Stu.Do

Legal · Stu.Do

Privacy Policy

Effective May 5, 2026Updated May 5, 2026
On this page
  1. ·TL;DR
  2. /01What's stored on your behalf
  3. /02What we actively collect
  4. /03Who can see your data
  5. /04What we don't do
  6. /05Operator access (honest disclosure)
  7. /06Encryption
  8. /07Where data lives
  9. /08Children
  10. /09Your rights
  11. /10Changes
  12. /11Contact

TL;DR

  • Stu.Do stores your data on your behalf so it can sync across your devices and reach the people you invite to groups. We don't read your content, sell it, share it with advertisers, or train AI on it.
  • The personal information we actively collect is what you give us when you sign up (email, name, username) and anonymous crash + usage telemetry that helps us fix bugs.
  • You own your content. You can delete it all from inside the app at any time.

Stu.Do ("we", "us", "the app") is provided by Mend Labs LLC. This policy explains how we handle your data, what we do with it, and — just as importantly — what we don't.

/01What's stored on your behalf

Stu.Do is offline-first. The app works fully without an account, with all data on your device only.

When you sign in (optional), the following is stored in your account so it can sync to your other devices and follow you between phone and tablet:

  • Tasks, courses, schedules, GPA records — productivity data you create.
  • Group-chat messages and attachments — so the people you invite to a group assignment can see them.
  • Photos — only if you choose to attach them in chat or as a profile picture.

This content lives in your account. You can read, edit, and delete it at any time. Account deletion is permanent and removes everything within minutes.

/02What we actively collect

This is the small set of data Mend Labs actively processes to provide the service:

  • Account data — email address, name, and the username you chose. Used to sign you in and to identify you to people who invite you to a group.
  • Push token — an anonymous device identifier from Apple or Google so we can deliver notifications.
  • Crash reports & usage telemetry — via Firebase Crashlytics and Firebase Analytics. Crash reports contain stack traces and device info (no content). Usage events record which features were used (e.g., "event_created", "schedule_exported") with no content. Used to fix bugs and understand which features matter.

We do not collect:

  • The contents of your tasks, courses, GPA records, or chat messages — these are stored on your behalf, not analyzed.
  • Your precise location.
  • Any data for advertising, profile-building, or AI training.

/03Who can see your data

  • Tasks, courses, schedules, GPA records: only you, on devices you've signed into.
  • Group-chat messages and attachments: you and the people you've explicitly invited to that group.
  • Profile data (name, username, photo): anyone in a group with you can see this.

The backend uses Postgres row-level security, which means the database itself enforces these access rules — even our application code can't bypass them in normal operation.

/04What we don't do

  • We don't sell your data. Ever.
  • We don't run ads. There are no advertisements in the app.
  • We don't share your data with third-party data brokers.
  • We don't train AI models on your content.
  • We don't read your tasks, GPA records, or chat messages. We have an internal policy against doing so.

/05Operator access (honest disclosure)

Mend Labs has technical access to the storage backends (Supabase, Firebase) for legitimate operational reasons: database backups, security incident response, and investigating specific bugs you report. We will only access your content if:

  • You explicitly ask us to (e.g., to debug a problem you're seeing), or
  • We're legally required to (e.g., a valid subpoena, which we'll fight if it's overbroad).

We aren't proactively reading anyone's data, and we'd rather not have to.

/06Encryption

  • In transit: all traffic between your device and our backends uses HTTPS / TLS.
  • At rest: data on Supabase and Firebase is encrypted on disk by those providers.
  • Group-chat end-to-end encryption is on the roadmap for a future release. Today, group-chat messages are not end-to-end encrypted — they're encrypted in transit and at rest, but the storage operator (Mend Labs) has technical access. If end-to-end encryption is a hard requirement for you, please wait for the release that adds it.

/07Where data lives

  • On your device (always — for offline-first operation).
  • On Supabase (Postgres + Storage) — only when you sign in. Operates in the United States.
  • On Firebase Cloud Messaging — push tokens only, no content. Operates in the United States.
  • On Firebase Crashlytics & Analytics — crash and usage telemetry only. Operates in the United States.

Supabase and Firebase are GDPR-compliant data processors.

/08Children

Stu.Do is intended for students aged 13 or older. We do not knowingly collect data from children under 13. If you believe a child under 13 has signed up, email us at hello@stu.do and we'll delete the account.

/09Your rights

You can:

  • Delete your data — Settings → Account → Delete account. Permanent, removes everything tied to your account within minutes.
  • Export your data — coming soon. Until then, email hello@stu.do for a manual export.
  • Ask questions or make requests — email hello@stu.do anytime.

Under GDPR / CCPA you have the right to access, correct, delete, restrict processing of, or port your data. The Delete Account button covers most of these; for anything else email us and we'll respond within 30 days.

/10Changes

We may update this policy as the app evolves. Material changes will be highlighted in-app or via email before they take effect.

/11Contact

Mend Labs LLC
hello@stu.do