Privacy Policy
Last Updated: March 6, 2026 · Effective: March 6, 2026
1. Introduction
OmniStudent Suite (“we,” “our,” or “the Service”) is an AI-powered academic productivity tool available as a Chrome extension and desktop application. We are committed to protecting your privacy and being transparent about how your data is handled.
2. Authentication & Account Data
2.1 GitHub Device Flow Authentication
OmniStudent authenticates users exclusively through the GitHub Device Authorization Grant (OAuth 2.0 Device Flow). You authorize OmniStudent via GitHub's official login page — we never see, handle, or store your GitHub password. We request only the minimum scopes necessary for Copilot API access.
2.2 Token Storage
Your GitHub OAuth tokens are stored locally on your device only:
- Chrome Extension: Stored in
chrome.storage.localwith AES-256 encryption, accessible only to the extension. - Desktop App: Stored via OS-level keychain integration (Windows Credential Manager, macOS Keychain, or Linux Secret Service).
We do NOT transmit, store, or have access to your tokens on any server.
3. How Your Data Is Processed
3.1 Architecture
All AI requests are routed directly from your device to GitHub's Copilot API endpoints using your own authenticated token. Our servers are not intermediaries in this communication.
3.2 Your Content
We do NOT collect, transmit, store, or have access to:
- Your code, essays, assignments, or any academic content
- Text you type, paste, or generate within the extension or desktop app
- Content extracted from Canvas, Blackboard, or any Learning Management System
- PDF documents, Word files, or any files processed by the local RAG engine
All document processing (PDF parsing, text extraction, vectorization, and RAG queries) happens entirely on your local device.
3.3 Canvas & Blackboard Integration
The browser extension reads DOM elements from Canvas and Blackboard pages to extract assignment text, rubrics, and due dates. This extraction happens locally within your browser tab and is never sent to OmniStudent servers.
4. What We Do Collect
4.1 Subscription & Billing Data
If you subscribe to OmniStudent Pro ($10/month), the following data is stored in our Cloudflare D1 database:
| Data | Purpose |
|---|---|
| GitHub username | Unique account identifier |
| Stripe Customer ID | Links to your Stripe payment profile |
| Subscription status | Active, inactive, or past due |
| Current period end date | When your billing cycle renews |
4.2 Payment Processing
All payment processing is handled entirely by Stripe, Inc. We do not collect or store credit card numbers, CVVs, expiration dates, bank account information, or billing addresses.
5. Data Storage & Security
| Data | Location | Protection |
|---|---|---|
| OAuth tokens | Your device only | AES-256 / OS keychain |
| Local RAG vectors | Your device only | SQLite on local filesystem |
| Subscription status | Cloudflare D1 (edge) | Encrypted at rest |
| Payment details | Stripe infrastructure | PCI DSS Level 1 |
Client-to-worker communication is authenticated via HMAC-SHA256 signatures. All data in transit uses TLS 1.3.
6. Third-Party Services
| Service | Purpose | Privacy Policy |
|---|---|---|
| GitHub / Copilot | Auth & AI API | Link |
| Stripe | Payments | Link |
| Cloudflare | Worker hosting & D1 | Link |
We do not use any analytics, tracking, or advertising SDKs. There are no cookies, pixels, or third-party trackers in any OmniStudent product.
7. Your Rights & Choices
- Revoke access: Go to GitHub Settings → Applications to immediately invalidate all tokens.
- Delete local data: Uninstalling the extension or desktop app removes all locally stored data.
- Delete subscription data: Email us to request deletion from our database. Processed within 30 days.
8. Children's Privacy
OmniStudent is intended for university and college students (ages 18+). We do not knowingly collect data from children under 13 (or under 16 in the EEA).
9. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via our website and, where possible, through an in-app notification.
10. Contact
For privacy questions or data deletion requests: TBD
This privacy policy is designed to comply with GDPR, CCPA, and Chrome Web Store developer program policies.