Last updated: April 2026
When you sign in with Google, we receive your name, email, profile picture, and OAuth tokens for Google Calendar (read/write). If you connect RMIT Canvas, we store your Canvas API token. If you subscribe, Stripe stores your payment details (we never see or store your card number). All tokens are encrypted at rest using AES-256-GCM.
Your Google Calendar events and Canvas data (assignments, quizzes, announcements, key dates) are fetched to render your schedule and, if you explicitly ask, to generate AI briefings, nudges, and plans. AI processing uses the Anthropic Claude API — the relevant context slice is sent to Anthropic and is subject to their data usage policy. We do not sell, share, or use your data for advertising.
All data is stored in Supabase (PostgreSQL) hosted in a secure cloud region. Google OAuth tokens and Canvas API tokens are encrypted with AES-256-GCM before storage. The encryption key is a server-side environment variable and never exposed to clients. Payment details are held by Stripe and never touch our servers.
We use: Google OAuth for authentication; Google Calendar API for calendar data; Anthropic Claude API for AI processing; Stripe for payments; Supabase for database + storage; Vercel for hosting. Each service has its own privacy policy governing the data they receive.
Your data is retained while your account is active. Cached data (calendar, Canvas) is refreshed regularly and old caches overwritten. AI interaction logs are kept for 30 days. When you delete your account, all data is wiped within 24 hours.
You can view all data we hold, export your task history, delete your account and all associated data permanently, revoke Google access from your Google Account settings, and disable push notifications. Under the Australian Privacy Act 1988 and GDPR (if applicable), you have the right to access, correct, and delete your personal information.
You can delete your account from Settings → Delete account. This permanently removes all your data from our database, including tokens, settings, cached data, plans, and interaction history. Your Stripe subscription is also cancelled.
We use a secure HTTP-only session cookie for authentication (managed by NextAuth.js), plus small preference cookies for theme + density. We do not use tracking cookies, third-party analytics cookies, or advertising cookies.
For privacy inquiries, contact us at hello@mrgren.store.