What StudyFlow collects, and what we don’t.

StudyFlow stores your account (email + password) and the workspace you create — assignments, exams, classes, notes. If you connect Google Classroom, we use a read-only Google API to pull in your active courses and their assignments. If you use the AI study assistant, your messages and a small workspace summary are sent to OpenAI to generate the reply. We don’t run ads, we don’t sell anything to anyone, and we don’t use any of this data to train AI models.

StudyFlow is operated by an independent developer. If you have privacy questions or want your data deleted, email hello@usestudyflow.com and you’ll get a real reply.

Account

When you create an account we store your email and a bcrypt hash of your password (never the password itself), plus an optional display name you give us. That’s used to sign you in and to label your account inside the app.

Workspace

Everything you type into StudyFlow — assignments, exams, classes, notes, settings — is stored against your account so it syncs across devices when you sign in. If you use StudyFlow without an account (guest mode), that workspace lives only in your browser’s local storage; we never see it on the server.

Sessions and cookies

Signing in sets a small HttpOnly session cookie so you stay signed in. Connecting Google Classroom sets a second HttpOnly cookie holding an encrypted Google refresh token (more on that below), and a non-sensitive gc_connected flag the UI reads to show your connection state. We don’t use analytics or advertising cookies.

Operational logs

Our hosting provider (Vercel) records standard server logs — IP, request path, timing, errors — for short-term operational purposes. We don’t cross-reference these with your account for any non-operational reason.

When you click Connect Google Classroom, you’ll be sent through Google’s OAuth consent screen. We ask only for the two minimum read-only scopes we need:

• https://www.googleapis.com/auth/classroom.courses.readonly
• https://www.googleapis.com/auth/classroom.coursework.me.readonly

These let us see the names of your active courses and the titles, descriptions, and due dates of the coursework you’re assigned. We’ll never request access to grades, submissions, announcements, calendar, classroom rosters, or anything you write or submit.

After you grant access, Google returns a refresh token to our server. We encrypt that token with AES-256-GCM and store it in an HttpOnly cookie scoped to your browser. The token is never exposed to JavaScript and never written to localStorage. When you press Sync, our server uses that refresh token to request a short-lived access token, fetches your courses and coursework, hands the imported items to your StudyFlow workspace, and discards the access token. We don’t store a copy of your courses or assignments outside your workspace.

Limited Use disclosure. StudyFlow’s use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to serve advertisements; we do not transfer Google user data to third parties except as needed to provide or improve user-facing features that are prominent in the requesting application’s user interface; we do not allow humans to read Google user data unless we have your specific consent, it’s required for security, or it’s required by law; and we do not use Google user data to develop, improve, or train generalized AI models.

You can disconnect Google Classroom from inside StudyFlow at any time (Settings → Synced Accounts → Disconnect), which deletes both Google cookies on your device. To fully revoke StudyFlow’s access on Google’s side, visit myaccount.google.com/permissions.

If you open the AI assistant, your messages — along with a compact, AI-only summary of your workspace (class names, assignment and exam titles, due dates, short snippets of any recent notes) — are sent to OpenAI’s API to generate the reply. That context is what lets the assistant suggest things like “Practice for your Calculus midterm” instead of generic chips.

Per OpenAI’s API policies, data submitted through their API is not used to train OpenAI models. We don’t store AI conversations on our server — your message thread lives only in your browser tab during that session.

If you’d rather not send workspace content to a third-party model, you can simply not use the AI feature. Nothing else in StudyFlow depends on it.

• We don’t sell, rent, or trade your data.
• We don’t use Google user data for advertising.
• We don’t train AI models on your data, and our AI provider doesn’t either.
• We don’t use third-party analytics, ad networks, or cross-site tracking pixels.
• We don’t access Google Classroom submissions, grades, rosters, calendar entries, or announcements.
• We don’t store your plaintext password anywhere — only a one-way bcrypt hash.

Your workspace and account stay until you delete them. The Google session cookie is set to expire after 90 days; using the Sync button extends it. Temporary OAuth state cookies expire after five minutes. Server logs roll off on the standard Vercel retention schedule.

You can sign out, disconnect Google Classroom, edit or delete any item in your workspace, or delete your account entirely. To request a copy of your data or a full deletion of your account, email hello@usestudyflow.com and we’ll handle it.

If you live somewhere with a specific privacy framework — GDPR in the EU/UK, CCPA in California, or similar — those rights apply. Use the same email and we’ll honor them.

StudyFlow is intended for high school and college students. If you’re under 13, please don’t create an account without a parent or guardian. If we learn we have data from a child under 13 without verified consent, we’ll delete it.

If we change anything material here, we’ll update the “last updated” date at the top of this page and, if you have an account, send a heads-up email before the change takes effect.

Questions, deletion requests, or anything else: hello@usestudyflow.com.

← Back to StudyFlow