Privacy Policy

Last updated: 24 May 2026

Who We Are

ZenDays is a weekly planner and time-management web application that helps users plan their week, track execution, and receive AI-powered weekly feedback. Our application URL is https://app.zendays.com.

ZenDays is operated by ZenDays Limited (formerly Forzeit Ltd), a private limited company registered in England and Wales, company number 15605863, registered office 2 Maple Court, Davenport Street, Macclesfield, Cheshire, England, SK10 1JE. We are committed to protecting and respecting your privacy.

Google API Disclosures

This section discloses ZenDays’ use of Google APIs in accordance with the Google API Services User Data Policy.

Google APIs we use

• Google Calendar API — used only for accounts that explicitly connect their Google account from inside the ZenDays app.

OAuth scopes we request

• https://www.googleapis.com/auth/calendar.readonly — read-only access to the user’s calendar events.

What we do with the data

We read calendar events to display them in the user’s ZenDays weekly view, so the user can see their existing schedule alongside the tasks they plan in ZenDays.

What we do NOT do with the data

We do not sell, transfer, or share Google user data with any third party, including our AI provider, our analytics tooling, our email service, or any advertising network. Google Calendar data is not used to train AI models, generate Ava’s weekly feedback, build user profiles for marketing, or for any purpose other than displaying your calendar events in your ZenDays weekly view.

How we store it

Refresh tokens are stored encrypted in our database. Calendar events themselves are imported on-demand and are not retained beyond active use.

How users revoke access

Users can disconnect any connected Google account from the Profile page in the ZenDays app. Disconnecting revokes our access token at Google and removes the connection on our side. You can also revoke access at any time directly from your Google Account permissions page.

Limited Use disclosure

ZenDays’ use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, ZenDays:

1. Only uses Google user data to provide the user-facing calendar-in-weekly-view feature accessible from the ZenDays Profile and weekly board.
2. Does not transfer Google user data to any third party, except as required by law or as necessary to provide the user-facing feature.
3. Does not use Google user data for serving advertisements, including retargeting, personalised, or interest-based advertising.
4. Does not allow humans to read Google user data, except (a) with the user’s affirmative consent, (b) as necessary for security purposes, (c) to comply with applicable law, or (d) for internal operations where the data has been aggregated and anonymised.

Authentication and Account Data

When you create an account, we collect:

• Full name
• Email address
• Encrypted password (if using email/password authentication)
• Authentication tokens and session data

If you sign in with Google OAuth, we also receive:

• Your email address
• Your basic profile information (name and profile picture)

Your authentication credentials are managed by Supabase, our authentication provider, and are stored with industry-standard encryption and security practices.

User Profile and Planning Data

As you use ZenDays, we store the data you create inside the app:

• Profile preferences and account settings
• Weekly plan templates and recurring week structures
• Tasks, goals, and notes
• Execution history (which tasks you completed, when, and any feedback you added)
• Connected calendar metadata (which Google account is connected, last-sync timestamps)

This data is stored securely in our database and is accessible only to you through your account. It is used solely to provide the planning, tracking, and feedback features of the Service.

AI-Powered Features (Ava)

ZenDays includes an AI assistant called Ava, who generates personalised weekly feedback based on your execution data — for example, your completion rate, recurring blockers, and patterns across weeks.

To produce Ava’s output, we send a narrow subset of your ZenDays-owned data to Anthropic, our AI provider, via the Anthropic API. Specifically:

• Your first name
• Aggregated execution metrics derived from tasks and goals you created in ZenDays (e.g. percentage of tasks completed, counts of successes and failures, category-level performance)
• A short summary of the prior week’s report, for week-over-week comparison

We do not send any of the following to Anthropic or any other AI service:

• Google Calendar event titles, descriptions, attendees, locations, or any other Google API user data
• Individual task or goal titles and descriptions
• Email addresses, passwords, or payment details

Anthropic processes this data only to return Ava’s response and does not use it to train its models, in line with Anthropic’s commercial API terms.

Payment Information

ZenDays uses Stripe to process subscription payments. We do not directly store your credit card information or full payment details. When you subscribe:

• Stripe securely processes and stores your payment information
• We store only your Stripe customer ID and subscription ID to manage your subscription status
• We track subscription start dates, status (active, cancelled), and plan information
• Payment history and billing details are managed through Stripe’s secure billing portal

For more information on how Stripe handles your payment data, please review Stripe’s Privacy Policy.

Usage Data and Analytics

To improve the Service and understand how users interact with the app, we collect:

• Page views and navigation patterns
• Feature usage statistics
• Session duration and activity timestamps
• Browser type and device information

This data is used solely to improve our application, identify popular features, and optimise the user experience. It is aggregated and anonymised where possible and is never sold to third parties.

Cookies

We use cookies and similar technologies to manage your session and improve your experience:

Authentication cookies

When you log in, we set authentication cookies to keep you logged in across sessions. These cookies contain session tokens and are essential for the application to function.

Session storage

We use browser localStorage to store your authentication state and preserve your session during payment redirects to Stripe. This ensures you remain logged in after completing a payment.

Embedded Content from Other Websites

Pages on this site or in the app may include embedded content such as YouTube videos. Embedded content from other websites behaves in the exact same way as if you visited that website directly.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction if you have an account and are logged in to that website.

Who We Share Your Data With

Your data is shared only with the following service providers, each of whom receives only the narrowly scoped data set out below:

• Supabase — database hosting, authentication, and file storage. Stores all ZenDays application data, including encrypted Google OAuth refresh tokens.
• Stripe — payment processing and subscription management. Receives billing details only; no Google API user data, no task or calendar content.
• Google — OAuth authentication and (optionally, when you connect a Google account) the Google Calendar API for read-only calendar access.
• Anthropic — generates Ava’s weekly feedback. Receives only the aggregated execution metrics described in the “AI-Powered Features (Ava)” section above. Receives no Google API user data.
• Customer.io — email lifecycle communications. Receives your email address, name, and subscription status only. Receives no Google API user data, task content, or calendar content.
• The ZenDays team — your contact email may be accessed by authorised members of the ZenDays team for customer support and service delivery. Google API user data is never reviewed by the team in the ordinary course of business.

All third-party service providers are contractually obligated to protect your data and use it only for the purposes of providing services to us.

How Long We Retain Your Data

We retain your data for as long as your account is active and for a limited period afterward:

• Active users: all profile, plan, and execution data is retained while your account is active
• Cancelled subscriptions: if you cancel, your account data is retained for 3 months to allow you to reactivate and recover your data
• Deleted accounts: if you request account deletion, all personal data is permanently deleted within 30 days, except for data we are required to retain for legal, administrative, or security purposes (such as payment records for tax compliance)
• Google Calendar events: never persisted — they are read on-demand and discarded after rendering

What Rights You Have Over Your Data

You have the following rights regarding your personal data:

• Access — view all your personal data through your profile settings in the application
• Rectification — edit and update your profile information at any time
• Erasure — request deletion of your account and all associated data by emailing max@zendays.com
• Data portability — request an exported file of all personal data we hold about you
• Restriction — request that we restrict processing of your personal data in certain circumstances
• Objection — object to processing of your personal data for specific purposes
• Revoke Google access — disconnect any connected Google account from the Profile page in the ZenDays app

To exercise any of these rights, please contact us at max@zendays.com. We will respond to your request within 30 days.

How We Protect Your Data

We take data security seriously and have implemented multiple layers of protection:

• Encryption — all data is encrypted in transit using HTTPS/TLS and at rest in our database
• Token encryption — OAuth refresh tokens (including Google Calendar tokens) are encrypted at rest
• Access controls — Row Level Security policies ensure users can only access their own data
• Authentication — industry-standard OAuth 2.0 and secure password hashing
• Regular audits — we regularly review and update our security measures
• Limited access — only authorised personnel have access to production systems and data

Statement of GDPR Compliance

ZenDays Limited is committed to protecting and respecting the privacy of our users and ensuring the security of their personal data. We process personal data in accordance with the United Kingdom’s Data Protection Act 2018 and the European Union’s General Data Protection Regulation (GDPR) (EU) 2016/679.

We have implemented appropriate technical and organisational measures to safeguard personal data, including encryption, access controls, Row Level Security policies, and regular security audits. We collect and process personal data only for specified, explicit, and legitimate purposes, and we do not process data in a manner incompatible with those purposes. We retain personal data for no longer than is necessary for the purposes for which it was collected, and we ensure that personal data is accurate and kept up to date.

We recognise and respect the rights of our users under GDPR, including the right to access, rectify, erase, restrict processing, object to processing, and data portability. We have established procedures for users to exercise their rights and provide a timely response to such requests.

We are transparent about our data processing activities and provide clear information to users about the types of personal data we collect, the purposes for which it is collected, and the circumstances under which it may be shared with third parties.

Children’s Privacy

ZenDays is not directed to children under the age of 13 (or under 16 in the European Economic Area). We do not knowingly collect personal information from children. If you believe that a child has provided us with personal information, please contact us at max@zendays.com and we will promptly delete the information.

International Data Transfers

ZenDays is operated from the United Kingdom. Our service providers (including Supabase, Stripe, Google, and our AI provider) may process data outside the UK and the European Economic Area. Where we transfer personal data internationally, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses to ensure your data continues to be protected.

Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. When we make changes, we will update the “Last updated” date at the top of this page.

If we make material changes to how we handle your personal data, we will notify you by email or through a prominent notice within the application. We encourage you to review this privacy policy periodically to stay informed about how we are protecting your data.

Contact Us

If you have any questions, concerns, or requests related to this privacy policy or our data processing activities, please contact us at max@zendays.com.

Operated by ZenDays Limited (formerly Forzeit Ltd), a private limited company registered in England and Wales, company number 15605863, registered office 2 Maple Court, Davenport Street, Macclesfield, Cheshire, England, SK10 1JE.