✦ MsgSchool

■ PRIVACY

Privacy Policy

Last updated: April 21, 2026

MsgSchool ("we", "our") is a narrow, Telegram-first assistant for tracking Canvas and Skyward. This policy explains what we collect, why, and what we do with it.

What we collect

  • Telegram identifiers. Your Telegram numeric user ID and username so we can route messages to your agent.
  • Messages you send the bot. To respond, log, and audit for abuse.
  • Credentials you provide. To watch your Canvas and Skyward accounts, you provide limited credentials — portal URLs, API tokens, and in some cases a school login username and password. They are stored encrypted at rest in an isolated per-user workspace using a machine-bound key held by our server's operating system kernel (Linux systemd-creds). The encrypted files and the key are stored separately; a disk image stolen while our server is powered off contains only ciphertext. Decryption happens in memory at the moment of use by the MsgSchool service — never written to disk in plaintext, never written to backups in plaintext. We use them solely to read your own Canvas and Skyward data on your behalf, never share them with third parties, and never use them for any other purpose.
  • Activity the agent observes. Assignments, grades, attendance, and announcements pulled from the services you connect. Stored only inside your own isolated workspace.
  • Operational logs. Webhook events, error traces, timing, and usage counters for debugging and capacity planning.

What we do not collect

  • We do not collect a password or email address to use MsgSchool.
  • We do not sell any data to third parties.
  • We do not use your data to train general-purpose AI models.

How your data is isolated

Every user is assigned their own dedicated workspace on our server. Your messages, credentials, and observed activity live only in that workspace. Other users cannot see it, and neither can other agents on the platform. The server itself sits behind our own firewall and is not reachable from the public internet except through the Telegram webhook endpoint.

Credential handling when you share them

When you paste a Canvas URL, API token, Skyward portal URL, username, or password into the bot, MsgSchool detects the credential-shaped message on arrival and does three things within about a second: (1) writes it encrypted to your workspace using the mechanism above, (2) deletes the original paste from your Telegram chat so it doesn't sit in your history, and (3) acknowledges with a short receipt like “Stored canvas.token.” The raw value is not logged, not echoed back to you, and not passed to the AI model.

Security work in progress

MsgSchool is a small operation and we're continuing to improve its security posture. The remaining item in flight is encrypted off-site backups with an offline decryption key. We will update this policy when it lands.

Data retention

We keep your data as long as your account is active. If you want your account and its data removed, email [email protected] and we will remove your workspace, credentials, message log, and any copies in our backup rotation. Backups are retained for up to 30 days and then pruned.

Third-party services

  • Telegram. Messages transit Telegram's servers. Their privacy policy applies to their infrastructure.
  • Canvas & Skyward. We connect to your schools' Canvas and Skyward instances using credentials you give us, read-only where possible.
  • Language model providers. We run the agent primarily on Claude by Anthropic. For reliability we may automatically fall back to other model providers (currently Moonshot and OpenAI) if the primary provider is unavailable. Each provider's terms govern their handling of the prompts and responses sent to them. None of these providers are given your raw credentials — the agent queries Canvas and Skyward from our server and only sends the resulting data into model prompts.

Children

MsgSchool is intended for parents, guardians, and students age 13 and up. We do not knowingly collect data from users under 13. If you are a parent or guardian and believe your under-13 child has created an account, email [email protected] and we will delete the account and its associated data within seven days.

Contact

Questions: [email protected]