45 is built around a simple principle: your focus data is yours, and we shouldn't need to see it to run the product. This policy describes exactly what we collect, why, and what we don't.
What we collect
Account information
When you sign up, we store your email address and a hashed password (or an OAuth token if you use SSO). This is used solely for authentication and billing.
Domain names — at evaluation time only
When you visit a website during an active sprint, 45 intercepts the request and evaluates whether the root domain (e.g. github.com) is relevant to your current task. That domain name is sent to OpenAI's API as part of a short prompt. We do not store this domain, log it, or associate it with your account. It is used for one evaluation and discarded.
Task descriptions — at evaluation time only
The task you type or speak at the start of a sprint is sent to OpenAI alongside the domain being evaluated. This is the only time your task text leaves your device. We do not store task descriptions on our servers. Your full task history is kept in a local JSON file on your machine.
Sprint count — aggregate only
Once per day, the app reports a single integer to our servers: the number of sprints completed. On individual plans this is used only to enforce the daily limit. On team plans, we aggregate this across all seats so admins can see a team-level total (e.g. "42 sprints across 12 seats this month"). There is no per-user breakdown visible to team admins.
Billing data
Payments are handled by Stripe. We receive a customer ID and subscription status. We do not store card numbers or full payment details.
What we never collect
- Camera video or images. The presence check runs entirely on your device using a local model. No video stream, no frames, and no images leave your laptop. Ever.
- Full URLs or page content. We only see root domain names, and only at the moment of a blocking decision.
- Browsing history. We do not log which sites were allowed or blocked during a session.
- Keystrokes, screenshots, or app usage. We are not a monitoring product.
- Per-user sprint history (for team admins). Team administrators cannot see which individuals used the app, when, or what they worked on.
Third-party services
OpenAI
We send two strings to OpenAI's API per blocking decision: your task description and the root domain being evaluated. This is subject to OpenAI's privacy policy. We use the API in a way that disables training on API inputs by default. No persistent user profile is maintained at OpenAI on our behalf.
Stripe
Billing is handled by Stripe. Their privacy policy is available at stripe.com/privacy.
Data storage and security
Your task history, sprint history, and settings are stored locally on your device in plain JSON files. You can read, export, or delete them at any time. The only data we hold on our servers is your email address, hashed password or OAuth token, subscription status, and daily sprint count.
Your rights (GDPR)
If you are in the EU or UK, you have the right to access, correct, or delete the personal data we hold about you. To exercise any of these rights, email hello@45.day. We will respond within 30 days.
Because we do not store browsing data, task descriptions, or camera data on our servers, most deletion requests are satisfied by deleting your account — which removes your email and subscription record. Local data on your device is yours to delete directly.
Cookies
The 45 desktop app does not use cookies. Our website uses only the cookies required to keep you logged in to the account portal. We do not use tracking or advertising cookies.
Children
45 is not directed at children under 16. We do not knowingly collect data from anyone under 16.
Changes to this policy
If we make material changes to this policy, we will notify you by email at least 14 days before the change takes effect.
Contact
Questions about this policy: hello@45.day