← Back to aro.day

Privacy Policy

1.About aro.day

aro.day is a personal task-management web app available at https://aro.day/. This Privacy Policy describes what data aro.day accesses, when it accesses it, and where that data lives.

The free tier requires no account. You can use aro.day without signing in, without connecting any Google service, and without identifying yourself in any way. All Google-related sections below apply only if you choose to sign in or connect a Google service.

2.Where your task data lives

Your tasks, projects, sessions, and settings are stored in your browser's localStorage on your own device. On the free tier, with no sign-in, none of this data ever leaves your browser — aro.day has no way to identify you and no record of your tasks on its servers.

If you sign in with Google or purchase a paid plan, aro.day's server (a Cloudflare Worker backed by a D1 database) stores a small amount of account and subscription metadata needed to operate billing and entitlements: your Google account identifier (sub), email address, subscription status, renewal/end dates, and your Dodo Payments customer/subscription IDs. This metadata does not include your task content, calendar events, or any other app data — only what is required to know whether your account is on the free tier, trial, or Pro plan.

If you upgrade to a paid plan and turn on cross-device sync, your state JSON is synced into a hidden per-app folder in your own Google Drive (the Drive appDataFolder). It is not stored on an aro.day server. See section 4 for the exact scope and behaviour.

3.Google sign-in and OAuth scopes

Where aro.day uses Google APIs it requests scopes incrementally — each scope is requested only at the moment you opt into the feature that needs it, never upfront as one big consent wall. The full list:

aro.day does not request, and has no way to access: your Gmail, your contacts, your other Drive files, your Photos, your Workspace admin data, or any other Google service or scope not listed above.

4.How synced data is handled

When sync is on, the code running in your browser reads and writes a single state JSON to your Drive's appDataFolder via Google's Drive API. The file is invisible in the normal Drive UI — it is scoped to aro.day and only aro.day can see it. Google keeps its own revision history of that file under your account, so you can roll back through Google if needed.

Your task content never transits aro.day's server. The Drive read and write goes directly from your browser to Google's servers. We deliberately do not have an endpoint that accepts or returns the contents of your sync file.

What aro.day's server (a Cloudflare Worker) does hold on your behalf, encrypted at rest, is a Google OAuth refresh-token used to mint short-lived access-tokens for your browser. We hold this token for two reasons: (1) to validate your Pro subscription each time your client asks for a new access-token, and (2) so that a copy of the token does not need to live in your browser's localStorage, which closes a class of token-extraction attacks. See section 4a for the full data-flow.

Calendar events are fetched directly from Google's servers by the code in your browser and cached in your browser's localStorage. They never transit aro.day's server.

4a.End-to-end encryption (optional)

If you turn on end-to-end encryption in Settings → Privacy, the state JSON that goes to your Drive is encrypted on your device before upload. The encryption key is derived from a passphrase you choose — only you ever know it. aro.day's servers and Google's storage layer see opaque ciphertext only.

When end-to-end encryption is off: your sync data is still secured by Google's transport (TLS) and at-rest encryption on Google's infrastructure, and by Cloudflare's encryption of our refresh-token storage. The thing it doesn't have, with E2EE off, is a guarantee that aro.day's operators couldn't read your sync data — we wouldn't and don't, but with the refresh-token in our possession the technical capability exists. E2EE removes that capability.

5.How we use your information

Your task data, calendar data, and Drive state file are used only to render the app for you in your own browser. aro.day does not analyse your data, build behavioural profiles, train any models, generate advertising signals, or share insights with anyone.

6.Anonymous usage analytics

aro.day records a small, anonymous record of which screens are opened and which features are used (for example: page views, task created, panel opened, theme changed). Each record is tagged with an opaque visitor_id — a UUID generated in your browser the first time you load the app and stored in localStorage. This ID is never linked to your name, email, IP address, or any Google account; it resets the moment you clear your browser's site data for aro.day. Analytics records are stored in a Cloudflare D1 database we operate, used only to understand which features are worth keeping and which are unused, and are never sold, traded, or shared with third parties.

7.Sharing and disclosure

aro.day does not sell, share, transmit, or transfer Google user data to any third party. The only third party that ever sees your Google data is Google itself, when your browser calls their APIs. There are no advertising SDKs and no third-party trackers. The only payment data leaving the app goes to our payments provider (Dodo Payments, a Merchant-of-Record handling checkout, tax, and billing); see the Terms of Service.

8.Limited Use disclosure (Google API)

aro.day's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to serve advertisements, we do not allow humans to read it, and we do not transfer it to others except as necessary to provide or improve user-facing features that are prominent in the aro.day user interface.

9.Data retention and deletion

You can remove your data from aro.day at any time, and you control retention entirely:

If you have not signed in, there is no server-side account record to delete. If you want the anonymous analytics rows associated with your specific visitor_id removed, contact us via in-app feedback with your visitor_id (visible in Settings) and we will purge them.

10.Security

aro.day uses a defence-in-depth model for OAuth tokens. After you sign in, your refresh-token is sent to our Cloudflare Worker over TLS and stored encrypted in Cloudflare's KV (envelope encryption with AES-256-GCM and a key derived from a Worker secret, on top of Cloudflare's own at-rest encryption). The browser never persists the refresh-token in localStorage past the OAuth callback — only a short-lived (~1 hour) access-token. This protects against token-extraction attacks (e.g., a malicious browser extension reading your storage) and against the previous design's tier-bypass class of attack.

For everyday Google API calls (calendar polling, identity refresh), your browser requests a fresh access-token from our Worker. The Worker returns a token whose scope is limited to what you're entitled to: for free users, calendar and identity only — never Drive. For Pro users, full scope including the hidden Drive app-folder. This means a leaked access-token from a free user cannot be used to write to Drive, even though their underlying Google consent may include Drive scope.

For task content itself, see section 4a (end-to-end encryption). With E2EE on, your sync data is unreadable by anyone holding the tokens, including us. With E2EE off, your data is secured by transport + at-rest encryption only — strong against external attackers, but not against an aro.day operator with KV access.

All client ↔ server traffic and client ↔ Google traffic uses TLS. Communications between Google and Cloudflare's worker infrastructure are also TLS-encrypted at the transport layer.

11.Children's privacy

aro.day is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has connected a Google account to aro.day, please send a message via the in-app feedback form (Settings → Help & feedback) and we will remove any associated information.

12.Changes to this policy

We may update this Privacy Policy from time to time. Any material change will be reflected in the Effective date at the top of this page. Because aro.day has no required user accounts, we cannot notify every user individually — checking this page is the canonical way to see the current version. Continued use of aro.day after changes constitutes acceptance of the updated policy.

13.Contact

For privacy questions, deletion requests, or to report a concern, email support@aro.day or send a message via the in-app feedback form: open Settings → Help & feedback → Send feedback.