Privacy, in numbers
The pre-read for principals and privacy officers — what we keep, for how long, and what we never do.
The data floor
The roster stores three things per student: first name, last initial, reading level. That is the whole list — no student accounts, no emails, no birthdays, no photos. It isn't a setting; the columns for anything more don't exist.
What we never do
We never train AI on student writing. Letter text is retained up to 30 days for safety monitoring and never used for training. No ads, no selling data, no profiling beyond the reading level the teacher sets, and no third-party scripts on any page a student touches.
Retention, in numbers
| What | Kept until |
|---|---|
| Letter scans (photos of handwriting) | Purged when the teacher confirms the transcript — 72 hours at the outside |
| Letter content | End of school year (Aug 31); districts may set earlier |
| On withdrawal | Full deletion within 30 days, with a certificate |
| Audit trail (IDs and timestamps — never letter text) | 180 days beyond content deletion |
Who touches what
Processors we disclose today: Anthropic (reply drafting and safety checks), Google Cloud Vision (handwriting cross-check), Supabase (database and storage), Vercel (web hosting). Letter text goes only where the letter pipeline requires it.
If Penny Post winds down
Schools get 5 business days' notice, a 30-day export window, and hard deletion with certificates. No acquirer gets access to school data without fresh consent from the school, and any change of use means re-consent.