Privacy Policy

Due Gooder Inc.

Version: v1.0

Effective Date: May 22, 2026

Last Updated: May 22, 2026

This Privacy Policy explains how Due Gooder Inc. ("Due Gooder," "we," "us," or "our") collects, uses, shares, and protects information about you when you use duegooder.com, our mobile applications, and related services (collectively, the "Service"). It also explains the choices you have about your information and how to contact us.

By using the Service, you agree to the practices described in this Policy. If you do not agree, please do not use the Service.

Contents

  1. Who We Are

  2. Scope of This Policy

  3. Information We Collect

  4. How We Use Information

  5. Legal Bases for Processing

  6. How We Share Information

  7. Subprocessors

  8. AI Features and Your Data

  9. Cookies and Similar Technologies

  10. International Data Transfers

  11. Data Retention

  12. Security

  13. Your Rights and Choices

  14. Children's Privacy

  15. Institutional Use and FERPA

  16. California Residents (CCPA / CPRA)

  17. European and UK Residents (GDPR / UK GDPR)

  18. Other US State Privacy Laws

  19. Changes to This Policy

  20. How to Contact Us

1. Who We Are

Due Gooder Inc. is a Delaware corporation headquartered in Louisville, Kentucky. Due Gooder operates duegooder.com and the Due Gooder mobile applications — a study-planning and AI-tutoring platform for college students. For privacy-related questions, contact us at nate@duegooder.com.

2. Scope of This Policy

This Policy applies to information we collect through the Service. It does not apply to:

  • Third-party websites, applications, or services that the Service links to or integrates with. Those services are governed by their own privacy policies (see Section 7 for our subprocessors).

  • Information you provide to your institution, employer, or any third party outside the Service.

  • Information collected by your device, browser, or operating system independently of the Service.

3. Information We Collect

We collect information that you provide directly, information we receive automatically when you use the Service, and information we receive from third parties at your direction.

3.1 Information You Provide

  • Account information: name, email address, profile image, and account preferences (timezone, theme, notification settings) collected when you sign up or update your profile.

  • Onboarding information: school, major, graduation year, how you heard about us — collected during onboarding to personalize your experience.

  • Course and assignment information: course names, instructor names, office hours, attendance and late-work policies, course descriptions, required materials, and assignments — provided either directly by you, extracted from a syllabus you upload, or synced from your LMS (Canvas, Blackboard, D2L, Moodle, Sakai) via iCal feed or LMS API at your direction.

  • Study materials: PDFs, slides, notes, and other study-related files you upload to your Locker.

  • Brain dump entries: audio recordings or text you submit for AI-assisted timeblock extraction.

  • Conversations with Duey, our AI assistant: the text of your messages and the AI responses.

  • Support and contact communications: messages you send to nate@duegooder.com, in-app support tickets, and form submissions.

  • Push notification tokens: when you enable mobile push notifications.

3.2 Information Collected Automatically

  • Usage information: pages and screens viewed, features used, actions taken, time spent — collected via PostHog analytics to help us improve the Service.

  • Device information: device type, operating system, browser type and version, language preference, and approximate location inferred from IP address.

  • Log information: IP address, request timestamps, referrer URLs, and response codes — collected via Vercel platform logs.

  • Error information: error events including stack traces, captured by Sentry. Sensitive user content is not intentionally captured by error events.

  • Last-seen timestamp: when you last accessed the Service.

  • Cookies: see Section 9.

3.3 Information from Third Parties at Your Direction

  • Identity provider data: when you sign in with Google or Microsoft Entra ID, we receive your email address, name, profile image, and account identifier from that provider.

  • Calendar data: when you connect Google Calendar or Microsoft Outlook, we read event metadata (title, time, attendees as text) to schedule study blocks; we write study blocks back to your calendar only when you confirm.

  • LMS data: when you connect a Learning Management System, we read course and assignment metadata via iCal feed or LMS API.

  • Referral information: when you arrive via a referral link, we receive the referral identifier (Dub click ID) for attribution.

  • Payment information: when you subscribe, our payment processors (Stripe, PayPal, DodoPayments, Apple In-App Purchase) handle your payment details directly; we receive only a tokenized customer/payment reference and billing metadata.

3.4 AI-Derived Content

When you use AI features, we generate derived content — flashcards, practice tests, proposed study blocks, syllabus extractions, semantic search indexes — from materials you provide. This derived content is owned by you and stored alongside your other account data. See Section 8 for additional detail on how AI processes your information.

3.5 What We Do Not Collect

We do not collect: payment card numbers (handled by our PCI-DSS-certified payment processors); Social Security numbers or other government identifiers; biometric identifiers; precise geolocation (we do not invoke geolocation APIs); protected health information; or information about your race, ethnicity, religion, political views, sexual orientation, or other sensitive attributes (unless you voluntarily include such information in content you upload — we do not request it).

4. How We Use Information

We use the information we collect to:

  • Provide, maintain, and operate the Service, including organizing your assignments, generating study schedules, and storing your study materials.

  • Authenticate you to your account and maintain your session.

  • Generate AI-powered study aids you request (flashcards, practice tests, study-block suggestions, semantic search) — see Section 8.

  • Send transactional emails (account confirmations, magic-link sign-in, password-reset notifications, billing receipts, support responses, breach notifications) via Resend.

  • Send optional email notifications and engagement messages, where you have not opted out (account settings).

  • Process payments and manage subscriptions via Stripe, PayPal, DodoPayments, or Apple IAP.

  • Improve the Service by analyzing aggregate usage patterns via PostHog.

  • Diagnose, debug, and fix errors via Sentry.

  • Prevent fraud, abuse, and security incidents.

  • Comply with our legal obligations (e.g., responding to lawful requests from authorities, complying with breach-notification laws).

  • Enforce our Terms of Service.

We do not sell your personal information. We do not use your information for behavioral advertising or share it with advertising networks.

5. Legal Bases for Processing (where applicable)

If you are located in the European Economic Area, the United Kingdom, or another jurisdiction that requires a legal basis for processing personal data, we rely on the following bases:

  • Performance of a contract: most of our processing is necessary to provide the Service you have requested under our Terms of Service.

  • Consent: where required, including for certain marketing communications and certain integrations (calendar, LMS).

  • Legitimate interests: to operate, maintain, secure, and improve the Service, prevent fraud, and communicate with you about your account — provided your rights and interests do not override these interests.

  • Legal obligation: where we must process information to comply with applicable law.

You may withdraw consent at any time where consent is the legal basis (see Section 13).

6. How We Share Information

We share information only as described in this Policy. We do not sell your personal information.

6.1 With Subprocessors

We share information with the third-party vendors that help us operate the Service. See Section 7 for the current list. Each subprocessor processes information only as needed to provide its service to us and is contractually bound to data-protection obligations.

6.2 With Your Institution (if applicable)

If you use the Service under an agreement between Due Gooder and your educational institution, we may share information with that institution as described in our agreement with them and consistent with FERPA (see Section 15).

6.3 With Your Direction

We share information at your direction — for example, writing study blocks back to your Google Calendar or Outlook calendar, generating output you can share with others, or invoking integrations you have connected.

6.4 For Legal Reasons

We may disclose information if required by law (subpoena, court order, regulatory request), if necessary to protect our rights or property, to investigate fraud, or to protect the safety of our users or the public. Where lawful and practical, we will notify you of any such disclosure.

6.5 Business Transfers

If Due Gooder is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. In such case, the recipient will be bound by privacy commitments at least as protective as those in this Policy, or we will provide you with notice and the opportunity to delete your account before the transfer is effective.

7. Subprocessors

Due Gooder uses the following third-party services to operate the Service. Each maintains its own privacy practices and security commitments (SOC 2 Type II, ISO 27001, or equivalent unless noted).

| Subprocessor | Function | Data Processed | Location |
|---|---|---|---|
| Vercel | Application hosting + edge platform | Account data, request logs (incl. IP) | US |
| Neon | Postgres database | All account and content data | US (us-east-1) |
| Google Cloud Platform | Object storage (GCS), AI inference (Gemini) | Uploaded files; AI prompt content | US |
| Pinecone | Vector database for semantic search | Embeddings of uploaded materials | US |
| Resend | Transactional email delivery | Email address, email content | US |
| Doppler | Secrets management | Operational credentials only (no user data) | US |
| Inngest | Background job queue | Job metadata referencing user IDs | US |
| Sentry | Error monitoring | Error events with incidental user context | US |
| PostHog | Product analytics | Usage events, page views, feature use | US/EU (US selected) |
| Stripe / PayPal / DodoPayments / Apple | Payment processing | Email, billing metadata, tokenized payment reference (no card numbers) | US (varies) |
| Google Identity / Microsoft Entra ID | OAuth identity providers | Identity claims at sign-in | US |
| GitHub | Source code hosting | No user data (code only) | US |

Our current subprocessor list is maintained in our internal Third-Party Risk Management Policy and is made available to institutional customers on request. We notify institutional customers of material subprocessor changes in advance of going live with the new subprocessor.

8. AI Features and Your Data

Due Gooder uses Google Gemini, accessed via Google's paid Generative AI API, to power five user-facing AI features:

  • Syllabus extraction — parses an uploaded syllabus into structured course information and assignments.

  • AI study-block generation — proposes study time blocks around your calendar.

  • Adaptive flashcards — generates flashcards from uploaded study materials.

  • Practice tests — generates practice questions from uploaded materials.

  • Semantic note search — generates vector embeddings (stored in Pinecone) for natural-language search of your notes.

Important commitments about how AI processes your content:

  • Customer content sent to Gemini via the paid API is NOT used to train Google's foundation models. Google retains prompts and responses briefly (typically up to 30 days) for abuse-monitoring purposes, then deletes them.

  • Due Gooder does not train, fine-tune, or otherwise modify any AI model on customer data. We use Gemini at inference time only.

  • Only the content needed for the requested feature is sent to Gemini. We do not include unrelated personal data.

  • Cross-user content is never combined in a single AI request.

  • AI-generated output is labeled in the user interface as AI-generated. AI is provided as a study aid; it does not make grading, advising, admissions, or other high-stakes decisions.

  • AI features can be functionally avoided today by choosing not to invoke them (e.g., importing assignments via LMS sync instead of uploading a syllabus). An explicit per-user toggle to disable AI is on our roadmap.

9. Cookies and Similar Technologies

We use cookies and similar technologies to operate the Service and analyze usage. The main categories of cookies we use:

  • Strictly necessary cookies — session tokens (set by NextAuth) to keep you signed in; CSRF protection tokens; referral attribution cookies (30-day expiry).

  • Functional cookies — preferences such as your selected theme.

  • Analytics cookies — PostHog analytics for understanding aggregate usage. Where required by law, we present a cookie banner with an option to decline analytics cookies.

Most browsers allow you to control cookies through their settings. Blocking strictly-necessary cookies will impair Service functionality.

10. International Data Transfers

Due Gooder's production infrastructure is located in the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States and other jurisdictions where our subprocessors operate.

Where required by law (e.g., for European or UK residents), such transfers are governed by Standard Contractual Clauses or other appropriate transfer mechanisms with our subprocessors.

Institutional customers with specific regional data-residency requirements should contact us; our infrastructure providers offer regional deployment options that we can arrange in an institutional engagement.

11. Data Retention

We retain information for as long as needed to provide the Service and as required by applicable law. Specifically:

| Category | Retention |
|---|---|
| Active account data | While your account is active. |
| Account data after deletion request | Deleted from production systems within 30 days; backups expire on natural schedule (typically within 35 days). |
| Subscription and billing records | Retained as required by applicable tax and accounting laws (typically 7 years), maintained by our payment processors. |
| Email send log | Up to 12 months for deliverability and analytics purposes. |
| Application logs (Vercel) | Per Vercel's published retention policy. |
| Error events (Sentry) | Per Sentry project default retention. |
| Analytics events (PostHog) | Retained at aggregate / pseudonymous level; identifiable events removed on account deletion. |
| Provider audit logs | Per each provider's retention. |

Backups are subject to provider-managed retention (Neon point-in-time recovery typically 30 days; GCS object versioning per configured lifecycle). Backup data is overwritten on its natural schedule rather than selectively purged.

12. Security

We implement administrative, technical, and physical safeguards designed to protect your information. Key measures include:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256) across all data tiers.

  • Multi-factor authentication required on all administrative accounts.

  • Secrets managed via Doppler with audit logging.

  • Least-privilege access controls; production-data access restricted to named staff.

  • Vercel-edge web application firewall and DDoS protection.

  • Pull-request review and branch protection on all code changes.

  • Dependency vulnerability scanning via GitHub Dependabot; AI-assisted code review via CodeRabbit.

  • Documented Incident Response Plan, Business Continuity Plan, and Disaster Recovery Plan.

  • Annual responsible-AI and secure-coding training for all engineering staff and contractors.

Despite these measures, no system is completely secure. If we learn of a security incident affecting your information, we will notify you in accordance with applicable law and our contractual commitments — within 72 hours of confirmation, where feasible.

13. Your Rights and Choices

You have the following rights with respect to your information. To exercise any of these rights, see Section 20 for how to contact us.

13.1 All Users

  • Access: you can view most of your information in your account settings.

  • Correction: you can update your account information in your account settings.

  • Deletion: you can delete your account at any time via Settings → Delete Account. We delete your account data from production systems within 30 days. Backups expire on their natural schedule.

  • Email preferences: you can unsubscribe from optional emails via the link in any email or via Settings → Notifications.

  • Push notification opt-out: in mobile-app settings.

  • Data export: contact nate@duegooder.com to request a structured export of your data. We aim to fulfill within 30 days. (An in-app self-service export tool is on our roadmap.)

  • Object to processing: if you are in a jurisdiction that recognizes this right, you may object to certain processing of your information.

13.2 Authentication and Integration Controls

  • Disconnect a connected calendar or LMS at any time in account settings. Disconnecting stops further reads; previously-retrieved metadata is removed per the deletion procedure if you also delete your account.

  • Revoke OAuth grants at the identity provider (Google or Microsoft) at any time.

14. Children's Privacy

Due Gooder is intended for college and university students. The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If we learn that we have collected information from a child under 13 without verifiable parental consent, we will delete it.

For users between 13 and the age of majority in their jurisdiction, we recommend parental or guardian awareness of use of the Service.

15. Institutional Use and FERPA

When Due Gooder is used under a contract with a US educational institution, we act as a "School Official" with a legitimate educational interest under the Family Educational Rights and Privacy Act, 34 CFR §99.31(a)(1)(i)(B). In that capacity:

  • We process student data only as authorized by, and under the direct control of, the contracting institution.

  • We do not sell or further disclose student education records without institutional authorization.

  • We do not use student data for marketing.

  • We do not use student data to train shared or foundation AI models (see Section 8).

  • We delete or return institutional and student data at contract termination per the engagement agreement and Section 11.

Students may exercise their FERPA rights through their institution. Institutional inquiries should be directed to nate@duegooder.com.

16. California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to know what personal information we collect, use, and share.

  • Right to delete personal information we have collected from you, subject to certain exceptions.

  • Right to correct inaccurate personal information.

  • Right to portability — to receive your personal information in a portable format.

  • Right to opt out of sale or sharing — we do not sell or share your personal information for cross-context behavioral advertising.

  • Right to limit use of sensitive personal information — we do not collect sensitive personal information for purposes that would trigger this right.

  • Right to non-discrimination for exercising your rights.

To exercise these rights, contact nate@duegooder.com. We may need to verify your identity before fulfilling certain requests. You may also designate an authorized agent to make a request on your behalf, subject to verification.

Due Gooder is a "service provider" under the CCPA when handling institutional student data and operates under the limitations applicable to service providers.

17. European and UK Residents (GDPR / UK GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under applicable law:

  • Right of access to your personal data.

  • Right to rectification of inaccurate personal data.

  • Right to erasure ("right to be forgotten"), subject to certain exceptions.

  • Right to restrict processing in certain circumstances.

  • Right to data portability.

  • Right to object to processing based on legitimate interests, and to direct marketing at any time.

  • Right to withdraw consent where consent is the legal basis.

  • Right to lodge a complaint with your local supervisory authority.

Due Gooder generally acts as a Data Controller for direct-to-consumer users. For institutional engagements, Due Gooder acts as a Data Processor under the institutional customer's direction; processing terms are set out in the engagement Data Processing Agreement.

For transfers of personal data outside the EEA/UK to the United States, we rely on Standard Contractual Clauses (or the UK International Data Transfer Addendum), supplemented by additional measures as appropriate.

We do not currently maintain a designated EU representative or Data Protection Officer; if you have questions, contact nate@duegooder.com and we will route inquiries appropriately. Should we expand operations in the EEA/UK in ways that require a representative or DPO, we will designate one and update this Policy.

18. Other US State Privacy Laws

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other US states that have enacted consumer privacy laws may have rights similar to those described above, including rights to access, correct, delete, and obtain portability of their personal information; to opt out of the sale of personal information and certain profiling; and to non-discrimination for exercising rights. To exercise these rights, contact nate@duegooder.com. We may need to verify your identity before fulfilling a request.

19. Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will notify you by email (to the address associated with your account), by posting a notice in the Service, or both, before the changes take effect. The "Last Updated" date at the top of this Policy reflects the most recent revision.

Continued use of the Service after a change takes effect constitutes acceptance of the updated Policy. If you do not agree, you may delete your account.

20. How to Contact Us

For privacy questions, requests, or complaints, contact us:

We aim to respond to privacy inquiries within 10 business days for routine matters and within statutory windows for formal rights requests.