Your data doesn't touch our servers.
Bridge & Harbor Chrome extensions process Canvas data locally in your browser. Nothing is transmitted to our servers. This page explains exactly what each extension reads, where your data goes, and what we never see.
What each extension can see — and what it can't
Bridge & Harbor extensions read only what's visible in your current Canvas session — the same data you'd access by clicking around Canvas yourself. No passwords are read. No private messages are intercepted. No access is created that you don't already have as an authenticated user.
| Extension | Reads | Does NOT Read |
|---|---|---|
| Breeze | Assignment names, due dates, submission status, grades (if Canvas shows them) | Other students' data, submission content, private messages |
| Helm | Student names (in courses you teach), submission status, grade data in your gradebook | Student IDs/SSNs, data outside your authorized courses, other instructors' gradebooks |
| Compass | Course structure, module/item names, publication status, links (in courses you have Designer/Teacher access to) | Student submissions, student grades, personally identifiable information |
| Keel | Course metadata, enrollment counts, user roles in the admin console (data you already see as an admin) | Student submission content, grades, personal data beyond what Canvas's admin UI shows you |
What stays in your browser vs. what Bridge & Harbor receives
Canvas page data is processed locally in your browser. Bridge & Harbor servers receive nothing except:
- A license validation ping (if Pro) — no user data, just a license check
- Any data you explicitly send (e.g., a support email)
That's it. No course content, no student records, no gradebook data, no user lists, no institutional data. If you don't have a Pro subscription, we receive nothing at all.
How AI features work — and where your content goes
When you use an AI feature (Helm or Compass only):
You provide your own API key from your AI provider (OpenAI, Anthropic, etc.)
Your API key is stored only in Chrome's local extension storage — never sent to Bridge & Harbor
Content you submit for AI review goes directly from your browser to your AI provider
Bridge & Harbor never sees, routes, processes, or stores the content you submit for AI review
Your AI provider's own privacy policy governs how they handle your content. We recommend reviewing it — especially if you're using AI features with sensitive institutional data. Bridge & Harbor's systems are not involved in that data flow.
Bridge & Harbor recommends reviewing your AI provider's data handling policies before using AI features with sensitive educational content. Bridge & Harbor is not responsible for data handling by third-party AI providers.
Is using a Chrome extension with Canvas allowed?
Canvas allows Chrome extensions. Bridge & Harbor operates as assistive technology — similar to a screen reader or browser accessibility tool. We read Canvas pages you're already authorized to view and present the data in a more useful format.
We don't modify Canvas's database, bypass Canvas's permission system, or access data beyond what your Canvas role authorizes.
Assistive browser extensions — including accessibility tools, interface enhancers, and productivity extensions — are consistent with Instructure's terms of service for authorized users. Hundreds of thousands of Canvas users use browser extensions daily. Bridge & Harbor operates in the same category.
If your institution has specific policies about browser extensions, those policies apply. Bridge & Harbor does not claim to override institutional policy — we recommend confirming with your IT team if you have specific compliance requirements.
Chrome Web Store Limited Use Disclosure
Bridge & Harbor's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Bridge & Harbor Chrome extensions only access Canvas LMS pages and data that you are already authorized to view. We do not use your data for advertising, and we do not sell your data to third parties.
Specifically: Bridge & Harbor does not sell user data, use user data for advertising or serving ads, transfer user data to unauthorized third parties, or use user data for any purpose unrelated to the extension's core functionality as described on this page and in the Chrome Web Store listing.
FERPA and Student Privacy
The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records.
Bridge & Harbor is not a "school official" under FERPA — we don't receive or store student education records. All Canvas data is processed client-side in your browser. Education records never leave your browser and never reach Bridge & Harbor's servers.
We do not claim "FERPA compliance" because we are not subject to FERPA — we claim FERPA consistency because student education records never reach our servers.
The instructor, admin, or instructional designer using Bridge & Harbor remains the authorized user. Bridge & Harbor simply presents data they're already authorized to see in a more useful format.
If your institution has specific FERPA compliance requirements for technology vendors, please contact us. We are happy to provide documentation for your institution's review.
Data Deletion
To remove all Bridge & Harbor data: uninstall the extension from Chrome. Chrome's extension storage is cleared automatically. There is no server-side data to delete because no user data was ever transmitted to Bridge & Harbor's servers.
If you created a Bridge & Harbor account for licensing, email [email protected] with subject line "Data Deletion Request." We will process your request within 30 days and send a confirmation.
Reporting a Vulnerability
Found something? Email [email protected] with details. We'll respond within 48 hours and credit responsible disclosures.