Harvest Kernel Faculty Toolkit

Privacy

How the Harvest Kernel Faculty Toolkit handles your data. Last updated June 2026 (beta). The student-data and FERPA terms below are newly added and are being finalized with legal counsel.

What we collect

  • Your account details (name, email, hashed password).
  • Course Records and preferences you enter (course details, policies, outcomes, branding).
  • Content you submit to a tool and the outputs it generates, when you save them to your Library.

How it is stored

Data is stored in a private PostgreSQL database and a persistent file volume hosted on Railway. Each account's data is isolated to that account. Passwords are stored only as one-way hashes. Data is encrypted in transit (HTTPS with HSTS) and at rest. Our hosting provider has confirmed in writing that stored data is encrypted at rest, covering the database, the file volume, and automated backups.

AI processing

To generate output, the text you provide and your course context are sent to Anthropic's API using a commercial API account. Under Anthropic's Commercial Terms, this content is not used to train models. Anthropic retains API inputs and outputs for 30 days and then deletes them, except where retention is required by law or to investigate misuse. Only the data needed to fulfill your request is sent. See our Sub-processors page for the full list of services we rely on and what each one does.

Student data and FERPA

The toolkit is built for instructors, and instructors sometimes enter information drawn from student education records, for example a student's name, feedback on their work, the text of an email they sent, or a grade. The Family Educational Rights and Privacy Act (FERPA) protects that information.

When an institution licenses the toolkit, the institution remains the party responsible for those education records under FERPA. Harvest Kernel operates as a "school official" under the institution's direction and direct control, under the school official exception (34 CFR 99.31(a)(1)). In plain terms: we handle student data only to run the tools the institution is paying us to run, and only as the institution directs.

What we collect that may include student data. Any text or file you submit to a tool, the outputs you save to your Library, and the course records you create. We do not ask for, and you should not enter, more student information than a task needs.

Legal basis. The school official exception under FERPA, exercised under your institution's direction. Where an institution has signed a Data Processing Agreement or FERPA addendum with us, that agreement governs.

Retention. We keep your data while your account is active. After an account is closed, we apply a grace period (currently 30 to 90 days, being finalized in our retention policy) and then permanently delete the data, except where the law requires us to keep it longer.

Your deletion and export rights. You can edit or delete your courses, preferences, and saved outputs at any time inside the app. On request we can permanently erase a student's data, a course's data, or an entire account's data, including files on our storage volume and any cached extracted text, and we record a logged confirmation when we do. You (or your institution) can also request a portable export of your data in a structured format with its associated files, which supports an institution's own FERPA access obligations.

What we do not do

We do not sell your data. We do not use it for advertising, and the toolkit shows no third-party advertising. We do not use student data to train AI or machine-learning models, and we require our AI provider to honor the same restriction. This is true both in our contracts and in how the product actually runs.

Sub-processors

We rely on a short list of trusted service providers (Anthropic for AI text generation, Railway for hosting, Resend for email, and Sentry for error monitoring). Each is bound to data-protection terms no less protective than our own, and we commit to giving notice before adding a new one that would handle student data. The current list, with what each provider does, is on our Sub-processors page.

Security and incident response

A plain-language summary of our security controls is on our Trust and Security page. If we ever confirm a breach affecting an institution's student data, we commit to notifying the institution without undue delay and no later than 72 hours after we confirm it.

Account deletion and contact

To delete your account, or to request a deletion or export described above, email dean@harvestkernel.com. Questions about privacy go to the same address.