Privacy Policy
Last updated: April 16, 2026
StayDue (“we”, “us”, “our”) is operated by Talha Ahmad. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use StayDue (the “Service”). By creating an account or using the Service, you agree to this policy.
1. Information We Collect
Account information. When you create an account, we collect your name, email address, password (stored as a secure hash — never in plain text), and your university admission year.
Phone number. If you opt in to WhatsApp reminders, we collect your Pakistani mobile phone number in E.164 format (+92XXXXXXXXXX). Providing a phone number is optional.
Calendar data. When you connect your Moodle calendar, we collect your Moodle ICS export URL and the deadline title, due date, and course information contained in your calendar feed.
Payment information. When you submit a subscription request, we collect a screenshot of your payment receipt, a transaction ID, and your preferred payment method name. We do not collect or store credit card numbers, full bank account numbers, or other financial credentials.
Usage data. We automatically collect limited usage information including login timestamps, deadline interaction events (marking a deadline done or undone), and calendar sync timestamps.
2. How We Use Your Information
We use the information we collect to:
- Create and manage your account
- Fetch and display your assignment deadlines on the dashboard
- Send deadline reminder emails to your registered email address
- Send deadline reminder messages to your WhatsApp number (only if you provide one and opt in)
- Process and review your subscription payment
- Respond to your support requests
- Detect and prevent fraudulent use of the Service
- Improve the Service
3. Third-Party Services
We rely on the following third-party services to operate StayDue. By using the Service, you agree to the applicable privacy practices of each service listed below.
MongoDB Atlas (MongoDB, Inc.)
Your account data, deadlines, and subscription records are stored on MongoDB Atlas database servers. Data may be processed and stored in the United States. Privacy Policy
Vercel, Inc.
StayDue is hosted and served through Vercel. All requests to the Service pass through Vercel's infrastructure. Privacy Policy
Cloudflare, Inc. (R2 Object Storage)
Payment receipt screenshots are stored in Cloudflare R2 private object storage. Screenshots are accessible only via time-limited signed URLs generated for admin review. Privacy Policy
Resend
We use Resend to deliver transactional emails, including OTP verification codes, password reset emails, and deadline reminder emails. Your email address and associated deadline information are transmitted to Resend for delivery. Privacy Policy
Meta Platforms, Inc. (WhatsApp Business Cloud API)
If you provide a phone number and opt in to WhatsApp reminders, your phone number and deadline information are transmitted to Meta's WhatsApp Business Cloud API to deliver notification messages to your WhatsApp account. By providing your phone number and activating WhatsApp reminders, you consent to this processing by Meta. You may withdraw consent at any time by removing your phone number in Settings → Notifications. Privacy Policy
Google (OAuth Sign-in)
If you choose to sign in with Google, your name and email address from your Google account are shared with StayDue under the OAuth 2.0 scopes you approve. We do not receive access to your Google account beyond what is required for authentication. Privacy Policy
4. Data Retention
- Active accounts: your data is retained for as long as your account remains active.
- Deleted accounts: all account data, deadlines, and subscription records are permanently deleted within 30 days of account deletion. You can delete your account at any time via Settings → Danger Zone → Delete Account.
- Payment screenshots: retained for up to 90 days after subscription expiry for accounting reconciliation, then permanently deleted.
- Backups: deleted data may persist in encrypted database backups for up to 30 additional days before being overwritten.
5. Your Rights
You may at any time:
- View and edit your account via Settings → Account
- Remove your phone number to stop WhatsApp messages via Settings → Notifications
- Delete your account and all associated data via Settings → Danger Zone → Delete Account
- Contact us for any other privacy-related request using the contact details below
6. Security
We take reasonable technical and organisational measures to protect your data:
- Passwords are hashed using bcrypt before storage
- One-time verification codes are hashed with SHA-256 and expire within 15 minutes
- All communication is over HTTPS
- Payment screenshots are stored in private cloud storage and accessible only via short-lived, signed URLs
- Session tokens are managed via secure, HTTP-only cookies using NextAuth
No security system is impenetrable. If you become aware of a security concern, please contact us immediately.
7. Children's Privacy
StayDue is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.
8. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by displaying a notice in the Service. Your continued use of the Service after changes take effect constitutes your acceptance of the updated policy. The “Last updated” date at the top of this page reflects when the policy was last revised.
9. Contact
For privacy-related questions, requests, or to exercise your rights, contact us at:
Email: contact@staydue.app