Privacy Policy

Overview

Firuva (“we”, “our”, “us”) is a student-built academic life manager that connects to your university’s Canvas LMS account. This policy explains what data we collect, how we use and store it, and your rights. We keep things plain and specific — we don’t pad this policy with legalese.

1. Data we collect

We collect only what is necessary to provide the service:

Account data: Your email address, used to identify your account and authenticate you with Supabase.
Canvas credentials: An OAuth access token and refresh token (or a Personal Access Token if you choose that sign-in method), along with your Canvas instance URL and your Canvas display name.
Academic data synced from Canvas: Enrolled courses (name, course code, term), assignment groups and their grade weights, individual assignments (name, due date, points possible, your score), and course file metadata. We do not sync submission content, messages, or discussion posts.
Optional display name: A name you set in your Firuva profile settings, used only for display in the app.

2. How we use your data

To sync and display your courses, grades, and assignments within the app.
To calculate your GPA and track grade changes over time.
To power AI features such as study plan generation and course Q&A (using Anthropic’s Claude API).
To refresh your Canvas access token automatically so syncs keep working.
We do not use your data for advertising, sell it to third parties, or use it to train AI models.

3. How we store and protect your data

Token encryption: Your Canvas OAuth tokens and Personal Access Tokens are encrypted with AES-256-GCM before being written to the database. The encryption key is stored separately in an environment variable and never in the database.
Database: All data is stored in Supabase (hosted on AWS). Row-level security policies ensure that each user can only read and write their own data — no user can access another user’s records.
Transport: All communication between your browser, our servers, and Supabase is encrypted via HTTPS/TLS.
Read-only Canvas access: Firuva only reads data from Canvas. We never post, submit, grade, or modify anything in your Canvas account.

4. Third-party services

We use the following third-party services to operate Firuva:

Supabase

Database, authentication, and file storage. Hosted on AWS.

Vercel

Hosting and serverless functions for the Firuva web application.

Anthropic (Claude API)

Powers AI features such as study plan generation and course Q&A. Prompts sent to Anthropic do not include your Canvas credentials.

Your university's Canvas instance

The source of your academic data. Governed by your university's own privacy policies.

5. Data retention

We retain your data for as long as your account is active. If you request account deletion, we will permanently delete your account, encrypted tokens, and all synced academic data within 7 days. Anonymised, aggregated usage statistics (e.g. number of active users) may be retained indefinitely.

6. Cookies and tracking

Firuva uses HTTP-only session cookies set by Supabase to maintain your login state. We do not use advertising trackers, analytics pixels, or fingerprinting. We do not use Google Analytics or similar products.

7. Your rights

Access: You can view all data we hold about you by logging in to your account.
Correction: You can update your display name in Settings at any time.
Deletion: You can request full account and data deletion by contacting us.
Revocation: You can disconnect your Canvas account at any time from your Canvas account settings, which will invalidate the access tokens we hold.

8. Changes to this policy

If we make material changes to this policy — particularly around how we use or share data — we will notify signed-in users via an in-app banner before the changes take effect. The “Last updated” date at the top of this page reflects the most recent revision.

9. Contact

Questions, data requests, or concerns? Email us at privacy@canvai.app. We aim to respond within 3 business days.