Skip to content
skeddiSign in

Legal

Privacy Policy

Effective date: May 14, 2026

This Privacy Policy explains how skeddi ("we," "us," or "our") collects, uses, stores, and shares information when you use the skeddi web application, iOS application, and related services (collectively, the "Service"). By accessing or using the Service, you agree to the practices described in this policy.

1. Information We Collect

1.1 Account Information

When you create an account, we collect the following information through Google Sign-In for your school account:

  • Email address
  • Display name
  • Profile photo URL (if provided by your identity provider)
  • Account role (teacher or student)
  • School affiliation

1.2 Service Usage Data

As you use skeddi, we collect information that you provide directly:

  • Help slots you create (including date, time, location, subject, and notes)
  • Slot sign-ups and attendance records
  • Teacher follow preferences
  • Notification preferences and read/unread status

1.3 Device Information

If you enable push notifications in the iOS app, we collect a device push token from Apple Push Notification service (APNs). This token is used solely to deliver notifications you have opted into.

1.4 Automatically Collected Information

Our hosting infrastructure automatically receives standard technical information when you access the Service, including your IP address, browser type, operating system, referring URL, and access timestamps. This information is processed by our hosting providers (described in Section 4) as part of normal web operations. We do not use third-party analytics or tracking tools.

2. How We Use Your Information

We use your information for the following purposes:

  • To authenticate you and maintain your account
  • To display help slots to students and associate them with teachers
  • To show students which teachers are available and when
  • To send notifications you have opted into (such as new slot postings from teachers you follow)
  • To process account deletion requests
  • To maintain the security and integrity of the Service
  • To comply with legal obligations

We do not sell, rent, or trade your personal information to third parties. We do not use your data for advertising. We do not build user profiles for marketing purposes.

3. Legal Basis for Processing

We process your personal information based on the following legal grounds:

  • Contract performance: Processing necessary to provide the Service you have signed up for, including account management and core scheduling features.
  • Consent: Processing that requires your opt-in, such as push notifications. You may withdraw consent at any time.
  • Legitimate interest: Processing necessary for security monitoring, fraud prevention, and service improvement, balanced against your privacy rights.
  • Legal obligation: Processing required to comply with applicable laws.

4. Service Providers and Data Sharing

We share your information with the following categories of service providers, strictly as needed to operate the Service:

4.1 Infrastructure Providers

  • Supabase (database hosting): Stores user accounts, profiles, help slots, sign-ups, notifications, and all application data in a hosted PostgreSQL database. Data is encrypted at rest and in transit.
  • Vercel (web hosting): Hosts and serves the web application. Receives standard HTTP request data (IP address, headers) as part of normal web serving operations.

4.2 Authentication Providers

  • Google(OAuth): If you sign in with Google, your authentication is handled through Google's OAuth 2.0 protocol. We receive your email address, display name, and profile photo URL. We do not receive or store your Google password.

4.3 Notification Providers

  • Apple Push Notification service (APNs): Device tokens are shared with Apple solely to deliver iOS push notifications. Apple does not have access to notification content beyond what is included in the push payload.

4.4 Google API Services User Data (Google Calendar Integration)

Connecting Google Calendar is optional and disabled by default. When a teacher or student explicitly clicks Connect Google Calendar in Settings, skeddi requests the https://www.googleapis.com/auth/calendar.events OAuth scope. This subsection describes exactly how that integration handles your Google data.

What we access. Only the events skeddi itself creates on your primary Google Calendar. We do not read any other events on your calendar, do not read your other calendars, do not modify calendar sharing, ACLs, or settings, and do not access any other Google product.

What we do with that access. For teachers, every help slot you publish in skeddi is mirrored as a Google Calendar event so it appears alongside your other meetings. Edits to a slot patch the corresponding event; deletes remove it. For students, signing up to a slot creates a Google Calendar event on your calendar so the session shows up next to your classes; cancelling a sign-up removes it. The event title, time, location, and signup count are mirrored from skeddi.

What we store. Your Google OAuth refresh token, the most recent access token, the expiry timestamp, the calendar ID (defaults to primary), and the Google event ID for each event we created. Tokens are stored in our Supabase database with row-level security so only the corresponding user can read them.

How long we keep it. Until you click Disconnect in Settings or delete your skeddi account. On disconnect, we delete every Google Calendar event skeddi previously created for you, wipe the stored refresh and access tokens from our database, and revoke the OAuth grant at Google.

How to revoke. Either click Disconnect on the Google Calendar card in Settings, or revoke the skeddi grant directly at myaccount.google.com/permissions.

Limited Use disclosure.skeddi's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not sell Google user data; we do not use it for serving advertisements; we do not use it to train AI/ML models; and no humans read your Google user data except (a) with your explicit consent, (b) for security purposes (e.g. investigating abuse), (c) to comply with applicable law, or (d) when the data has been aggregated and anonymized and is used for internal operations.

We do not share your personal information with any other third parties. We do not use advertising networks, data brokers, or social media tracking pixels.

5. Cookies and Local Storage

skeddi uses secure, HTTP-only cookies for authentication session management. These cookies are essential for the Service to function and cannot be disabled while using skeddi. We do not use advertising cookies, tracking cookies, or any non-essential cookies.

We may use browser local storage to save user interface preferences (such as theme selection). This data stays on your device and is not transmitted to our servers.

6. Data Retention

We retain your account information and associated data for as long as your account is active. If you delete your account (see Section 7), we permanently delete the following data:

  • Your profile (name, email, role, school affiliation)
  • Help slots you created
  • Your slot sign-ups
  • Your teacher follow preferences
  • Your notifications
  • Your device push tokens
  • Your authentication account

Deletion is performed immediately upon request. Backup copies held by our infrastructure providers may persist for up to 30 days before being automatically purged according to their retention policies.

7. Your Rights and Controls

You have the following rights regarding your personal information:

7.1 Access and Portability

You may request a copy of all personal data we hold about you. Contact us at the email address listed in Section 12 to submit a data access request. We will respond within 30 days.

7.2 Correction

You can update your display name and profile information through the Settings page. For corrections to other data, contact us at the email address below.

7.3 Deletion

You may delete your account at any time through the Settings page or by contacting us. Account deletion is permanent and removes all data described in Section 6. This action cannot be undone.

7.4 Withdraw Consent

You can disable push notifications at any time by revoking notification permissions on your device or through your device settings.

7.5 Sign Out

You can sign out of the Service at any time from the Settings page or the sidebar navigation. Signing out clears your authentication session.

8. Data Security

We implement the following security measures to protect your information:

  • All data in transit is encrypted using TLS (HTTPS)
  • Database data is encrypted at rest
  • Authentication tokens are stored in secure, HTTP-only cookies that are inaccessible to client-side JavaScript
  • Account deletion cascades through all related data tables to ensure complete removal
  • Administrative access requires separate authentication

While we take reasonable steps to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security.

9. Children's Privacy

skeddi is designed for use in schools by students and teachers. We recognize that some users may be under the age of 18.

Children under the age of 13 may only use skeddi if their school has authorized the use of the Service and has obtained any required parental consent in accordance with the Children's Online Privacy Protection Act (COPPA) and applicable state laws. We rely on schools to provide appropriate notice and obtain consent from parents or guardians before allowing children under 13 to use the Service.

We do not knowingly collect personal information from children under 13 without school authorization. If you believe a child under 13 has provided us with personal information without proper authorization, please contact us immediately and we will take steps to delete that information.

For users between 13 and 18, schools may choose to authorize use of the Service without additional parental consent, consistent with applicable law.

10. International Data Transfers

Our service providers (Supabase, Vercel, Google) may process data in the United States and other countries. By using the Service, you consent to the transfer of your information to countries that may have different data protection laws than your country of residence.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the "Effective date" at the top of this page. If we make material changes that significantly affect how we handle your personal information, we will notify you through the Service before the changes take effect.

Your continued use of the Service after changes are posted constitutes your acceptance of the updated Privacy Policy. If you do not agree to the changes, you should stop using the Service and delete your account.

12. Contact Us

If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about how your information is handled, please contact us at:

chrakeoverwatch@gmail.com

We will respond to all privacy-related inquiries within 30 days.