Legal
Privacy Policy
The short version: we collect what we need to run the product, we don’t sell your data, and we tell you exactly which third parties see what.
Effective May 22, 2026 · Last updated May 22, 2026
1. Summary
All Squared (“we,” “us,” “All Squared”) is a research-workflow tool for university students. We help you organize citations, parse syllabi, track your course schedule, and chat with an AI scoped to your readings. To do that, we collect a small amount of account information and the content you create or import while using the product.
We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We use a short list of named service providers (Clerk, Supabase, AWS Bedrock, Anthropic, Stripe, and — at your direction — your school’s Canvas LMS) to operate the service. They are described in plain English below.
2. Who we are
This Privacy Policy is provided by All Squared, the operator of the product available at allsquared.app. If you have a privacy question, write us at privacy@allsquared.app.
3. Personal information we collect
Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the “CCPA”), personal information is grouped into categories. Here is what we collect, in those terms, with concrete examples.
Identifiers
- Email address and display name that you provide at sign-up, or that we receive from Google when you sign in with Google.
- Account identifier assigned to you by our authentication provider (Clerk), which we use as your stable user ID across our database.
- IP address, device, and browser information that our hosting and authentication providers automatically log when you interact with the service. We do not use these for advertising.
Account credentials (sensitive personal information)
- Authentication is handled by Clerk using a passwordless email code or a Google sign-in flow. We do not see or store your password. When you connect Canvas, you give us a Canvas-issued API access token, which is encrypted at rest and used only to read data from your Canvas account at your request.
Commercial information
- If you upgrade to a paid plan or buy a one-time top-up of AI tokens, our payment processor (Stripe) creates a customer record tied to your email. We store the Stripe customer ID, your subscription status, your plan tier, the current billing period end date, the identifier of the specific subscription product you bought, the monthly token allowance attached to that product at the time you subscribed, and a running balance of any one-time top-up tokens credited to your account. We do not receive or store your full payment card number, CVC, or bank credentials — those go directly to Stripe.
Internet or network activity
- Application logs covering sign-ins, requests to our API, AI feature usage (number of input/output tokens consumed and estimated cost), and basic error diagnostics.
- A small amount of browser local storage, used only to remember your theme choice, whether you have completed onboarding, and which in-product tips you have dismissed. This data never leaves your device.
Education-related information
- Your citations and source library: titles, authors, publication, year, DOI, URL, tags, topics, formatted citation fields, week assignments, access notes, and uploaded source metadata you choose to import.
- Your courses and syllabi: course name, code, institution, learning objectives, grading breakdown, weekly schedule, citation-format preference, and any course content you paste in or sync from Canvas — including modules, pages, assignments, discussions, files, quizzes, your submissions and grades, and the timezone of the Canvas course. We cache this Canvas content on the course record so the schedule, transcript, and AI features work without re-fetching every time.
- Your schedule progress: which schedule items (calendar events, assignments, discussions, quizzes) you have marked complete, and when. Some items are auto-completed when Canvas reports the assignment as submitted or graded.
- Your AI chat:the user messages you send to the assistant and the assistant’s replies are stored in your account, scoped per global / per-course / per-week conversation, so you can return to them. We also store the input and output token counts for each message for usage accounting.
- Discussion-post drafts:when you draft a Canvas discussion reply through All Squared, we autosave the draft body to your account, keyed to the Canvas topic and (if you’re replying to someone) the Canvas entry you’re replying to, so you can come back to it before posting.
- Files you upload for parsing (PDFs of syllabi, articles, or readings) are processed in memory on our servers to extract metadata, sent to our AI provider for that single request, and then discarded. We do not keep a copy of the uploaded file.
Social features (only when you opt in)
- Classmate opt-in: on a per-course basis, you can opt in to be discoverable to other All Squared users who have connected the same Canvas course. We store a single row per course recording that you opted in. Other users in the same Canvas course can see your display name and email when they open the classmates list for that course; we never expose your coursework, citations, schedule progress, or chats this way. Removing the opt-in row makes you immediately undiscoverable.
- Friendships: when you and another user become friends, we store a single row per pair recording who initiated the request, who accepted, and the timestamps. Removing a friendship deletes the row.
- Friend-invite links: when you generate a shareable invite link, we store a single-use token, an optional reference to the course you generated it from, an expiration timestamp, and (once accepted) the user id of whoever accepted it.
- Draft reviews: when you ask a friend to review a discussion-post draft, we store a record linking your draft to the reviewer. The reviewer can read the draft body and leave one comment; the comment text is stored on the review record and visible to both of you.
Profile information you choose to share
- During onboarding we ask, optionally, about your background, your program, projects you might draw on, and what you want to get out of school. Anything you write here is stored on your user record and is included in the system prompt when you chat with the AI, so the assistant knows who it is talking to. You can skip any field.
Inferences
- We do not build behavioral or advertising profiles about you. We do generate AI responses based on the inputs above; those responses are not used to profile you.
Categories we do not collect
- Government identifiers, financial account credentials, precise geolocation, biometric data, health information, racial or ethnic origin, religious beliefs, union membership, genetic data, sexual orientation, or the contents of non-product communications.
4. Where we get this information
- From you, when you create an account, fill out onboarding, add citations, upload PDFs, paste syllabi, create courses, send chat messages, draft a discussion post, mark schedule items complete, opt in to classmate visibility for a course, send or accept a friendship request, generate an invite link, or ask a friend to review a draft.
- From your Canvas LMS account, only when you connect Canvas by providing your own API access token. We read your course data on your behalf using that token. We also post to Canvas on your behalfin one specific case: when you press “Post” on a discussion-post draft you wrote inside All Squared, we send that exact text to Canvas as a discussion entry or reply under your Canvas account. We do not access other students’ Canvas data, and we do not perform any other writes (no grade changes, no submissions, no profile edits, no enrollment changes).
- From Google, if you sign in with Google. We receive your email address and basic profile name from Google through Clerk.
- From other users, when an existing All Squared user sends you a friend request, accepts your friend request, accepts your invite link, or leaves a comment on a draft you asked them to review.
- From our service providers, in the form of standard server and authentication logs (e.g., IP addresses, request times, webhook events from Stripe and Clerk).
5. How and why we use it
We use the information described above for the following business purposes:
- To provide the product: let you sign in, store your citations and courses, render your schedule, generate formatted citations, parse PDFs, sync Canvas data when you ask us to, and respond to your AI chat messages.
- To bill you, if you choose a paid plan or purchase a one-time top-up, by passing your email and our internal user ID to Stripe and reading back your subscription status, the product you bought, and (for top-ups) the number of bonus tokens to credit to your account.
- To enforce usage limits (free vs. paid tier, plus any bonus-token balance from top-ups) by counting AI tokens consumed per user per month.
- To run the social features you opt into (matching classmates inside the same Canvas course, processing friend requests, generating and accepting invite links, and surfacing drafts to the friend you asked to review).
- To keep the service secure, including detecting abuse, debugging errors, and verifying webhook signatures.
- To communicate with you about your account, service-critical changes, or replies to support requests you send us.
- To comply with the law and respond to valid legal process.
We do not use your content to train any AI model. We do not sell your information. We do not run advertising on the service or share information with advertisers.
6. Third parties who process data for us
The companies below act as our service providers (in CCPA terms) or as processors. They are contractually limited to using your data only to provide their service to us.
Clerk — Authentication
Clerk handles sign-up, sign-in, email verification codes, and the Google OAuth flow. Clerk receives your email, display name, IP address when you authenticate, and (if used) your Google account identifiers. See Clerk’s privacy notices at clerk.com.
Supabase — Database and infrastructure
Supabase hosts our Postgres database in the United States. Everything you store in the product — your profile fields, citations, courses, schedule progress, chat conversations and messages, classmate opt-in status, friend connections, draft reviews, encrypted Canvas tokens, and usage records — lives in our Supabase database. Row-Level Security policies ensure that one user cannot read another user’s rows.
Amazon Web Services — AI model hosting (Bedrock)
When you use any AI feature (chat, batch citation parsing, file parsing, syllabus parsing), we send the relevant content to Anthropic’s Claude model running on AWS Bedrock. The payload includes the system prompt we construct (which may contain your profile fields, course metadata, and citations relevant to the request), the messages in your current conversation, and any PDF pages or text you uploaded for that request. AWS Bedrock processes the request and returns a model response. Per AWS’s Bedrock terms, content sent to Bedrock is not used to train the underlying foundation models.
Anthropic — Foundation model provider
Anthropic provides the Claude model that runs on AWS Bedrock. Because we access Claude through Bedrock rather than Anthropic’s direct API, your content is governed by the Bedrock terms above.
Stripe — Payments
Stripe processes both recurring subscription payments and one-time token top-up purchases. When you start a checkout, we pass your email and our user ID to Stripe; Stripe collects your card details on its own infrastructure and returns a customer ID, subscription ID (for subscriptions), checkout-session metadata (for top-ups), and subscription or payment status to us via webhook. Stripe’s privacy notice is at stripe.com/privacy.
Canvas (Instructure) — only at your direction
If you connect Canvas, we use the API token you provide to read your course data from your Canvas instance and, in one specific case, to write on your behalf: when you post a discussion entry you drafted in All Squared, that text is sent to Canvas as a post under your account. We do not perform any other writes. We are not affiliated with Instructure, Inc., the operator of Canvas. We do not transmit your Canvas token to any other party, and you can disconnect Canvas at any time from your settings, which removes the encrypted token from our database.
External websites you ask us to fetch
When you add a citation by URL, our server fetches that URL to read publicly available HTML metadata (title, authors, publication date, DOI). We send a generic user-agent header and do not include any of your account information in the request.
7. Sale and sharing of personal information
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA. We have not done so in the preceding twelve (12) months.
8. Sensitive personal information
The only category of sensitive personal information we collect is account log-in credentials(the authentication tokens used to keep you signed in, and the Canvas API token you provide). We use this information only for the limited purposes described above — keeping you signed in and reading data from Canvas at your request. We do not use sensitive personal information to infer characteristics about you. Because we do not use sensitive personal information beyond purposes permitted by CCPA § 7027(m), the “Right to Limit” does not give you anything we are not already doing; we apply the limit by default.
9. How long we keep it
We keep the information described above for as long as your account is active, and for a short period afterward to wind down billing and to comply with our legal obligations. Concretely:
- Account, profile, citations, courses, cached Canvas content, schedule progress, chat messages, discussion-post drafts: kept until you delete the item or your account.
- Uploaded PDFs: not retained — processed in memory and discarded after the request.
- Canvas API token: kept encrypted until you disconnect Canvas or delete your account.
- Classmate opt-in row: kept until you turn the opt-in off, leave the course, or delete your account.
- Friendships, friend invites, and draft reviews: kept until you remove the friendship, the invite expires (default 30 days) or is accepted, or you delete the review record; deleting your account removes your side of these records.
- AI usage events (per-call token counts and estimated cost): kept indefinitely for billing-period rollups and budget enforcement; not used to profile you.
- Billing records (Stripe customer ID, subscription state, top-up history): kept for as long as required by tax and accounting law (typically up to seven years), then deleted or anonymized.
- Server logs: kept by our service providers for their standard retention windows (typically 30–90 days) for security and debugging.
10. Your California privacy rights
If you are a California resident, the CCPA gives you the following rights with respect to your personal information.
- Right to know: request that we tell you the categories of personal information we have collected about you, the categories of sources, the business purposes for collecting it, the categories of third parties to whom we have disclosed it, and the specific pieces of personal information we hold.
- Right to access (data portability): receive a copy of the specific pieces of personal information we hold about you in a portable, readily usable format.
- Right to delete: request that we delete the personal information we have collected from you, subject to limited exceptions (e.g., to complete a transaction, to comply with law).
- Right to correct: request that we correct inaccurate personal information we hold about you.
- Right to opt out of sale or sharing: as noted, we do not sell or share personal information, but you may make this request and we will confirm in writing that the practice does not apply.
- Right to limit use of sensitive personal information: as noted above, we already apply this limit by default.
- Right to non-discrimination: we will not deny you service, charge you a different price, or provide a different level or quality of service because you exercised a privacy right.
How to exercise these rights
Email privacy@allsquared.app with the words “California privacy request” in the subject line and tell us which right you want to exercise. To verify your request, we will ask you to send the email from the address on your account; for sensitive requests (like deletion or access to chat content) we may ask you to confirm a code we send to that same address. You can also delete most of your data from within the product directly: chat conversations, citations, courses, and your Canvas connection can all be removed from the settings or list screens. Deleting your account removes your stored personal data from our active systems, subject to the retention windows above.
Authorized agents
You may designate an authorized agent to make a CCPA request on your behalf. The agent must send us written, signed proof of authorization and we may contact you directly to verify. We will not process requests from agents we cannot verify.
Appeals
If we deny your request, you may appeal by replying to our denial message. We will respond within sixty (60) days with a written explanation.
11. Global Privacy Control and Do Not Track
Because we do not sell or share personal information, there is nothing for us to opt you out of when your browser sends a Global Privacy Control signal or a Do Not Track header. We still log these signals and treat them as a standing instruction not to start any sale or sharing practice in the future.
12. Shine the Light
California Civil Code § 1798.83 lets California residents request information about personal information disclosed to third parties for their own direct-marketing purposes. We do not disclose personal information to third parties for their direct-marketing purposes.
13. Minors
All Squared is built for and offered to university students who are at least 18 years old. We do not knowingly collect personal information from children under 13, and we do not sell or share the personal information of consumers we actually know to be under 16. If you are a parent or guardian and believe a child has provided us with information, contact us at privacy@allsquared.app and we will delete the account.
14. How we protect your information
- All connections to All Squared are made over HTTPS.
- Database access is gated by Row-Level Security policies so that your data is only readable by your own account.
- Your Canvas API token is encrypted at rest using a key we hold outside the database.
- Authentication is handled by Clerk, which manages session tokens and account recovery; we never see or store your passwords.
- No security control is perfect. If we ever experience a security incident affecting your information, we will notify affected users as required by California Civil Code § 1798.82 and other applicable law.
15. International users
All Squared is operated from, and stores data in, the United States. If you access the service from outside the United States, you understand that your information will be processed in the United States, which may have different data-protection laws than your home jurisdiction. By using the service, you consent to that transfer.
16. Changes to this policy
If we make material changes to this Privacy Policy, we will update the “Last updated” date at the top and, where appropriate, notify you in the product or by email before the change takes effect. Your continued use of All Squared after a change means you accept the updated policy.
17. Contact
Questions, requests, or corrections — write us at privacy@allsquared.app. We try to answer within five business days, and within the timeframes California law requires for verifiable consumer requests.
See also our Terms of Service.