Bridge&Harbor
Find My Tool →

Effective March 2, 2026 · Updated March 2, 2026

Privacy Policy

Your Canvas data stays in your browser. We built it that way on purpose.

Who We Are

Bridge&Harbor, LLC builds Chrome extensions for Canvas LMS — Breeze, Helm, Compass, and Keel. We're based in Iowa. Our website is bridgeharbor.app. To reach us: [email protected]

The Short Version

Our extensions don't send your Canvas data to us. All processing happens in your browser. We don't store your course content, student data, or usage history on our servers. The short version is the accurate version — the rest of this policy just explains the details.

What Our Extensions Access

To do their jobs, our extensions access your Canvas session — the same data your browser already has when you're logged in. Depending on which tool you use, this may include:

  • Your course list, assignments, grades, announcements, and other Canvas content visible to your account
  • Your Canvas user identity (name, role, and institution)
  • Navigation and interface state within Canvas
  • For Helm: quiz and assignment data from Canvas New Quizzes (quiz-lti-iad-prod.instructure.com)

This data is processed locally, in your browser. It is not transmitted to Bridge & Harbor servers.

AI-Powered Features (Breeze, Helm, and Compass)

Breeze, Helm, and Compass include optional AI features — discussion drafting, exam prep, feedback drafting, course review summaries, accessibility audits, and similar. These features require you to supply your own API key from OpenAI or Anthropic.

Keel does not include AI features. Keel communicates exclusively with your Canvas institution's domain and no external services.

When you use an AI feature:

  • Your content goes directly from your browser to the AI provider you chose (OpenAI or Anthropic). It does not pass through Bridge & Harbor.
  • Your API key is stored locally in your browser's extension storage — not on our servers.
  • We have no visibility into your prompts, your AI provider's responses, or how your AI provider processes your data.
  • Each provider's privacy policy governs their handling of your content. Links: OpenAI Privacy Policy | Anthropic Privacy Policy

You are never required to use AI features. They are optional and off by default until you supply a key.

What We Collect on Our Website

When you visit bridgeharbor.app, standard web server and infrastructure logs may be automatically generated. These may include your IP address, browser type and version, pages visited, time of visit, and referring URLs. This is standard infrastructure logging, not behavioral tracking.

We do not use third-party analytics on bridgeharbor.app. We do not install tracking pixels, behavioral analytics scripts, or advertising trackers on our website.

This site is served through Cloudflare's global network. Cloudflare may process standard connection data (such as IP addresses and request metadata) as part of normal CDN and security operations. That processing is governed by Cloudflare's Privacy Policy, not ours. Bridge & Harbor does not have access to individual-level request logs.

If you contact us by email, we retain that correspondence to respond to your inquiry and for our records.

What We Don't Collect

To be explicit:

  • We don't collect student personally identifiable information (PII) on our servers
  • We don't collect, store, or transmit the contents of your Canvas courses
  • We don't build user profiles
  • We don't sell data — to anyone, ever
  • We don't use your Canvas data for advertising
  • We don't share data with third parties (other than the AI provider you choose, as described above, and only when you use an AI feature)

Chrome Extension Permissions

All four extensions use Chrome Manifest V3 and request only the permissions necessary to function.

Permissions used by all four extensions:

  • sidePanel — opens Bridge & Harbor's side panel UI within your browser
  • cookies — reads your Canvas session cookies to authenticate Canvas API calls on your behalf
  • storage — saves your preferences and (where applicable) your API key locally in your browser
  • tabs — reads the current tab URL to know which Canvas page you're on

alarms permission (Breeze, Helm, Compass only):

  • Used for client-side scheduling — for example, Breeze's missing assignment alerts. No server-side monitoring.

Host permissions — Canvas access:

  • https://*.instructure.com/* — all four extensions
  • https://*.quiz-lti-iad-prod.instructure.com/* — Helm only, for Canvas New Quizzes

Host permissions — AI providers (Breeze, Helm, Compass only):

  • https://api.anthropic.com/* and https://api.openai.com/* — your content goes directly to your chosen AI provider when you use AI features
  • Keel has no AI host permissions and makes no external API calls

We do not request microphone, camera, geolocation, clipboard, or any other sensitive browser permissions.

FERPA

We have designed our architecture with FERPA in mind.

Because Canvas data is processed in your browser and never transmitted to Bridge & Harbor servers, we do not function as a "school official" with legitimate educational interest, and we do not handle "education records" as defined under FERPA (20 U.S.C. § 1232g). The data stays with you.

Institutions performing due diligence can:

  • Review our Security Overview at bridgeharbor.app/security
  • Request our Data Processing Agreement (DPA) template, available at the same link

If your institution requires a signed DPA for deployment, we have one ready.

Children's Privacy

Our extensions are designed for higher education professionals and students aged 13 and older. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal data, please contact us and we will take appropriate action.

Data Retention

Because we do not collect or store your Canvas data, there is nothing to delete on your behalf.

Because the site is hosted on Cloudflare Pages, Bridge & Harbor does not control or retain server-side access logs. Email correspondence is retained as long as reasonably necessary to respond to your inquiry and then deleted upon request.

Security

Our browser-only architecture is a security feature, not just a privacy feature. There's no Bridge & Harbor server holding your Canvas data because your data never reaches our servers.

Your API keys (if you use AI features) are stored in your browser's encrypted extension storage, managed by Chrome's built-in security model. We never see them.

For a full technical overview, see our Security Overview at bridgeharbor.app/security.

Your Choices

  • Uninstall at any time. Removing the extension removes all locally stored preferences and API keys from your browser.
  • Email deletion. If you've contacted us by email and want that correspondence deleted, email us and we'll honor it.
  • No account to delete. We don't create accounts. There's nothing to log in to, and nothing to close.

Changes to This Policy

If we make material changes to this policy, we will update the "Last Updated" date above. For significant changes, we'll also post a notice on bridgeharbor.app and may update the Chrome Web Store listing description.

Contact

Privacy questions, data requests, FERPA inquiries, or anything else:

Bridge&Harbor, LLC
[email protected]
bridgeharbor.app

We respond to privacy inquiries within 5 business days.