Grades, assignment names, notes, exact due dates, professor names, emails, and exact schedule times are never shared publicly by default.
Security and privacy center
Build trust before scaling the product.
GradeNeeded is designed around student productivity data, so the social layer, premium roadmap, ads, and future cloud sync need clear boundaries from the start.
Privacy guardrails
What GradeNeeded should never casually expose.
Social features should use safe summaries like XP, badges, streaks, and broad workload counts.
Free-text public posting should stay disabled until moderation, reporting, and abuse controls exist.
API keys must only live in server environment variables and never in client components.
Local planner data should remain in the documented localStorage keys unless a migration is intentionally built.
Public-safe
- achievement badges
- XP level
- general streaks
- safe completed counts
Friend-only optional
- safe workload summary
- class names if allowed
- profile basics
Private only
- grades
- notes
- exact deadlines
- teacher names
- exact schedule times
- email addresses
Engineering checklist
Safety items before scaling.
Secret handling
Keep AI, payment, analytics, and database keys in server-side environment variables only. Never expose secrets in client code.
Auth-gated app routes
Private productivity routes should continue using Clerk-gated flows before cloud data is introduced.
Safe social sharing
Friend profiles and feed posts must avoid sensitive academic details and use template-based updates until moderation exists.
Payment readiness
Do not enable real payments until Stripe products, webhook verification, customer portal, and entitlement checks are implemented.
Ads readiness
Do not render real Google ads until publisher IDs, consent/privacy language, and layout slots are configured.
Input safety
Validate and cap user input before sending it to APIs, especially Study Helper and future upload features.