Skip to content
← Back to Help Center

Do third parties have access to my data?

privacy-security

Yes, but only the minimum necessary to deliver our services, and never for marketing or training AI models on your data. We carefully limit what information each service receives and use providers with strong privacy commitments.


Third-Party Services We Use and What They Access:

AI Content Generation (Anthropic Claude & OpenAI)

What they do: Generate personalized content for daily prompts, reminders, weekly reviews, and reflections

What data they receive:

  • Your journal entries (when creating personalize Daily Questions)
  • Reminder content and responses
  • Context from your letters and journals to personalize content
  • Customer ID and request IDs for security tracking

What they DON'T receive:

  • Your email address
  • Your phone number
  • Your payment information
  • Your full name (only customer IDs and first name)

Their data governance:

  • Anthropic: Does NOT train models on API customer data. Data retention: 30 days for abuse monitoring only, then permanently deleted
  • OpenAI: Does NOT train models on API customer data as of March 2023. Zero data retention policy for API usage (data not stored beyond processing)

Security measures in our integration:

  • All prompts go through security middleware for content moderation
  • Rate limiting and abuse detection
  • Encrypted transmission (TLS 1.2+)
  • No PII included in prompts where avoidable


SMS/Voice Reminders (Twilio)

What they do: Send SMS reminders and handle check-in responses

What data they receive:

  • Your phone number (encrypted in our database, decrypted only when sending)
  • SMS message content (your reminder text and replies)
  • Delivery status and timestamps

Their data governance:

  • Twilio: GDPR compliant, ISO 27001 certified, SOC 2 Type II
  • Message logs retained for compliance and debugging (90 days default)
  • Phone numbers stored for delivery purposes
  • Subject to TCPA compliance for US messaging

Security measures in our integration:

  • Phone numbers encrypted at rest in our database
  • Webhook signature validation for inbound messages
  • Rate limiting
  • Message content encrypted before storage
  • Opt-in/opt-out compliance via Messaging Service


Email Infrastructure (Gmail API / Google)

What they do: Receive inbound email replies to daily prompts and send outbound emails

What data they receive:

  • Your email address
  • Email content (your replies to daily prompts)
  • Email threading metadata (for conversation tracking)

Their data governance:

  • Google Workspace: GDPR compliant, ISO 27001 certified
  • Email stored in Gmail inbox per Google's retention policies
  • OAuth authentication (no password access)
  • Subject to Google's data processing agreements

Security measures in our integration:

  • OAuth 2.0 authentication (service account)
  • Email content encrypted before storage in our database
  • TLS 1.2+ for all transmissions
  • Email replies processed and encrypted immediately upon receipt


Payment Processing (Stripe)

What they do: Process subscription payments and manage billing

What data they receive:

  • Your name
  • Your email address
  • Billing address
  • Payment method details (card numbers, bank accounts)

What they DON'T receive:

  • Journal entries
  • Letters
  • Reminders
  • Any user-generated content

Their data governance:

  • Stripe: PCI-DSS Level 1 compliant (highest security standard)
  • GDPR, CCPA compliant
  • SOC 1 and SOC 2 Type II certified
  • Data encrypted at rest and in transit

Security measures in our integration:

  • We NEVER store full payment card details (only last 4 digits)
  • All payment processing happens directly with Stripe
  • Customer IDs used to separate billing from content data
  • Webhook signature validation


Image Generation (Replicate)

What they do: Generate AI images for profile avatars and visual content

What data they receive:

  • Image generation prompts
  • Character descriptions (if provided)
  • Source images (for editing/variations)
  • Customer ID for correlation

Their data governance:

  • Replicate: Runs models from various providers (Stability AI, etc.)
  • Generated images stored temporarily for webhook delivery
  • Input prompts processed for generation only
  • Subject to individual model provider policies

Security measures in our integration:

  • Webhook signature validation
  • Timestamp verification
  • Rate limiting
  • No PII in prompts


Infrastructure & Database (Vercel)

What they do: Host our application and database

What data they receive:

  • ALL application data (since they host the database)
  • However, sensitive content is ENCRYPTED before storage

Their data governance:

  • Vercel: GDPR compliant, SOC 2 Type II certified
  • Data centers in US (default)
  • Neon Postgres via Vercel (managed PostgreSQL)
  • Standard Contractual Clauses for EU data transfers

Security measures:

  • Application-level encryption for ALL sensitive content
  • Database encryption at rest (infrastructure level)
  • TLS 1.2+ for all connections
  • Access controls and authentication required

What's encrypted in the database:

  • Journal entries
  • Letter content
  • Reflection content
  • Email content
  • SMS message content
  • Customer names, phone numbers
  • Order content and AI responses


Data We Never Share:

We do NOT:

  • Sell your data to anyone
  • Use your content for advertising
  • Share your data for AI model training
  • Provide your journal entries or any content you create to marketers
  • Share your personal information across services unnecessarily

Your Control:

  • Access Your Data: Request complete export of all your data
  • Delete Your Data: Request deletion (right to be forgotten)
  • Opt-Out: Unsubscribe from emails, disable reminders
  • Export: Download your journals, letters, and reflections

Compliance:

  • We maintain compliance with:
  • GDPR (EU General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • TCPA (Telephone Consumer Protection Act) for SMS
  • PCI-DSS (Payment Card Industry Data Security Standard) via Stripe
  • ISO 27001 and SOC 2 standards through our infrastructure providers

Questions or Concerns?

Contact us at privacy@tomorrowyou.com for:

  • Privacy questions
  • Third-party integration details

Go to Settings in your dashboard to submit:

  • Data access requests
  • Deletion requests


Last Updated: October 30, 2025

This FAQ provides complete transparency about exactly which services access which data, what they do with it, and how we protect it throughout the entire data lifecycle.

Was this article helpful?