Privacy Policy

Last updated: April 26, 2026

This page explains what Hidden Days collects, why, and what choices you have. We aim to keep it short and readable.

What we collect

We keep things minimal. The information we hold falls into three buckets:

Account info — your email address, password (hashed), and the display name you choose.
Calendar content — titles, recipient names, door text, captions, photos, and short videos you upload to the app.
Activity — which doors have been opened, by whom (your account or an anonymous device key), and when. Owners on Pro can see aggregated viewer analytics for their own calendars.
Device info — your platform (iOS / Android), app version, and (if you opt in to push notifications) an Expo push token tied to this device.

How we use it

We use what we collect to run the service: signing you in, storing and rendering the calendars you create, delivering recipient reactions back to you, and — if you opt in — sending the daily "door is ready" push. We do not sell your data.

Where it's stored

Account data, calendars, and door content live in Supabase (our hosted Postgres + Storage provider). Subscription state is managed by RevenueCat. Push tokens, when you opt in, are stored alongside your account and used by our daily reveal job. All of these providers process data on our behalf under their own security commitments.

Sharing with others

Two cases:

When you publish a calendar, anyone with the share link (and the password, if you set one) can view its cover and open doors as their reveal dates arrive. The recipient sees the calendar's title, your display name, and the content you've added to each door.
We use service providers (Supabase, RevenueCat, Expo, Apple, Google) to host data, process payments, deliver pushes, and review the app. We share only what each provider needs to do its job. We do not sell your personal information.

Anonymous viewers

Recipients who open a calendar without an account get a randomly-generated device key stored locally on their device, so the app can remember which doors they've opened. This key is not tied to a name, email, or phone number, and it stays on the recipient's device.

Children

Hidden Days is not directed to children under 13. If you believe a child has signed up, contact us and we will remove the account.

Security

Data is encrypted in transit and at rest. Calendar passwords (if you set one) are hashed server-side and never round-trip to the client in clear or hashed form. Even with that, no system is perfectly secure, so please don't share content through Hidden Days that you would not be comfortable seeing in a worst-case data leak.

Your choices and rights

You can:

Edit your display name at any time in Settings.
Unpublish a calendar to immediately stop the share link from working.
Delete a door's content from the door editor.
Turn off push notifications in your device's system settings.
Request a copy of your data, or full account deletion, by emailing us. We will respond within 30 days.

Retention

We keep your calendars and account info for as long as your account is active. When you delete your account, we remove your calendars, doors, openings, reactions, and push tokens. Backups may retain copies for up to 30 days.

International transfers

Our providers operate globally. By using Hidden Days you consent to your information being processed in the United States and other countries where our providers operate.

Changes to this policy

We may update this policy from time to time. When we do, we'll update the "Last updated" date above and, for material changes, give you reasonable notice in the app.

Contact

Questions, requests, or concerns? Email us at support@hiddendays.com.