Privacy Policy

Last Updated: February 12, 2026

1. Overview

Kernion Cognitive Labs LLC ("we," "us," "our," or "TYay") operates the TYay platform (the "Service"), an educational tool designed to help science educators grade lab reports efficiently using AI-powered feedback. This Privacy Policy explains how we collect, use, store, share, and protect information when you use our Service, and describes the rights and choices available to you regarding your information.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use the Service.

2. Information We Collect

2.1 Google Account Information

When you sign in with Google, we collect:

  • Your email address
  • Your name
  • Your Google profile picture URL
  • Your Google Account identifier
  • OAuth tokens (access tokens and refresh tokens) necessary to interact with Google services on your behalf

2.2 Google Drive and Docs Access

We request access to:

  • Google Drive files: Only the specific files you choose to use with our Service (lab report templates and student submissions). We use the most restrictive scope possible (drive.file) to only access files you explicitly use with our Service.
  • Google Docs: To read lab report content, place feedback comments, and create snapshots (copies) of student submissions for grading and academic integrity purposes.

2.3 Student Educational Data

When teachers use the Service with their students, we collect and process the following student data:

  • Student email addresses (provided by the teacher during enrollment)
  • Student names (from Google account profiles)
  • Lab report content (text, images, tables, and equations extracted from Google Docs)
  • Self-assessment responses (when enabled by the teacher)
  • AI-generated grades and feedback
  • Submission status and timestamps

2.4 Payment Information

When you subscribe to a paid plan or purchase additional units, payment processing is handled by Stripe, Inc. We do not directly collect or store your credit card number, bank account number, or other sensitive financial information. However, we do receive and store:

  • Your Stripe customer identifier
  • Subscription tier, status, and billing period
  • Billing cycle dates and current period start/end dates
  • Payment success or failure status (via Stripe webhooks)
  • Refill pack purchase records

For information about how Stripe handles your payment data, please review Stripe's Privacy Policy.

2.5 Support Conversations

When you use our in-app support chat, we collect and store:

  • Your messages and our AI-generated responses
  • Conversation metadata (timestamps, message count, conversation status)
  • Your name, email, and subscription tier, which are included as context when generating support responses

Support conversations are processed by AI language models (see Section 4) to provide helpful responses. Support conversation history is retained for up to 12 months after the last message, after which it is deleted.

2.6 Usage Data

We track usage metrics to manage your subscription and enforce plan limits, including:

  • Submission units consumed
  • Assignment units consumed
  • Test grading (mockup) units consumed

Usage counters are reset on your monthly billing cycle date.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service delivery: Authenticate your identity, manage your account, create and distribute lab report assignments, collect and process student submissions, generate AI-powered feedback and grades, and place comments in Google Docs.
  • Academic integrity: Create snapshots (copies) of student submissions at registration and submission time, stored in teacher-controlled Google Drive folders.
  • Billing and payments: Process subscription payments, manage plan limits, and track usage.
  • Support: Respond to your support inquiries via the in-app chat.
  • Service improvement: Monitor usage patterns (in aggregate) to improve the Service. We do not use individual student educational data for product development or marketing purposes.

4. Data Sharing and Third-Party Processors

We share data with the following third-party services that are necessary to operate the Service. Each third-party processor is used only for its stated purpose:

  • Google APIs (Google LLC): To access Google Drive and Google Docs on your behalf for assignment distribution, submission collection, and comment placement. Our use of Google API data complies with the Google API Services User Data Policy, including the Limited Use requirements.
  • OpenAI (OpenAI, L.L.C.): To generate AI-powered feedback and grades from student lab report content. We use API configurations that instruct OpenAI not to use submitted data for training its models. See OpenAI's Privacy Policy.
  • Anthropic (Anthropic, PBC): As an alternative AI provider for generating feedback and grades. When Anthropic models are used, student lab report content is sent to Anthropic's API under their data protection terms. See Anthropic's Privacy Policy.
  • Google AI / Gemini (Google LLC): As an alternative AI provider for generating feedback and grades. When Gemini models are used, student lab report content is sent to Google's Gemini API. See Google's Privacy Policy.
  • Stripe, Inc.: To process subscription payments and manage billing. See Stripe's Privacy Policy.

We do not sell, rent, or share your personal information or student data with any other third parties for marketing, advertising, or any purpose unrelated to providing the Service.

5. Data Storage and Retention

5.1 Where Data Is Stored

  • Student lab report content: Processed temporarily in memory for grading purposes. We do not permanently store the full text of student lab reports on our servers. All student documents remain in Google Drive under the teacher's account control.
  • Document snapshots: Stored in teacher-controlled Google Drive folders, not on our servers.
  • Metadata and grades: Assignment information, submission status, AI-generated grades, feedback text, and grading logs are stored in our database.
  • Account data: User profiles, authentication tokens, and subscription information are stored in our database.

5.2 Retention Periods

  • Account data: Retained while your account is active. Upon account deletion request, account data is deleted within 30 days.
  • Submission metadata and grades: Retained while the associated teacher account is active. Deleted within 30 days of teacher account deletion.
  • OAuth tokens: Retained while your account is active. Automatically revoked and deleted upon account deletion.
  • Support conversations: Retained for up to 12 months after the last message in the conversation, then automatically deleted.
  • Usage tracking data: Reset monthly on your billing cycle date. Historical usage data is not retained beyond the current billing period.
  • Payment records: Retained for as long as required by applicable tax and financial regulations (typically 7 years), then deleted.

6. Cookies and Similar Technologies

We use cookies and similar technologies that are strictly necessary to operate the Service. We do not use any advertising, analytics, or tracking cookies.

  • Session cookies: Used to maintain your authenticated session after you sign in. These are HTTP-only, secure cookies that expire when your session ends or after a set duration.
  • CSRF protection cookies: Used to prevent cross-site request forgery attacks.
  • OAuth state cookies: Temporary cookies used during the Google sign-in process to maintain security. These expire within 15 minutes.
  • Authentication cookies: Used internally by our automated comment placement system to interact with Google Docs on behalf of authorized users for placing feedback comments.

Because we only use strictly necessary cookies (no tracking or advertising cookies), we do not require separate cookie consent under most privacy regulations. You can configure your browser to block cookies, but this may prevent the Service from functioning properly.

7. FERPA Compliance (United States)

For educators and educational institutions in the United States, we understand the importance of compliance with the Family Educational Rights and Privacy Act (FERPA).

7.1 Our Commitments Under FERPA

  • Student education records are processed only for legitimate educational purposes (grading and feedback) as directed by the teacher or educational institution.
  • Student documents are stored in teacher-controlled Google Drive folders, keeping institutional control over education records.
  • We do not share student education records with unauthorized third parties.
  • We do not use student education records for any purpose other than providing the grading and feedback services requested by the teacher.
  • Third-party AI processors (OpenAI, Anthropic, Google Gemini) are used solely to generate educational feedback and are configured to not retain or train on student data.

7.2 School Official Exception

When TYay is used by an educational institution (school, district, or university), we operate under the "school official" exception to FERPA's consent requirements. Under this exception, we act as a service provider with a legitimate educational interest in the student data necessary to provide the Service.

For educational institutions: We offer a Data Processing Agreement (DPA) that formalizes our obligations under FERPA and any applicable state student privacy laws. To request a DPA, please contact us at tyaysupport@kernioncognitivelabs.com.

7.3 Individual Teacher Use

Individual teachers (not operating under an institutional agreement) who use the Service are responsible for ensuring that their use complies with FERPA and any applicable institutional policies. By enrolling students, teachers represent that they have the authority to do so and that their use of the Service is for a legitimate educational purpose.

8. Children's Privacy (COPPA Compliance)

We take children's privacy seriously and comply with the Children's Online Privacy Protection Act (COPPA).

8.1 Age Requirement

The Service is designed for use by educators and their students in educational settings. Students must be at least 13 years of age to use the Service directly. We do not knowingly collect personal information from children under the age of 13 without verifiable parental consent or school authorization as described below.

8.2 School Authorization for Students Under 13

Where students under 13 may use the Service, we rely on the school (or teacher acting as an authorized agent of the school) to provide consent on behalf of parents for the collection of student data for educational purposes, consistent with COPPA's school consent exception. Teachers enrolling students under 13 represent and warrant that they have obtained the necessary school authorization or parental consent to do so.

8.3 Parental Rights

Parents or legal guardians of students under 13 have the right to:

  • Review the personal information we have collected about their child
  • Request deletion of their child's personal information
  • Refuse further collection of their child's personal information

To exercise these rights, please contact us at tyaysupport@kernioncognitivelabs.com.

8.4 Data Minimization for Student Data

We collect only the minimum student data necessary to provide the grading and feedback service. We do not:

  • Require students to provide more information than necessary to participate
  • Use student data for marketing, advertising, or profiling
  • Sell or rent student data to any third party
  • Build personal profiles of students for non-educational purposes

9. State Privacy Laws

9.1 California

We comply with the California Student Online Personal Information Protection Act (SOPIPA) and the California Consumer Privacy Act (CCPA/CPRA) as applicable. California residents have additional rights including the right to know what personal information is collected, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information.

9.2 New York

For schools and districts in New York, we comply with Education Law Section 2-d and are prepared to enter into the required data privacy and security agreements. Contact us to request a compliant agreement.

9.3 Other States

We are committed to complying with applicable state student privacy laws including but not limited to the Illinois Student Online Personal Protection Act (SOPPA), Colorado Student Data Transparency and Security Act, and other state-specific requirements. Educational institutions that require state-specific Data Processing Agreements or supplementary terms should contact us at tyaysupport@kernioncognitivelabs.com.

10. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS.
  • Authentication: OAuth 2.0 for secure Google account authentication with CSRF protection and PKCE verification.
  • Minimal access scope: We request only the Google API scopes necessary to provide the Service (drive.file).
  • Secure token management: OAuth tokens and API keys are stored securely and are never exposed to client-side code.
  • Session management: HTTP-only, secure session cookies with CSRF token protection.
  • Access controls: Role-based access ensures students can only see their own submissions and teachers can only access their own classes.

While we take reasonable measures to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

11. Data Breach Notification

In the event of a data breach that compromises the security, confidentiality, or integrity of personal information, we will:

  • Investigate promptly: Initiate an investigation within 24 hours of discovering the breach.
  • Notify affected users: Notify affected individuals without unreasonable delay, and no later than required by applicable law (typically within 60 days of discovery, or sooner where state law requires).
  • Notify educational institutions: If student education records are affected, we will notify the relevant educational institution or teacher promptly so they can fulfill their own notification obligations.
  • Notify regulators: We will notify applicable state attorneys general and other regulatory bodies as required by law.
  • Remediate: Take reasonable steps to contain the breach, mitigate harm, and prevent recurrence.

Breach notifications will include, to the extent known: the nature of the breach, the types of information affected, the steps we are taking in response, and guidance on steps individuals can take to protect themselves.

12. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: Request information about the personal data we store about you.
  • Correction: Request that we correct inaccurate personal information.
  • Deletion: Request deletion of your account and associated personal data. We will process deletion requests within 30 days, subject to legal retention requirements.
  • Data portability: All your documents remain in your Google Drive and can be exported at any time using Google Takeout. You may also request an export of your account data.
  • Revoke access: You can revoke our access to your Google account at any time through your Google Account settings.
  • Opt out: We do not sell personal information. If you wish to stop using the Service, you may delete your account at any time.

To exercise any of these rights, please contact us at tyaysupport@kernioncognitivelabs.com. We will respond to verifiable requests within 30 days.

13. Google API Services User Data Policy

TYay's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only use Google user data for the purposes described in this Privacy Policy.
  • We do not transfer Google user data to third parties except as necessary to provide and improve the Service, as required by law, or with your explicit consent.
  • We do not use Google user data for serving advertisements.
  • We do not allow humans to read Google user data unless we have your affirmative consent, it is necessary for security purposes, to comply with applicable law, or our use is limited to internal operations.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page.
  • Notify registered users via email of any material changes at least 15 days before they take effect.
  • Post a prominent notice on the Service for at least 30 days following a material change.

Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated Privacy Policy.

15. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For FERPA-related inquiries, Data Processing Agreement requests, or state-specific privacy law questions, please use the same email address with the subject line "Privacy / DPA Request."
