Privacy Policy
Effective date: 8 June 2026
Last updated: 8 June 2026
This Privacy Policy describes how Lockday (“we”, “the app”, “the service”) handles information when you use the Lockday mobile, desktop, or web application.
1. Summary
Lockday is end-to-end encrypted. The content of your tasks (titles, notes, due dates, project names, labels) is encrypted on your device with AES-256 before it leaves your device. We operate the server that synchronizes your encrypted data between your devices, but we cannot read your task content. We do not sell your data. We do not show ads. We do not run analytics on what you write.
2. Information we collect
We collect the minimum information needed to operate the service.
2.1 Account information
- Username. Used as your account identifier. No email address is collected.
- Password. Never stored in plain text. Your password is hashed on your device and again on our server with bcrypt before storage. We cannot recover your password.
2.2 Encrypted task data
Your task content is encrypted on your device before being sent to our server. The server stores and synchronizes this encrypted data but cannot decrypt it. The server can see:
- Entity IDs (random identifiers, not derived from content)
- Timestamps (createdAt, updatedAt)
- Sync metadata (whether an item is deleted, sync status)
- Foreign-key relationships (which task belongs to which project)
The server cannot see:
- Task titles, notes, or descriptions
- Due dates or times
- Project, section, or label names
- Recurring schedules
- Any other user-supplied content
2.3 Push notification token
If you enable notifications, your device generates a push notification endpoint (via UnifiedPush, which on most Android devices uses Firebase Cloud Messaging). The endpoint is sent to our server so we can deliver notifications. The endpoint itself is opaque; the contents of notifications we send through it are intentionally minimal and contain no task content.
2.4 Feedback submissions
If you choose to send feedback from inside the app (Settings → Send feedback), the information you submit is sent to our server in plaintext (not end-to-end encrypted), because the purpose of the submission is for us to read it. Each submission includes:
- The text description you wrote.
- The submission type you chose (bug report or feedback).
- Optionally, a screenshot you attach. Screenshots may show decrypted task content; you control whether to attach one and which image to attach.
- Optionally, the most recent hour of in-app log entries. These logs contain operational events (sync status, errors, network failures) and do not contain the content of your tasks.
- Your account identifier (so we can follow up if needed).
Feedback submissions are kept on our server and used only to triage bugs and respond to your message. They are not shared with third parties.
2.5 Server logs
Our server keeps standard operational logs that may include IP addresses, request timestamps, and HTTP status codes. These logs are used for debugging and abuse prevention. They are retained for 30 days and then deleted.
3. What we do not collect
We do not collect:
- Your name, email address, phone number, address, or other personal identifiers
- Your location
- Your contacts, calendar, photos, files, or other device data
- Analytics on which features you use or how you interact with the app
- Automatic crash reports (we do not integrate any third-party crash-reporting SDK; we only see issues you actively submit via the in-app feedback form described in §2.4)
- Advertising identifiers
4. How we use information
We use the information we collect to:
- Authenticate you (username + password)
- Synchronize your encrypted task data between your devices
- Deliver notifications you have enabled
- Operate, maintain, and secure the service (server logs)
We do not use your information for advertising, profiling, or any purpose unrelated to operating Lockday.
5. How information is shared
We do not sell your data, ever.
We share data only as follows:
- Push notification provider: When you enable notifications, your push endpoint is used by the underlying push provider (e.g., Firebase Cloud Messaging on Android, Apple Push Notification Service on iOS) to deliver notifications. The provider sees the endpoint and the timing of notifications but not the encrypted content of your tasks.
- Project collaborators: If you invite another Lockday user to a shared project, they will be able to see the content of tasks within that project (their device will have the decryption key for that project). They cannot see tasks outside the shared project.
- Legal: We may disclose information if required by valid legal process. Because your task content is end-to-end encrypted, we cannot produce its contents in response to such requests; we can only produce the encrypted ciphertext and associated metadata.
6. Data retention and deletion
- Your account and encrypted task data are retained for as long as your account is active.
- You can delete your account at any time from within the app (Settings → Delete Account). Account deletion removes all your encrypted task data, account record, and push endpoint from our servers.
- Soft-deleted items (tasks you delete from within the app) are retained as encrypted tombstones for a short period to support cross-device sync, and then permanently removed.
- Server logs are retained for 30 days.
7. Your rights
Depending on your jurisdiction, you may have rights including:
- The right to access the data we hold about you
- The right to correct inaccurate data
- The right to delete your account and associated data
- The right to export your data in a machine-readable format
Account deletion and data export are available from within the app. For other requests, reach us through the app (Settings → Send feedback).
8. Security
We use industry-standard practices including TLS for all network traffic, AES-256 for client-side encryption of task content, bcrypt for server-side password hashing, and access-controlled infrastructure. No system is perfectly secure; if we discover a security incident affecting your data, we will notify affected users.
9. Children
Lockday is not intended for children under 13. We do not knowingly collect information from children under 13. If you believe a child has provided us with information, please contact us and we will remove the account.
10. International users
Our servers are located in Frankfurt, Germany (European Union). By using Lockday you consent to your encrypted data being stored on servers in that region. Because the data is end-to-end encrypted, the server location does not affect the confidentiality of your task content.
11. Third-party services
The app integrates with the following third-party services:
- UnifiedPush / Firebase Cloud Messaging (for push notifications, optional)
The app does not integrate with any analytics, advertising, or tracking services.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified within the app. The “Last updated” date at the top reflects the most recent revision.
13. Contact
Questions about this Privacy Policy can be sent through the app (Settings → Send feedback).