DueHub Privacy Policy
Introduction
DueHub is a study-planning application for K-12 and college students, available at https://app.getduehub.com. This Privacy Policy describes how DueHub accesses, uses, stores, shares, retains, and deletes user data — including data obtained from Google through OAuth — when you use the application.
If you have questions about this policy or want to exercise your rights regarding your data, contact us at admin@getduehub.com.
Limited Use of Google User Data
DueHub's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- DueHub uses Google user data only to provide and improve user-facing features that you have explicitly enabled by connecting your Google account and using the application.
- DueHub does not use Google user data for advertising.
- DueHub does not sell, rent, or transfer Google user data to third parties for any independent use.
- DueHub does not use Google user data to train generalized or third-party AI/ML models.
- DueHub does not allow humans to read your Google user data, except (a) with your explicit consent (e.g., when you initiate a support request and share specific data with us), (b) when necessary for security purposes such as investigating abuse, or (c) to comply with applicable law.
Data Accessed
When you connect your Google account, DueHub requests the following OAuth scopes:
| Scope | Sensitivity | What DueHub reads |
|---|---|---|
| openid | Standard | Your Google user ID (sub) and email claim, contained in the OAuth ID token |
| https://www.googleapis.com/auth/userinfo.email | Standard | Your email address (read from the ID token claims; DueHub does not make a separate userinfo call) |
| https://www.googleapis.com/auth/calendar.readonly | Sensitive | Your calendar list metadata and events from the calendars you choose to sync |
| https://www.googleapis.com/auth/calendar.events | Sensitive | Permission to create, edit, and delete events that DueHub itself has created on a single "write target" calendar that you select |
The specific Google API endpoints DueHub calls are:
- POST https://oauth2.googleapis.com/token — OAuth code exchange and refresh-token exchange.
- GET /calendar/v3/users/me/calendarList — list your calendars so you can choose which to sync.
- GET /calendar/v3/calendars/{calendarId}/events — read events from calendars you have selected.
- POST, PATCH, and DELETE on /calendar/v3/calendars/{calendarId}/events — create, modify, or delete events that DueHub itself has created.
The specific fields DueHub reads are:
- From the OAuth ID token: sub (Google user ID) and email.
- From calendarList.list: id, summary, primary flag, backgroundColor, selected flag, and accessRole (used to determine which calendars are eligible as a write target).
- From events.list: id, summary (event title), description, location, htmlLink, status, start, and end.
DueHub does not access any other Google scopes or services. DueHub does not request or read Gmail, Drive, Contacts, People API, Photos, YouTube, or Workspace admin APIs.
Data Usage
DueHub is a study planner. Calendar data is used so your existing schedule appears alongside your DueHub study sessions on a single calendar grid. We use the data you authorize for the following narrowly scoped purposes:
- Identity (sub and email): stored to associate your Google connection with your DueHub account, to differentiate users, and to display “Connected as <email>” on your Settings → Connections page. Your email address is used only for in-app display. It is not used for marketing, analytics, advertising, or shared with any third party.
- Calendar list (read scope): used to populate the calendar picker on Settings → Connections so you can toggle which Google Calendars DueHub should sync events from. Your per-calendar selection is persisted so it survives between sync runs.
- Calendar events (read scope): rendered on DueHub's calendar grid (/calendar) and Today view (/today) alongside your DueHub study sessions. DueHub stores only events that fall within a window of 30 days in the past through 90 days in the future. Events outside that window are not stored.
- Calendar events (write scope, opt-in per session): when you create a study session in DueHub and toggle “Also add to Google Calendar,” DueHub creates a corresponding event on the Google Calendar you have selected as your write target. Subsequent edits or deletions you make to that DueHub session are mirrored to the Google event. DueHub never modifies events that DueHub did not create. It writes, edits, or deletes only events that DueHub itself originated and tracks via a stored Google event ID.
DueHub does not use Google user data for advertising, profiling, generalized AI/ML training, or any purpose other than the features you have explicitly enabled by connecting your account.
Data Sharing
DueHub does not sell, rent, or share Google user data with any third party for advertising or any other independent purpose.
To operate the service, DueHub relies on three infrastructure providers, each of which acts only as a data processor under our direction:
| Vendor | Role | Google data handled |
|---|---|---|
| Neon | Postgres database host | Stores all DueHub data, including encrypted Google OAuth tokens, calendar list metadata, and cached event rows. Neon applies encryption at rest to the database. |
| Render | Application hosting | Runs the DueHub server that issues calls to Google APIs. Holds the master encryption key needed to decrypt OAuth tokens for active API calls in process memory. Render does not persistently store Google data outside of the application's runtime. |
| Sentry | Error monitoring | Receives crash and error events from server and client. A scrubbing layer strips cookies, the Authorization and Cookie headers, request bodies, and any OAuth-state-bearing query strings before any event leaves DueHub's process. Sentry's PII-by-default behavior is disabled, and Sentry session replay is not enabled. |
Other vendors used by DueHub do not see Google calendar data:
- Clerk handles your DueHub sign-in session but is not part of the Google OAuth flow, which DueHub initiates server-to-Google.
- Resend is used solely to deliver the message you type into the in-app “Send feedback” form to the developer's inbox. This path does not transmit Google calendar data.
There are no third-party trackers, advertising networks, data brokers, or analytics vendors loaded by DueHub's frontend or backend.
Data Storage & Protection
Encryption at rest (Google OAuth tokens): access tokens and refresh tokens are encrypted using AES-256-GCM with a master key held only in environment variables on the production hosting platform. Each ciphertext has its own random 12-byte initialization vector and a 16-byte authentication tag that is verified on decryption (which fails closed on any tampering). A leaked database row alone cannot be decrypted without the separately held master key.
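The token-encryption scheme described above, sketched as an added example (this is not DueHub's code). The function names, the hex-encoded key format, the iv || tag || ciphertext layout, and the binding of the row's user ID as additional authenticated data are assumptions that the policy does not state.

```javascript
const crypto = require("node:crypto");

const IV_LEN = 12;  // random per ciphertext, as the policy describes
const TAG_LEN = 16; // GCM authentication tag length

// Hypothetical helper: parse a 32-byte master key from a hex string
// (for example, one read from an environment variable).
function loadMasterKey(hex) {
  const key = Buffer.from(hex, "hex");
  if (key.length !== 32) throw new Error("master key must be 32 bytes");
  return key;
}

// Returns base64(iv || tag || ciphertext). rowContext (assumed here to be
// the owning user_id) is authenticated but not encrypted, so a ciphertext
// copied into another user's row fails verification.
function encryptToken(key, token, rowContext) {
  const iv = crypto.randomBytes(IV_LEN); // never reuse an IV under one key
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv, {
    authTagLength: TAG_LEN,
  });
  cipher.setAAD(Buffer.from(rowContext, "utf8"));
  const ct = Buffer.concat([cipher.update(token, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

// Fails closed: final() throws when the tag does not verify, so a modified
// blob, a wrong key, or a wrong rowContext never yields plaintext.
function decryptToken(key, blob, rowContext) {
  const raw = Buffer.from(blob, "base64");
  if (raw.length < IV_LEN + TAG_LEN) throw new Error("ciphertext too short");
  const iv = raw.subarray(0, IV_LEN);
  const tag = raw.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = raw.subarray(IV_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv, {
    authTagLength: TAG_LEN,
  });
  decipher.setAAD(Buffer.from(rowContext, "utf8"));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}
```

Callers should treat any exception from decryptToken as "credential unusable" and avoid logging the blob or the error object itself.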
Encryption in transit: all network traffic between you and DueHub, and between DueHub and Google's APIs, uses HTTPS/TLS. DueHub sends a strict transport security header (Strict-Transport-Security: max-age=31536000; includeSubDomains; preload). Additional security headers in place include X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin, and a restrictive Permissions-Policy that disables geolocation, microphone, camera, payment, USB, magnetometer, accelerometer, and gyroscope APIs.
Tenant isolation: every database row that holds user data carries an explicit user_id column. Database-level composite foreign keys require that child rows reference a parent row owned by the same user, enforcing tenant isolation at the database layer.
Application-level access control: every API route validates the user's authenticated session via Clerk before reading any data. Internal-only endpoints (cron-triggered sync and cleanup routes) use bearer-token authentication with constant-time comparison. During DueHub's closed beta, an allowlist further restricts access at the middleware layer.
Rate limiting: sensitive endpoints are rate-limited. Examples include the allowlist gate (30 requests/minute per user), credential configuration endpoints (10 attempts per 10 minutes), the account deletion endpoint (3 attempts per hour), and the internal sync trigger (5 requests/minute).
Logging hygiene: OAuth token-exchange and refresh requests do not log request or response bodies, which would otherwise contain client secrets, authorization codes, refresh tokens, and access tokens. Application error logs extract only error message strings rather than raw error objects, to avoid accidental token or response-body leakage.
Pre-beta security review: a structured security review was conducted on May 1, 2026, covering authentication, tenant scoping, token encryption, server-side request forgery defenses, PII in logs, security headers, and rate limiting.
Hosting location and data residency: DueHub uses Neon Postgres (US-East AWS region) for its database and Render (US-East) for its application server. Both providers are US-based, and DueHub stores and processes user data exclusively in the United States. We do not currently transfer user data outside of the United States; if that ever changes, this policy will be updated and existing users will be notified through the application.
Data Retention & Deletion
You can remove your Google data from DueHub at any time using one of the following self-service actions:
1. Disconnect Google (Settings → Connections → Disconnect): immediately deletes your Google credentials row (encrypted access and refresh tokens, calendar list metadata, and identity columns) and all of your cached event rows. Clears your configured write-target calendar setting. Removes the Google event ID linkage from your DueHub study sessions, so DueHub no longer references any Google event. Before deletion, DueHub also makes a best-effort revocation of your refresh token at Google's /revoke endpoint.
2. Disconnect Google with delete-events option: identical to (1), and additionally deletes the events DueHub created from your Google Calendar via the events.delete API. You choose between “delete N events from Google” and “leave events” in a confirmation prompt; the default is to leave events untouched.
3. Account deletion (Settings → Account → Delete account, with type-DELETE confirmation): hard-deletes every database row associated with your account across all 18 DueHub tables, including Google credentials, cached Google events, study sessions, assignments, courses, and preferences, atomically in a single transaction. Your Clerk authentication account is then deleted. An optional toggle deletes DueHub-created events from your Google Calendar before the database wipe. This endpoint is rate-limited to 3 attempts per hour to prevent abuse of a compromised session.
4. Data export (Settings → Account → Export my data): downloads a JSON copy of all data DueHub has stored about you. Encrypted credential ciphertext is excluded from the export; only non-secret connection metadata (such as your display email) is included.
Automatic retention windows (enforced by a daily cleanup job):
- Soft-deleted user content (assignments, courses, study sessions, terms, bell schedules, class meetings, school-day exceptions, and iCal feeds): hard-deleted 30 days after the row's deleted_at timestamp. This window exists so that you can restore content from your in-app Trash within that period.
- Sync log rows: pruned 30 days after creation. These rows record sync timing and outcome only — they do not contain Google calendar content (only counts, status flags, and, rarely, an error message string).
- Auth-expired credential rows (Google and other third-party connections): hard-deleted 7 days after the most recent successful sync timestamp on rows where authentication has expired. For Google specifically, your cached events are deleted at the same time. After the grace window you must reconnect from Settings to use the integration again.
- Database point-in-time recovery (PITR): Neon retains backups for up to 7 days for disaster-recovery purposes. Deleted data may be recoverable by Neon-administrative action during this window. There is no application-level interface to restore from PITR.
- Sentry event retention: error events stored in Sentry are retained for 30 days.
How to request deletion: the in-app deletion controls described above are self-service and immediate. You may also email admin@getduehub.com to request deletion; email requests will be honored within a reasonable business window.
Children's Privacy
DueHub's user base may include K-12 students, including minors. The broader Privacy Policy will include disclosures required by COPPA, FERPA, and applicable state student-data-protection laws. The present version focuses on how DueHub handles data obtained from Google and other connected services; it is not a substitute for the full children's-privacy disclosures that will be added under counsel guidance before public launch.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last Updated” date and, where appropriate, request your re-acceptance from within the application. The currently published version at https://app.getduehub.com/privacy is authoritative.
Contact
For privacy questions, deletion requests, or to exercise your rights regarding your data:
See also: Terms of Service