Privacy Policy
Last updated: March 25, 2026
ichi.day ("we", "us", or "the Service") is a timeboxing application built with a local-first architecture. This Privacy Policy explains how we handle your information.
1. Our Approach to Privacy
ichi is designed to keep your data on your device by default. We do not require an account to use the core features. Your tasks, routines, and plans are stored locally in your browser using Origin Private File System (OPFS) and are never sent to our servers unless you explicitly enable cloud sync.
2. Data We Collect
2.1 Without an Account (Default)
When you use ichi without creating an account, we collect no personal data. All your information stays entirely on your device.
2.2 With an Account (Optional)
If you create an account for cloud sync, we collect:
- Authentication information: Email address and password (hashed and stored securely). Your password is never stored in plain text.
- Task data: Sensitive content - such as task titles, notes, tag names, and group names - is encrypted with AES-256 on your device before being sent to our servers. Metadata such as status, timestamps, time estimates, and sort order is stored unencrypted to enable sync functionality.
2.3 Google Calendar Integration (Optional)
If you connect Google Calendar, we request read-only access (calendar.readonly scope) to your calendar events. Here is how we handle your Google Calendar data:
- Access: We retrieve your calendar events via the Google Calendar API with read-only permission. We do not modify your Google Calendar.
- Use: Calendar events are imported into ichi as tasks, allowing you to plan your day alongside your existing schedule.
- Storage: Imported calendar data is encrypted with AES-256 on your device before being stored. If cloud sync is enabled, only encrypted data is sent to our servers.
- Sharing: Your Google Calendar data is not shared with, sold to, or transferred to any third party.
- Deletion: You can disconnect Google Calendar at any time in settings. When you delete your account, all associated calendar data is permanently deleted from our servers.
We do not use your Google Calendar data for advertising, analytics, AI/ML model training, or any purpose other than providing the calendar import feature described above.
ichi.day's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
3. Third-Party Services
We use the following third-party services:
| Service | Purpose | Data Shared |
|---|---|---|
| Cloudflare Pages / Workers | Hosting and API | Standard web request data (IP address, user agent) |
| Turso (LibSQL) | Cloud database for sync | Encrypted task data (only if sync is enabled) |
| Cloudflare Web Analytics | Privacy-first analytics | Page views, referrers (no cookies, no fingerprinting) |
| Sentry | Error tracking | Error reports, stack traces (no personal task data) |
| Resend | Transactional email delivery | Email address (only if you create an account) |
| Google OAuth | Google Calendar authentication | Google account email (only if you connect Google Calendar) |
| Google Calendar API | Calendar import | Calendar events (only if you connect your calendar) |
4. End-to-End Encryption
When cloud sync is enabled, sensitive content (task titles, notes, tag names, group names, and Google Calendar identifiers) is encrypted using AES-256 on your device before being transmitted. The encryption key is derived from your recovery phrase, which only you possess. We cannot decrypt or read your content. Structural metadata (status, timestamps, time estimates, sort order, and app settings) is not encrypted and is used to provide sync functionality.
5. Data Retention
- Local data: Stored on your device until you clear your browser data or delete it within the app.
- Cloud sync data: Retained as long as your account is active. You can delete your account and all associated data at any time.
- Error logs (Sentry): Automatically deleted after 90 days.
6. Your Rights
You have the right to:
- Access your data - all your data is visible within the app
- Export your data - use the backup feature to download your data
- Delete your data - delete your account to remove all server-side data
- Opt out of cloud sync - use ichi entirely offline with no data leaving your device
7. Cookies and Analytics
We do not use cookies for advertising purposes. We use Cloudflare Web Analytics to understand general usage patterns. Cloudflare Web Analytics is a privacy-first analytics service that does not use client-side state (such as cookies or localStorage), does not fingerprint users, and does not track individuals across sites. The only cookies used are essential authentication cookies when you sign in to your account.
8. Children's Privacy
ichi is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of material changes by updating the "Last updated" date at the top of this page.
10. Contact
If you have questions about this Privacy Policy, please contact us at privacy@ichi.day.