Last updated: 2026-04-20

Privacy Policy

This policy explains what Dayfolio collects, what we ingest on your behalf through connectors, and how we handle it. We wrote it to be read, not just filed.

1. Overview and scope

Dayfolio is operated by Orientic Institute Ltd. (“Orientic”, “we”, “our”, “us”), a Canadian company with its registered office at 15 Rue Jos-Montferrand, Gatineau, QC J8X 0C2, Canada. This Privacy Policy covers our use of personal information in connection with:

  • The Dayfolio product · including the daily 6am briefing email, the MCP endpoint that lets authorized agents query your workspace, scheduled and ad-hoc reports, and any related surfaces we may add over time.
  • The orientic.ca web properties and related marketing pages, including forms used to request a demo or contact us.

It applies to restaurant operators, group staff who use Dayfolio on their behalf, and visitors to our web properties. It does not cover third-party services that you separately connect to Dayfolio · those services have their own privacy policies.

2. Data we collect from operators

When you sign up for Dayfolio or interact with our web properties, we collect only what we need to run the service and talk to you about it.

  • Account data. Your name, work email, phone (optional), role, the restaurant or group you represent, and workspace configuration (locations, time zones, business-day cutoffs).
  • Billing data. The billing contact, billing address, tax ID where required, and the last four digits / brand of payment cards. Full card numbers are handled only by our payment processor and never touch our servers.
  • Usage telemetry. Log records of which features you used, when connectors ran, which briefings were opened, and technical signals like IP address and user agent. We use this to keep the product reliable and to investigate incidents.
  • Support and sales correspondence. Any notes, recordings, or transcripts that you explicitly share with us during onboarding, demos, or support.

3. Data we ingest on your behalf

The core of Dayfolio is a set of connectors that pull operational data from the systems you already run. You authorize each connector individually and we only ingest the scopes you explicitly grant. Depending on the connectors you turn on, this can include:

  • Sales transactions and POS exports · check-level detail, menu items, modifiers, discounts, voids, tips, and payment type.
  • Labor records · shifts, clock-ins, roles, wage rates, and schedule variance.
  • Inventory counts, recipes, purchase orders, waste logs, and vendor invoices.
  • Accounting ledgers · chart of accounts, journal entries, AP/AR, and period closes from your GL system.
  • Reservation, booking, and delivery metadata · covers, channel mix, prep time, and service-level signals. We do not seek or store guest payment details.

This data is yours. We treat it as confidential and use it only to run the service you asked for. See Section 4.

4. How we use your data

We use the data described above to:

  • Run the Dayfolio service and keep your workspace operational.
  • Generate and deliver the daily 6am briefing email.
  • Serve the MCP endpoint so agents you have authorized (such as Claude Cowork) can query your workspace on your behalf.
  • Generate scheduled reports and respond to ad-hoc report requests.
  • Improve the reliability of ingestion and normalization · we look at failure modes, schema drift, and reconciliation gaps so connectors keep working as your upstream systems evolve.
  • Communicate with you about service changes, security notices, and billing.

Your data is never used to train machine-learning or large language models · not ours, not our providers'. We contract with third-party model providers on terms that prohibit training on customer data and we do not opt you into any usage that changes that.

5. Third-party processors

We use a small, deliberate set of sub-processors to deliver the service. We list them by category rather than name so this policy does not go stale when we change vendors; the current vendor list is available on request at privacy@orientic.ca.

  • Cloud infrastructure. Compute, storage, and managed database hosted in North American regions.
  • Payment processing. A PCI-compliant payment processor that handles card details end-to-end; we receive only non-sensitive metadata.
  • Email delivery. Transactional email providers used to send the briefings and account messages.
  • Third-party model providers. Large language model providers contracted by Dayfolio to perform inference on your prompts and on the briefing content we generate. Their use of your data is restricted to providing the service; they are contractually prohibited from using it to train their models.
  • Error and performance monitoring. Tools that capture crash reports and slow-request traces so we can fix issues quickly.

6. Data retention

We retain the data we ingest on your behalf for as long as your workspace is active, plus a 30-day windback after termination to give you time to export or restore. After that windback, operational data is deleted from primary systems within 30 days and purged from backups within the following 90 days.

Certain records · invoices, tax documents, security logs · are retained longer where Canadian law, the laws of the province of Quebec, or other applicable law requires. In those cases we retain only the minimum fields necessary to satisfy the obligation.

7. Data location and cross-border transfers

Dayfolio stores and processes data primarily in Canada and the United States. Some third-party processors listed in Section 5 may handle data in other jurisdictions as part of their global infrastructure. When data crosses borders, we rely on contractual protections such as standard contractual clauses and the provider's own compliance programs to keep protection consistent with Canadian law.

8. Security practices

Security is a product feature, not a checklist. Our baseline practices include:

  • Encryption in transit (TLS 1.2 or higher) and at rest for all stored data.
  • Least-privilege access controls · production access is scoped to named engineers and requires separate authentication.
  • Audit logging of administrative actions and sensitive reads.
  • Connector scoping · each connector uses the narrowest set of OAuth scopes or API permissions required to ingest the data you asked for.
  • Incident response playbooks with notification timelines that meet or exceed the requirements of PIPEDA and Quebec's Law 25.

No system is immune from risk. If we learn of a security incident affecting your data, we will notify you without undue delay and share what we know, what we are doing, and what we recommend you do.

9. Your rights

You can exercise these rights by emailing privacy@orientic.ca. We respond within 30 days, or sooner where the law requires.

  • Access. Request a copy of the personal information we hold about you.
  • Correction. Ask us to correct information that is inaccurate or incomplete.
  • Deletion. Ask us to delete personal information, subject to the retention obligations described in Section 6.
  • Export. Request a machine-readable export of the data you have entrusted to us. See Section 13 of the Terms for the operator-level export path.
  • Complaint. If you are not satisfied with our response, you may lodge a complaint with the Office of the Privacy Commissioner of Canada or with your provincial regulator.

Quebec residents. Law 25 gives you additional rights, including the right to know when a decision that affects you is made solely through automated processing. Dayfolio does not make consequential decisions about individuals purely on the basis of automated processing.

EU / UK residents. Where GDPR or UK GDPR applies, you have the rights to access, rectification, erasure, restriction, portability, objection, and to withdraw consent. Our legal bases are the performance of our contract with you and our legitimate interests in operating and securing the service.

10. Cookies and analytics

We use first-party cookies to keep you signed in and to remember preferences. We do not set third-party advertising cookies and we do not sell personal information. If we introduce product analytics that rely on additional cookies, we will ask for your consent before they load.

11. Children

Dayfolio is a workplace tool and is not intended for individuals under 18. We do not knowingly collect personal information from children.

12. Changes to this policy

We will notify you at least 30 days before any change that materially affects how we handle your personal information. Non-material clarifications may be posted with an updated “Last updated” date.

13. Contact

Privacy questions, requests, and complaints can be sent to privacy@orientic.ca.

Orientic Institute Ltd.
15 Rue Jos-Montferrand
Gatineau, QC J8X 0C2
Canada