Privacy Policy
DayLynx Privacy Policy
Last updated: April 18, 2026
1. Two Kinds of Data, Two Legal Frames
DayLynx handles two distinct populations of data subjects, and we apply different rules to each:
- Children under 13 (COPPA scope). Enrolled children do not sign up, log in, or upload anything on their own. Their records are entered and managed by authorized adult staff under the supervision of a licensed childcare operator that has obtained verifiable parental consent. See our COPPA Notice for the specifics.
- Directors, teachers, and parents (general privacy scope). Adults who sign up for or use DayLynx are covered by the sections below. Where applicable, we extend GDPR- and CCPA-style rights (access, correction, deletion, portability) to all account holders regardless of jurisdiction.
2. Information We Collect
From account holders (adults). When you create an account or use DayLynx, we collect information you provide directly: name, email address, phone number, organization name, role, and billing details. We also collect operational data you enter about your center — classroom configuration, staff rosters, and scheduling.
From children (via authorized adults). Your staff enters child records including name, date of birth, photo (with consent), guardian relationships, medical information (allergies, medications, dietary needs), attendance events, and developmental notes. Children themselves never interact with DayLynx.
Automatically collected technical information. When you use the service we record session cookies, IP address, browser type, device identifiers, and error logs, solely for authentication, security, rate-limiting, and debugging. The public marketing site (daylynx.com) additionally uses privacy-preserving analytics as described in Section 7. No behavioral analytics, session replay, or advertising trackers run inside the DayLynx application at app.daylynx.com.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve DayLynx
- Process transactions and send billing notifications
- Send service-related communications (security alerts, policy changes, outages)
- Respond to support requests
- Protect against fraud, abuse, and unauthorized access
- Comply with legal obligations, including childcare licensing reporting
We do not sell, rent, trade, or share personal information — and we never share children's data — with third parties for their own marketing purposes.
4. Data Security
We implement industry-standard security measures to protect your data, including AES-256 encryption at rest, TLS 1.3 encryption in transit, role-based access control, rate-limited authentication, and two-factor authentication. All data is stored in SOC 2 compliant infrastructure in the United States.
Security incident notification. If we confirm a security incident that affects your account data or a child's records in your center, we will notify the affected childcare center and verified guardians by email without undue delay, as required by applicable law. The notification will describe what was affected, the steps we have taken in response, and what the center or guardian can do to protect themselves. We cooperate with the childcare center on any additional notifications required by applicable state breach-notification laws.
5. Children's Privacy (COPPA)
DayLynx is used by childcare organizations to manage enrollment, attendance, and communication with families. We do not knowingly collect personal information directly from children under 13. All child data is entered and managed by authorized staff and guardians of the center. Photo sharing features require per-child written media consent and comply with COPPA and FERPA requirements. For a detailed explanation of what we collect about children, how parents provide consent, and parental rights, please review our COPPA Notice.
6. Data Retention and Deletion
Our retention periods by data type:
- Active child records (name, profile, attendance, photos): retained while the child is enrolled at your center.
- Former child records after a child is withdrawn: retained for up to 7 years to satisfy licensing recordkeeping requirements, then deleted or anonymized. Parents may request earlier deletion (see below).
- Account holder data (director, teacher, parent accounts): retained while the account is active; deleted or anonymized within 90 days of account closure.
- Billing records: retained for 7 years to satisfy tax and accounting obligations.
- Security and audit logs: retained for 2 years, then purged.
- Backups: encrypted backups are cycled out within 35 days of the source record being deleted.
How to request deletion. A parent or guardian may request deletion of their child's records at any time by (a) contacting the childcare director who maintains the account, or (b) emailing privacy@daylynx.com with the child's name and the center name. We will honor verified deletion requests within 30 days, except for records we are legally required to retain (e.g., attendance records mandated by state licensing). Account holders may close their account and request deletion of their personal data through the in-app account settings or by emailing the same address.
7. Third-Party Recipients of Data
We use the following service providers to operate DayLynx. Each is bound by a data processing agreement and may only use the data we share for the specific purpose listed. None of them receive children's data for their own marketing or advertising purposes.
- Supabase — primary database, authentication, and file storage. Holds account records and, for paid accounts, child records. US-based infrastructure. Does not access customer data for training or advertising.
- Vercel — application hosting and content delivery. Processes request metadata only (IP, URL, response status). Does not see application data payloads.
- Stripe — payment processing. Receives billing details from account holders only; never receives children's data.
- Google OAuth and Microsoft Entra ID — optional single sign-on for account holders. Used only for authentication of adult staff accounts; never used to authenticate children. We receive the adult's email, name, and a stable OAuth subject identifier.
- Transactional email provider — delivers account-related email (password reset, invitations, billing receipts) to adult account holders. Not used for marketing and not used to email children.
- Google Analytics 4 (marketing site only) — aggregate anonymous traffic analytics on daylynx.com. IP anonymization is enabled. Not loaded on app.daylynx.com. Not loaded on any page that contains children's data.
- Microsoft Clarity (marketing site only) — aggregate session diagnostics on daylynx.com, initialized with Strict input-masking so form contents are never recorded. Not loaded on app.daylynx.com.
No behavioral tracking in the application. We confirm that no analytics, session replay, heatmapping, advertising, or third-party marketing SDKs are active inside the DayLynx application where children's records live. The only cookies set in the application are essential session and CSRF cookies required for authentication.
8. Your Rights
As an account holder you have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate data
- Request deletion of your data (subject to legal retention requirements)
- Export your data in a standard portable format
- Opt out of non-essential communications
Parents and guardians have additional rights with respect to their child's records. See the COPPA Notice for the parental access, correction, and deletion process.
9. Cookies and Tracking
The DayLynx application (app.daylynx.com) uses only essential cookies required for authentication and security. The public marketing site (daylynx.com) groups cookies into three categories that you control from the cookie banner or the Cookie Preferences link in the footer. Your visible cookie-preference choice is stored in your browser (localStorage key cookie-consent-v2) with a version number and timestamp; if we add or change a category, we re-prompt you so each new choice is specific and informed. Separately, when we log a grant, revocation, or update for our consent audit trail, we may set an anonymous consent_session_id cookie on .daylynx.com with a 2-year max-age so the same browser can be matched to later consent changes across daylynx.com and app.daylynx.com.
How the gate works. The banner saves your category choices locally and the marketing site reads that state only after the page has hydrated. That means Google Analytics 4, Microsoft Clarity, and any future marketing pixel stay absent from the page until the matching category is on. Today only the Analytics category has active scripts; Marketing remains a reserved bucket with no shipped tags behind it yet.
- Required (always on). Session and CSRF cookies set by Supabase Auth (names starting with sb-, scoped to .daylynx.com) so that signing in on daylynx.com carries into app.daylynx.com. The marketing site also uses an anonymous consent_session_id cookie, likewise scoped to .daylynx.com, to tie consent grants and withdrawals from the same browser into a single audit trail. Data collected: an encrypted session token, a refresh token, the signed-in user's ID, and a random consent-session identifier. Purpose: authentication, CSRF protection, rate limiting, and consent-audit demonstrability. Retention: until sign-out or session expiry (up to 7 days for access tokens, 30 days for refresh tokens); the anonymous consent_session_id cookie may remain for up to 2 years unless your browser clears it sooner. Processors: Supabase (for auth cookies, US infrastructure) and DayLynx / SHIFT MSP (for the consent-session cookie). These cookies are exempt from the consent requirement because the site cannot function without them and because we need a reliable record of granted or withdrawn consent.
- Analytics (off by default — opt-in). Loaded only after you turn this category on. Two scripts, both scoped to the marketing site:
  - Google Analytics 4. Processor: Google LLC (US). Script: gtag.js. Data collected: anonymized IP, pseudonymous client ID, page URL, referrer, browser / device metadata, event timestamps. IP anonymization is enabled; ad-storage, ad-user-data, and ad-personalization signals are explicitly denied. Purpose: aggregate traffic and conversion analytics. Retention: 14 months at Google, then automatically deleted.
  - Microsoft Clarity. Processor: Microsoft Corporation (US). Script: clarity.js. Data collected: anonymized session interactions (clicks, scrolls, rage clicks) for heatmaps and aggregate diagnostics. Initialized with Strict input masking so typed input values are never captured; sensitive fields (password, email, phone, MFA code, name) also carry data-clarity-mask="True" as a belt-and-braces guard. Purpose: UX diagnostics on the public marketing site only. Retention: Microsoft publishes Clarity's current retention periods in Microsoft's Clarity data retention documentation.
- Marketing (off by default). Reserved for future retargeting and advertising pixels (for example, Meta or LinkedIn remarketing). No marketing scripts are active today — the category is shown in the preferences center so you can pre-set your preference for when it launches. If you choose "Accept all", marketing is turned on, and any future pixel that falls into this category will be permitted; you can turn it off at any time from the Cookie Preferences link.
Revoking consent. Changing Analytics or Marketing from on to off stops the relevant script on your next page load. We also send explicit denial signals on the current page so nothing further is recorded, but the most reliable way to guarantee no additional tracking is to reload after changing your preference. Revoking Analytics or Marketing updates our consent audit log, but it does not delete the anonymous consent_session_id cookie immediately. Because that cookie is scoped to .daylynx.com and can persist for up to 2 years unless your browser clears it sooner, the same browser may still present the same consent-session identifier on other DayLynx subdomains after revocation. That audit cookie does not by itself turn analytics or marketing back on. Neither Analytics nor Marketing scripts run on app.daylynx.com or on any page that contains children's records.
What revocation does not do: Clarity session replays. Microsoft Clarity stores session replays recorded during the consent window for a limited period published in Microsoft's Clarity data retention documentation. Turning Analytics off stops any further recording immediately, but revocation does not retroactively delete replays already captured while consent was granted. Those Microsoft-controlled retention periods are separate from DayLynx's own retention schedule in Section 6. If you want earlier deletion of any replays attributable to you, email privacy@daylynx.com and we will submit a deletion request to Microsoft Clarity on your behalf.
10. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of any material changes by posting the new policy on this page, updating the "Last updated" date, and — for material changes — emailing account holders at least 14 days before the change takes effect. Continued use of DayLynx after changes constitutes acceptance of the updated policy.
11. Operator
DayLynx is developed, operated, and maintained by SHIFT MSP. Your data is processed by SHIFT MSP in accordance with this privacy policy.
12. Contact Us
If you have questions about this privacy policy, our data practices, or you'd like to exercise any of the rights above, contact us at privacy@daylynx.com. Parents seeking to review or delete their child's records should see the COPPA Notice for the dedicated process.