Privacy Policy

Last updated · April 25, 2026

This policy explains what data Dagur collects, how it's used, and your rights. Plain English. If anything is unclear, email hello@dagur.co.

1. Who we are

"Dagur" ("we", "us", "our") is the data controller responsible for processing your personal data under this policy. For privacy questions or to exercise your rights under GDPR or other applicable laws, contact hello@dagur.co. Full operator details are available on request.

2. What we collect

2.1 Stored locally on your device only

Your widget layout, notes, todos, captures, AI conversation threads, settings, and (if you provide one) your own AI API key are stored in your browser's localStorage and IndexedDB. We do not have access to this data unless you explicitly enable cloud sync by signing in.

2.2 Stored on our servers (only if you create an account)

  • Email address — for sign-in and account recovery
  • Hashed password (we never see the plaintext) — handled by Supabase Auth
  • Subscription tier, Stripe customer ID, and billing status
  • If you enable cloud sync: your synced widgets, captures, threads, and notes
  • If you connect Google: encrypted OAuth refresh tokens (server-side only)
  • Server logs (request metadata, IP, user agent) retained up to 30 days

2.3 Anonymous analytics

We use PostHog (EU-hosted) to understand which features are used. We capture page views, feature interactions, and errors. We never capture the content of your notes, todos, captures, or AI prompts. You can disable analytics in Settings.

3. Legal basis for processing (GDPR)

Where GDPR applies, we process your personal data under the following legal bases:

  • Contract — to provide the service you signed up for (account, sync, subscription)
  • Legitimate interest — to keep the service secure, prevent abuse, and improve the product through anonymized usage analytics
  • Consent — for optional integrations (Google Calendar, Gmail) and any non-essential analytics. You can withdraw consent at any time
  • Legal obligation — to retain billing records as required by tax law

4. Third-party processors (sub-processors)

To operate the service, we use the following providers. Each is bound by contract to use your data only to deliver their service to us, and each maintains its own privacy and security commitments:

  • Supabase — database, authentication, and cloud sync (EU region)
  • Vercel — web hosting and serverless functions
  • Stripe — payment processing. We never see your card details. Stripe's privacy policy applies to checkout
  • Anthropic, OpenAI — AI inference. Your prompts and conversation context are sent to these providers solely to generate responses. Per their API terms, your data is not used to train their models
  • Google — only if you opt in to Calendar or Gmail integration. Read-only scopes, minimum required tokens stored server-side
  • PostHog — anonymous product analytics, EU-hosted

5. International data transfers

Most processing happens in the EU. Some providers (Anthropic, OpenAI, Stripe) may process data in the United States. Where required, transfers rely on Standard Contractual Clauses or equivalent safeguards.

6. What we do not do

  • We do not sell your personal data to anyone
  • We do not share your data with advertisers or data brokers
  • We do not train AI models on your content
  • We do not read your synced data unless required for technical support and only with your explicit consent, or as legally compelled
  • We do not track you across other websites

7. Data retention

  • Account data — kept while your account is active. Deleted within 30 days of account deletion request
  • Cloud-synced content — same as above
  • Billing records — retained for 10 years to comply with Czech tax law
  • Server logs — up to 30 days, then deleted
  • Backups — encrypted, rotated within 30 days

8. Your rights

Under GDPR and similar laws (including UK GDPR, CCPA, and Brazil's LGPD), you have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — delete your account and associated data ("right to be forgotten")
  • Portability — receive your data in a portable format. Use Settings → Export Layout for local data, or email us for cloud data
  • Restriction — limit how we process your data
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — at any time, without affecting prior lawful processing
  • Lodge a complaint — with your local data protection authority. In the Czech Republic, that's the Úřad pro ochranu osobních údajů

To exercise any right, email hello@dagur.co. We respond within 30 days.

9. Cookies and similar technologies

We use cookies and localStorage only for essential functions: authentication, session management, and remembering your settings. We do not use advertising or cross-site tracking cookies.

10. Security

HTTPS everywhere. Database row-level security (RLS) enforced by Postgres so users can only read their own rows. Passwords hashed via Supabase Auth. OAuth tokens encrypted server-side. We can never view your password or local-only data.

Despite reasonable safeguards, no system is fully secure. Report vulnerabilities to security@dagur.co.

11. Children

Dagur is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe we have, email hello@dagur.co and we will delete it.

12. Changes to this policy

If we make material changes, we'll notify account holders by email at least 14 days before the change takes effect. Minor edits (typos, clarifications) just bump the "last updated" date above.

13. Contact

Privacy questions, data requests, or concerns: hello@dagur.co.