Data Handling Policy

Studytrix is built on a local-first principle: your data belongs to you and should live on your device. The application is designed so that the developer — a single person — never has access to your files, your notes, your search queries, or your personal information. This is not just a policy commitment; it is reflected in the technical architecture.

Because the project is open source under the MIT License, every data handling claim in this document can be verified by reading the source code in the public repository.

IndexedDB is the primary persistent store. It holds: offline file blobs downloaded from Google Drive; folder and file metadata cached from Drive API responses; the semantic search embedding vectors generated by the on-device AI model; download task history and status; Personal Repository configuration; and Quick Capture media content (photos, text notes, voice recordings).

localStorage holds: application settings and feature toggles; onboarding state; user personalisation preferences; study set and pinned file configuration; and smart collection state.

The Cache Storage API, managed by the Service Worker, holds: application shell assets (JavaScript, CSS, fonts, icons) required for offline PWA operation. It does not cache Google Drive file content.

The server component of Studytrix is intentionally minimal. It exists primarily as a secure proxy to avoid exposing Google Drive service account credentials in the client application. It performs the following operations and nothing more.

Drive Folder Listing Proxy: Accepts a folder ID from the client, queries the Google Drive API using a service account, and returns the folder contents. No user information is logged or stored.

File Stream Proxy: Streams a requested file from Google Drive to the client device. The file is not written to server storage at any point in this process.

Custom Folder Verification: Accepts a Drive folder ID, queries the Drive API to check accessibility and retrieve basic metadata, and returns the result. No user information is logged.

PDF Summarisation: Accepts extracted PDF text from the client, forwards it to the Google Gemini API, and returns the generated summary. The text payload is not persisted after the API call completes. This is the only server-side operation that processes document content, and it only runs when explicitly invoked by the user.

The Smart Search feature uses the bge-small-en-v1.5 embedding model, which runs entirely within a Web Worker in your browser. The model processes file metadata — folder paths, filenames, file types, and user-applied tags — to generate vector representations stored locally in IndexedDB.

No search queries, no file metadata, and no embedding vectors are ever transmitted to an external server as part of this feature. The model binary (~34MB) is downloaded once from Hugging Face CDN and cached in the browser. All subsequent inference runs locally.

The registered Service Worker intercepts network requests to serve cached application assets when offline. It is explicitly configured to not intercept Google Drive file stream requests, ensuring that file downloads always retrieve fresh content and are not served from a potentially stale cache.

The Service Worker uses a BroadcastChannel to notify the main application thread when new files are cached, which triggers background updates to the local semantic search index.

Browser storage is not guaranteed to be permanent. The amount of storage available varies by device and browser. The browser or operating system may evict locally stored data under storage pressure without warning.

iOS Safari applies a 7-day inactivity eviction policy to web app storage for apps not saved to the home screen. Installing Studytrix as a PWA (Add to Home Screen) prevents this and requests persistent storage from the browser. Installing the PWA is strongly recommended for regular users.

Private or incognito browsing sessions do not persist data between sessions. Using Studytrix in private mode will result in data loss when the session ends.

This is a solo developer open-source project. It is operated with awareness of and good-faith effort to comply with applicable Indian law, including the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023. The local-first, no-account architecture means the application collects minimal personal data by design.

If you have compliance concerns or questions about how the application handles data in your specific institutional context, please contact the developer and review the source code directly.

Contact: legal@attendrix.app