Privacy Policy

1. Information We Collect

When you use DrFrostSync, we collect only the data necessary to provide the service:

• ✓Account information — your email address and authentication token, collected when you sign up or log in
• ✓DrFrost session cookie — the single _df_session login cookie for drfrost.org, read by the extension and transmitted to our backend so it can fetch your skill summary from DrFrost on your behalf — no other cookies are collected
• ✓Skill names and topic units — e.g. "Density", "Compound Measures" — the category labels DrFrost shows you, extracted by the browser extension
• ✓Wrong-answer count per skill — a single integer per skill (e.g. ×3) indicating how many times you answered that skill incorrectly — not the questions or your actual responses
• ✓Practice link URLs — the publicly available DrFrost links for each skill, extracted from the page the extension reads
• ✓Status you set manually — whether you marked a skill as Not Started, In Progress, or Done
• ✓Subscription status — whether you are on a free or paid plan, managed via Stripe
• ✓Usage timestamps — the date and time when a sync was performed, used to display your last-synced information

We do not collect:

• ✕Homework questions, exam questions, or any question content
• ✕Your answers or solutions to any questions
• ✕Individual scores, grades, or marks
• ✕Your browsing history on DrFrost or any other website
• ✕Any content from DrFrost pages beyond skill labels and wrong-answer counts
• ✕Keystroke data, mouse movements, or screenshots

2. How We Use Your Data

We use the data we collect solely to operate and improve DrFrostSync:

• To authenticate you and maintain your account session.
• To store your synced skill data and display it in your Notion workspace or dashboard.
• To track your subscription status and enforce plan limits.
• To display your last-sync timestamp so you know when your data was last updated.
• To send transactional emails (e.g. account creation confirmation, password reset). We do not send marketing emails without your explicit consent.
• To diagnose and fix technical issues when errors are reported.

We do not use your data for advertising, profiling, or any purpose unrelated to operating the service.

3. How the Browser Extension Handles Data

The DrFrostSync Chrome extension operates as follows:

• It is active only while you are on drfrost.org and only does anything when you open the popup and click the sync button.
• Before any data is collected, the popup shows a clear disclosure and requires you to tick a consent box. The sync button stays disabled until you do. You can withdraw consent at any time by un-ticking it.
• On sync, it reads a single cookie — your DrFrost login session cookie (_df_session) — using Chrome's cookies permission, scoped to drfrost.org. It does not read any other cookies.
• That session cookie is sent over HTTPS to our backend, which uses it to request your skill names, topic units, wrong-answer counts and practice links from DrFrost on your behalf. Only this derived skill summary is stored in your account — the cookie itself is used in-memory for the request and is not retained after the sync completes.
• The extension does not run in the background, does not record keystrokes, does not take screenshots, does not read page content, and does not access any website other than drfrost.org.
• The only data stored locally by the extension is your DrFrostSync authentication token and your consent setting, kept in Chrome's extension storage.

4. Data Storage

Your data is stored in the following systems:

• Google Firestore — a cloud database operated by Google LLC, located in data centres in the United States (us-central1 region). Your skill records and account information are stored here.
• Firebase Authentication — used to securely manage account credentials. Passwords are hashed and never stored in plain text.
• Stripe — payment and subscription data is stored exclusively by Stripe, Inc. DrFrostSync never stores your card number, CVV, or bank details.

All data transmitted between your browser, the extension, and our servers is encrypted using TLS (HTTPS).

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:

• Service providers: Google (Firebase/Firestore for database and auth) and Stripe (for payments) act as data processors on our behalf under their respective data processing terms. They are contractually prohibited from using your data for their own purposes.
• Notion API: If you connect a Notion workspace, your skill data is written to your own Notion database using an integration token you provide. We do not share data with Notion beyond what you direct us to sync.
• Legal requirements: We may disclose data if required by law, court order, or a valid government request, or to protect the rights and safety of users.
• Business transfers: In the event of a merger or acquisition, user data may be transferred to the new entity, who will be bound by this policy.

We do not share your data with advertisers, analytics platforms, or any third party for commercial purposes.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the service:

• Account and skill data is retained for the lifetime of your account.
• If you delete your account, all associated skill records, sync history, and account information are permanently deleted within 30 days.
• Stripe retains billing records as required by financial regulations (typically 7 years); this is governed by Stripe's own retention policy.
• Server access logs (IP address, timestamp, endpoint) are retained for up to 90 days for security and debugging purposes, then automatically deleted.

7. Security

We implement appropriate technical and organisational measures to protect your data, including: TLS encryption for all data in transit, Firebase Security Rules to restrict database access to authenticated account owners only, hashed credential storage via Firebase Authentication, and access controls limiting who on our team can access user data. No method of transmission or storage is 100% secure; if you believe your account has been compromised, please contact us immediately.

8. Children's Privacy

DrFrostSync is designed for use by secondary school students and may be used by individuals under the age of 13. We collect only the minimum data necessary to operate the service (email address and skill summary data), and we do not use this data for advertising or profiling. We do not knowingly collect sensitive personal information from children. If you are a parent or guardian and believe your child has provided information to us without your consent, please contact us at lishan.shuwei@gmail.com and we will promptly delete it.

9. Your Rights and Choices

You have the following rights regarding your personal data:

• Access: You can view all skill data stored in your account via your dashboard at any time.
• Correction: You can update your email address or manually adjust skill statuses within the app.
• Deletion: You can request deletion of your account and all associated data by emailing us. We will complete the deletion within 30 days.
• Data portability: You can export your skill data from your dashboard in a machine-readable format upon request.
• Withdraw consent: You can disconnect the extension or delete your account at any time to stop further data collection.

To exercise any of these rights, contact us at lishan.shuwei@gmail.com.

10. Cookies and Local Storage

The DrFrostSync website uses a session cookie to keep you logged in. This cookie is strictly necessary for the service to function and does not track you across other websites. We do not use analytics cookies, advertising cookies, or any third-party tracking technology on this site. The browser extension stores your authentication token in Chrome's local extension storage solely to authenticate API requests.

11. Payments

Subscription payments are processed by Stripe, Inc. When you enter payment details, you are submitting them directly to Stripe's secure servers. DrFrostSync never receives, sees, or stores your card number, CVV, or bank account details. Stripe's own Privacy Policy governs how Stripe handles your payment data.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where required, notify you by email. Continued use of DrFrostSync after changes are posted constitutes your acceptance of the updated policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at: lishan.shuwei@gmail.com
We aim to respond to all enquiries within 5 business days.