Tomorrow You Privacy Policy
Last updated: 2025-11-17
Tomorrow You, Inc. (“Tomorrow You”, “we”, “our”, or “us”) respects your privacy and is committed to protecting your personal information. This Privacy Policy explains what information we collect, why we collect it, how we use it, and your choices regarding your information. It is designed to comply with:
- Telephone Consumer Protection Act (TCPA)
- CTIA Messaging Principles & Best Practices
- Twilio A2P Messaging Policies
- Stripe Data Security & Privacy Guidelines
- EU General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA) & CPRA
- Other applicable global privacy laws
We do NOT sell, rent, or share your personal information with third parties for their own marketing purposes.
1. Information We Collect
| Category | Examples | Purpose |
|---|---|---|
| Identifiers | Name, email address, phone number | Account creation, authentication, SMS/voice reminders, customer support |
| Profile Information | Username, timezone, preferences | Personalized experience, reminder scheduling |
| Commercial Information | Subscription tier (Basic/Premium), purchase history, payment status | Payment processing, subscription management, invoices |
| Internet / Device Data | IP address, browser type, device identifiers, timezone, user agent | Security, fraud prevention, user experience optimization |
| Usage Data | Feature interactions, journal entries, reminder responses, letter creation, reflection views | Service delivery, analytics, product improvements |
| Web Analytics Data | Page URLs and routes, referrer, filtered query parameters, approximate location (city/region/country), device/OS/browser type and version, device type (desktop/mobile/tablet), event timestamps | Privacy-focused, aggregated analytics via Vercel Web Analytics to understand traffic patterns and improve the platform (only after consent) |
| Communications | SMS message content, voice call recordings, email content, phone number opt-in/opt-out status | Deliver reminders, verify consent, comply with TCPA & carrier rules, customer support |
| User-Generated Content | Journal entries, letters to future self, reflections, reminder responses | Core service functionality, AI-powered insights |
| Payment Data | Last 4 digits of card, billing address (processed by Stripe) | Payment processing, refunds, subscription management |
| Consent Records | Consent timestamps, IP addresses, consent method, consent version, consent history | Legal compliance (GDPR Article 7), audit trails |
Important: Sensitive payment details (full card numbers, CVV/CVC) are handled solely by Stripe and never stored on Tomorrow You servers. We receive only tokenized payment references and the last 4 digits for display purposes.
For Web Analytics Data, we use Vercel Web Analytics, a privacy-focused, cookie-less analytics service provided by our hosting provider Vercel. The data points are recorded in an anonymous, aggregated form that is not tied to an individual or IP address and cannot be used to reconstruct a specific user’s browsing session.
2. How We Collect Information
Directly from you – when you create an account, write journal entries, create letters, set up reminders, respond to SMS messages, or communicate with customer support.
Automatically – when you use our web application, through:
- Cookies and similar technologies for essential functionality and (if you consent) analytics. We use Klaro (self-hosted, open-source) for cookie and consent management.
- Vercel Web Analytics, which runs on our own domain and does not use third-party cookies. It collects a minimal set of usage data such as page paths, referrers, filtered query parameters, approximate location (city/region/country derived from the incoming request), device and browser type/version, device type, and timestamps to generate aggregated traffic statistics. End users are identified only via a short-lived hash derived from the request, and visitor sessions are automatically discarded after 24 hours.
- Server and infrastructure logs from our hosting provider (Vercel), which may include IP address, requested URL, and user agent information for security, reliability, and abuse prevention.
From third-party processors – payment details from Stripe; phone number verification from Twilio Lookup & Verify; AI-generated content from Anthropic (Claude), OpenAI (GPT models), and Replicate.
From AI processing – when you use AI-powered features (journal prompts, weekly reviews, reminders), we send your content to our AI service providers for processing.
3. Legal Bases for Processing (GDPR)
Where GDPR applies, we rely on the following legal bases:
- Contract – to deliver the services you request (journal prompts, reminders, letters, reflections).
- Legitimate Interest – to improve and secure our platform, prevent fraud, and optimize user experience (for example, basic security logging and high-level service performance metrics).
- Consent – for SMS/voice reminders, marketing communications, analytics technologies (including Vercel Web Analytics), and AI-powered personalization features. We only run non-essential analytics when you have given consent via our Klaro-based cookie and consent banner.
- Legal Obligation – to comply with tax, accounting, telecom regulations, and data protection laws.
4. How We Use Information
We use the information we collect for the following purposes:
- Account Management: Create and maintain your account, authenticate logins, manage subscriptions.
- Core Services: Deliver journal prompts, schedule and send reminders, store letters to future self, generate weekly reflections.
- AI-Powered Features: Generate personalized journal prompts, create insights from your reflections, analyze reminder responses, provide weekly review summaries. Your content is processed by Anthropic Claude, OpenAI GPT models, and Replicate for image generation.
- SMS/Voice Reminders: Send A2P SMS or voice reminders only after you provide explicit, documented consent (“prior express written consent” under TCPA). We maintain detailed audit trails including timestamp, IP address, and consent method.
- Payment Processing: Process payments and manage subscriptions via Stripe (PCI DSS Level 1 compliant).
- Customer Support: Respond to inquiries, troubleshoot issues, provide technical assistance.
- Security & Fraud Prevention: Detect, prevent, and respond to fraud, abuse, or security incidents.
- Product Improvement: Analyze usage patterns, test new features, improve service quality.
- Web Analytics (Vercel Web Analytics):
  - We use Vercel Web Analytics to understand how visitors interact with our website in a privacy-preserving way.
  - Vercel Web Analytics records anonymous data points (such as page paths, referrers, approximate location, device and browser information, device type, and timestamps) and uses a short-lived hash for visitor identification, without storing IP addresses or other personal identifiers in the analytics dataset.
  - The data is processed only as aggregated statistics; it does not allow us or Vercel to reconstruct individual browsing sessions across different websites or personally identify an end user.
  - We configure analytics to avoid sending any URL segments, query parameters, or custom event payloads that could reasonably identify an individual (for example, user IDs, email addresses, tokens, or invoice numbers).
  - We only activate Vercel Web Analytics if you have given consent for analytics via Klaro; if you opt out, we prevent the analytics script from running and no analytics events are sent.
- Legal Compliance: Comply with legal obligations, enforce our terms, protect rights and safety.
5. Data Encryption & Security
We implement multiple layers of technical and organizational safeguards to protect your information, with a particular focus on the privacy of your journal content, letters, and reflections.
Content Encryption
The following content types are encrypted at rest using industry-standard encryption algorithms before being stored in our database:
- Journal Entries: All journal content, prompts, and your responses
- Letters to Future Self: Complete letter content
- Reflections: AI-generated reflections (e.g. weekly review) and your personal reflections
- Reminder Messages: SMS message content and conversation history
- Email Content: Inbound email content processed by the system
- Orders & Deliveries: Processed content and AI responses
Personal Information Encryption
We also encrypt key personal data at rest, including:
- Name, First Name, Last Name, Username
- Phone Numbers (decrypted only when needed for delivery)
- Customer Content (all user-generated content stored in your account)
Data in Transit
All data transmitted between your device and our services is protected using modern transport-layer security (TLS) to help prevent interception or tampering while in transit.
Additional Security Measures
We use a combination of technical and administrative controls to protect your data, including:
- Role-based access controls and multi-factor authentication for administrative access
- Strict access limitations to production systems, with logging and monitoring of administrative activity
- Regular security reviews and testing of our infrastructure and application
- An incident response process aligned with applicable data protection laws, including a 72-hour breach notification commitment where required
- Encrypted backups and disaster recovery procedures designed to maintain availability and integrity of your data
Encryption keys and other sensitive secrets are managed using secure secret management practices and are never committed to version control. We follow widely recognized security best practices (such as those published by OWASP) and periodically review and update our controls as our services and the threat landscape evolve.
6. Opt-In & Consent Management
SMS/Voice Reminders (TCPA & Twilio A2P Compliance)
- Double Opt-In: We require explicit affirmative action (checking an unchecked checkbox AND replying “YES” to a verification SMS) before sending recurring messages.
- Message Frequency Disclosure: We clearly disclose expected frequency (“Message frequency varies based on your reminder schedule”).
- Mandatory Disclaimers: All SMS templates include “Reply STOP to opt out. Message & data rates may apply.”
- Opt-Out Handling: Keywords such as STOP and UNSUBSCRIBE immediately halt all messages, and we confirm the opt-out via a one-time reply.
- Audit Trail: We log timestamp, IP address, consent method, and consent UI state per user, retained for at least 5 years (or longer if required by law).
- Phone Number Verification: We use Twilio Lookup & Verify to validate phone numbers before sending messages.
Cookie & Analytics Consent (Klaro – Self-Hosted)
We use Klaro, a self-hosted, open-source consent manager that respects your privacy:
- Essential Cookies/Technologies: Required for core functionality (session management, security, navigation). Cannot be disabled.
- Analytics Technologies (including Vercel Web Analytics):
  - Optional and disabled by default.
  - Used to understand usage patterns and improve the platform.
  - We treat Vercel Web Analytics as an “Analytics” category within Klaro.
  - We only load and run the Vercel Web Analytics script if you explicitly opt in to analytics in the cookie/consent banner or settings. If you opt out, we prevent the script from running and no analytics events are sent.
- No Marketing Cookies: We do not use third-party advertising or marketing cookies.
- Granular Control: You can change your consent preferences at any time via the cookie banner or privacy settings.
- Consent Storage: Your consent preferences are stored locally in your browser in accordance with Klaro’s configuration.
AI Processing Consent
By using AI-powered features (journal prompts, reflections, insights), you consent to:
- Sending your content to our AI service providers (Anthropic, OpenAI, Replicate)
- Processing your content to generate personalized responses
- Storing AI-generated content in your account
7. Data Sharing & Disclosure
We share data only with service providers under contracts that:
- Limit processing to our documented instructions
- Use reasonable security measures
- Prohibit use for their own purposes
- Comply with GDPR data processing requirements
| Recipient | Purpose | Safeguards | Data Shared |
|---|---|---|---|
| Stripe, Inc. | Payment processing, subscription management, invoicing | PCI DSS Level 1 compliance, separate customer IDs, tokenized payments | Billing information, payment method (last 4 digits), subscription status |
| Twilio, Inc. | SMS/Voice delivery, phone number verification | TLS encryption in transit, A2P campaign approval, TCPA compliance | Phone numbers (encrypted), message content, delivery status |
| Anthropic (Claude) | AI-powered journal prompts, reflections, insights | Data not used for model training, API-only access | Journal entries, letters, reminder responses (for AI processing only) |
| OpenAI (GPT models) | AI-powered content generation, embeddings for search | Data not used for model training, API-only access | User content for AI processing, embeddings for search |
| Replicate | AI-powered image generation, using models available on the Replicate platform, for profile pictures | API-based processing, temporary storage only | Image generation prompts, profile images |
| Vercel (Hosting & DB) | Cloud hosting, database storage, edge functions | ISO 27001 / SOC 2 Type II compliance, encryption at rest and in transit | All application data (encrypted) |
| Vercel Web Analytics | Privacy-focused, cookie-less web analytics | Privacy-focused design, anonymized and aggregated data, no personal identifiers or IPs stored in analytics dataset | Anonymous analytics data points such as page paths, referrer, approximate location, device/browser type/version, device type, timestamps |
| Gmail API (Google) | Email delivery (notifications, resets, prompts) | OAuth 2.0 authentication, TLS encryption, GDPR-compliant infrastructure | Email addresses, email content, thread information |
When We May Disclose Data Without Consent
We may disclose personal information when:
- Required by law: Court orders, subpoenas, legal processes
- To protect rights and safety: Fraud prevention, security incidents, terms enforcement
- Business transfers: Mergers, acquisitions, or asset sales (with notice to you)
We never share data for third-party advertising or marketing purposes.
8. International Transfers
We store data on servers in the United States (Vercel infrastructure). When we transfer personal data from the EU/UK or other regions with data-transfer restrictions, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Supplemental technical measures: Encryption at rest and in transit, access controls, audit logging
- Supplemental organizational measures: Data processing agreements, regular compliance audits, incident response procedures
Our AI service providers (Anthropic, OpenAI) also comply with GDPR requirements and use appropriate safeguards for international data transfers.
Where Vercel Web Analytics is used, analytics data is handled in line with Vercel’s Web Analytics privacy and compliance documentation and is processed as anonymized, aggregated data.
9. Data Retention
We retain personal information no longer than necessary for the purposes described in this policy or as required by law:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Information | Duration of account + 30 days after deletion | Service delivery, account recovery |
| Journal Entries, Letters, Reflections | Duration of account + 30 days after deletion | Core service functionality |
| SMS Consent Records | 5 years minimum from last interaction | TCPA compliance (4 years statute of limitations + 1 year buffer) |
| Payment Records | 7 years from transaction date | Tax, accounting, and legal requirements |
| Audit Logs & Security Events | 2 years | Security investigations, compliance audits |
| Analytics Data (Aggregated) | Indefinitely | Product improvement (aggregated and anonymized; cannot identify individuals; includes data from Vercel Web Analytics) |
| Deleted Account Data | 30-day grace period, then permanent deletion | Account recovery window, legal compliance |
Account Deletion Process
When you request account deletion:
- Immediate: All consent is withdrawn, no further communications sent
- Within 5–10 business days: Admin review and verification
- Within 30 days: Complete data deletion (except legally required records)
- Permanent: Encrypted backups overwritten within 90 days
10. Your Rights & Choices
Depending on your location, you may have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Access / Portability | Request a copy of your data in machine-readable format (JSON) | Email privacy@tomorrowyou.com or use “Export My Data” in account settings |
| Rectification | Correct inaccurate or incomplete information | Update in account settings or email help@tomorrowyou.com |
| Deletion / Erasure | Request deletion of your account and personal data (GDPR Article 17) | Use “Delete Account” in settings or email privacy@tomorrowyou.com |
| Opt-Out of SMS/Voice | Stop receiving reminder messages | Reply STOP to any text message or disable in reminder settings |
| Opt-Out of Marketing | Unsubscribe from promotional emails | Click “unsubscribe” in emails or adjust preferences in settings |
| Opt-Out of Analytics | Disable analytics technologies (including Vercel Web Analytics) | Adjust consent preferences in the cookie/consent banner or privacy settings |
| Restrict Processing | Limit how we use your data | Email privacy@tomorrowyou.com with specific restrictions |
| Object to Processing | Object to processing based on legitimate interests | Email privacy@tomorrowyou.com with objection details |
| Withdraw Consent | Withdraw consent for SMS or analytics (AI personalization is core) | Adjust preferences in account settings and the cookie/consent banner |
| CCPA “Do Not Sell/Share” | We do not sell or share personal information | No action needed (we don’t sell data) |
| Lodge a Complaint | File complaint with data protection authority | Contact your local DPA (EU) or Attorney General (US) |
Verification Process
To protect your privacy, we will verify your identity before fulfilling data rights requests:
- Email verification: We’ll send a confirmation link to your registered email
- Account authentication: You may need to log in to verify your identity
- Additional verification: For sensitive requests (deletion, export), we may request additional information
Response Timeframes
- GDPR requests: Within 30 days (may extend to 60 days for complex requests)
- CCPA requests: Within 45 days (may extend to 90 days for complex requests)
- TCPA opt-out: Immediate (within 24 hours)
11. Children’s Privacy
Our services are not directed to children under 13 (or 16 in the EU). We do not knowingly collect personal information from children. If we learn we have collected data from a child without parental consent, we will delete it immediately. If you believe we have inadvertently collected information from a child, please contact us at privacy@tomorrowyou.com.
12. AI-Specific Privacy Considerations
How We Use AI
Tomorrow You uses AI to enhance your personal growth experience:
- Journal Prompts: AI generates personalized daily prompts based on your history and preferences
- Reflections: AI analyzes your journals and letters to create weekly insights
- Reminder Responses: AI processes your SMS responses to understand context and sentiment
- Profile Images: AI generates personalized profile images (Replicate)
AI Service Providers
We work with a small set of specialized AI infrastructure providers to deliver Tomorrow You’s core features (journal prompts, reflections, insights, and image generation). The specific model versions we use may change over time as we upgrade to newer, safer, and more capable systems, but we commit to staying within the same class of providers and models:
- State-of-the-art large language and image models appropriate for the intended use.
- Enterprise-grade APIs with strong security, access controls, and compliance commitments.
- Contractual assurances that your data is **not** used to train foundation models.
- Configurations that minimize the amount of personal data sent and retain it only as needed to provide the service.
Below is an overview of our current AI service providers and how we use them:
| Provider | Models Used | Data Usage | Retention |
|---|---|---|---|
| Anthropic | State-of-the-art large language models from Anthropic | Content generation, Journal prompts, reflections, insights | Not used for training, processed via API only |
| OpenAI | State-of-the-art large language and embedding models | Content generation, semantic search embeddings, content moderation | Not used for training, embeddings stored in our database |
| Replicate | Modern image generation models | Profile image generation | Temporary processing only, images stored in our infrastructure |
Your AI Privacy Rights
- Core Service: AI personalization is a core component of Tomorrow You and cannot be disabled in the current version. The service is designed around AI-powered journal prompts, reflections, and insights.
- Future Options: A version of the service without AI personalization may be considered in the future but is not currently available.
- Data Minimization: We only send necessary context to AI providers for generating your personalized content.
- No Training: Your data is not used to train AI models (per our agreements with providers).
- Human Review: You can contact support for human review of AI-generated insights if you have concerns.
13. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Categories of Personal Information Collected: We collect the categories listed in Section 1 of this policy.
- Business Purposes for Collection: We use personal information for the purposes listed in Section 4 of this policy.
- Categories of Third Parties: We share data with the service providers listed in Section 7 of this policy.
Your CCPA Rights
- Right to Know: Request disclosure of personal information collected, used, or shared
- Right to Delete: Request deletion of personal information (subject to legal exceptions)
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out: We do not sell or share personal information, so opt-out is not applicable
- Right to Limit Use of Sensitive Personal Information: We only use sensitive information for disclosed purposes
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
How to Exercise CCPA Rights
Email privacy@tomorrowyou.com or use the data export/deletion features in your account settings. We will verify your identity and respond within 45 days.
Authorized Agent
You may designate an authorized agent to make requests on your behalf. The agent must provide proof of authorization.
14. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or service features. When we make changes:
- Notice: We will post the updated policy on this page with a new “Last updated” date
- Material Changes: For significant changes, we will provide additional notice via:
  - Email notification to your registered email address
  - In-app notification when you log in
  - Prominent banner on our website
- Continued Use: Your continued use of Tomorrow You after the effective date constitutes acceptance of the updated policy
- Review: We encourage you to review this policy periodically
Policy Version History
- v1.0 (2025-10-31): Initial privacy policy with comprehensive GDPR, CCPA, and TCPA compliance
- v1.1 (2025-11-17): Updated to document use of Vercel Web Analytics and clarify analytics/consent handling
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
- Privacy Email: privacy@tomorrowyou.com
- Support Email: help@tomorrowyou.com
- Mail: Tomorrow You LLC, 2648 International Blvd Ste 301 #276, Oakland, CA 94601, USA
Data Protection Officer
For GDPR-related inquiries, you may contact our Data Protection Officer at privacy@tomorrowyou.com.
Response Time
We aim to respond to all privacy inquiries within 5 business days. For formal data rights requests, see Section 10 for specific timeframes.
16. Additional Resources
- Terms of Use
- Cookie Policy: Managed via Klaro cookie banner
- Security Practices: See Section 5 of this policy
- Data Processing Agreement: Available upon request for business customers
By using Tomorrow You, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree with this policy, please do not use our services.
This privacy policy is designed to be transparent, comprehensive, and compliant with global privacy regulations. We are committed to protecting your privacy and earning your trust.