Privacy Policy

Expresso (“the Platform,” “we,” “us,” or “our”) is a mentorship platform operated by AggieWorks at UC Davis that connects UC Davis students with alumni and professional mentors for coffee chats. This Privacy Policy explains what information we collect, how we use it, how we share it, how we store it, and how you can request deletion.

By signing in with Google or otherwise using the Platform, you agree to this Privacy Policy. For terms governing your use of the Platform, see our Terms of Service.

We collect the following categories of information:

• Google account information (OAuth)— When you sign in with Google, we receive your name, email address, profile picture, and whether your email is verified. Students must use a @ucdavis.edu address unless approved as a mentor with another registered email.
• Google Calendar data (when authorized)— If you grant calendar access, we may create or update calendar events for confirmed mentorship sessions, including Google Meet links where applicable, solely to facilitate scheduling and attendance for those sessions.
• Profile and mentorship data— Information you provide during onboarding and in your profile (for example, bio, academic year, major, career interests, work experience, fun facts, and profile photos you upload).
• Scheduling data— Mentor availability templates, booking times, session notes or locations you submit, and booking status (confirmed, cancelled, or rescheduled).
• Session and security data— HTTP-only session cookies and related authentication tokens used to keep you signed in and protect your account.
• Usage analytics (optional)— If enabled, we use PostHog to collect anonymized or pseudonymous usage events (such as page interactions) to improve the Platform. We do not use analytics data to sell advertising profiles.

We use personal information only to operate, secure, and improve the Platform, including to:

• Authenticate you and maintain your account and session.
• Display mentor and student profiles and enable mentor discovery.
• Manage availability, bookings, rescheduling, and cancellations.
• Send transactional emails (for example, booking confirmations, updates, and calendar invitations) related to your mentorship sessions.
• Create calendar events and meeting links for confirmed sessions when you have authorized Google Calendar access.
• Enforce eligibility, acceptable use, and platform security.
• Diagnose errors and improve product experience through aggregated analytics.

We do not use your personal information for unrelated advertising, and we do not sell your personal data to third parties.

The use of information received from Google APIs will adhere to the Google User Data Policy, including the Limited Use requirements.

Specifically, for data obtained through Google:

• We use Google sign-in data (name, email, profile photo) only to create and manage your Expresso account and profile.
• We use Google Calendar access only to create and manage calendar events tied to mentorship sessions you book or host on Expresso, including generating meeting links when that feature is enabled.
• We do not use Google user data for serving third-party advertisements, credit worthiness decisions, or unrelated data brokerage.
• Human access to Google user data is limited to personnel who need it to operate or support the Platform, fix security issues, or comply with law, and only when reasonably necessary.

We may share information only as follows:

• Between users— Mentor profiles and limited booking-related details are visible to other authenticated users as needed to schedule mentorship sessions. Mentor email addresses are not shown publicly on mentor profile pages.
• Service providers— We use trusted vendors that process data on our behalf under contractual obligations, including:
  • Google (OAuth and, when authorized, Calendar)
  • Resend (transactional email delivery)
  • Cloudflare R2 (profile and experience image storage)
  • PostHog (product analytics, when enabled)
  • Our hosting and database infrastructure providers
• UC Davis / AggieWorks— As a student-run program affiliated with UC Davis, we may share information with AggieWorks administrators for program operations, safety, or policy enforcement.
• Legal requirements— We may disclose information if required by law, court order, or to protect the rights, safety, and security of users or the Platform.

We do not sell personal information.

Data is stored on secure servers (PostgreSQL databases and object storage) operated by our infrastructure providers. Session tokens are stored in our database and referenced by HTTP-only cookies in your browser.

We retain personal information for as long as your account is active or as needed to provide the Platform, comply with legal obligations, resolve disputes, and enforce our agreements. Booking and email records may be retained for a reasonable period for operational and audit purposes even after a session occurs.

We use industry-standard measures including HTTPS, HTTP-only session cookies, access controls, and server-side validation. No method of transmission or storage is fully secure; we cannot guarantee absolute security.

You can:

• Update most profile fields from your Expresso profile settings.
• Revoke Expresso's access to your Google account at any time via your Google Account permissions page.
• Request account deletion or export of your data by emailing [email protected]. We will delete or anonymize personal data within a reasonable timeframe, except where retention is required by law or for legitimate operational backups.

Deleting your Expresso account does not automatically delete calendar events already created in your Google Calendar; you may remove those directly in Google Calendar.

The Platform is intended for users who are at least 18 years old or the age of majority in their jurisdiction. We do not knowingly collect personal information from children under 13.

We may update this Privacy Policy from time to time. We will post the revised policy on this page with an updated “Last updated” date. Material changes may also be communicated through the Platform or by email where appropriate.

For privacy questions, data access requests, or deletion requests, contact: