Privacy Policy — Daily AI Agents
Effective: 2026-07-07. This page replaces the policy previously published at usedailyai.com/legal/privacy-policy.html (effective April 15, 2026). Contact for anything on this page: [email protected].
"We" is Daily AI Agents LLC, a Texas limited liability company (formed April 2026), operating usedailyai.com. As of the effective date, account access is limited as described in the Security section.
What we collect, and why
- Email address — when you join the newsletter, request a free AI-visibility scan, buy a product, or contact us. Used for: delivering what you requested, replying to you, managing your subscription (including unsubscribe), basic fraud and abuse checks, required accounting records for purchases, and legal compliance where applicable.
- Free-scan request data — the domain you submit, up to 5 prompts, and your email. Used to run the scan, generate and deliver the report, handle support or deletion requests about that scan, maintain security logs, and comply with legal obligations.
- Scan artifacts — captured public AI-engine answers about the domain you submitted, fetched copies of publicly cited pages, and the rendered report. These derive from public web content plus your submitted inputs.
- Payment data — processed entirely by Stripe or Gumroad. We never see or store card numbers. We receive transaction metadata (what was bought, when, the buyer email) to deliver purchases and keep required accounting records.
- Consulting inquiry data — name, company, and message when you submit the contact form or book a call.
What we commit NOT to do
- No third-party advertising pixels or ad-network scripts on usedailyai.com pages we serve.
- We do not sell personal data, and we do not share it for cross-context behavioral advertising (in the sense those terms are used by U.S. state privacy laws such as the California CCPA/CPRA and the Texas Data Privacy and Security Act). Based on our current service design, the subprocessors we use for the data categories described in this policy are listed in the table below, for the purposes stated there.
- No newsletter enrollment unless you submit or confirm the signup yourself.
- Exceptions to be aware of: checkout and newsletter run on Stripe, Gumroad, and Beehiiv pages or embeds, and those providers set their own cookies under their own policies; links in our emails and posts carry UTM parameters so we can count clicks.
Measurement — exactly what a click logs
When you follow one of our redirect links, we record: timestamp, campaign name, traffic source and medium (from the UTM parameters), a coarse user-agent class (bot / mobile / desktop — not the raw user-agent string), and the referring page truncated to 120 characters. Our redirect-click application does not store your IP address, set any application cookie, or store your email with the click; we configure click records for 90-day automatic expiry and periodically check that the expiry is working. We do not use these click records to build per-person profiles; some fields could in principle be linkable in limited circumstances (e.g. very low-volume traffic), which is why we keep the fields coarse and the retention short. Separately, our hosting provider (Cloudflare) keeps its own standard request logs (IP address, user agent) for security and delivery under its own policy; we do not export those logs into marketing systems.
Retention
- Free-scan request data and reports: 12 months, then deleted, or earlier on request. Storage locations covered: the founder-controlled scan machine (disk-encrypted), Cloudflare KV (form submissions), and the Gmail account used to deliver reports.
- Click records: 90 days (automatic expiry, see Measurement).
- Newsletter email: for as long as you stay subscribed (every email has an unsubscribe link).
- Transaction records: 7 years, unless a longer legal hold applies.
- Consulting inquiries: 24 months, then deleted.
- Backups and security logs: for systems we control, retention is configured for no more than 90 days; provider-managed logs follow the provider's own policies.
Deletion and your rights
Email [email protected] from the address your data is under (or, if you no longer control it, provide enough detail for us to verify the request, e.g. transaction ID or scan request ID). We will:
- verify the request came from the data subject,
- delete your personal data from our systems within 30 days — this covers scan requests and rendered reports (local files and Cloudflare KV entries), consulting-inquiry records, contact records, click records tied to a token you identify, and our newsletter records; Gmail message copies are deleted from the founder mailbox as part of the same pass,
- where a subprocessor holds your data on our behalf, submit the matching deletion there too — Beehiiv for newsletter records, Cloudflare KV for form submissions, SendGrid for notification history, Google for mailbox copies — and confirm each in our reply (Stripe and Gumroad transaction records are excluded: they retain payment records under their own legal obligations),
- confirm by reply what was deleted and what was retained.
What may be retained after a deletion request: transaction records we are legally required to keep (excluded from any further use), records Stripe, Gumroad, or Google retain under their own legal obligations (outside our control; see their policies), and backup copies that expire within the 90-day rotation window above.
Subprocessors
These are the third parties that process personal data on our behalf:
| Subprocessor | What it processes | Why |
|---|---|---|
| Cloudflare (Pages, Workers, KV) | site requests, form submissions, click counts | hosting and request capture |
| Google (Gmail) | email you send us and reports we send you | founder-operated email |
| SendGrid | signup notification emails | transactional email delivery |
| Stripe | payment and subscription data | payment processing |
| Gumroad | digital product purchases | product delivery and payment |
| Beehiiv | newsletter subscriber list | newsletter delivery |
Change control: the founder is the accountable owner of this table. A subprocessor change is made by updating this page (the effective date at the top changes with it). For a new subprocessor that would process free-scan or paid-scan customer data, we email affected scan customers at least 7 days before it starts processing that data; for urgent security-driven replacements (e.g. replacing a compromised provider), protecting the data comes first: the replacement may begin processing immediately and we notify within 7 days after the change, explaining why notice was retroactive.
Security
Scan data and reports are stored on a disk-encrypted, founder-controlled machine and in the Cloudflare services named above. The accounts with access are the founder's own provider accounts and the scan automation's service credentials; both are stored in a commercial password/secrets manager, and provider accounts use multi-factor authentication where the provider supports it. There are no employee or contractor accounts; vendor support staff can only act within their own platforms under the subprocessor policies above, and if helper access is ever added this section and the subprocessor table change first. If we confirm that personal data was accessed or disclosed without authorization, we will notify affected people at the email address we hold for them within 72 hours of confirming the breach, including what was affected and what we did about it, and will make any regulator notifications required by applicable law. Exceptions: where we hold no working contact address, where law enforcement asks us in writing to delay, or where jurisdiction-specific rules require a different sequence — in those cases we notify as soon as those constraints lift.
Scan-specific commitments
- Your domain, prompts, and this report are never published or added to any public report without your explicit prior OK.
- Verification dataset: to improve citation-verification quality we may retain, past the 12-month window, only these fields — the checked claim text from a public AI-engine answer, the cited public URL, the fetched public-page evidence, and the support verdict. Excluded: your email, your identity as the requester, and your submitted prompt text. Because the retained fields are public web content, they may still reveal which domain was discussed — but not that you requested a scan of it. The separation is mechanical: retained rows are written to a distinct dataset that never contains requester fields, and the 12-month deletion pass covers everything outside it. If you want scan-derived rows about your domain removed from the verification dataset too, say so in your deletion request and we will remove them.
Children
Our services are for businesses and are not directed at children under
- We do not knowingly collect children's data.
Changes
Changes are posted on this page with a new effective date. "Material changes" means changes to what we collect, retention periods, or the subprocessor list affecting free-scan or paid-tier data. Material changes are emailed to scan customers with a scan request or active subscription in the past 12 months, at least 7 days before they take effect — except urgent legal or security changes, which are notified as soon as practicable.