Your Granola API key grants access to your meeting notes — here's exactly how we protect it.
How your API key is protected
Never stored on our servers
Your API key is never saved in any database. It's encrypted and returned to your browser — we don't keep a copy.
Encrypted at rest
Your key is encrypted with AES-256-GCM using a server-side secret before being stored in your browser's local storage. The encrypted value is meaningless without our server.
Bound to your account
The encrypted key is tied to your specific Daylight account. Even if someone obtained the encrypted value, they couldn't use it with a different account.
No mass exposure risk
Because keys live in each user's browser, a server breach can't leak everyone's keys at once — unlike traditional server-side storage.
Decrypted only in transit
Your key is only decrypted momentarily on our server to fetch your Granola data, then immediately discarded. It's never logged or persisted.
What we store
Your email address (for authentication)
Meeting metadata — titles, dates, and attendees
Tasks you create or that are extracted by AI
What we never store
Your Granola API key — encrypted in your browser only
Meeting summaries — accessed in real time, never persisted
Meeting transcripts — never accessed or stored
Infrastructure
Daylight runs on the following services:
Convex — database and backend infrastructure
Vercel — frontend hosting and serverless functions
Cloudflare — DNS, CDN, and DDoS protection
Groq — AI inference for task extraction (content is processed but not stored by us)
Data deletion
You can delete all your data at any time from the Settings page. This permanently removes your tasks, cached meeting metadata, and account. Your locally stored encrypted API key is also cleared.
Questions?
If you have security concerns or questions, reach out at hey@daylight.am.