Privacy Policy
0Day is a security intelligence app for software developers. We take the minimum amount of data we need to run the service and we do not sell, rent, or share personal data with advertisers or analytics companies.
This policy explains exactly what we collect, why we collect it, where it is stored, and how you can delete it. If anything here is unclear, email us at 0day@lous.nl.
1. Who we are
0Day is operated as an independent project by the developer behind 0day.lous.nl. For the purposes of the EU General Data Protection Regulation (GDPR) we are the data controller for any personal data described in this policy.
Contact for privacy questions or data requests: 0day@lous.nl
2. What we collect
We collect only what the app needs to authenticate you, deliver notifications to your device, and remember your preferences. A full list:
| What | Why | Source |
|---|---|---|
| Email address | Create and secure your account, sign you in on other devices | You, via Sign in with Apple / Google / email |
| Firebase user ID | Opaque identifier used internally; never shown to other users | Firebase Authentication |
| Display name | Shown on the welcome screen when you sign in | Apple / Google, if you sign in with those providers |
| Tech stack selections | Filter the threat feed to tools you actually use | You, during onboarding and in Settings |
| Notification preferences | Decide which push notifications to send you | You, in Settings |
| APNs device token | Send you push notifications when new threats match your stack | Apple Push Notification service on your device |
| Subscription transaction metadata | Verify your Pro subscription status and grant access | Apple App Store Server Notifications |
| Apple refresh token | Required by Apple to revoke your session when you delete the account (App Store Review Guideline §5.1.1) | Apple, if you signed in with Apple |
3. What we do not collect
- No analytics, no event tracking, no behaviour profiling
- No crash reporting SDKs (no Sentry, no Crashlytics)
- No advertising identifiers (IDFA), no cross-app tracking
- No location data, no contacts, no calendar, no photos, no health data
- No microphone or camera access
- No third-party advertising networks
- No sale of any data to any third party, ever
4. How we use your data
- Authenticate you when you open the app.
- Deliver push notifications about new threats that match your saved stack or are otherwise relevant to your subscription tier.
- Remember your preferences (stack, notification toggles, excluded categories) across devices and sessions.
- Verify your subscription via the Apple App Store Server Notifications webhook, so we know whether you are Pro or free.
- Diagnose server errors via aggregated CloudWatch logs. These logs do not include your email or any identifying data beyond the opaque Firebase user ID, and they are retained for 30 days.
We do not use any of your data to train machine learning models. The Claude / Amazon Bedrock models used for threat classification only see the text of public security articles from our source list — never any user data.
5. Where your data lives
We run 0Day on the following third-party services. All user data is stored in the European Union (eu-west-3, Paris, France) on Amazon Web Services infrastructure. Firebase Authentication is a Google Cloud service, and authentication data may transit through Google’s global infrastructure, but we never send your preferences, stack, devices, or subscription state to Firebase.
| Service | Purpose | Data sent |
|---|---|---|
| Amazon Web Services (eu-west-3) | Hosting, databases, push notification endpoints, threat classification | All user data except authentication credentials |
| Firebase Authentication (Google LLC) | Identity and session management | Email address, Firebase UID, display name |
| Apple (App Store / APNs / StoreKit) | Subscription billing, push delivery, sign-in with Apple | Subscription transactions, anonymous push tokens |
6. How long we keep your data
- Account data (email, stack, preferences, devices): kept as long as your account exists. Deleted immediately when you delete your account from Settings.
- Subscription metadata: kept for 24 months after cancellation or expiry so we can honour refunds and respond to billing disputes.
- Threat alerts in the feed: automatically expire 30 days after creation via database TTL.
- Server logs: CloudWatch logs retained for 30 days, then automatically deleted.
7. Your rights under GDPR
If you are in the EU, EEA, UK, or Switzerland you have the following rights under GDPR and equivalent laws:
- Access — request a copy of the data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — delete your account and all associated data (available instantly in-app: Settings → Delete Account)
- Restriction — ask us to pause processing
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — turn off push notifications in Settings or iOS Settings at any time
To exercise any of these rights, email 0day@lous.nl. We aim to respond within 30 days.
You also have the right to lodge a complaint with a supervisory authority. In the Netherlands that is the Autoriteit Persoonsgegevens.
8. Lawful basis for processing (GDPR)
We process personal data on the following GDPR lawful bases:
- Contract (Art. 6(1)(b)) — to provide the service you signed up for: authentication, preference storage, subscription management, push delivery.
- Legitimate interests (Art. 6(1)(f)) — server logs used strictly for security and reliability. We do not use legitimate interests for anything resembling profiling or marketing.
- Legal obligation (Art. 6(1)(c)) — retaining minimal billing metadata to comply with tax and consumer protection laws.
9. Children
0Day is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Changes to this policy
If we make material changes to this policy, we will update the effective date at the top of this page and push a notification to your device before the change takes effect.
11. Contact
Data protection questions, data requests, or anything else privacy-related: 0day@lous.nl