Effective date: June 28, 2026. Last updated: June 28, 2026.

This Privacy Policy explains how Shareday collects, uses, discloses, and protects information when people use the Shareday mobile app, the Shareday backend API at api.shareday.net, and Shareday public web routes such as email verification and family invite pages on shareday.net.

Shareday is the operator of the service. Privacy requests may be sent to support@shareday.net.

1. What Shareday Does

Shareday helps families coordinate shared family life. The product includes account sign-in, family onboarding, family profiles, planned items, birthdays, gift-related shopping lists, a family chat, mood check-ins, notification reminders, and Apple/Google calendar integrations.

Family data is shared inside the family group. When you create, upload, or submit family content, other active family members may be able to see it depending on the feature.

2. Information We Collect

We collect information you provide directly, information generated while you use Shareday, and information received from service providers or platform services that you choose to use.

Account and authentication information

We collect information used to create and secure your account, including:

  • email address;
  • display name;
  • profile photo or avatar;
  • password credential data for email/password accounts, stored as password hashes on the server;
  • Sign in with Apple or Google Sign-In identity information, such as provider subject identifiers, email claims when available, and provider verification metadata;
  • session data, including access tokens sent to the app, hashed refresh-token records on the server, device session identifiers, platform, device name, timestamps, and revocation state.

Family profile and household information

We collect family data needed to operate shared family features, including:

  • family name and family photo;
  • adult family member records, roles, membership status, visible names, avatars, and family-visible color;
  • invite codes, invite status, invite channel, invite creator, optional invite recipient email and recipient name;
  • family settings, approvals, entitlements, and sync metadata;
  • child profiles created by adults, including child name, optional email, avatar, family-visible color, and assignment relationships.

Family calendar, tasks, shopping, birthdays, and documents

We collect family content entered by users, including:

  • tasks, events, shopping lists, shopping list items, notes, titles, dates, times, durations, assignees, child assignees, completion state, and deleted-state metadata;
  • birthdays, person names, month/day, optional year, optional phone number, reminder preferences, and birthday gift rows;
  • documents, file names, file metadata, notes, and uploaded file contents when documents or file attachments are used.

Family Chat content

Family Chat is one shared thread for the active family. We collect:

  • text messages;
  • sender, family, member, timestamp, delivery, and read-state metadata;
  • photos, videos, audio/voice messages, and file attachments you send;
  • attachment metadata such as file name, MIME type, byte size, duration, and sort order;
  • local client message identifiers used to prevent duplicate sends.

The first-release chat does not include message deletion, disappearing messages, reactions, or private direct messages. Family Chat content is family-scoped and may remain visible to other family members as shared family history unless removed under a supported product or privacy process.

Mood Check-In information

Shareday includes a family wellness Mood Check-In feature. We collect:

  • daily answers for five wellness questions;
  • local date, timezone identifier, answered-at timestamp, member and user identifiers;
  • computed daily score;
  • personal history, family aggregates, and member series used to display wellness trends;
  • privacy-safe repeated-low-mood alert records and delivery diagnostics.

Mood Check-In is a wellness feature only. Shareday is not a medical, mental-health, diagnosis, therapy, emergency, or crisis-response service. Do not use Shareday as a substitute for professional care or emergency support.

Calendar integration information

If you enable calendar integrations, we collect and process related information.

For Google Calendar, Shareday uses Google Sign-In for interactive authorization and sends a server authorization code to the backend. The backend stores connection state, connected Google account email, granted scopes, import/export settings, sync status, sanitized errors, encrypted Google Calendar refresh-token material, and provider link metadata. Shareday imports and exports supported calendar events according to your settings.

For Apple Calendar, Shareday uses device-local Apple EventKit access after you grant permission. Apple Calendar import/export is handled on the device and does not require Shareday to store Apple Calendar account credentials on the backend.

Device, notification, and permission information

We collect or process:

  • APNs push tokens and token hashes;
  • token environment, platform, timezone identifier, token retirement state, and delivery diagnostics;
  • notification routing metadata for birthdays, planned items, family chat, and mood alerts;
  • local notification scheduling data on the device;
  • camera, microphone, photo library, photo-library save, calendar, and notification permission state as needed for features you use.

The backend includes a member-location data model. During the reviewed implementation, the Apple app permission file did not include a location permission string. Do not publish claims that Shareday collects precise device location unless and until a location-sharing client feature is enabled and the policy is updated.

App, site, analytics, and diagnostics information

We collect operational data needed to run, secure, and improve Shareday, including:

  • request identifiers, timestamps, endpoint and error metadata;
  • server logs for API, PHP runtime, and websocket operations;
  • app and site usage analytics through Google/Firebase analytics for app and public-site usage measurement;
  • device, app, and technical metadata needed for analytics and troubleshooting;
  • support communications and information you provide when contacting support.

Server logs are designed to redact or omit sensitive values such as passwords, tokens, authorization headers, secrets, emails, free-form message/note content, base64 payloads, file contents, verification links, raw provider responses, and raw APNs token values.

3. How We Use Information

We use information to:

  • create, authenticate, and secure accounts;
  • verify email addresses and process email sign-in;
  • support Sign in with Apple and Google Sign-In;
  • provide family onboarding, family membership, invites, approvals, profile completion, and family switching;
  • store and synchronize family content across authorized family members and devices;
  • operate family calendar, tasks, shopping lists, birthdays, gifts, documents, chat, mood check-ins, and reminders;
  • upload, store, display, and authorize access to avatars, chat media, documents, and attachments;
  • send service emails such as email verification, family invites, and password-change notifications;
  • send push notifications and local notifications when enabled;
  • connect, sync, and disconnect Google Calendar and Apple Calendar integrations;
  • provide realtime update signals through websockets and restore durable state through REST APIs;
  • debug, secure, monitor, and improve the service;
  • measure app and site usage through Google/Firebase analytics;
  • respond to support, privacy, security, and legal requests;
  • comply with applicable law and enforce service rules.

4. Legal Bases for Processing

Where GDPR, UK GDPR, or similar laws apply, we rely on the following legal bases:

  • Contract: to provide Shareday features you request, including account access, family sharing, synchronization, chat, notifications, and calendar integration.
  • Consent: for optional permissions and integrations, such as notifications, camera, microphone, photo library, Apple Calendar, Google Calendar, and certain analytics or cookie choices where required.
  • Legitimate interests: to secure the service, prevent abuse, troubleshoot issues, improve reliability, maintain logs, measure usage, and support users, unless your rights override those interests.
  • Legal obligation: where processing is required to comply with law, regulatory duties, court orders, or valid legal process.
  • Vital interests: only if necessary in a genuine emergency. Shareday's ordinary wellness features are not emergency services.

You can withdraw consent for optional permissions through device settings, Google account controls, Apple settings, or by contacting us, depending on the feature.

5. How Information Is Shared

We do not sell personal information. We do not use personal information for targeted advertising unless this policy and the app's consent flows are updated.

We may share information in the following ways:

  • With family members: family content is shared with active members of the same family group as needed to provide the product.
  • With service providers: we use providers that help operate Shareday, including hosting/infrastructure providers, Mailgun for email delivery, Apple/APNs for push notifications, Google for Google Sign-In, Google Calendar, and Google/Firebase analytics.
  • With platform providers: Apple and Google process information according to their own terms and privacy policies when you use their sign-in, calendar, app store, device permission, notification, or analytics services.
  • With support and operations personnel: limited personnel may access information when needed for support, debugging, security, or legal compliance.
  • For legal and safety reasons: we may disclose information if required by law, valid legal process, security investigation, or to protect rights, safety, and service integrity.
  • In a business transfer: information may be transferred if Shareday is involved in a merger, acquisition, financing, restructuring, or sale of assets, subject to appropriate protections.

6. Children and Child Profiles

Shareday is intended for family organization and is not directed to children creating their own accounts. Adults, parents, or guardians may create child profiles and enter child-related family information such as a child's name, optional email, avatar, color, and assignments.

Adults are responsible for having the right to provide child profile information. If you are a parent or guardian and want to access, correct, or delete child profile information, contact support@shareday.net.

If Shareday later allows children to create their own accounts or directly provide personal information, Shareday must update this policy and implement any required parental notice, consent, access, and deletion controls before launch.

7. Permissions and Device Controls

Shareday requests device permissions only when needed for specific features:

  • Camera: to scan family invitation QR codes and take photos or videos for Family Chat.
  • Microphone: to record voice messages in Family Chat.
  • Photo Library: to choose family photos, profile photos, and chat photos/videos.
  • Photo Library Add: to save selected chat photos or videos to your photo library when you choose a save action.
  • Calendar: to import and export Shareday planned items with Apple Calendar.
  • Notifications: to receive reminders and push notifications for supported Shareday features.

You can manage these permissions in your device settings. If you disable a permission, the related feature may not work.

8. Analytics and Tracking

Shareday uses Google/Firebase analytics for app and public-site usage measurement. Analytics may include technical information such as app version, device type, operating system, interactions with app or site features, crash or diagnostic metadata if enabled, and pseudonymous identifiers used for measurement.

Shareday does not use analytics for targeted advertising and does not sell or share personal information for cross-context behavioral advertising.

If Shareday later enables advertising identifiers, Google Signals, cross-app tracking, targeted advertising, or third-party ad measurement, Shareday must update this policy, App Store privacy disclosures, and any required consent or opt-out controls before using those features.

9. Retention and Deletion

We keep information for as long as needed to provide Shareday, maintain family history, secure the service, comply with legal obligations, resolve disputes, and enforce agreements.

Current retention practices include:

  • account, family, and shared family content: generally retained while the account or family content remains active, unless deleted or changed through the app or a verified privacy request;
  • server logs: default retention is 14 days where the configured pruning job is used;
  • sync events: default retention is approximately 7 days for sync cursor recovery where configured;
  • email verification tokens and invite tokens: stored as hashes and expire according to backend rules;
  • refresh tokens: stored as hashes and expire or are revoked according to session rules;
  • Google Calendar tokens: encrypted refresh-token material is cleared when you disconnect Google Calendar;
  • APNs push tokens: can be deleted or retired when you log out, revoke permission, delete a token, or when APNs reports token invalidation;
  • local device data: may remain on your device until you log out, delete the app, clear app data, or until the app's local cleanup rules remove temporary files.

You may request deletion of your account and personal data by emailing support@shareday.net. We will verify the request and delete or de-identify account-level personal data within 14 days, unless we need to retain limited information for legal, security, fraud-prevention, dispute, backup, or legitimate operational reasons.

Because Shareday is a shared family product, deleting one account does not automatically delete all shared family content that other family members rely on, such as family calendar items, shopping lists, chat history, documents, birthdays, child profiles, or shared files. Where practical, we will delete or de-identify the requesting user's account/profile identifiers while preserving shared family continuity. If you need shared family content deleted, describe the specific content in your request.

10. Your Privacy Choices and Rights

Depending on where you live, you may have rights to:

  • access the personal information we hold about you;
  • receive a copy of your information;
  • correct inaccurate information;
  • delete information;
  • object to or restrict certain processing;
  • withdraw consent for optional processing;
  • opt out of sale, sharing, targeted advertising, or certain profiling if those activities ever apply;
  • appeal or complain to a privacy regulator.

To exercise rights, email support@shareday.net. We may need to verify your identity and authority before acting on a request, especially for account deletion, child profile requests, family data, or shared content.

11. California Notice at Collection and Privacy Rights

This section is intended to serve as a California notice at collection where applicable.

Categories of personal information collected may include:

  • identifiers, such as email address, account id, provider subject id, device/session identifiers, push tokens, and IP-derived request metadata;
  • customer records information, such as account contact information;
  • protected classification or sensitive information only if voluntarily entered in family content;
  • commercial or transaction-like information related to subscriptions, entitlements, or family service state if enabled;
  • internet or electronic network activity, such as app/site usage, API requests, logs, and analytics;
  • geolocation information only if a location-sharing feature is enabled in the client and this policy is updated;
  • audio, electronic, visual, and similar information, such as voice messages, photos, videos, avatars, and uploaded files;
  • professional or education information only if voluntarily entered in free-form family content;
  • sensitive personal information, such as account credentials, calendar content, child profile data, wellness check-in information, and precise location if later enabled;
  • inferences, such as family wellness aggregates and unread/read status.

We collect these categories for the purposes described in this policy, including service delivery, authentication, family sharing, synchronization, notifications, analytics, security, support, and legal compliance.

We do not sell personal information or share it for targeted advertising under the current product assumptions. If that changes, Shareday must provide a clear opt-out mechanism and update this policy before the change.

California residents may request to know, access, delete, correct, and opt out of applicable sale/share uses. California residents also have the right not to be discriminated against for exercising privacy rights. Submit requests to support@shareday.net.

12. International Transfers

Shareday may process information in countries other than where you live. Service providers such as hosting, email, analytics, Apple, and Google may process information in the United States and other countries. Where required, Shareday will rely on appropriate transfer mechanisms, safeguards, or derogations for international transfers.

13. Security

Shareday uses technical and organizational measures designed to protect information, including:

  • TLS for production API and websocket traffic;
  • JWT access tokens and rotating hashed refresh-token storage;
  • Keychain storage for auth state on Apple devices;
  • encrypted backend storage of Google Calendar refresh tokens;
  • public DTO boundaries that avoid exposing internal hashes, storage paths, raw provider responses, and token material;
  • authorization checks for family-scoped data;
  • server-side log redaction and retention controls;
  • private local filesystem storage for uploaded family files on the backend;
  • no public access to backend logs, storage directories, runtime secrets, or direct admin scripts in production.

No system is perfectly secure. You are responsible for keeping your device, email account, app store account, and Shareday credentials secure.

14. Changes to This Policy

We may update this Privacy Policy when Shareday changes or when legal, security, or operational requirements change. If we make material changes, we will provide notice through the app, website, email, or another appropriate method.

16. Contact

For privacy questions, access requests, deletion requests, child profile requests, or California/EU/UK privacy rights requests, contact:

support@shareday.net