Privacy Policy
Last updated: February 18, 2026
GoNow is an AI productivity coaching service operated by Daniel AI LLC, a Delaware corporation. We believe privacy is a fundamental right — not a feature. This policy explains in plain language what data we collect, why we collect it, how we protect it, and what control you have. It covers our obligations under the GDPR, UK GDPR, CCPA/CPRA, South Korea’s PIPA, Japan’s APPI, Brazil’s LGPD, Canada’s PIPEDA, Illinois BIPA, the EU AI Act, the Colorado AI Act, and all other applicable privacy and AI transparency laws.
1. Data We Collect
When you use GoNow, we collect only what is necessary to deliver your coaching experience. Account data: your email address and display name when you sign up. Coaching conversations: the text content of your exchanges with our AI coach, used to personalize your experience over time. If your conversations touch health-related topics such as ADHD or mental wellness, this may constitute special category data under GDPR Article 9 or sensitive personal information under CPRA, processed only on the basis of your explicit consent through continued voluntary use of those features. Voice data: audio from voice coaching sessions is processed in real-time for speech-to-text conversion only. We do not create, store, or derive voiceprints, biometric templates, or any persistent voice identifiers. Audio is discarded immediately after transcription completes — it is never written to permanent storage. This approach complies with Illinois BIPA Section 15, Colorado biometric privacy requirements effective July 2025, and equivalent biometric data protection laws. Payment data: handled entirely by Stripe under PCI DSS Level 1 standards. We never see, access, or store your card numbers. Automatic data: device type, browser version, IP address, approximate geographic location, and session usage patterns collected for security and service improvement. We use only essential first-party cookies for authentication — no advertising trackers, no analytics pixels, no fingerprinting, no third-party tracking of any kind.
2. Why We Use Your Data
Every piece of data we collect serves a specific, documented purpose: delivering the coaching service, remembering your conversation context across sessions, processing payments, communicating essential service updates, and meeting legal obligations. We do not sell your data. We do not share it for advertising. We do not use it to train general-purpose AI models. Legal bases by region: EU and UK under GDPR — contract performance (Art. 6(1)(b)), legitimate interest (Art. 6(1)(f)) consistent with the EDPB March 2025 opinion confirming legitimate interest may apply to AI processing with appropriate safeguards, legal obligation (Art. 6(1)(c)), and explicit consent (Art. 6(1)(a) and Art. 9(2)(a)) for voice processing and any health-related data. UK users additionally benefit from the Recognised Legitimate Interest basis introduced by the Data Use and Access Act 2025. California under CCPA/CPRA — business purpose only with no sale or sharing; we honor Global Privacy Control (GPC) signals as required by California, Colorado, and Connecticut joint enforcement actions. Effective January 2026, we comply with CPRA automated decision-making technology (ADMT) transparency and opt-out requirements. Colorado — Colorado Privacy Act rights plus Colorado AI Act consumer AI interaction disclosure effective June 2026. South Korea under PIPA — collection with informed consent per Article 15; automated decision explanation and refusal rights under the 2023 amendment; data portability effective March 2025. Japan under APPI — processing within disclosed and specified purposes per Article 17; third-party provision restrictions per Article 27. Brazil under LGPD — necessity for contract execution (Art. 7(V)) and consent (Art. 7(I)); international transfer compliance per ANPD rules effective August 2025. Canada under PIPEDA — meaningful consent with purpose limitation per Principles 3 and 4; collection limited to stated purposes per Principle 5. We conduct Data Protection Impact Assessments (DPIAs) as required by GDPR Article 35, CPRA, and Colorado privacy law for all AI processing activities involving personal data.
3. Who We Share With
Daniel AI LLC acts as the data controller (GDPR/UK GDPR), business (CCPA/CPRA), or personal information handler (PIPA/APPI) for your data. We share the minimum necessary with five service providers, each bound by a Data Processing Agreement with appropriate security and confidentiality obligations. Google Gemini API: processes coaching conversations for AI text generation. ElevenLabs: converts text to speech for voice coaching in real-time with no permanent audio storage on their servers. Stripe: handles all payment processing under PCI DSS Level 1 standards; we never access your card details. Supabase: hosts account and conversation data with row-level security ensuring complete data isolation between users. Cloudflare: provides hosting, content delivery, and AI embedding services for semantic search. That is the complete and exhaustive list. We do not sell, rent, or trade your personal information to any third party for any purpose. We do not participate in data broker networks or behavioral advertising ecosystems. For Korean users under PIPA Article 26: these five providers act as personal information processing delegates with documented delegation agreements covering AI processing, voice synthesis, payment handling, data hosting, and content delivery respectively.
4. Storage, Security & Transfers
Your data is encrypted in transit using TLS 1.3 and protected at rest by row-level security in Supabase, ensuring no user can access another user’s data. Conversation summaries are vectorized in Cloudflare for personalized coaching retrieval using privacy-preserving embeddings. Voice audio is processed in real-time memory only and never written to permanent storage. We conduct regular Data Protection Impact Assessments and maintain documented security measures proportionate to the sensitivity of data processed. Our service providers are primarily US-based. International transfer safeguards by region: EU and UK — Standard Contractual Clauses (SCCs) with supplementary Transfer Impact Assessments; the European Commission extended the UK adequacy decision in December 2025. South Korea — informed consent for overseas transfer per PIPA Article 17; we are reviewing domestic representative designation requirements under the October 2025 amendment. Japan — mutual adequacy arrangement with the EU under APPI; third-party provision rules per Article 28. Brazil — compliance with LGPD Article 33 and ANPD’s international data transfer regulation effective August 2025. Canada — PIPEDA cross-border transfer accountability per Principle 1. Upon account deletion, all personal data including conversation history and vector embeddings is retained for 30 days to allow recovery, then permanently and irreversibly deleted from all systems. Billing records are retained only for the minimum period required by applicable tax law.
5. Cookies
We use only essential cookies for authentication and session management. Nothing else. No advertising cookies, no analytics, no tracking pixels, no fingerprinting, no cross-site tracking. Since we use only strictly necessary cookies, no consent banner is required under the EU ePrivacy Directive. We honor Global Privacy Control (GPC) signals. We do not participate in data broker networks or behavioral advertising.
6. Your Privacy Rights
Your privacy rights depend on where you live, and we respect every one of them without discrimination. EU and UK (GDPR): access, rectification, erasure, data portability, restriction of processing, objection, and the right not to be subject to solely automated decisions producing legal or similarly significant effects (Art. 22). Our AI generates coaching suggestions but does not make decisions with legal or equivalent impact on you. California (CCPA/CPRA): right to know, delete, correct, opt out of sale (we never sell), and limit sensitive data use. Effective January 2026, you have expanded rights regarding automated decision-making technology (ADMT) including the right to opt out of profiling, to receive meaningful information about the logic involved, and to question automated outputs. No discrimination for exercising any right. Colorado: access, correction, deletion, data portability, and opt-out of profiling under the Colorado Privacy Act; under the Colorado AI Act effective June 30, 2026, you have the right to be informed when interacting with AI and to receive notice before any consequential AI-assisted decision. South Korea (PIPA): access, correction, deletion, processing suspension, automated decision explanation and refusal rights, and data portability in machine-readable format effective March 2025. Japan (APPI): disclosure, correction, deletion, and cessation of use per Articles 28-34; the triennial review may expand these rights by 2027. Brazil (LGPD): confirmation of processing, access, correction, anonymization, portability, deletion, information about shared entities, consent withdrawal, and automated decision review under Article 20. Canada (PIPEDA): access to your personal information, accuracy challenge, and consent withdrawal per Principles 9 and 3. Indiana, Kentucky, and Rhode Island (effective January 2026): access, deletion, correction, data portability, and opt-out of targeted advertising under new comprehensive privacy laws. Data breach notification: we notify relevant supervisory authorities within 72 hours (GDPR, LGPD) and affected individuals without undue delay, complying with all applicable breach notification laws including US state-specific requirements. Contact privacy@gonowtimesaver.com for any privacy request. We respond within 30 days, or 45 days with extension notice for CCPA requests.
7. How Our AI Processes Your Data
We believe you deserve to understand exactly how your data moves through our AI systems. When you send a text message, it is sent to Google Gemini along with relevant context from your past conversations. To find that context, we use a technique called retrieval-augmented generation: your previous conversation summaries are stored as mathematical vector representations in Cloudflare, and we search these vectors to find the most relevant past context for your current message. The AI never sees your complete conversation history — only the summaries most relevant to what you are discussing right now. Your conversations are stored in three layers: the original text in our encrypted database, an AI-generated natural language summary for efficient context retrieval, and a vector embedding for semantic search. This layered architecture lets the AI remember what matters while minimizing the raw data it accesses at any given time. For voice coaching, your audio is streamed to Google Gemini for real-time speech-to-text transcription. The audio exists only in temporary processing memory and is never written to any disk or permanent storage. Once transcription is complete, the audio data ceases to exist. The resulting text is then processed identically to typed messages. We do not analyze voice characteristics, create speaker profiles, or derive any biometric data from your voice. The AI does not make autonomous decisions about your life, career, health, or finances. It generates coaching suggestions based on patterns in your conversations and general productivity psychology. You always decide whether and how to act on any suggestion. No AI output from GoNow has legal, financial, medical, or similarly consequential effect on you. This transparency disclosure satisfies the requirements of EU AI Act Article 13, South Korea’s AI Framework Act effective January 2026, the Colorado AI Act effective June 2026, and CPRA’s automated decision-making technology provisions effective January 2026.
8. Data Retention
We retain your data only as long as necessary for its stated purpose, and we are specific about how long that is. Account information including your email and profile: retained while your account is active and for 30 days after you request deletion, allowing time to recover from accidental deletion. After 30 days, permanently erased. Coaching conversations and AI-generated summaries: retained according to your subscription tier. Free accounts have no persistent conversation memory — each session starts fresh. Standard subscribers retain conversation context for 30 days. Pro subscribers retain context for 365 days. Ultra subscribers retain context indefinitely while their subscription is active. When you downgrade or cancel, any conversation data exceeding your new tier’s retention window is deleted within 30 days. Vector embeddings used for semantic context retrieval follow the same tier-based schedule and are purged on the same timeline. Voice audio: never stored at any tier. Audio exists only in temporary processing memory during real-time transcription and is discarded immediately upon completion. No audio recording is ever written to disk. Payment and billing records: transaction history is retained for the minimum period required by applicable tax and accounting law — typically 7 years for US federal tax purposes and equivalent periods in other jurisdictions. Server and security logs: IP addresses, access timestamps, and error logs are retained for a maximum of 90 days for security monitoring and incident response, then automatically and permanently purged. Authentication cookies: session cookies expire when you close your browser. Authentication tokens expire after 30 days of inactivity. When any data reaches the end of its defined retention period, it is permanently and irreversibly deleted from all systems including database replicas and backup snapshots within 30 days. This schedule satisfies the data minimization and storage limitation requirements of GDPR Article 5(1)(e), CCPA/CPRA purpose limitation, PIPA retention principles, and APPI utilization purpose restrictions.
9. Children’s Privacy
GoNow is not designed for, marketed to, or intended for use by children. We take this seriously. Users under 13 years old are strictly prohibited from using GoNow in all jurisdictions, in compliance with the US Children’s Online Privacy Protection Act (COPPA) and equivalent laws worldwide. Users aged 13 to 15 require verifiable parental or guardian consent under GDPR Article 8, South Korea’s Act on Promotion of Information and Communications Network Utilization, and equivalent laws in Japan, Brazil, and other applicable jurisdictions. Users 16 and older may create accounts and use GoNow independently. We do not knowingly collect, use, or disclose personal information from children under 13. We do not use age-targeted advertising or profiling of any kind. If we discover that a child under 13 has created an account or that we have inadvertently collected data from a child, we will promptly delete the account and permanently erase all associated data — including conversations, profile information, and any vector embeddings — without requiring a parental request. Parents or guardians who believe their child may have provided personal information to GoNow should contact us immediately at privacy@gonowtimesaver.com and we will act within 48 hours.
10. Policy Changes
We may update this policy for legal, operational, or technological reasons. For material changes, we provide at least 30 days advance notice via email and website posting. The date at the top reflects the latest revision. Continued use after the effective date constitutes acceptance.
11. Contact
Email: privacy@gonowtimesaver.com. Daniel AI LLC, United States. Our privacy team reviews and responds to all inquiries within legally required timeframes. You have the right to lodge complaints with the following supervisory authorities: EU — your local Data Protection Authority in any member state. UK — Information Commissioner’s Office (ICO). South Korea — Personal Information Protection Commission (PIPC). Japan — Personal Information Protection Commission (PPC). Brazil — Autoridade Nacional de Proteção de Dados (ANPD), now operating as an independent regulatory agency with full enforcement authority. California — California Privacy Protection Agency (CPPA) and Attorney General. Colorado — Attorney General, including AI Act enforcement beginning June 2026. Connecticut — Attorney General. Canada — Office of the Privacy Commissioner (OPC). US Federal — Federal Trade Commission (FTC) for deceptive or unfair practices. For EU data subject requests, we act as the data controller. For Korean inquiries regarding domestic representative designation, contact us at the email above.