1. Who We Are
Buoy is a homework visibility tool that helps parents see what's happening with their kids' schoolwork without constant nagging. A lifeline, not a leash.
In this policy:
- "Buoy," "we," "our" means Buoy LLC
- "Service" means the Buoy website, mobile app, email processing, push notifications, and connected features
- "You" means the parent or guardian who creates an account
The Service is designed for adults 18 years and older. If you are under 18, you may not create an account. Children may only interact with the Service (by adding assignments or marking signals) under the direct supervision and at the instruction of their parent or guardian who holds the account.
Contact us about privacy:
For users in the European Union and United Kingdom, Buoy is the "data controller" of your personal data under GDPR.
2. What This Policy Covers
This policy explains in plain language:
- What data we collect and why
- How we use and protect your data
- Who we share it with (spoiler: we don't sell it)
- How long we keep it
- Your rights and how to exercise them
- How to control email forwarding and notifications
3. Data We Collect
3.1 Account and Contact Data
When you sign up, you provide:
- Name
- Email address
- Password (stored in hashed/encrypted form only)
- Time zone and preferences
3.2 Family and Child Data
To organize homework by child, you provide:
- Children's names (first name or nickname is sufficient)
- School name and grade level
- Class schedules (optional, for block day resolution)
- Teacher names (extracted from forwarded emails)
Note: We only need first names or nicknames for children. We don't need or want detailed personal information about your kids beyond what's necessary to organize their schoolwork.
3.3 Email Forwarding Data
When you forward school emails to Buoy, we receive:
- Email sender, recipient, subject line
- Email body content (text and HTML)
- Timestamps
We send this content to Anthropic's Claude API to extract assignment details (title, due date, class, child), then create dashboard entries from the parsed information.
3.4 Screenshot and Image Data
When you upload screenshots of school portals (Canvas, Google Classroom, etc.), we receive:
- The image file
- Any text visible in the image
- Upload timestamps
We send images to Anthropic's Claude API for parsing, extract assignment information, and create dashboard entries.
3.5 Assignment and Homework Data
We store structured data about assignments:
- Assignment titles and descriptions
- Due dates and test dates
- Class/subject associations
- Which child the assignment belongs to
- Completion status
- Kid signals (Easy/Okay/Hard) if your child uses this feature
3.6 Push Notification Data
When you enable push notifications, we store:
- Push notification tokens (device identifiers for delivering notifications)
- Notification preferences (digest time, quiet hours)
- Notification delivery logs
What we send: We send ONLY transactional notifications related to your use of Buoy:
- Daily digest summaries ("2 tests this week, 5 assignments due")
- Test reminders (2 days before, 1 day before)
- "Hard" signal alerts when your child marks something as difficult
- Occasional feature announcements (a few times per year maximum)
What we DON'T send:
- Marketing notifications about third-party products
- Promotional offers
- Spam
3.7 Payment and Billing Data
For paid subscriptions, Stripe processes payments. We receive from Stripe:
- Last 4 digits of card, card brand, expiration date
- Billing name and address
- Subscription status, plan type, billing history
We never see or store full credit card numbers. Stripe handles all payment card data in PCI-compliant infrastructure.
3.8 Usage and Technical Data
When you use the Service, we automatically collect:
- IP address
- Browser type and version
- Device type and operating system
- Pages visited and features used
- Error logs and performance data
- Timestamps of actions
This helps us keep the Service running, fix bugs, and improve performance.
3.9 Cookies and Tracking
We use essential cookies to:
- Keep you logged in
- Remember your preferences
- Prevent fraud and abuse
We use analytics cookies to:
- Understand which features are used
- Identify performance issues
- Improve the user experience
We do not use advertising cookies or sell data to ad networks.
4. How We Use Data
4.1 To Provide the Service
We use your data to:
- Create and manage your account
- Parse email and screenshot content into structured assignment data using AI (Claude API)
- Display assignments in The Glance and The Briefing dashboards
- Send push notification digests and reminders
- Generate AI summaries of what's coming for each child
- Track kid signals (Easy/Okay/Hard) when children use this feature
Legal basis (GDPR): Performance of contract (we need this data to deliver the service you signed up for)
4.2 To Secure and Maintain the Service
We use data to:
- Detect and prevent fraud, spam, and abuse
- Monitor system performance and uptime
- Debug errors and fix bugs
- Keep audit logs for security investigations
- Prevent unauthorized access
4.3 To Handle Payments and Subscriptions
We use billing data to:
- Process subscription charges through Stripe
- Manage plan upgrades, downgrades, and cancellations
- Issue receipts and handle refunds
- Maintain financial records for tax and accounting purposes
4.4 To Communicate With You
We send you:
- Service emails about account changes, security alerts, and billing
- Push notification digests and reminders
- Responses to support requests
- Onboarding tips to help you use Buoy effectively
We do not send marketing emails or push notifications about third-party products.
4.5 To Comply With Law
We may use or disclose data to:
- Respond to valid legal requests from law enforcement or courts
- Protect our rights, property, or safety, and those of our users
- Enforce our Terms of Service
- Meet record-keeping requirements
5. Legal Basis for Processing (EU/UK Users)
Under GDPR, we rely on these legal bases:
Contract: Processing necessary to provide the Service you signed up for (account creation, email parsing, dashboard display, payment processing)
Legitimate interests: Processing for security, fraud prevention, service improvement, and customer support
Consent: For optional features like email forwarding or analytics that require explicit consent
Legal obligations: Processing required by law, such as keeping financial records
6. Email Forwarding and AI Processing
6.1 How Email Forwarding Works
Email forwarding is a core feature of Buoy. When you forward school emails:
- You forward schedule-related emails to your unique Buoy email address
- We receive and store the email in our database (Supabase)
- We send the email content to Anthropic's Claude API for parsing
- Claude extracts assignment details (title, date, class, child)
- We create dashboard entries based on the parsed information
6.2 What You Should and Shouldn't Forward
Good to forward:
- Teacher assignment announcements
- School event notifications
- Test and quiz schedules
- Google Classroom or Canvas notifications
- Activity coordinator updates
Don't forward:
- Medical records or health information
- Financial statements or tax documents
- Government IDs or Social Security numbers
- Confidential business information
- Anything you wouldn't want processed by a third-party AI
6.3 AI Processing Disclosure
We use Anthropic's Claude API (a large language model AI) to parse email and screenshot content.
What Claude does: Reads message and image content and extracts structured data (assignment name, date, class, child)
What Claude doesn't do:
- Make decisions about your account
- Contact you directly
- Store or train on your data (Anthropic's API terms prohibit training on customer data)
- Access any other part of your account
Human review: We generally don't review your content unless you contact support about a parsing error.
6.4 How to Control Email Forwarding
Stop forwarding anytime:
- Turn off forwarding rules in Gmail/Outlook
- Delete stored emails from your Buoy dashboard
- Email support@getbuoy.co to request deletion of all forwarded email data
Deletion timeline: When you request deletion, we remove forwarded emails from active storage within 7 days, and from backups within 90 days.
7. Data Sharing
7.1 We Don't Sell Your Data
We do not sell or share personal information for cross-context behavioral advertising. Period.
We're not an ad-tech company. We're a family homework tool. Your data stays between you, us, and the service providers we need to make Buoy work.
7.2 Service Providers (Data Processors)
We share data only with vendors who help us operate the Service. These vendors are contractually required to protect your data and use it only for providing services to Buoy.
Anthropic
Purpose: AI parsing of emails and screenshots
Data shared: Email content, screenshot images for parsing
Supabase (AWS)
Purpose: Database hosting and authentication
Data shared: All account and service data
OneSignal
Purpose: Push notification delivery
Data shared: Device tokens, notification content
Stripe
Purpose: Payment processing (PCI DSS certified)
Data shared: Billing info, subscription data
Vercel
Purpose: Website and app hosting
Data shared: Usage logs, visitor data
7.3 Legal Disclosures
We may disclose data to:
- Law enforcement or government agencies in response to valid legal requests
- Courts or regulators when required by law
- Professional advisers under confidentiality obligations
- Acquirers if Buoy is sold (see Section 13)
8. International Transfers
8.1 Data Location
Your data is primarily stored in the United States (Supabase/AWS US regions). Most vendor infrastructure is US-based.
8.2 For EU and UK Users
If you're in the European Union or United Kingdom, your data will be transferred to the United States for processing.
Safeguards we use:
- Standard Contractual Clauses with our US vendors
- Vendor commitments to GDPR-equivalent data protection standards
- Encryption in transit and at rest
- Regular security assessments
9. Data Retention
9.1 How Long We Keep Data
We keep data only as long as necessary:
Account data: Kept while your account is active, plus 1 year after account closure
Email forwarding content: Kept for up to 90 days for troubleshooting, then deleted
Assignment data: Kept while your account is active or until you delete specific items
Billing records: Kept for 7 years to comply with tax laws
System logs: Retained for 90 days for security and debugging
10. Your Rights and Controls
10.1 Rights for All Users
Everyone who uses Buoy can:
- Access: Request a copy of personal data we hold about you
- Correction: Ask us to fix inaccurate or incomplete information
- Deletion: Request deletion of your personal data
- Portability: Get a machine-readable copy of key data you provided
- Objection: Object to certain processing based on our legitimate interests
- Restriction: Ask us to temporarily limit processing in specific situations
10.2 How to Exercise Rights
Email us: support@getbuoy.co with your request
In-app: Settings > Data & Privacy > Download My Data or Delete Account
Response time: We respond within 30 days
10.3 Push Notification Controls
To manage push notifications:
- Go to Settings in the Buoy app
- Toggle notifications on or off
- Set your preferred digest time
- Configure quiet hours
10.4 California Residents (CCPA/CPRA Rights)
If you live in California, you have additional rights:
- Right to know: Request details about personal information collected
- Right to delete: Request deletion
- Right to correct: Request correction of inaccurate information
- Right to opt out: We don't sell data, but you can still ask us not to
- Right to non-discrimination: We won't treat you differently for exercising your rights
10.5 EU and UK Residents (GDPR Rights)
If you're in the EU or UK:
- Right to withdraw consent: For processing based on consent, you can withdraw at any time
- Right to lodge a complaint: File a complaint with your national data protection authority
11. Children's Privacy
11.1 Age Requirement
You must be 18 years or older to create a Buoy account. If you're under 18, do not sign up, do not provide information, and do not use the Service.
11.2 Children Using the Service
The Service is designed for parents to manage family homework. Children may interact with Buoy (by adding assignments or marking Easy/Okay/Hard signals) ONLY:
- At the instruction of their parent or guardian
- Under the supervision of the account holder
- For the sole purpose of tracking schoolwork
Parents are responsible for:
- Explaining to children what Buoy does and how it works
- Monitoring what children enter into Buoy
- Ensuring children don't share inappropriate or sensitive information
11.3 COPPA Compliance
We do not knowingly collect personal information from children under 13 except as directed by parents through the Service. If we learn we've collected data from a child under 13 without proper parental involvement, we'll delete the information as soon as possible.
12. Security
12.1 How We Protect Data
We use industry-standard security measures:
Encryption: All data transmitted uses TLS 1.2 or higher. Data at rest is encrypted (AES-256).
Access controls: Role-based access for staff, multi-factor authentication for admin access
Infrastructure: Secure cloud hosting with Vercel and AWS (via Supabase)
Monitoring: Automated alerts for suspicious activity
12.2 Breach Notification
If we experience a data breach that poses a high risk to your rights, we'll notify you by email within 72 hours of discovering the breach, explain what happened and what data was affected, and notify relevant authorities as required by law.
13. Business Changes
13.1 If Buoy is Sold or Acquired
If we're acquired by or merged with another company:
- Your data may be transferred as part of the transaction
- The new owner would still be bound by this Privacy Policy
- We'll notify you by email before the transfer
- If the new owner wants to change data handling, they must give you notice and choice
13.2 If Buoy Shuts Down
If we decide to discontinue the Service:
- We'll give you at least 90 days' notice
- We'll provide tools to export your data
- We'll delete your data per our retention schedule unless you export it
14. Changes to This Policy
We may update this policy when we add new features, laws change, or we improve our privacy practices.
For significant changes:
- We'll email you at your account email address
- We'll show a notice in the app when you next log in
- We'll give you at least 30 days' notice before changes take effect
- We'll update the "Last Updated" date at the top
15. Contact Us
Privacy questions or requests:
Email: support@getbuoy.co
Response time: We acknowledge privacy inquiries within 5 business days and provide a full response within 30 days.
Quick Reference
- What we collect: Account info, forwarded emails, screenshots, assignment data, notification preferences
- AI processing: We use Claude to parse emails/screenshots - data is not used to train AI models
- Data sharing: We don't sell data. We share with service providers only.
- Your controls: Manage notifications in Settings, stop forwarding anytime, delete account anytime
- Data location: United States (AWS/Supabase)
- Retention: Active data kept while account active, emails kept 90 days, billing kept 7 years
- Questions: support@getbuoy.co