Security
0.Your sync data
Your tasks, notes, projects, and timers live in your browser's localStorage on your own device. Free users keep everything on-device — nothing about your task content ever leaves your browser. Pro users can additionally enable Drive sync, in which case a copy of the state is mirrored to a hidden per-app folder in your own Google Drive (appDataFolder). Aro.day's server never sees, stores, processes, or logs your task content — even in transit.
How Drive sync is gated
Drive sync is a Pro feature. To prevent a patched client from bypassing the entitlement check, the OAuth refresh-token used to talk to Drive is held server-side (in Cloudflare KV, AES-256-GCM encrypted on top of Cloudflare's own at-rest encryption) — not in the user's browser. Every time your browser needs a fresh access-token, our Worker validates your subscription and mints a token scoped to what you're entitled to: free users get tokens without Drive scope; Pro users get tokens that can write to Drive. A leaked access-token from a free user cannot be used to write to Drive, even though Google may have granted Drive consent on the underlying account.
End-to-end encryption (optional)
Pro users can enable end-to-end encryption in Settings → Privacy. The state JSON is encrypted in your browser before upload with a key derived from a passphrase only you know:
- Cipher: AES-256-GCM with a unique nonce per save.
- Key derivation: PBKDF2-HMAC-SHA256, 600,000 iterations (OWASP 2023 minimum).
- Compression: gzip before encrypt — typical 60-80% reduction in upload size.
- Salt: generated per account on first enable, stored inside the encrypted envelope so additional devices derive the same key from the same passphrase.
- What this protects against: our own operators reading your sync data, a KV breach exposing refresh-tokens, anyone with read access to your Drive (e.g., some Workspace admin configurations).
- Trade-off: the passphrase is not recoverable. If you forget it, your encrypted Drive backup is unrecoverable — though your local copies remain intact and you can reset sync to start fresh.
For existing users (signed in before 2026-05-25)
Your sync continues to work exactly as before. End-to-end encryption is opt-in via Settings → Privacy. We didn't force a passphrase prompt on anyone — you decide whether to enable it.
1.Where your card data goes
When you upgrade to Pro, your card details are entered into a checkout overlay
served by Dodo Payments — our payment processor. aro.day's
servers never see, store, or process card numbers. The overlay loads from
checkout.dodopayments.com over HTTPS with 256-bit TLS. Dodo is
PCI-DSS Level 1 certified (the strictest tier of the card
industry's security standard — required for processors handling more than 6
million card transactions per year).
2.Merchant of Record — what that means
Dodo Payments is our Merchant of Record (MoR). That means Dodo is the seller of record on your card statement, not aro.day. The MoR model has three concrete user-facing benefits:
- Taxes (VAT, GST, sales tax) are calculated and remitted by Dodo in your jurisdiction — you don't get a surprise tax bill, and we don't have to maintain tax tables for 100+ countries.
- Refunds are handled directly by Dodo per their refund policy. We don't sit between you and your money.
- Chargebacks go through Dodo's dispute process, which is a regulated card-network procedure — your card issuer's standard consumer protections apply (typically a 60-day window after the disputed charge).
2a.EU 14-day cooling-off (Consumer Rights Directive)
If you're a consumer in the EU/EEA, you have a statutory right to withdraw from the contract within 14 days of purchase under Directive 2011/83/EU (Consumer Rights Directive) and refunded in full. Because Pro is a digital service that starts running immediately, Dodo's checkout collects your express consent to begin performance during the cooling-off period (typically a checkbox at the bottom of the checkout form). Once you tick it and complete payment, you've waived the 14-day withdrawal right for the part of the service already used — Dodo can still issue a partial refund at its discretion, but it's no longer a statutory right.
If you don't see the consent checkbox at checkout, don't tick it, or aren't sure — email support@aro.day and we'll coordinate the withdrawal with Dodo. Outside the EU/EEA this doesn't apply; refer to Dodo's refund policy above.
3.What aro.day actually stores
On our side, we only store what we need to know that you have an active subscription. Specifically:
- Your Google account identifier (Google's
subfield — an opaque immutable per-account number). - Your email address (echoed back from Dodo so we can match the subscription to your sign-in).
- Dodo's customer ID and subscription ID for you (opaque tokens we use to call Dodo's API for renewals, refunds, portal sessions).
- Your subscription status (active / cancelled / expired) and renewal date.
Card numbers, CVVs, billing addresses, and any other payment-instrument data are not stored or transmitted through aro.day's servers. They go directly from your browser to Dodo.
4.Compliance & certifications
- PCI-DSS Level 1 — Dodo Payments. The highest tier of the card industry's security standard.
- SOC 2 Type II — Dodo Payments. Independent audit of security, availability, processing integrity, confidentiality, and privacy controls.
- GDPR-compliant data flows — your card data lives in Dodo's EU-region infrastructure; aro.day's metadata lives on Cloudflare's global network with EU regional cache pinning.
- Cloudflare Workers — aro.day runs on Cloudflare's edge. Cloudflare itself is SOC 2, ISO 27001, FedRAMP, and HIPAA-eligible.
4a.Data deletion (GDPR right to erasure)
You can request deletion of your aro.day account data under GDPR
Article 17. Email support@aro.day
with the subject DELETE MY ACCOUNT and we'll process the
request within 30 days (typically same-day). What gets deleted:
- Your subscription record (current Pro / trial state)
- Any in-flight checkout sessions
- Your focus and break session history
- Server-side caches keyed to your identity
What we retain (legal basis: tax and accounting law, GDPR Art. 6(1)(c)+(f)):
- Webhook event audit trail — retained for 7 years per tax-record law
- Founding-spot record marked as revoked (preserves the 1000-cap accounting)
To delete your payment data on Dodo's side (card-on-file, billing address, etc.), contact Dodo's support directly — Dodo is the Merchant of Record and has its own retention policy.
5.What to do if something looks wrong
- If a charge on your statement looks unexpected, email support@aro.day with the date and amount. We can look up the Dodo subscription record and tell you what it was for; if it's an error we'll refund it via Dodo's portal.
- If you suspect your card was used fraudulently, contact your card issuer immediately — they're the front line for fraud protection. Forward any Dodo-branded receipt to us and we'll work with Dodo's fraud team to cancel the subscription and dispute the charge on your behalf.
- If you want to manage your subscription (update payment method, cancel, change cycle), use the Manage subscription link in your aro.day Account pane — it opens Dodo's hosted customer portal in a new tab.
6.Cancellation & data after cancel
You can cancel any time via the customer portal. Your subscription stays Pro until the end of the current paid period — there's no immediate downgrade. After expiry, your account drops to the free tier; none of your task data is deleted. Free-tier limits (3 active projects, 50 active tasks per project) take effect, but the over-limit items become read-only rather than disappearing, so you can browse / complete / archive them. Re-upgrade at any time to restore full edit access.
7.Questions or concerns
Email support@aro.day. If your question is specifically about Dodo's processing (e.g. "why does my receipt say Dodo Payments?"), Dodo's customer support is at dodopayments.com/support — they'll have direct access to your transaction record.
See also Privacy Policy and Terms of Use.