were completed across the service this week") are computed in-house only, on de-identified server-side counters, and are never tied back to an individual child.
  • If you delete a child profile, every routine, step, and completion belonging to that child is deleted from our production database within 30 days, and from encrypted backups on their normal rotation (no more than 90 days).

OwnDay is designed to operate without identifying a child to the outside world. The only adult who can see anything about your child inside OwnDay is you.

5.How we use the data

We use what we collect for three things, and nothing else:

  1. To run the app. Show you the parent dashboard, show your child the next step, sync state between your devices.
  2. To keep the service safe. Detect abuse, fix bugs, recover from outages. Technical logs are used here.
  3. To contact you about your account. Password resets, security notices, material changes to these policies, and (only if you've opted in) early-access product updates.

We do not use your data, or your child's data, to train machine-learning models, generate recommendations to other families, target advertising, or rank you against other users.

6.Legal bases (GDPR / GDPR-K)

Under the EU General Data Protection Regulation and its rules for children's data (often called "GDPR-K"), we process data on these legal bases:

  • Performance of a contract. Running the service you signed up for. Applies to the parent account, profiles, and routine data.
  • Parental consent. You consent on your child's behalf when you create a child profile inside your account. You can withdraw consent at any time by deleting the profile.
  • Legitimate interests. Keeping the service secure and free of abuse. Applies only to short-lived technical logs.
  • Legal obligation. Where we have to retain or disclose data under applicable law.

We do not rely on legitimate interests for any processing of child data. Child data is handled on the basis of your parental consent, full stop.

7.Your rights as a parent

Under COPPA in the United States and the GDPR / GDPR-K in the EU and UK, you have these rights for yourself and on behalf of your child. OwnDay supports each one directly inside the app, with no support ticket required:

  • Access. See everything we hold for your account in Settings → Your data.
  • Export. Download a machine-readable JSON file of all of it from Settings → Export data. This includes every child profile, every routine, and every completion record.
  • Correction. Edit your name, your child's name, age, and avatar at any time from the parent area.
  • Deletion. Delete a single child profile, or your entire account, from Settings → Delete account. Deletion is final — we cannot recover deleted data, and we do not retain shadow copies.
  • Restriction and objection. Ask us to pause processing while you investigate a concern. Email [email protected].
  • Withdraw consent. Revoke consent for child data processing by deleting the child profile.
  • Complain to a regulator. You can lodge a complaint with your local data-protection authority if you believe we've handled your data unlawfully.

We respond to verified requests within 30 days. We don't charge for any of these requests and we don't ask for extra information beyond what's needed to confirm you control the account.

8.Cookies

OwnDay uses one cookie: a first-party session cookie that keeps you signed in between page loads. It contains a signed session identifier and nothing else. We do not use third-party cookies, analytics cookies, or advertising cookies.

Because the only cookie we set is strictly necessary to provide the service you asked for, we don't show a cookie consent banner — there's nothing to consent to that you haven't already consented to by signing in.

9.Data retention

  • Account and profile data — retained for as long as your account is active.
  • Routine and completion history — retained for as long as the relevant child profile exists. You can delete history yourself from Settings → Your data.
  • Technical logs — rotated and deleted within 30 days.
  • Encrypted backups — rotated on a schedule no longer than 90 days. Deleted data disappears from backups within that window.
  • After account deletion — production data is removed within 30 days; backups follow the 90-day rotation above. We may keep minimal records (an email hash, the date of deletion) for up to 12 months where we're legally required to demonstrate compliance.

10.Security

We use industry-standard safeguards: TLS for all traffic, encryption at rest for the database, salted-hash storage for passwords and PINs, and least-privilege access controls on the small team that operates the service. We do not promise that any system is unbreakable — no one honestly can — but we treat a child-data breach as the most serious possible failure mode and design with that in mind.

If we ever experience a data breach that affects your account or your child's profile, we will notify you by email within 72 hours of confirming the incident, in line with GDPR Article 33.

11.Where the data lives

OwnDay's production database and backups are hosted in EU/EEA-preferred regions provided by our hosting partner. Where this changes, we will update this policy first, identify any cross-border transfer safeguards (such as Standard Contractual Clauses) in plain language, and notify existing users by email before any transfer takes place.

12.Changes to this policy

We update this policy when we change how OwnDay handles data. For material changes — anything that expands what we collect, how we use it, or who we share it with — we'll email every account holder at least 30 days before the new policy takes effect, and post a clear summary at the top of this page. The "Last updated" date above always reflects the latest revision.

13.Contact us

Questions, concerns, or formal data requests — write to us at [email protected]. A real person on the OwnDay team reads every message; we aim to respond within two business days, and always within thirty.

For postal correspondence and the name of our EU representative, see the Terms of Service.