Privacy Policy

How we protect your data

Last updated: 29 April 2026

Daily Wayfinder is a private journaling app where you write your reflections and receive a personalised Bible verse, prayer, and short pastoral response. The journal entries you write are spiritual and often deeply personal. We take that seriously, and this policy explains in plain language what happens to your data.

If anything here is unclear, email us at dailywayfinder@gmail.com.

1. Who is responsible for your data

The controller of your personal data is Daily Wayfinder, operated by Niklas Wibelius, based in Gothenburg, Sweden. You can reach us at dailywayfinder@gmail.com.

2. What we collect

We collect only what we need to run the service:

  • Account information — your email address, and if you sign in with a third-party provider (such as Google), the basic profile information that provider returns (name, avatar).
  • Journal entries — the text you write, the AI response we generate for you, and timestamps. This is the content of your private journal.
  • Usage data — basic logs needed to operate the service (request times, errors, IP address at the time of a request, browser/device information). We use this to keep the service working and to investigate abuse or bugs.
  • Communications — if you contact us, we keep your message and our reply.
  • Payment data (only if you donate or subscribe) — handled by Stripe. We never see or store your card number; we only see the donation/subscription status and a customer identifier.

We do not buy data about you, and we do not run advertising trackers on the app.

3. Special category data: religious and spiritual content

Because journal entries are about your faith, prayers, doubts, and spiritual life, they qualify as special category personal data under Article 9 GDPR (data revealing religious or philosophical beliefs).

We process this data only on the basis of your explicit consent, which you give when you create an account and write an entry. You can withdraw that consent at any time by deleting your account, which will erase your entries (see Section 8). Withdrawing consent does not affect processing that already happened lawfully before withdrawal.

4. Why we use it (legal bases)

  • To provide the service — running your account, storing your entries, generating AI responses, sending transactional emails. Legal basis: performance of our agreement with you (Art. 6(1)(b) GDPR), and your explicit consent for special category data (Art. 9(2)(a) GDPR).
  • To keep the service safe — preventing abuse, debugging, security. Legal basis: our legitimate interest in operating a secure service (Art. 6(1)(f) GDPR).
  • To improve the service — understanding what features are used, in aggregate. Legal basis: our legitimate interest in improving Daily Wayfinder (Art. 6(1)(f) GDPR). We do not read individual journal entries for product analytics.
  • To communicate with you — replying to support emails, sending essential service notices. Legal basis: performance of our agreement (Art. 6(1)(b) GDPR).
  • To comply with the law. Legal basis: legal obligation (Art. 6(1)(c) GDPR).

5. How AI works in Daily Wayfinder

When you write an entry, we send the text of that entry to OpenAI, our AI provider, which generates the Scripture reference, prayer, and reflection that you see in the app. The response is saved in your account so you can read it again later.

We have a data processing agreement with OpenAI and use their API under terms where:

  • Your entries are not used to train OpenAI's public models.
  • OpenAI processes the text only to generate the response and retains it for a short period for abuse monitoring before deletion.

We do not sell your entries, we do not share them with advertisers or other third parties, and no human at Daily Wayfinder reads your entries except in narrow operational cases such as you asking us for support that requires it, or investigating a serious abuse report.

AI responses can occasionally be wrong, miss context, or misinterpret what you wrote. Treat them as a thoughtful starting point for reflection — not as pastoral counsel, medical advice, mental health care, or theological authority.

6. Who else processes your data (sub-processors)

We use the following sub-processors. Each one is bound by a data processing agreement and either operates inside the EU/EEA or relies on the EU Standard Contractual Clauses for transfers outside it.

  • Supabase — database, authentication, and file storage.
  • OpenAI — generating Scripture, prayer, and reflection responses (United States).
  • Stripe — payment processing if you donate or subscribe (United States/Ireland).
  • Email provider — sending account and transactional emails.
  • Hosting and CDN provider — serving the website and the app.

7. International transfers

Some of our sub-processors are based in the United States. When your data is transferred there, we rely on the European Commission's Standard Contractual Clauses and the EU-US Data Privacy Framework where applicable. We choose providers who maintain strong technical and organisational security measures.

8. How long we keep your data

  • Journal entries and account data — kept while your account is active. When you delete your account, we delete your entries and account data within 30 days from our primary systems and within 90 days from encrypted backups.
  • Server and security logs — kept for up to 90 days, then deleted automatically.
  • Support emails — kept for up to 24 months after the conversation ends.
  • Billing records — kept for 7 years where required by Swedish bookkeeping law.

9. Your rights under the GDPR

You have the right to:

  • Access the personal data we hold about you and receive a copy.
  • Correct data that is wrong or incomplete.
  • Delete your account and your entries (right to erasure).
  • Export your journal entries in a portable, machine-readable format.
  • Restrict or object to certain processing.
  • Withdraw your consent at any time, with no effect on processing that happened before withdrawal.
  • File a complaint with your local data protection authority. In Sweden this is the Swedish Authority for Privacy Protection (IMY) at imy.se.

You can exercise most of these rights inside the app from your account settings, or by emailing us at dailywayfinder@gmail.com.

10. Security

We protect your data with encryption in transit (TLS) and at rest, role-based access controls, and the row-level security features of our database so that one user cannot read another user's entries. We keep the number of people with access to production data as small as possible — currently it is limited to the founder.

No system is perfectly secure. If we ever discover a breach that affects you, we will notify you and the relevant authorities within the timeframes required by law.

11. Cookies

We use a small number of cookies and similar storage to keep you signed in, remember your theme preference, and operate the service. We do not use advertising cookies. For more detail, see our Cookie Policy.

12. Children

Daily Wayfinder is not intended for children under 16. If you are between 13 and 16, you may use the service only with the consent of a parent or guardian, in line with the GDPR and your local law. If we discover that we hold data on a child below the applicable age without proper consent, we will delete it.

13. Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the “last updated” date at the top and, where appropriate, notify you in the app or by email before the change takes effect. The current version always lives at this URL.

14. Contact

For any privacy question or to exercise your rights, email dailywayfinder@gmail.com.