Privacy Policy

DALI OS is an internal tool operated by the DALI Lab at Dartmouth College. This policy covers the data the application collects, stores, and transmits when you sign in or link a Google account.

• Account profile: your name, Dartmouth or DALI email address, and profile photo, used to identify you inside the app.
• Membership and role data: your team assignments, domain eligibility, lab role, and project participation — managed by DALI staff and used to scope what you can see and do in the app.
• Work content you create: forms, tasks, comments, announcements, documents, and similar artifacts you author or collaborate on within the app.
• Google account data (only if you choose to link a Google account — see the next section).

You can optionally link a Google account so the app can read your calendar availability and create meetings on your behalf. When you authorize this, the application requests the OAuth scope https://www.googleapis.com/auth/calendar and uses it to:

• Read your free/busy times across your linked calendars to find mutual availability when scheduling meetings with other lab members. The app reads busy time blocks only — it does not read event titles, descriptions, attendee identities, or attachments.
• List your calendars (id and display name only) so you can choose which calendar should receive new events the app creates.
• Create calendar events when you or another lab member schedules a meeting through the app, and update those events' attendee response status as members RSVP.

The app does not read, modify, or delete calendar events that it did not create. It does not access any other Google service through your linked account beyond the scopes listed above.

A single shared lab account (applications@dali.dartmouth.edu) is authorized with the scope https://www.googleapis.com/auth/gmail.send so the application can send transactional email — interview invitations, decision notifications, and similar lab correspondence — from that single address. The app does not read inboxes, list messages, or access any user's personal Gmail.

OAuth access and refresh tokens issued to the application are encrypted with AES-256-GCM before being written to the database. The encryption key is held only in the deployment's runtime environment and is not stored alongside the tokens. Tokens are scoped to your user record and are deleted when you disconnect the integration or when an administrator removes you from the lab.

• To authenticate you and authorize what you can do in the app.
• To display lab content (projects, tasks, applications, calendars, announcements) to the people who should see it.
• To schedule and update calendar events you participate in, when you have opted in to the Google Calendar integration.
• To send transactional email from the lab's shared account (interview invitations, decisions, scheduling confirmations).

We do not use your data for advertising, profiling, training machine-learning models, or sale to third parties.

DALI OS data is not sold or shared with third parties for marketing. The application relies on the following processors, each handling only the data needed to perform its function:

• Neon — managed PostgreSQL hosting (all application data).
• Fly.io — application hosting and request handling.
• Google — Calendar / Gmail APIs (only for accounts you have linked or, in the case of Gmail, the shared lab account).
• AWS S3 — file uploads attached to forms and applications.
• Slack — optional notifications routed to a member's Slack DM, if a Slack user id is on file.

You can disconnect your linked Google account at any time from Settings → Connected Apps inside DALI OS. Doing so deletes the stored tokens for that account and stops the application from making Calendar API calls on your behalf.

You can also revoke the application's access directly from your Google account at myaccount.google.com/permissions. Revoking there invalidates the stored tokens immediately; the next API call from the app will fail and the integration will be marked disconnected.

Account, membership, and content data persists for as long as you are an active or alumni member of the DALI Lab. Google OAuth tokens are deleted when you disconnect the integration. Application logs containing request metadata are retained for up to 30 days for operational purposes.

To request deletion of your data, email staff@dali.dartmouth.edu. We will remove identifying account information within 30 days, subject to records the Lab is required to retain for academic or administrative reasons.

When this policy changes in a material way, we will update the "Last updated" date at the top and, where appropriate, notify active users in-app. Earlier versions are available in the application's source repository.

Questions about this policy or how DALI OS handles your data: staff@dali.dartmouth.edu.