Your data, your rules

Privacy Policy

We hate creepy data practices as much as you do. Here's exactly what we do (and don't do) with your info, including which AI services touch your data.

Last updated: July 2026 • 8 minute read

The 10-second version

We do not sell your data or track you around the internet. MIDNIGHT stores the account, coursework, uploads, integrations, and usage data needed to run the app. When you use AI, search, transcript, document, voice, image, video, or integration features, the relevant content may be processed by the providers that power those features.

What we collect

  • Account identifiers like your email, profile details, authentication/session records, and preferences
  • Content you create or upload, including notes, documents, images, grader submissions, rubrics, instructions, Tutor chats, knowledge-bank files, quizzes, flashcards, and generated outputs
  • Connected account data you authorize, such as Canvas, Google Classroom, Google Drive, and Notion metadata or content needed for the features you use
  • Coursework data such as courses, assignments, deadlines, grades, submissions, tasks, calendar events, study progress, quiz attempts, and flashcard progress
  • Usage, device, performance, and diagnostic metadata such as feature usage, rate-limit events, errors, and logs
  • Cookies and local storage for authentication, security, preferences, and analytics configuration

What we DON'T collect

  • Your browsing history outside of MIDNIGHT
  • Your social media or personal life unless you intentionally paste or upload it
  • Biometric data or precise location data
  • Data from other apps on your device that you did not connect or provide

AI & Third-Party Processing

  • When you use AI features, relevant prompts, files, extracted text, images, audio, transcripts, and outputs may be sent to providers such as Fireworks, Groq, Cerebras, OpenAI, Perplexity, Tavily, Firecrawl, Replicate, Supadata, and Modal depending on the feature.
  • OpenAI is used for embeddings; Fireworks, Groq, and Cerebras power generation, grading, tutoring, OCR, and study tools; Perplexity, Tavily, Firecrawl, and Supadata support research, web search, URL extraction, and transcripts; Modal and Replicate support document, voice, image, or video workflows.
  • We use these providers to deliver the feature you requested and choose/configure providers with student-data protections where available, but each provider processes data under its own terms, security program, and retention practices.
  • We do not sell your content, use it to build advertising profiles, or use it to train a MIDNIGHT-owned general-purpose model.

Analytics & Monitoring

  • PostHog may collect product analytics when configured; text and element attributes are masked, and autocapture, session recording, and performance capture are controlled by environment settings.
  • Sentry and server logs capture errors, performance traces, request metadata, and diagnostic context so we can debug, secure, and operate the app.
  • We try to keep academic content out of analytics and logs, but diagnostic logs may contain metadata or short content snippets when needed to troubleshoot a feature, investigate abuse, or protect the service.

Infrastructure

  • Vercel hosts the application; Supabase stores app data; WorkOS manages authentication and sessions; Upstash Redis handles caching, rate limiting, and locks.
  • Resend sends transactional emails; UploadThing stores uploaded files; Trigger.dev runs background jobs; Modal handles document and video processing; Infisical manages secrets and environment configuration.
  • If you connect integrations, Canvas, Google Classroom, Google Drive, and Notion receive or return data according to the actions you take and their platform rules.

How we use your data

  • To provide AI grading, tutoring, research, quiz generation, flashcard creation, document extraction, study tools, source downloads, and generated outputs
  • To sync connected services such as Canvas, Google Classroom, Google Drive, and Notion when you authorize those integrations
  • To track study activity, tasks, calendar items, streaks, feature usage, and progress across the product
  • To send transactional emails, security messages, account updates, and occasional product updates you can opt out of where applicable
  • To troubleshoot bugs, enforce limits, prevent abuse, protect accounts, and improve reliability

Who sees your stuff

  • Your account data is scoped to you in the app unless you share, export, submit, or connect it through an integration.
  • Third-party processors receive the minimum content reasonably needed for the feature you request.
  • Authorized team members may access account metadata, logs, and, when necessary for support, security, or debugging, limited user content.
  • We do not sell data to brokers, advertisers, schools, professors, or employers.
  • Law enforcement only receives data when we are legally required to provide it, and we will notify you if legally allowed.

Your rights

  • You can request or export account data from settings where the product supports it.
  • You can delete or deactivate your account; we remove or anonymize active account data where required and technically feasible.
  • Some backups, security logs, abuse-prevention records, and legal records may persist for a limited period.
  • You can disconnect integrations in settings, which removes stored tokens where supported.
  • You can opt out of nonessential emails while still receiving important security or account messages.

Keeping it safe

  • OAuth and LMS tokens, including Canvas, Google, and Notion credentials, are encrypted with AES-GCM before storage and decrypted server-side only when needed.
  • WorkOS authentication, scoped server-side Supabase access guards, owner checks, and Supabase RLS or policies where applicable help isolate user data.
  • CSRF protections, rate limits, request-size limits, file type and magic-byte validation, and SSRF-safe URL fetching reduce abuse and unsafe input risk.
  • Secrets and service-role credentials stay server-side and are not exposed to client code.
  • If we identify a breach affecting your personal data, we will notify affected users as required by law and appropriate to the incident.

Connected school and productivity accounts

  • If you connect Canvas or Google Classroom, we access courses, assignments, deadlines, submissions, grades, announcements, or related coursework data needed for the enabled sync features.
  • If you connect Google Drive or Notion, we access the selected files, pages, metadata, and actions you authorize.
  • Stored access or refresh tokens are encrypted before storage, and you can disconnect integrations in settings.
  • We do not intentionally access more integration data than needed for the features you use.

Children & Age

  • You must be at least 13 years old to use MIDNIGHT.
  • If you are between 13 and 17, you may need parental consent depending on your jurisdiction.
  • We do not knowingly collect data from anyone under 13.
  • If you believe a child under 13 has created an account, contact us and we will remove it.

For the legal nerds (GDPR/CCPA stuff)

If you're in the EU, you have GDPR rights. If you're in California, you have CCPA rights. Either way, you can:

  • • Access your data (email us, we'll send it)
  • • Correct mistakes (just update your profile)
  • • Delete or deactivate your account, with active data removed or anonymized where required and feasible
  • • Port supported account data through an export
  • • Object to processing (though that means closing your account)
  • • Request we stop selling your data (we don't sell it, but the right is yours)

Our promise to you

We built MIDNIGHT because we were tired of sketchy edtech companies harvesting student data. We'll never become what we hate. Your privacy isn't for sale, period.