Privacy Policy

Last updated: March 2026

1. Overview

MyTA (“My Teaching Assistant”) is an AI-powered course operations platform that helps instructors manage discussion boards, grading, student communications, and course compliance. MyTA operates as a “school official” under FERPA (34 CFR §99.31(a)(1)(i)), processing education records solely on behalf of the institution under a Data Processing Agreement (DPA).

2. Data We Collect

From Instructors

  • Name, email, and institutional affiliation (via single sign-on)
  • Course configuration preferences
  • Grading rubrics and policy settings
  • Draft replies and feedback composed within MyTA

From Students (via LMS sync)

  • Name, student ID, email address, and enrollment status
  • Discussion board posts and replies
  • Assignment submissions (text content for AI grading)
  • Thread messages sent to instructors

MyTA does not collect data directly from students. All student data is synced from the institution’s Learning Management System (LMS).

3. How We Use Data

  • AI-assisted grading: Submission content is analyzed by AI to generate scores and feedback. Student names and identifiers are stripped before any data is sent to the AI provider.
  • Discussion compliance: Posts are evaluated for word count, substantiveness, and timeliness against course policies.
  • Inbox triage: Student messages are classified by urgency and draft replies are generated for instructor review.
  • Engagement monitoring: Participation patterns are aggregated to identify students who may need outreach.

4. Student PII Protection

Before any student data is processed by AI services, personally identifiable information (PII) is deterministically stripped using a roster-based pipeline:

  • Student names are replaced with pseudonyms (e.g., “[Student A]”)
  • Student IDs and email addresses are redacted
  • Pseudonyms are restored before results are shown to the instructor

The AI provider never receives identifiable student information. PII stripping is configurable per institution.

5. Encryption

  • In transit: All connections use TLS 1.2 or higher. Database connections require SSL.
  • At rest: Student PII fields (names, emails) are encrypted using AES-256-GCM with per-institution encryption keys. LMS credentials and session tokens are encrypted at the application level. Infrastructure-level encryption is provided by the hosting provider.

6. Data Retention

  • Student roster and messages: course duration + 1 year
  • AI-generated drafts: 90 days after course end date
  • Grading records: 7 years (per institutional policy)
  • Audit logs: 7 years
  • Session data: automatically expires (1-hour TTL)

Expired data is soft-deleted with a 30-day grace period, then permanently removed by an automated weekly purge process.

7. Third-Party Services

MyTA shares data with the following sub-processors, all US-based:

  • Google (Gemini AI):De-identified text only. Student PII is stripped before transmission. Google’s Gemini API does not store inputs or outputs and does not use customer data for model training.
  • Render (Hosting, Database, Cache): Application hosting, managed PostgreSQL, and managed Redis. Student PII fields are encrypted at the application layer (AES-256-GCM) before database storage. Redis cache holds ephemeral session data only, with automatic expiry. No persistent student records in the cache.
  • Clerk: Instructor authentication only. No student data.

No student data is sold, shared for advertising, or used for purposes outside the institution’s educational mission. A complete sub-processor register with data handling details is available upon request and included in our Data Processing Agreement (DPA).

8. AI-Specific Data Practices

  • No model training on student data:Google’s Gemini API has a zero-retention policy for paid API usage. Student data is not stored, cached, or used for model training by the AI provider.
  • PII stripped before AI processing: A deterministic, roster-based pipeline replaces student names, IDs, and emails with pseudonyms before any text is sent to the AI. The AI provider never receives identifiable student information. If stripping fails, the request is rejected.
  • Human oversight: All AI-generated content (grades, feedback, draft replies) is presented to the instructor as a draft requiring review and approval. No AI output reaches students without explicit instructor action.
  • AI usage tracking: Every AI API call is logged with the action type, model used, and token counts. Usage data is available to institutional administrators.

For more detail, see our AI Governance page.

9. Access Control

MyTA enforces role-based access control. Instructors can only access courses they teach. Department chairs and administrators can access courses within their scope. Row-level security policies are enforced at the database level to prevent cross-tenant data access.

10. Student Rights

Under FERPA, students (or parents of minors) have the right to:

  • Request access to their education records processed by MyTA
  • Request correction of inaccurate records
  • Request deletion of their data. Upon request, student records are anonymized (names replaced, identifiers hashed) and permanently deleted after a 30-day grace period.

To exercise these rights, contact your institution’s administration. Data subject access requests are processed within 30 days.

11. Contact

For privacy-related questions or concerns, contact your institution’s MyTA administrator or reach out to us at privacy@courseops.ai.

← Back to MyTA