Your privacy is fundamental to us. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights. It has been designed to comply with Brazil's General Data Protection Law (LGPD, Law nº 13.709/2018) and the EU's General Data Protection Regulation (GDPR, Regulation EU 2016/679).
1. Who we are
DaysWithout is operated by Hessel IT Solutions (the "Company", "we"), with registered office at [STREET, NUMBER, POSTAL CODE], Lisbon, Portugal, registered under tax ID (NIF) 517 659 247.
1.1 Data Protection Officer (DPO)
We have appointed a Data Protection Officer (DPO/Encarregado, per LGPD art. 41 and GDPR art. 37):
- Name: Hessel IT Solutions
- Role: Data Protection Officer
- Direct channel: dpo@hesselitsolutions.com
For any privacy-related questions or to exercise your data subject rights, contact the DPO directly. For general matters, write to contato@hesselitsolutions.com.
2. Data we collect
2.1 Account data
- Email and password (or Google/Apple credential for social login)
- Display name (optional)
- Preferred language and timezone
2.2 App usage data (habits)
- Habit counters you create (name, icon, start date)
- Relapse records with date, time, and any context you add
- Journal entries (mood, energy, social context, free text)
- Achievements and milestones (streaks, XP, quests)
2.3 AI Companion messages
All messages you send to Atlas/Mira (the AI Companion) are processed in real time. See Section 4 — this is our most sensitive data category.
2.4 Community and Tribes
- Posts and comments you publish in Tribes
- Reactions, mentions, private messages to allies (Ally Mode)
2.5 Payment data
Payments are processed directly by Stripe Inc. We do not store your credit card details. We only receive the subscription identifier (`stripeSubscriptionId`) and subscription state (`active`, `trialing`, `canceled`).
2.6 Technical data
- Push notification tokens (FCM)
- Anonymized error and security event logs
- Aggregated usage metrics (no PII)
3. How we use your data
| Purpose | Legal basis (LGPD / GDPR) |
|---|---|
| Provide the app and features (counters, journal, community) | Contract performance (Art. 7, V LGPD / Art. 6(1)(b) GDPR) |
| Process payments and manage subscriptions | Contract performance |
| Send motivational and re-engagement notifications | Consent (revocable in Settings → Notifications) |
| Automated emotional crisis detection | Protection of life (Art. 7, VII LGPD / Art. 9(2)(c) GDPR — vital interests) |
| Usage analytics to improve the product | Legitimate interest (Art. 7, IX LGPD / Art. 6(1)(f) GDPR) |
| Comply with legal and regulatory obligations | Legal obligation |
4. Sensitive mental health data
⚠️ Important notice. DaysWithout processes data that may qualify as "sensitive personal data" relating to mental health (LGPD Art. 5, II / GDPR Art. 9). This section explains in detail what we do with that data, why, and how we protect you.
4.1 Automated crisis detection
To ensure your safety, every message you send to the AI Companion is automatically analyzed in real time by artificial-intelligence-based systems, aimed at identifying signs of:
- Suicidal ideation or self-harm
- Severe emotional crisis
- Concern for the safety of third parties
The system uses a combination of:
- Deterministic linguistic patterns (term matching)
- Semantic classification via language model (Google Gemini, via OpenRouter gateway)
4.2 Safety event logging
When the system detects a crisis, an anonymized log entry is created in our database for clinical review and audit. This entry contains:
- Event timestamp
- User identifier (hashed)
- Detection method (regex / LLM)
- Classified risk level (low / medium / high)
- Anonymized trigger category (e.g., `suicidal_ideation_backstop`)
The verbatim content of the message is stored in a separate clinical review repository, with access restricted to authorized clinical-review staff, maximum retention of 90 days, after which it is automatically deleted.
4.3 Legal basis and rights
This automated analysis is grounded in protection of life (LGPD Art. 7, VII and Art. 11 II 'f'; GDPR Art. 9(2)(c) — vital interests). It is a non-optional safety measure, active for all users, because we consider the risk of failing to detect an emotional crisis to be disproportionately greater than the discomfort of automated analysis.
Right to human review (LGPD Art. 20): You have the right to request human review of any decision taken solely on the basis of automated processing (including the crisis detection described above). To exercise this right, contact our DPO at dpo@hesselitsolutions.com. We will respond within 15 days (LGPD) or 30 days (GDPR).
You have the right to request access, correction, deletion, or portability of any data, including safety events — see Section 7.
4.4 Important limitations
The AI Companion is not a therapist and does not replace clinical care. Automated crisis detection is a risk-mitigation measure, not an emergency system. In active crisis, contact immediately:
- USA: 988 Suicide & Crisis Lifeline · 911 emergency
- UK: Samaritans 116 123 · 999 emergency
- EU: Local crisis hotlines or 112
- Brazil: CVV 188 · SAMU 192
5. Who we share your data with
We do not sell your data. We do not run targeted advertising. The following processors receive only data strictly necessary for the service:
| Subprocessor | Purpose | Location |
|---|---|---|
| Google Cloud / Firebase | Hosting, authentication, database (Firestore), Cloud Functions | USA + EU |
| OpenRouter | Language model gateway for the AI Companion | USA |
| Google AI (Gemini) | AI Companion message processing | USA |
| Stripe | Payment processing | USA + EU |
| RevenueCat | In-app subscriptions (iOS/Android — when available) | USA |
All processors are bound by data processing agreements (DPAs) and operate under contractual security and confidentiality commitments.
6. Retention and deletion
| Data type | Retention |
|---|---|
| Account and app usage data | Until you delete your account |
| Chat messages (context history) | Last 50 messages, rolling window |
| Safety events (anonymized log) | 365 days |
| Verbatim crisis content (clinical review) | 90 days, automatic deletion |
| Error logs and technical metrics | 30 days |
| Payment data (Stripe references) | Per tax obligations — up to 5 years |
You can delete your account at any time in Settings → Account, and all associated data will be deleted within 30 days (except data we must retain by legal obligation).
7. Your rights
As a data subject, you have the following rights guaranteed by LGPD and GDPR:
- Access: obtain confirmation and a copy of your data
- Correction: rectify incomplete or inaccurate data
- Deletion: erase your data ("right to be forgotten")
- Portability: receive your data in a structured format (JSON)
- Objection: object to processing under legitimate interest
- Consent withdrawal: at any time, without prejudice to processing already performed
- Complaint: lodge a complaint with the competent authority (ANPD in Brazil, CNPD in Portugal, or your country's supervisory authority in the EU)
To exercise any of these rights, contact us at contato@hesselitsolutions.com. We respond within 15 days (LGPD) / 30 days (GDPR).
8. International data transfers
Your data is processed on servers located in the US and EU. For international transfers we apply:
- EU → US: Standard Contractual Clauses (SCCs) approved by the European Commission
- Brazil → abroad: adequate-level safeguards and/or specific contractual clauses per LGPD Art. 33
9. Cookies and similar technologies
The marketing site (dayswithout.life) uses a minimal set of local storage technologies:
9.1 Essential (always on)
- localStorage: theme (light/dark) and language preference. No consent required — strictly functional.
- 1st-party cookie `consent` (12 months): records your choice in the cookie banner.
9.2 Analytics — Google Analytics 4 (with consent)
If you accept in the cookie banner, the site loads Google Analytics 4 (operator: Google LLC, USA) configured with:
- Purpose: measure anonymous usage (page views, navigation flow, languages, clicks on the "Open App" CTA) to improve product and copy.
- Legal basis: consent (LGPD Art. 7 I / GDPR Art. 6(1)(a)).
- Mode: Google Consent Mode v2 — denied by default. Analytics cookies set only after explicit acceptance.
- IP anonymization: enabled (GA4 default since Oct/2020).
- No Ads sharing: Google Signals and ad personalization disabled.
- International transfer: data processed by Google in the USA. Transfer covered by Standard Contractual Clauses (SCCs) — see section 8.
- Retention: 14 months (minimum configurable in GA4 — not extended).
- Withdrawal: at any time, via "Cookie preferences" link in the footer.
9.3 What we do NOT use
No Meta Pixel. No Hotjar. No FullStory. No Microsoft Clarity. No advertising cookies. No A/B testing tools. No fingerprinting.
The app (app.dayswithout.life) uses essential cookies to maintain your authentication session. We do not use third-party tracking cookies in the app.
10. Children and minors
DaysWithout is intended exclusively for individuals aged 18 or older. We do not knowingly collect data from minors. If you discover a minor has created an account, contact us for immediate deletion.
11. Security incident notification
In the event of a security incident involving personal data (unauthorized access, loss, destruction, alteration, or improper disclosure), we will act as follows:
- Competent authority: we notify the data protection authority (ANPD in Brazil, CNPD in Portugal, or the equivalent EU authority) without undue delay, within 72 hours after becoming aware of the incident where applicable (GDPR Art. 33), or within a reasonable timeframe (LGPD Art. 48).
- Affected data subjects: if the incident presents a high risk to your rights and freedoms, we notify you directly (registered email and/or in-app notification) without undue delay (GDPR Art. 34).
- Notification content: nature of the incident, categories and approximate number of affected subjects, possible consequences, measures taken, and DPO contact for clarifications.
12. Changes to this policy
We may update this Policy periodically. The "Last updated" date at the top indicates the current version. Material changes will be communicated at least 30 days in advance via email and/or in-app notification.
13. Contact
For any privacy-related question, data subject right, or complaint:
- General email: contato@hesselitsolutions.com
- Data Protection Officer (DPO): Hessel IT Solutions · dpo@hesselitsolutions.com
- Company: Hessel IT Solutions
- Address: [STREET, NUMBER, POSTAL CODE], Lisbon, Portugal
- Tax ID (NIF): 517 659 247
If we do not respond or you are unsatisfied with our response, you may lodge a complaint directly with the competent data-protection authority (ANPD/Brazil, CNPD/Portugal, or the equivalent in your country).