Privacy Policy

Athena Privacy Policy

Effective Date: September 3rd, 2025

Athena is a learning service provided by Instructure, Inc. (“Instructure,” “we,” “us,” or “our”). This Privacy Policy explains how Athena collects, uses, and shares personal information when you use our website(s) and, if applicable, any mobile applications we release, together with related services (collectively, the “Service”).

This policy is written in plain language and includes disclosures required by United States (U.S.) laws (for example, CalOPPA and modern state privacy laws such as the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), Virginia Consumer Data Protection Act (VCDPA), and similar). Athena will comply with applicable state privacy requirements.

Who We Are & How To Reach Us

  • Service operator: Instructure, Inc. (Athena)
  • Address: 6330 S 3000 E, Suite 700, Salt Lake City, UT 84121, USA
  • Privacy email: privacy@studywithathena.com

Information We Collect

We collect only what we need to run and improve Athena:

  • Account identifiers: Email (required at sign-up). Name (optional).
  • Payment/subscription info: Payments are processed by Stripe. We receive limited transaction details (e.g., date/amount, Stripe IDs). We do not store full card numbers.
  • Content you create: Chat prompts/responses, attachments, and other content you add to Athena.
  • Usage & device data: IP address, browser/device type, pages viewed, clicks, time in app, referrer, and server logs—used for operations, security, and analytics.
  • Cookies/trackers:
    • Strictly necessary: authentication and security cookies.
    • Non-essential: analytics (Google Analytics 4) and advertising/attribution pixels (Meta Pixel, TikTok Pixel). See Cookies & Tracking below.

LMS Data You Choose To Sync (e.g. Canvas)

If you connect your LMS account to Athena, we access its APIs (with your authorization) to sync learning context such as course information, assignment information, and module information. We use this solely to personalize guidance and product features for you inside Athena. We do not modify your LMS records, and we do not share LMS-sourced data with your school or with third parties for their own uses. You can disconnect your LMS at any time; after disconnection, we delete any synced data and stop syncing new data.

Sensitive Information We Ask You Not To Provide

We do not seek sensitive personal information (for example: government IDs, precise geolocation, health or biometric data, or full financial account numbers). Please do not include such information in your Athena content or support messages.

AI-Powered Features

If you use Athena's AI features, your prompts and responses are processed by our systems and by third-party AI provider(s) to deliver the feature. We configure our AI integrations so that content sent via API is not used to train provider models by default (we do not opt in to such training). Providers may retain API inputs/outputs briefly (e.g., up to ~30 days) for abuse/safety monitoring, after which they remove them unless a longer retention is legally required. Please avoid including sensitive information in prompts.

How We Use Information

  • Service delivery. Account creation, login, core features, and (if enabled) LMS sync at your direction.
  • Improvement. Debugging, analytics, testing, and personalization.
  • Communications. Transactional messages (e.g., account notices). You can unsubscribe from product and recommendation emails at any time in settings.
  • Security & fraud prevention. Protecting users and our Service.
  • Legal compliance. Tax/accounting and responding to lawful requests.
  • With consent/at your direction. When you ask us to do something outside the above.

We may create de-identified or aggregated data (which no longer identifies you) and use/share it for any lawful purpose.

How We Share Information

We do not sell your personal information for money. We share information only as follows:

  • Service providers that work for us (e.g., hosting, storage, analytics, payments, email, logging). They must use data only to provide services to Athena.
  • Advertising/attribution & analytics partners (e.g., Meta Pixel, TikTok Pixel, Google Analytics) used to measure ads or understand product usage. See Cookies & Tracking and Your Privacy Rights for opt-out details.
  • Affiliates/corporate transactions. If Athena is reorganized, acquired, or spun out, information may transfer to a successor that must protect it consistently with this policy.
  • Legal/safety. When required by law or to protect rights and safety.
  • With your consent/direction. For example, if you enable a specific integration.

We may share de-identified or aggregated data without limitation.

Cookies & Tracking

  • Strictly necessary cookies (e.g., authentication and security) are required to operate Athena and deliver the Service.

  • U.S.: We may use Google Analytics 4 and, if used, advertising/attribution pixels (e.g., Meta, TikTok, Google Ads tags) to understand usage and measure ad effectiveness. Under applicable state privacy laws, disclosing identifiers and usage data to third-party ad/measurement partners may be deemed a “sale” or “sharing.” We honor the Global Privacy Control (GPC) signal as your opt-out of sale/sharing and do not load non-essential advertising/retargeting tags for that session/device. Because we honor GPC in a frictionless manner, we do not display a separate “Do Not Sell or Share” link. We do not respond to older Do Not Track (DNT) signals.

  • European Union (EU), European Economic Area (EEA), United Kingdom (UK), and Switzerland (CH) (no banner): For visitors we detect from the EU/EEA/UK/CH, we do not load any non-essential third-party scripts (e.g., no GA4, Meta Pixel, TikTok Pixel). We strip advertising click identifiers from URLs (e.g., gclid, fbclid, ttclid) and do not send server-side conversion events to advertising platforms. Because we do not set non-essential cookies/trackers in these regions, no cookie consent banner is required. If we later enable non-essential analytics or advertising tools in the EU/EEA/UK/CH, we will first present a consent banner and obtain valid opt-in consent before using them.

Your Privacy Rights

U.S. (state privacy laws)

Depending on your state, you may have rights to access/know, delete, correct, and opt out of “sale”/“sharing.”

  • Opt-out method (U.S.): We honor Global Privacy Control (GPC) signals; when detected, we do not load non-essential advertising/retargeting tags.
  • To exercise any privacy rights or submit questions, email privacy@studywithathena.com. We verify identity (typically via your account email) and respond within one month (we may extend once if reasonably necessary). We will not discriminate against you for exercising your rights.

EU/EEA/UK/CH (when you use the Service)

If you create an account or otherwise use Athena beyond a simple visit, you have rights under GDPR/UK GDPR, including access, deletion (erasure), correction (rectification), portability, restriction, objection (including to direct marketing), and withdrawal of consent where applicable.

  • To exercise these rights, email privacy@studywithathena.com. We will verify your identity and respond within one month (we may extend for complex requests as permitted by law).
  • As noted in Cookies & Tracking, we do not set non-essential cookies/trackers for EU/EEA/UK/CH visitors, so cookie choices are not required there.

Data Retention

We keep personal information while your account is active and as needed to operate Athena. We do not currently run automatic deletion/anonymization cycles. If you want your data deleted, email us at privacy@studywithathena.com and we will delete it upon verified request, subject to:

  • Legal/compliance retention (for example, billing/transaction records generally kept for approximately 7 years under tax/accounting and fraud-prevention rules).
  • Security/defense needs (e.g., to detect abuse or comply with lawful requests).
  • Backups/logs that roll off on a standard schedule and aren't actively used.

We may retain de-identified or aggregate data that no longer identifies you.

Children

Athena is a general-audience service and not directed to children. We do not knowingly collect personal information from children under 13. If we learn that a user is under 13, we will delete the account and associated personal information.
Users 13-17 may use Athena; they must have permission from a parent or guardian to use our Service.

Security

We use reasonable safeguards to protect personal information, including:

  • Encryption in transit (HTTPS) and at rest; hashed passwords.
  • Access controls and least-privilege practices for staff and vendors.
  • Monitoring, logging, and incident response procedures.

No method is 100% secure; please use a strong, unique password and tell us promptly if you suspect unauthorized access.

International Users & Data Transfers

We are a U.S.-based service, and we operate primarily from the U.S.. This means that if you access or use the Service from outside the U.S., your personal information will be transferred to and processed in the U.S. (and possibly in other countries where our team or service providers operate). We apply a privacy-first approach globally—we take steps to protect your information no matter where it's processed. In practice, we use reputable third-party service providers (subprocessors) to help run our Service (for example, cloud hosting or communications), and we require these partners to safeguard your data and use it only for our authorized purposes. If we transfer your personal data internationally (either directly or via our service providers), we ensure those transfers are covered by appropriate legal safeguards as described below.

EU/EEA/UK/CH

  • No non-essential trackers: If our systems detect that you're visiting from the European Union, European Economic Area, or United Kingdom, we do not load any non-essential cookies or trackers by default. In other words, we avoid using tools like Google Analytics or social media pixels unless and until we have a lawful basis (such as your consent). Because we don't set optional cookies in these regions, no cookie consent banner is shown. (See Cookies & Tracking.)

  • Data transfers & safeguards: If you sign up for an account or otherwise provide personal information, we process that data in the U.S. and ensure it remains protected during transfer. We rely on recognized data-transfer mechanisms to lawfully move data internationally—this includes the European Commission's Standard Contractual Clauses for EU transfers (and the UK Addendum/IDTA for UK data). In addition, we or some of our providers may participate in the EU-U.S. Data Privacy Framework (including the UK Extension and Swiss-U.S. DPF), as applicable. In all cases, we also apply reasonable technical and organizational safeguards (for example, encryption in transit and strict access controls). See Security for more.

  • Your GDPR/UK rights: If you are in the EU/EEA/UK/CH, you have rights under GDPR/UK-GDPR (for example, to access, correct, or delete your personal data; to object or restrict processing; and to port your data). You can exercise these rights by emailing privacy@studywithathena.com. We may ask you to verify your identity, and we will respond as soon as possible—ordinarily within one month. For details, see Your Privacy Rights.

  • You also have the right to lodge a complaint with your local supervisory authority.

Other Regions

  • Local rights & global standards: Privacy laws differ by country, and you may have additional rights under your local laws (for example, a right to access or delete your data). We encourage all users—regardless of location—to contact privacy@studywithathena.com with privacy requests or questions. We will handle your request in accordance with applicable law. Even where certain laws may not apply, we aim to treat your information with care and to respect your privacy preferences. For instance, where required and supported, we honor valid universal opt-out signals (such as Global Privacy Control) to indicate an opt-out from online tracking or “sale/sharing” of personal information.

Changes To This Policy

We may update this policy. If changes are material, we'll provide reasonable notice (e.g., in-product notice). The Effective Date above shows the latest revision.

Questions or requests: privacy@studywithathena.com