Privacy Policy
1.About aro.day
aro.day is a personal task-management web app available at https://aro.day/. This Privacy Policy describes what data aro.day accesses, when it accesses it, and where that data lives.
The free tier requires no account. You can use aro.day without signing in, without connecting any Google service, and without identifying yourself in any way. All Google-related sections below apply only if you choose to sign in or connect a Google service.
2.Where your task data lives
Your tasks, projects, sessions, and settings are stored in your browser's localStorage on your own device. On the free tier, with no sign-in, none of this data ever leaves your browser — aro.day has no way to identify you and no record of your tasks on its servers.
If you sign in with Google or purchase a paid plan, aro.day's server (a Cloudflare Worker backed by a D1 database) stores a small amount of account and subscription metadata needed to operate billing and entitlements: your Google account identifier (sub), email address, subscription status, renewal/end dates, and your Dodo Payments customer/subscription IDs. This metadata does not include your task content, calendar events, or any other app data — only what is required to know whether your account is on the free tier, trial, or Pro plan.
If you upgrade to a paid plan and turn on cross-device sync, your state JSON is synced into a hidden per-app folder in your own Google Drive (the Drive appDataFolder). It is not stored on an aro.day server. See section 4 for the exact scope and behaviour.
3.Google sign-in and OAuth scopes
Where aro.day uses Google APIs it requests scopes incrementally — each scope is requested only at the moment you opt into the feature that needs it, never upfront as one big consent wall. The full list:
- Identity —
openid,email,profile. Requested only when you click "Sign in with Google" (for example, to start a paid plan). Used to identify your account so we know which entitlement to apply. Your email address is the identity key; no password is ever set or stored. - Drive app-data —
https://www.googleapis.com/auth/drive.appdata. Requested only if you enable cross-device sync. This is a Google-restricted scope that lets aro.day read and write inside a single hidden per-app folder in your own Drive. aro.day cannot see, list, read, or modify any other file in your Drive — only the state file it created. It cannot access Docs, Sheets, photos, shared drives, or anything else. - Calendar read-only —
https://www.googleapis.com/auth/calendar.readonly. Requested only when you connect a calendar in Settings → Calendar. Lets aro.day read your calendar list and the events on the calendars you choose to display, so they appear alongside your tasks. Read-only — aro.day never writes to, edits, or deletes any calendar or event in this phase.
aro.day does not request, and has no way to access: your Gmail, your contacts, your other Drive files, your Photos, your Workspace admin data, or any other Google service or scope not listed above.
4.How synced data is handled
When sync is on, the code running in your browser reads and writes a single state JSON to your Drive's appDataFolder via Google's Drive API. The file is invisible in the normal Drive UI — it is scoped to aro.day and only aro.day can see it. Google keeps its own revision history of that file under your account, so you can roll back through Google if needed.
Your task content never transits aro.day's server. The Drive read and write goes directly from your browser to Google's servers. We deliberately do not have an endpoint that accepts or returns the contents of your sync file.
What aro.day's server (a Cloudflare Worker) does hold on your behalf, encrypted at rest, is a Google OAuth refresh-token used to mint short-lived access-tokens for your browser. We hold this token for two reasons: (1) to validate your Pro subscription each time your client asks for a new access-token, and (2) so that a copy of the token does not need to live in your browser's localStorage, which closes a class of token-extraction attacks. See section 4a for the full data-flow.
Calendar events are fetched directly from Google's servers by the code in your browser and cached in your browser's localStorage. They never transit aro.day's server.
4a.End-to-end encryption (optional)
If you turn on end-to-end encryption in Settings → Privacy, the state JSON that goes to your Drive is encrypted on your device before upload. The encryption key is derived from a passphrase you choose — only you ever know it. aro.day's servers and Google's storage layer see opaque ciphertext only.
- Algorithm: AES-256-GCM with a key derived from your passphrase via PBKDF2-SHA256 (600,000 iterations, per OWASP 2023 guidance). A unique nonce is used for every save (catastrophic key reuse is prevented at the protocol level).
- What we cannot do: read your task content. With end-to-end encryption on, even if our token-storage were compromised the attacker recovers ciphertext only.
- What you must remember: the passphrase. We cannot recover it for you. If you forget it, your encrypted Drive backup is unrecoverable (your local copy on whichever device you're using is intact, and you can "Reset sync" from Privacy settings to start fresh with a new passphrase).
- Default for existing users: off. We don't force a passphrase prompt on accounts that signed in before the 2026-05-25 rollout. You can opt in any time.
When end-to-end encryption is off: your sync data is still secured by Google's transport (TLS) and at-rest encryption on Google's infrastructure, and by Cloudflare's encryption of our refresh-token storage. The thing it doesn't have, with E2EE off, is a guarantee that aro.day's operators couldn't read your sync data — we wouldn't and don't, but with the refresh-token in our possession the technical capability exists. E2EE removes that capability.
5.How we use your information
Your task data, calendar data, and Drive state file are used only to render the app for you in your own browser. aro.day does not analyse your data, build behavioural profiles, train any models, generate advertising signals, or share insights with anyone.
6.Anonymous usage analytics
aro.day records a small, anonymous record of which screens are opened and which features are used (for example: page views, task created, panel opened, theme changed). Each record is tagged with an opaque visitor_id — a UUID generated in your browser the first time you load the app and stored in localStorage. This ID is never linked to your name, email, IP address, or any Google account; it resets the moment you clear your browser's site data for aro.day. Analytics records are stored in a Cloudflare D1 database we operate, used only to understand which features are worth keeping and which are unused, and are never sold, traded, or shared with third parties.
7.Sharing and disclosure
aro.day does not sell, share, transmit, or transfer Google user data to any third party. The only third party that ever sees your Google data is Google itself, when your browser calls their APIs. There are no advertising SDKs and no third-party trackers. The only payment data leaving the app goes to our payments provider (Dodo Payments, a Merchant-of-Record handling checkout, tax, and billing); see the Terms of Service.
8.Limited Use disclosure (Google API)
aro.day's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to serve advertisements, we do not allow humans to read it, and we do not transfer it to others except as necessary to provide or improve user-facing features that are prominent in the aro.day user interface.
9.Data retention and deletion
You can remove your data from aro.day at any time, and you control retention entirely:
- Disconnect a single integration: open Settings → Calendar → Disconnect Google Calendar (or the equivalent for Drive sync). This clears the matching access token, refresh token, and cached data from your browser.
- Clear everything in this browser: clear site data for
aro.day. This removes every task, every cache, every token, and the analytics visitor_id. - Revoke at Google: visit https://myaccount.google.com/permissions to revoke aro.day's access to your Google account. This invalidates every refresh token aro.day holds and prevents any further Google API call.
- Delete the synced Drive file: Drive's storage UI lets you delete the aro.day
appDataFolderfile directly under your account's "App data" management. - Request server-side account deletion: if you have signed in or purchased a paid plan, email support@aro.day or use the in-app feedback form (Settings → Help & feedback) and ask us to delete your server-side records. We will remove your subscription row from our D1 database, delete your encrypted OAuth refresh token from Cloudflare KV, and purge any associated subscription-event audit rows. This does not delete your local browser data or your Drive sync file — use the steps above for those.
If you have not signed in, there is no server-side account record to delete. If you want the anonymous analytics rows associated with your specific visitor_id removed, contact us via in-app feedback with your visitor_id (visible in Settings) and we will purge them.
10.Security
aro.day uses a defence-in-depth model for OAuth tokens. After you sign in, your refresh-token is sent to our Cloudflare Worker over TLS and stored encrypted in Cloudflare's KV (envelope encryption with AES-256-GCM and a key derived from a Worker secret, on top of Cloudflare's own at-rest encryption). The browser never persists the refresh-token in localStorage past the OAuth callback — only a short-lived (~1 hour) access-token. This protects against token-extraction attacks (e.g., a malicious browser extension reading your storage) and against the previous design's tier-bypass class of attack.
For everyday Google API calls (calendar polling, identity refresh), your browser requests a fresh access-token from our Worker. The Worker returns a token whose scope is limited to what you're entitled to: for free users, calendar and identity only — never Drive. For Pro users, full scope including the hidden Drive app-folder. This means a leaked access-token from a free user cannot be used to write to Drive, even though their underlying Google consent may include Drive scope.
For task content itself, see section 4a (end-to-end encryption). With E2EE on, your sync data is unreadable by anyone holding the tokens, including us. With E2EE off, your data is secured by transport + at-rest encryption only — strong against external attackers, but not against an aro.day operator with KV access.
All client ↔ server traffic and client ↔ Google traffic uses TLS. Communications between Google and Cloudflare's worker infrastructure are also TLS-encrypted at the transport layer.
11.Children's privacy
aro.day is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has connected a Google account to aro.day, please send a message via the in-app feedback form (Settings → Help & feedback) and we will remove any associated information.
12.Changes to this policy
We may update this Privacy Policy from time to time. Any material change will be reflected in the Effective date at the top of this page. Because aro.day has no required user accounts, we cannot notify every user individually — checking this page is the canonical way to see the current version. Continued use of aro.day after changes constitutes acceptance of the updated policy.
13.Contact
For privacy questions, deletion requests, or to report a concern, email support@aro.day or send a message via the in-app feedback form: open Settings → Help & feedback → Send feedback.
Effective: 2026-05-27 · Contact: support@aro.day or in-app feedback (Settings → Help & feedback) · See also: Terms of Service