Privacy

DayReplay Privacy Policy

Last updated: June 1, 2026

DayReplay reconstructs your day from local browser and application activity. This page describes exactly what's captured, where it's stored, and what crosses the network.

The short version

Captured activity stays on your device. Two things cross the network: a small update-check GET, and license activation/revalidation calls to Lemon Squeezy when you have a Pro key. Neither sends any captured activity, identifier, or fingerprint.

What DayReplay captures

Every 5 seconds, the foreground window snapshot includes:

The active application's process name (e.g. Code, Chrome, Slack)
The window title of the active window
For tracked browsers (Chrome, Microsoft Edge, Firefox on Windows; Chrome, Safari, Firefox on macOS):
- The active tab's URL
- The titles of all open tabs in the active window
Whether the foreground window is minimized
A UTC timestamp for the snapshot

That's the entire data model.

What DayReplay does NOT capture

Keystrokes — there's no keylogger
Screenshots or screen recordings — no pixel data is read
Clipboard contents — never accessed
File contents — only the names of windows/tabs, not what's inside them
Audio or video — no microphone or camera access
Mouse positions or click coordinates
Form data inside browser tabs — only the page URL

Where data is stored

All activity data lives in a single SQLite database file on your computer:

Platform	Path
Windows	`%AppData%\DayReplay\dayreplay.db`
macOS	`~/Library/Application Support/DayReplay/dayreplay.db`

On macOS, the database file is set to mode 0600 (owner read+write only). On Windows, the file lives under your per-user AppData directory whose default ACL already restricts access to your account.

Retention

Old events are pruned automatically:

Free tier: 1 day
Pro tier: 30 days

Pruning runs on every app startup and again whenever you activate or change your license tier.

Manual deletion

You can delete all captured data at any time by quitting DayReplay and removing the database file. Uninstalling the app does not remove the database — that's so an accidental uninstall doesn't lose your history. To wipe everything: quit, delete dayreplay.db, then uninstall.

License key storage

If you're on the Pro tier, your license key — together with the per-device activation ID Lemon Squeezy returns and the timestamp of the most recent successful online validation — is stored in platform-secret storage, not in the activity database:

Windows: DPAPI-encrypted blob in the database's settings table. The encryption is bound to your Windows user profile; another user on the same machine cannot decrypt it.
macOS: the system Keychain, under service=DayReplay, account=license_key, with kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly (never synced to iCloud).

Deactivating the license through the app removes the bundle from secret storage and tells Lemon Squeezy to free up the activation slot. On Windows, deleting the database file also removes the encrypted blob; on macOS, the Keychain entry survives a database wipe — remove it through Keychain Access if needed.

Logs

DayReplay writes daily log files for actionable diagnostics (capture failures, update errors, missing UI components):

Platform	Path
Windows	`%AppData%\DayReplay\dayreplay-*.log`
macOS	`~/Library/Application Support/DayReplay/dayreplay-mac-*.log`

Logs are kept for seven days, then deleted automatically. The routine capture path does not write URLs, window titles, or tab data into the log — only stage breadcrumbs (e.g. chrome:tab_strip_found). Window titles or URLs may appear in log lines only when an actionable failure occurs and they help diagnose it.

The Diagnostics dialog (available on every tier) shows the latest log file. Copying it to share with support is always a manual action — nothing is sent automatically.

What crosses the network

DayReplay makes two kinds of outbound request: update checks and license activation / revalidation (Pro only).

Update check

Endpoint	`https://dayreplay.app/api/updates`
Frequency	Once at app startup, plus whenever you click “Check for Updates”
Sent	`platform` (`windows` / `macos`), `channel` (`stable`), `version` (your current app version)
Not sent	User identifier, license key, captured activity, machine fingerprint
Allowed download hosts	`*.dayreplay.app` only (enforced by HTTPS + suffix allowlist)
Integrity check	SHA-256 verified at download and again immediately before launching the installer. On macOS, the extracted `.app` is also re-verified with `codesign --verify --deep --strict` and `spctl --assess` immediately before the atomic swap — Apple's notarization ticket is re-validated offline pre-launch, closing the time-of-check / time-of-use window between download and execution.

The request includes only the three URL parameters above. There is no request body and no session cookie.

License activation and revalidation

License keys are issued and validated by Lemon Squeezy (lemonsqueezy.com), DayReplay's payment processor and Merchant of Record. Three calls go to https://api.lemonsqueezy.com/v1/licenses/:

Call	When it fires	Sent	Returned
`/activate`	When you click Activate License and submit a key	License key + this device's hostname (used as the device label in your LS account)	An activation UUID for this device
`/validate`	At most once every 24 hours from app startup, in the background	License key + activation UUID	Whether the key is still valid
`/deactivate`	When you click Deactivate License (best-effort)	License key + activation UUID	Confirmation the slot is freed

If the network is unavailable, the app trusts the cached state for up to seven days; past that point, Pro features pause until the next successful online revalidation. The cached bundle is kept on disk so you do not need to re-enter your key once connectivity returns.

Lemon Squeezy's privacy policy applies to data they receive: lemonsqueezy.com/privacy. DayReplay does not send your captured activity, configuration, or any other data to Lemon Squeezy beyond the fields listed above.

What DayReplay does NOT do

No analytics. No first- or third-party analytics tooling.
No telemetry. No usage events, feature pings, or aggregate statistics are sent anywhere.
No remote crash reporting. Crashes are logged locally only.
No advertising. No ad SDKs.
No third-party SDKs that contact a server for any purpose.

Permissions DayReplay needs

Platform	Permission	Why
macOS	Accessibility (System Settings → Privacy & Security)	Required to read the foreground window title and walk browser tab elements via the AX API. Denied → DayReplay still runs but can only see process names.
Windows	None beyond standard user account	UI Automation (UIA) is available to any process; foreground window enumeration uses Win32 APIs that don't require elevation.

Your rights

Inspect everything: dayreplay.db is a standard SQLite file. Open it with any SQLite browser to see the raw activity_events and settings tables.
Delete everything: quit the app, delete the database file. On macOS, also remove the Keychain entry if you want to forget your license key.
Stop capturing: quit DayReplay. There's no background service that survives the process — when the app isn't running, nothing is captured.

GDPR (EU / UK)

For users in the European Economic Area or the United Kingdom, the rights of access, rectification, erasure, portability, and restriction of processing under the GDPR apply. Because DayReplay's captured activity lives only on your device, those rights are exercised directly by you using the steps above — your data is yours to inspect, modify, or delete at will, without our involvement. For the small amount of personal data Lemon Squeezy holds on the billing side (your email, billing address, and license-issuance metadata), exercise GDPR rights via Lemon Squeezy's privacy contacts or email support@dayreplay.app and we'll facilitate.

Data controller: Zaahr Inc., 14-413 Elgin Street, Ottawa, Ontario K2P 1N4, Canada. Contact: support@dayreplay.app. Zaahr Inc. has not designated a representative in the EU/UK; for in-jurisdiction regulatory contact, email the same address.

CCPA / CPRA (California)

California residents have the right to know what personal information is collected, to delete personal information, to correct inaccurate personal information, and to opt out of the sale or sharing of personal information. DayReplay does not sell or share personal information — we run no analytics, no ad networks, and no third-party SDKs that would create such a flow, so the opt-out mechanic is not applicable to our product. The right-to-know and right-to-delete are exercised directly via the steps above (your captured activity is locally stored and yours to inspect or delete).

Website data

The dayreplay.app website is a static site served through Cloudflare. Cloudflare processes request metadata (IP address, user agent) at the edge for DDoS protection and routing — see Cloudflare's privacy notice for what they retain. DayReplay does not persist its own access logs, does not run first- or third-party analytics, and does not run advertising scripts.

Cookies: the site sets no first-party cookies. Cloudflare may set short-lived security cookies (e.g. __cf_bm) for bot mitigation; these are strictly necessary and not used for tracking or advertising. We do not display a cookie banner because there are no consent-required cookies in use.

Changes to this policy

Material changes to data handling will be reflected here and noted in release notes. This revision corresponds to DayReplay v1.0.0; the app version associated with each subsequent revision will appear in the changelog and in the “Last updated” date at the top of this page.

For questions: support@dayreplay.app. See also Security & Privacy Details and Legal & Trademark Notices.