Privacy Policy

Effective: June 3, 2026 · Last updated: June 3, 2026

Nessa helps Montessori teachers observe, plan for, and communicate about the children in their care. Because that means handling information about children, we hold this data carefully. This policy explains what we collect, how it's used, who it's shared with, and the choices you have.

The short version: We collect only what the app needs to work. We don't sell your data, show ads, or track you across apps. Photos and observations are private to your account. You can export or delete everything at any time. Some AI features send your content to third-party AI providers to work — section 3 explains exactly what, and where names can and can't be removed first.

1. Who is responsible for this data

Nessa is a tool that teachers and schools use to keep their own classroom records. You (the teacher) and your school decide what to record about your students. Under privacy laws like FERPA and GDPR, the school is generally the "controller" of student records and Nessa acts as a "processor" handling that data on your behalf. By using Nessa, you confirm you are authorized to record this information (see our Terms of Service).

2. Information we collect

Account information

Your email address and name. If you sign in with Google or Apple, we receive a verified email and display name from that provider — never your password.

Classroom data you create

Student profiles — first name, optional last name, optional birth year, optional gender, and an optional photo.
Observations & notes — the text you write (or dictate) about a child's progress, plus subject area and skill level.
Lesson plans, newsletters & summaries — content you write or generate with AI assistance.
Photos — images you attach to an observation, and photos you add to a newsletter.

What we do not collect

Advertising identifiers (IDFA / GAID)
Analytics or behavioural tracking
Your device location
Contacts, calendar, or other device data

3. AI features — what is sent to AI providers

Several Nessa features use AI: Ask Nessa, lesson and newsletter drafting, child summaries, voice-to-text observations, and scanning paper sheets or handwritten notes. When you use one of these, the relevant content is sent through our secure server to a third-party AI provider, which returns a result. We want to be precise about what's sent and whether names are removed first:

Text features (Ask Nessa, child summaries, newsletter drafting): before your classroom text is sent, we replace students' names with neutral placeholders (e.g. "Student A") and restore the real names only in the result shown to you. The AI provider does not receive those names.

Where names cannot be removed — please read:

• Scanning a sheet or handwritten note: the photo is sent to our vision AI provider as an image. If a child's name is written in that image, it is part of the picture and cannot be removed beforehand.

• Voice observations: the audio recording is sent for transcription. If you speak a child's name, it is in the audio. Audio is transcribed and then discarded — we don't store audio files.

• Voice / quick observations also send your class roster so the spoken name can be matched to the right child.

• Our name replacement matches exact names only. It will not catch nicknames, misspellings, or other identifying details (an address, a sibling's name, a health note) that you type into a free-text note. Please keep that in mind when recording sensitive details.

We choose providers whose API terms state that content submitted through their APIs is not used to train their models. We don't control these third parties; their handling is governed by their own policies (linked in section 4). If your school requires that no student data ever leave its own systems, AI features may not be appropriate for your setting — contact us and we'll discuss options.

4. Third-party services

We use a small number of providers to run Nessa:

Supabase — stores your account and classroom data (hosted on Amazon Web Services, encrypted at rest and in transit). Policy.
Groq — text AI and voice transcription. Policy.
OpenRouter (routes to Google Gemini) — vision AI for reading scanned sheets and handwritten notes. Policy.
Google & Apple Sign-In — optional authentication; we receive only your verified email and name. See Google's and Apple's policies.
Resend — sends the one-time welcome email. Policy.

We do not share your data with any other third parties, and none of these are used for advertising or tracking.

5. Photos & location data

Observation photos are private. They're stored in a private location tied to your account and shown only to you, through temporary signed links. They are not publicly accessible.
We strip location and device metadata. Before a photo is uploaded, it is re-encoded so that GPS coordinates, device details, and timestamps embedded by the camera (EXIF data) are removed.
Newsletter photos are shared when you send a newsletter. If you include photos in a newsletter, those images are made accessible so they can display in the email you send to families. By adding a photo to a newsletter and sending it, you are choosing to share that image with the recipients you select. Only include photos you have permission to share.

6. Storage & security

Data is stored in Supabase (on AWS) with encryption at rest and in transit (TLS).
Row-level security ensures you can only access your own data.
All AI API keys live in secure server-side functions and are never exposed in the app.
Authentication tokens are stored securely on your device.

No system is perfectly secure. Please use a strong, unique password for your Nessa account.

7. Your rights & choices

Access — all your data is visible in the app at any time.
Export — export a full copy of your data as a JSON file from Settings.
Correct — edit any student, observation, or note directly.
Delete — delete individual items, or your whole account. Deleting your account permanently removes your data, including stored photo files, from our systems.

Depending on where you live, you may have additional rights under laws such as the GDPR (EU/UK) or CCPA (California), including the right to access, correct, delete, or port your data, and to object to certain processing. To exercise any of these, email hello@nessaglobal.com.

8. Data retention

We keep your data for as long as your account is active. When you delete an item it is removed; when you delete your account, all associated data — observations, students, notes, settings, and photo files — is permanently deleted. Voice audio is never retained; only the resulting transcript is saved as your observation. Backups maintained by our infrastructure providers may persist for a short period before being overwritten.

9. Children's data — COPPA, FERPA & GDPR

Nessa is built for adult educators. It is not directed to children, and children do not create accounts or use the app. The information about children in Nessa is entered by teachers as part of their professional record-keeping.

You are responsible for authorization. Teachers and schools must ensure they have the appropriate authority or consent — under their school's policies, FERPA, COPPA, GDPR, or other applicable laws — to record observations, names, and photos of their students. The school, as the data controller, is responsible for obtaining any parental consent required.

We do not knowingly collect personal information directly from children under 13. If you believe student data has been entered without proper authorization, contact us at hello@nessaglobal.com and we will promptly delete it. Schools that need a Data Processing Agreement can request one at the same address.

10. International users

Nessa is operated from, and stores data in, infrastructure that may be located in the United States. If you use Nessa from outside the US, you understand your data will be processed there. We rely on appropriate safeguards for any cross-border transfers as required by applicable law.

11. Changes to this policy

We may update this policy. If we make material changes, we'll notify you in the app or by email before they take effect. The "Last updated" date above reflects the latest revision.

12. Contact us

Questions, concerns, or requests about your data? Email hello@nessaglobal.com. We aim to respond within 5 business days.