Privacy Policy

What We Collect

Momentum collects the minimum data needed to deliver your daily study plan:

• Google account info— name, email, and calendar events (read-only) via Google OAuth.
• Phone number— provided during onboarding for SMS delivery.
• Syllabus data— uploaded by you to generate assignment schedules.
• SMS messages— inbound and outbound messages processed to provide planning assistance.

How We Use It

Your data is used solely to generate and deliver personalized daily plans. We do not sell, rent, or share your personal data with third parties for marketing purposes.

Limited Use of Google User Data

Momentum’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

The use of raw or derived user data received from Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements.

Specifically, Momentum uses Google Calendar data solely to provide user-facing features: (1) writing events you create in Momentum to your Google Calendar, and (2) reading your calendar to generate AI-powered daily study plans and SMS briefings. We do not use this data for advertising, do not allow humans to read it (except with your explicit consent, for security investigations, or where required by law), and do not transfer it to third parties except as necessary to provide or improve these user-facing features.

Third-Party Services

We use the following services to operate Momentum:

• Supabase— authentication and database storage.
• Google APIs— calendar access via OAuth.
• Twilio— SMS messaging.
• Anthropic— AI processing for plan generation.
• Vercel— hosting and serverless functions.

Data Retention

Your data is retained as long as your account is active. You may request deletion of your account and all associated data by contacting us.

How We Protect Your Data

• Encryption in transit— all communication between your device, Google, and Momentum is protected with TLS 1.3.
• Encryption at rest— user data, including OAuth refresh tokens and synced calendar events, is encrypted with AES-256 via Supabase.
• Credential handling— Momentum does not store passwords. Authentication is handled entirely through OAuth 2.0. You can revoke access at any time via Google Account Permissions.
• Access controls— row-level security is enforced in Supabase so each user can only access their own data. Personnel access is restricted, logged, and justified.
• Data retention and deletion— OAuth tokens are deleted immediately when you disconnect your Google account or delete your Momentum account. Associated calendar data is purged within 30 days. To request deletion, email privacy@momentum.study.
• No sale or advertising use— we do not sell user data or use Google user data for advertising.
• Sub-processors— Supabase (database and storage), Vercel (hosting), Anthropic (AI processing), and Twilio (SMS). AI prompts sent to Anthropic do not include raw OAuth tokens.
• Breach notification— in the event of a data breach affecting your information, we will notify affected users within 72 hours.

Contact

For privacy questions, contact us at privacy@momentum.study.