Privacy Policy
Last updated: April 6, 2026
The short version: We read your teacher emails to extract school info, then we discard them. We never store, sell, or share your email content. Your data stays in your Google account. We do not sell your personal information.
Who We Are
BackpackBuddy is a product of Cultivate Data Solutions, LLC ("we," "us," "our"), a Maryland limited liability company. BackpackBuddy helps parents stay organized by automatically extracting homework assignments, school events, and deadlines from teacher emails and adding them to Google Calendar.
Data Controller: Cultivate Data Solutions, LLC
Contact: [email protected]
Address: Bethesda, Maryland, United States
What Information We Collect
We collect the minimum information needed to provide our service:
- Account information: Your name and email address (provided during signup).
- Child information: First name, grade, school, and teacher email address for each child (provided by you, used only to identify which emails to scan and which calendar to update).
- Google account access: When you connect your Google account via OAuth, we receive a token to read your Gmail, manage your Google Calendar, and save files to your Google Drive. We only access emails from teacher email addresses you specify.
- Payment information: Processed securely by Stripe. We never see or store your credit card numbers.
- Usage data: Number of emails processed, calendar events created, and scan history (for troubleshooting and improving the service).
- Policy acceptance: When you agree to this Privacy Policy, we record the version accepted and the timestamp.
How We Use Your Information
- Email scanning: We read emails ONLY from teacher email addresses you specify. We extract homework assignments, events, deadlines, and attachments. We do not read any other emails in your inbox.
- Calendar events: We create events on Google Calendars you designate for each child.
- Attachments: We download newsletter PDFs and worksheets from teacher emails and upload them to your Google Drive, then attach them to calendar events.
- Email archiving: After processing, we archive teacher emails from your inbox (they remain in your Gmail archive and are never deleted).
- Daily digest: We send you a summary of what we found and created.
- Service communications: We may send you account notices, policy updates, and security alerts. These are not marketing emails and cannot be opted out of while you have an active account.
We do NOT store the content of your emails. We process them in real-time, extract the relevant school information, and discard the email content. All data remains in your Google account.
Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA) and United Kingdom, we process your personal data on the following legal bases:
| Data Type | Legal Basis | Explanation |
|---|---|---|
| Name, email address | Contract performance | Necessary to create and manage your account |
| Child name, school, teacher email, calendar ID | Contract performance | Necessary to deliver the core service |
| OAuth tokens | Contract performance | Necessary to access your Google account on your behalf |
| Usage data (emails processed, events created) | Legitimate interest | Used for troubleshooting and improving service reliability |
| Policy acceptance record | Legal obligation | Required for compliance with applicable privacy laws |
| Payment data | Contract performance | Processed by Stripe to fulfill your subscription |
We do not use your data for automated decision-making or profiling.
What We Do NOT Do
- We do NOT store or copy your email content on our servers
- We do NOT read emails from anyone other than the teacher addresses you specify
- We do NOT sell, rent, or share your personal information with third parties
- We do NOT use your data for advertising or marketing purposes
- We do NOT delete any emails; archiving only moves them out of your inbox
- We do NOT access your email account for any purpose other than scanning teacher emails
- We do NOT build profiles on children or use child data for any purpose other than providing the service
- We do NOT engage in automated decision-making or profiling
Children's Privacy (COPPA)
BackpackBuddy is a tool for parents, not children. We do not knowingly collect information directly from children under 13.
The child-related information we collect (first name, grade, school name, and teacher email address) is provided by a parent or legal guardian and is used solely to deliver the service, specifically to identify which teacher emails to scan and which Google Calendar to update. This information is:
- Never used for advertising, profiling, or any purpose other than providing the service
- Never shared with third parties except as required to deliver the service (e.g., creating a Google Calendar event)
- Deleted within 30 days of account cancellation
If you believe we have inadvertently collected information from a child without parental consent, contact us at [email protected] and we will delete it promptly.
Student data protection: We do not use student data to advertise or market to students or their families, build student profiles beyond what is necessary to provide the service, or sell student data under any circumstances.
Google API Services
BackpackBuddy's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Data Storage & Security
| Data Type | Storage | Retention | Encrypted |
|---|---|---|---|
| Email content | Never stored | Processed in real-time and discarded | N/A |
| OAuth tokens | Cloudflare KV (encrypted at rest) | Duration of subscription; deleted immediately on cancellation | Yes (AES-256) |
| Account & child info | Cloudflare KV (encrypted at rest) | Duration of subscription; deleted within 30 days of cancellation | Yes (AES-256) |
| Usage data | Cloudflare KV | Duration of subscription; deleted within 30 days of cancellation | Yes (AES-256) |
| Policy acceptance record | Cloudflare KV | Duration of subscription + 1 year | Yes (AES-256) |
| Payment data | Stripe (not our servers) | Per Stripe's retention policy | Yes (Stripe PCI-DSS) |
We maintain a written data security program that includes access controls, encrypted storage, and regular security reviews. In the event of a data breach affecting your personal information, we will notify you within 72 hours of discovery, as required by applicable law.
Third-Party Services & Data Processors
We use the following third-party services to operate BackpackBuddy. Each acts as a data processor under our instruction:
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Google (Gmail, Calendar, Drive) | Email scanning, calendar events, file storage | OAuth tokens, calendar/drive operations | policies.google.com/privacy |
| Stripe | Payment processing | Name, email, billing info | stripe.com/privacy |
| Cloudflare | Website hosting, data storage (KV), Worker APIs | Account data, OAuth tokens | cloudflare.com/privacypolicy |
We have executed Data Processing Agreements with Cloudflare and Stripe. For users in the EEA or UK, these agreements include Standard Contractual Clauses to govern international data transfers.
International Data Transfers
We are based in the United States. If you use BackpackBuddy from outside the US (including from the European Economic Area or United Kingdom), your data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses approved by the European Commission to ensure adequate protection for transfers to our service providers (Cloudflare, Stripe).
Your Rights & Choices
Depending on where you live, you may have the following rights regarding your personal data. To exercise any of them, email [email protected]. We will respond within 30 days.
| Right | What it means | Who it applies to |
|---|---|---|
| Access | Request a copy of the personal data we hold about you | All users |
| Correction / Rectification | Ask us to correct inaccurate information | All users |
| Deletion | Request deletion of your account and all personal data within 48 hours | All users |
| Portability | Receive your data in a structured, machine-readable format | EEA/UK users (GDPR) |
| Restriction | Ask us to limit how we process your data in certain circumstances | EEA/UK users (GDPR) |
| Objection | Object to processing based on legitimate interest | EEA/UK users (GDPR) |
| Opt-out of sale/sharing | We do not sell or share your data. Nothing to opt out of. | California users (CCPA/CPRA) |
| Opt-out of profiling | We do not profile users. Nothing to opt out of. | All users |
| Appeal | If we deny a rights request, you may appeal by replying to our denial notice | US state law users |
| Lodge a complaint | You may complain to your local data protection authority | EEA/UK users (GDPR) |
You can also:
- Revoke Google access: Visit Google Account Permissions at any time to disconnect BackpackBuddy.
- Cancel subscription: Cancel anytime from your dashboard or by emailing us. OAuth tokens are deleted immediately on cancellation.
- Export your data: All calendar events and Drive files are already in your Google account and fully portable.
California residents: We do not sell or share your personal information as defined under the CCPA/CPRA. We do not use your data for cross-context behavioral advertising.
Data Retention
| Data Type | Retention Period |
|---|---|
| Email content | Never retained; processed in real-time and discarded |
| OAuth tokens | Active subscription only; deleted immediately upon cancellation |
| Account information (name, email, child info) | Active subscription + 30 days after cancellation |
| Usage statistics | Active subscription + 30 days after cancellation |
| Policy acceptance records | Active subscription + 1 year after cancellation |
| Payment records | Per Stripe's policy (typically 7 years for financial records) |
Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will:
- Update the "Last updated" date at the top of this page
- Send an email notification to your registered email address
- Require your acknowledgment the next time you log in to the dashboard
If you do not agree to the updated policy, you may cancel your account at any time. Continued use of the service after acknowledging the updated policy constitutes acceptance.
Summary of changes from April 2, 2026 version:
- Added GDPR legal basis table for each data type
- Expanded children's privacy section (COPPA compliance)
- Added full data subject rights table
- Added data retention table with specific timeframes per data type
- Added breach notification commitment (72 hours)
- Added international data transfers section with SCCs reference
- Added third-party processor table with DPA disclosure
- Added California CCPA/CPRA opt-out disclosure
- Added policy acceptance mechanism
- Expanded security section with encryption details
Contact Us
For privacy questions, rights requests, or concerns:
Cultivate Data Solutions, LLC
Email: [email protected]
Bethesda, Maryland, United States
EEA/UK users may also lodge a complaint with their local supervisory authority. A list of EEA data protection authorities is available at edpb.europa.eu.