Legal

Privacy Policy

The short version: we collect what we need to run the product, we don’t sell your data, and we tell you exactly which third parties see what.

Effective May 22, 2026 · Last updated May 22, 2026

1. Summary

All Squared (“we,” “us,” “All Squared”) is a research-workflow tool for university students. We help you organize citations, parse syllabi, track your course schedule, and chat with an AI scoped to your readings. To do that, we collect a small amount of account information and the content you create or import while using the product.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We use a short list of named service providers (Clerk, Supabase, AWS Bedrock, Anthropic, Stripe, and — at your direction — your school’s Canvas LMS) to operate the service. They are described in plain English below.

2. Who we are

This Privacy Policy is provided by All Squared, the operator of the product available at allsquared.app. If you have a privacy question, write us at privacy@allsquared.app.

3. Personal information we collect

Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the “CCPA”), personal information is grouped into categories. Here is what we collect, in those terms, with concrete examples.

Identifiers

Account credentials (sensitive personal information)

Commercial information

Internet or network activity

Education-related information

Social features (only when you opt in)

Profile information you choose to share

Inferences

Categories we do not collect

4. Where we get this information

5. How and why we use it

We use the information described above for the following business purposes:

We do not use your content to train any AI model. We do not sell your information. We do not run advertising on the service or share information with advertisers.

6. Third parties who process data for us

The companies below act as our service providers (in CCPA terms) or as processors. They are contractually limited to using your data only to provide their service to us.

Clerk — Authentication

Clerk handles sign-up, sign-in, email verification codes, and the Google OAuth flow. Clerk receives your email, display name, IP address when you authenticate, and (if used) your Google account identifiers. See Clerk’s privacy notices at clerk.com.

Supabase — Database and infrastructure

Supabase hosts our Postgres database in the United States. Everything you store in the product — your profile fields, citations, courses, schedule progress, chat conversations and messages, classmate opt-in status, friend connections, draft reviews, encrypted Canvas tokens, and usage records — lives in our Supabase database. Row-Level Security policies ensure that one user cannot read another user’s rows.

Amazon Web Services — AI model hosting (Bedrock)

When you use any AI feature (chat, batch citation parsing, file parsing, syllabus parsing), we send the relevant content to Anthropic’s Claude model running on AWS Bedrock. The payload includes the system prompt we construct (which may contain your profile fields, course metadata, and citations relevant to the request), the messages in your current conversation, and any PDF pages or text you uploaded for that request. AWS Bedrock processes the request and returns a model response. Per AWS’s Bedrock terms, content sent to Bedrock is not used to train the underlying foundation models.

Anthropic — Foundation model provider

Anthropic provides the Claude model that runs on AWS Bedrock. Because we access Claude through Bedrock rather than Anthropic’s direct API, your content is governed by the Bedrock terms above.

Stripe — Payments

Stripe processes both recurring subscription payments and one-time token top-up purchases. When you start a checkout, we pass your email and our user ID to Stripe; Stripe collects your card details on its own infrastructure and returns a customer ID, subscription ID (for subscriptions), checkout-session metadata (for top-ups), and subscription or payment status to us via webhook. Stripe’s privacy notice is at stripe.com/privacy.

Canvas (Instructure) — only at your direction

If you connect Canvas, we use the API token you provide to read your course data from your Canvas instance and, in one specific case, to write on your behalf: when you post a discussion entry you drafted in All Squared, that text is sent to Canvas as a post under your account. We do not perform any other writes. We are not affiliated with Instructure, Inc., the operator of Canvas. We do not transmit your Canvas token to any other party, and you can disconnect Canvas at any time from your settings, which removes the encrypted token from our database.

External websites you ask us to fetch

When you add a citation by URL, our server fetches that URL to read publicly available HTML metadata (title, authors, publication date, DOI). We send a generic user-agent header and do not include any of your account information in the request.

7. Sale and sharing of personal information

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA. We have not done so in the preceding twelve (12) months.

8. Sensitive personal information

The only category of sensitive personal information we collect is account log-in credentials(the authentication tokens used to keep you signed in, and the Canvas API token you provide). We use this information only for the limited purposes described above — keeping you signed in and reading data from Canvas at your request. We do not use sensitive personal information to infer characteristics about you. Because we do not use sensitive personal information beyond purposes permitted by CCPA § 7027(m), the “Right to Limit” does not give you anything we are not already doing; we apply the limit by default.

9. How long we keep it

We keep the information described above for as long as your account is active, and for a short period afterward to wind down billing and to comply with our legal obligations. Concretely:

10. Your California privacy rights

If you are a California resident, the CCPA gives you the following rights with respect to your personal information.

How to exercise these rights

Email privacy@allsquared.app with the words “California privacy request” in the subject line and tell us which right you want to exercise. To verify your request, we will ask you to send the email from the address on your account; for sensitive requests (like deletion or access to chat content) we may ask you to confirm a code we send to that same address. You can also delete most of your data from within the product directly: chat conversations, citations, courses, and your Canvas connection can all be removed from the settings or list screens. Deleting your account removes your stored personal data from our active systems, subject to the retention windows above.

Authorized agents

You may designate an authorized agent to make a CCPA request on your behalf. The agent must send us written, signed proof of authorization and we may contact you directly to verify. We will not process requests from agents we cannot verify.

Appeals

If we deny your request, you may appeal by replying to our denial message. We will respond within sixty (60) days with a written explanation.

11. Global Privacy Control and Do Not Track

Because we do not sell or share personal information, there is nothing for us to opt you out of when your browser sends a Global Privacy Control signal or a Do Not Track header. We still log these signals and treat them as a standing instruction not to start any sale or sharing practice in the future.

12. Shine the Light

California Civil Code § 1798.83 lets California residents request information about personal information disclosed to third parties for their own direct-marketing purposes. We do not disclose personal information to third parties for their direct-marketing purposes.

13. Minors

All Squared is built for and offered to university students who are at least 18 years old. We do not knowingly collect personal information from children under 13, and we do not sell or share the personal information of consumers we actually know to be under 16. If you are a parent or guardian and believe a child has provided us with information, contact us at privacy@allsquared.app and we will delete the account.

14. How we protect your information

15. International users

All Squared is operated from, and stores data in, the United States. If you access the service from outside the United States, you understand that your information will be processed in the United States, which may have different data-protection laws than your home jurisdiction. By using the service, you consent to that transfer.

16. Changes to this policy

If we make material changes to this Privacy Policy, we will update the “Last updated” date at the top and, where appropriate, notify you in the product or by email before the change takes effect. Your continued use of All Squared after a change means you accept the updated policy.

17. Contact

Questions, requests, or corrections — write us at privacy@allsquared.app. We try to answer within five business days, and within the timeframes California law requires for verifiable consumer requests.

See also our Terms of Service.