School Buddy

Privacy Policy

Effective: May 19, 2026

A note from the founder. I built School Buddy because I was drowning in school emails about my own kids. I know you're trusting me with your inbox, and I take that seriously. This policy is written in plain language so you can actually read it. If anything here isn't clear, email me at julie@theschoolbuddy.ai and I'll answer personally.

If you want the short version, read the What We Never Do page at theschoolbuddy.ai/promise. The legal version is below.

1. Who we are

School Buddy ("we," "us," or "the Service") is operated by Julie McLelland, a sole proprietor based in Houston, Texas. You can reach us at:

  • Email: julie@theschoolbuddy.ai
  • Address: Available on request to verified subscribers (we are a small operation; we do not publish a residential address)

We are the data controller for the personal information described in this policy.

2. What this Service does

School Buddy connects to your Gmail account with your permission, scans your incoming emails for school-related content, sends you a weekly digest by SMS or WhatsApp, and (optionally) creates Google Calendar events for dates and deadlines we find in those emails. That is the entire purpose of the Service.

3. Information we collect

We collect only what we need to deliver the Service. Specifically:

Information you give us:

  • Your name and email address (to identify your account).
  • Your mobile phone number (to deliver the SMS or WhatsApp digest).
  • Your timezone and preferred digest day and time.
  • Your payment information, processed by Stripe โ€” we never see or store your card details ourselves.

Information we access via Google with your permission:

  • The content of your Gmail messages, accessed under the gmail.readonly OAuth scope. We do not read sent mail, drafts, or any folder you keep private โ€” we read the inbox the way Gmail itself presents it.
  • Your Google Calendar, accessed under the https://www.googleapis.com/auth/calendar.events scope, only to create new events that you have approved. We do not read, modify, or delete events we did not create.

Information we collect automatically:

  • Basic technical logs (IP address, browser type, request timestamps) for security and debugging. Retained 30 days.
  • Audit records of every Gmail read we perform on your behalf โ€” visible to you in your dashboard.

We do not use cookies for advertising or tracking. We use a single session cookie for keeping you signed in.

4. How we use your information

We use your information only to:

  1. Authenticate you and operate your account.
  2. Read your Gmail to identify school-related messages.
  3. Extract events, deadlines, and announcements from those messages using AI (see Section 6).
  4. Send you the weekly digest by SMS or WhatsApp.
  5. Create Google Calendar events you have asked us to create.
  6. Charge your subscription via Stripe.
  7. Send you essential service emails (receipts, security notices, major changes to this policy). You cannot opt out of these because they are required for the Service to function โ€” but they are infrequent.

We do not use your information for advertising. We do not sell or rent your information to anyone, ever. We do not use the content of your emails to train AI models.

5. Legal basis for processing

We process your information based on:

  • Your consent, granted when you connect your Gmail account.
  • Performance of a contract, where processing is necessary to deliver the Service you have paid for.
  • Legitimate interest, for security logging and abuse prevention.

You can withdraw your consent at any time by disconnecting your Gmail account or deleting your account from your dashboard.

6. AI processing

To extract events and deadlines from your email, we send the relevant portion of each school email to Anthropic, the maker of the Claude AI model. Specifically:

  • We send only the parts of the email body needed for extraction. Attachments are never sent.
  • Before sending, we run a pattern-based redaction pass that removes any visible Social Security numbers, full credit card numbers, and bank account numbers.
  • Anthropic's API terms prohibit them from training on this data. They retain it for at most 30 days for abuse monitoring and then delete it.
  • We never send sender names, recipient names, or your personal identifiers to the AI unless they are part of the email body itself.

7. Who we share information with

We share information only with the following service providers, and only as needed to operate the Service:

ProviderWhat they receiveWhy
GoogleOAuth tokens issued back to GoogleTo read Gmail and write to Calendar with your permission
Anthropic (Claude AI)Excerpts of school emails for extractionTo identify events, dates, and action items
TwilioYour phone number and digest textTo deliver SMS / WhatsApp
StripeYour name, email, payment methodTo process the subscription
Supabase (database hosting)All account and email data, encryptedTo store your account
Vercel (web hosting)Web traffic and account dataTo run our website and app
CloudflareWeb traffic metadataDNS, CDN, security
SentryError logs (no email content)To find and fix bugs
Backblaze B2Encrypted backupsDisaster recovery

We do not share your information with anyone else. We do not sell or rent it. We do not participate in advertising data exchanges.

If we are ever compelled to disclose information by a valid legal order, we will notify you unless legally prohibited from doing so.

8. How long we keep your information

  • Raw email content: at most 30 days. We extract what we need (events, action items) and discard the original.
  • Extracted events, action items, and digest history: kept while your account is active so you can review past digests.
  • Account details (name, email, phone): kept while your account is active.
  • OAuth tokens: kept while your account is active. Encrypted at rest.
  • Audit logs: 90 days.
  • Backups: 30-day rolling retention.

When you delete your account, we delete everything within 30 days, except limited records we are required to keep for tax or fraud-prevention purposes.

9. Your rights

Regardless of where you live, you have the right to:

  • Access the information we hold about you. Email us and we will send you an export within 30 days.
  • Correct information that is wrong. Most fields you can edit yourself in your dashboard.
  • Delete your account and all associated data. You can do this from your dashboard with one click, or by emailing us.
  • Export your data in a portable format (JSON).
  • Revoke Google access at any time at myaccount.google.com/permissions. Doing so will stop the Service from functioning, but will not automatically cancel your subscription โ€” please cancel separately from your dashboard.

If you live in California, you also have the rights described in the California Consumer Privacy Act (CCPA), including the right to know, delete, correct, and opt out of "sale" of personal information. We do not sell your information. To exercise these rights, email us.

If you live in the EU, UK, or EEA, you have the rights described in the GDPR, including the right to lodge a complaint with your local supervisory authority. Our service is not currently directed at users in these regions, but if you choose to use it from one of them, these rights apply.

10. Security

We protect your data with:

  • TLS encryption in transit for everything.
  • Encryption at rest for all OAuth tokens (column-level encryption using a server-side key).
  • Encrypted nightly database backups.
  • Strict access controls โ€” only the founder has production database access.
  • Two-factor authentication on every administrative account.
  • Regular review of access logs and an audit log of every Gmail read.

No system is perfectly secure. If a security incident affects your data, we will notify you by email within 72 hours of discovering it, along with what we know about the incident and what you should do.

11. Children's privacy

School Buddy is for parents and guardians of school-age children. The Service is not directed at children, and we do not knowingly collect information from anyone under 13. Inevitably, school emails contain information about children โ€” that information is processed solely to deliver the digest to the parent, and is subject to the same retention and security rules as all other data. If you believe we have collected information from a child contrary to this policy, email us and we will delete it immediately.

12. International transfers

Our infrastructure is hosted in the United States. If you access the Service from outside the US, your information will be transferred to and processed in the US.

13. Changes to this policy

If we make material changes to this policy, we will email you at least 14 days before the changes take effect. Minor changes (typos, clarifications) we will post here and update the effective date.

14. Contact

For any privacy question, request, or complaint:

We will acknowledge within 5 business days and respond fully within 30 days.

This document was last reviewed on May 19, 2026.