Morning Bell
Starting at BYU–Idaho · pilot, summer 2026 Join the waitlist
THE FINE PRINT, UNBURIED

Privacy & data practices

Effective date: set at launch. Operated by Andersen Labs LLC. Written to be read, not skimmed past — if anything here is unclear, email hello@trymorningbell.com and a human (Luke) answers.

The short version

Morning Bell reads your school's LMS with the access token you give us, builds one email every morning, and keeps almost nothing. Your token is encrypted the moment it arrives. We are read-only — provably, not just as a promise. One click deletes everything, immediately. Your data is never sold or shared. Period.

What we access

With your access token we read, and only read: your active courses and official course grades, assignments and due dates, your own submission records (so we never call something overdue without checking), and professor announcements from the last 24 hours. The complete list of API calls we make is published below in the API calls section and generated from our actual code. The token you create cannot submit, post, message, or change anything on your behalf through our code: we make zero write calls.

What we store

The minimum that a "what changed since yesterday" email requires:

What we never store

Announcement bodies. Submission content. Files. Discussion posts. Messages. Classmates' anything. Your LMS password (we never see it — a token is not a password and cannot log in as you).

Deletion — real, immediate

Deleting your account is one click. It deletes your encrypted token from the vault, every row of your data, and the account itself, immediately — no 30-day retention, no soft delete, no "processing period." Independently of us, you can revoke the token in your LMS settings at any time and Morning Bell is locked out on the spot.

Every brief also carries a one-tap unsubscribe that stops all sending instantly (your account pauses; deletion is the bigger hammer, also one click).

Selling, sharing, advertising

Your data will never be sold, shared, rented, or used for advertising. There are no third-party analytics on your LMS data. If Morning Bell ever costs money, it will be a price you see and choose — never your data behind your back.

Who processes what

That's the whole list. No data brokers, no ad networks, no analytics companies with access to academic data.

Security honesty

Tokens encrypted at rest with managed keys separate from the database; read-only API usage; deny-by-default access rules on every table; secrets never in code or logs. If we ever have a breach affecting your data, we will tell you directly and promptly — not in a footnote.

Email practices

Every brief includes a working one-tap unsubscribe and our physical mailing address (CAN-SPAM). Subject lines say what the email is. We monitor complaint rates and stop sending to anyone who marks us as spam.

Changes

If these practices ever change materially, you get an email before the change takes effect, written in the same plain English.

Every API call Morning Bell makes — the complete list

This list is published here ("Read-only, provably"). It is generated from the actual client code (supabase/functions/_shared/lms/client.ts); any code change that adds an endpoint must update this list in the same commit, and vice versa. All calls are HTTP GET — the token we ask for is used exclusively to read. Morning Bell makes zero write calls of any kind.

# Endpoint Why we call it
1 GET /api/v1/users/self Validating that your token works (at connect time, and a daily infrastructure health check)
2 GET /api/v1/courses?enrollment_state=active&include[]=total_scores Your active courses and each course's official current grade
3 GET /api/v1/courses/:id/assignments?include[]=submission Assignments and due dates for each course, with your submission status
4 GET /api/v1/courses/:id/assignments/:id/submissions/self Verifying YOUR submission record for a specific assignment before we ever use the word "overdue"
5 GET /api/v1/announcements?context_codes[]=... Professor announcements from the last 24 hours

What these calls can never do: submit an assignment, post or reply to a discussion, message anyone, change a setting, delete anything, or see other students' work. Those operations require write scopes and different endpoints that Morning Bell does not call and has no code for.

hello@trymorningbell.com · Andersen Labs LLC
Morning Bell is not affiliated with Instructure, Canvas, or BYU–Idaho.