Who we are
Controller/Processor role. For institution-managed accounts, your institution is the data controller and nutshell acts as a data processor operating the service on the institution’s instructions. You may contact either your institution or nutshell with requests; we will promptly coordinate with the institution to fulfill them.
Bilişim İnovasyon Merkezi ODTÜ Teknokent
Çankaya/Ankara — Türkiye
What we collect
Email address (required): used as your account identifier and for essential account communications (e.g., password reset, security alerts).
Password (required): used only to authenticate you. We hash and salt passwords using industry-standard algorithms. We never store plain-text passwords.
No other personal data. We do not collect profile details, analytics identifiers, advertising IDs, or behavioral data under this policy.
Cookies. We use a strictly necessary session cookie to keep you signed in. It is limited in scope and configured with security attributes.
Why we process data
Provide and operate the service.
GDPR legal basis: performance of a contract (Art. 6(1)(b)) and our legitimate interests in platform security and integrity (Art. 6(1)(f)).
Security and fraud prevention.
GDPR legal basis: legitimate interests (Art. 6(1)(f)).
We do not use your information for advertising or profiling.
Where we process & international transfers
We host on Amazon Web Services (AWS) in eu-central-1 (Frankfurt, Germany). If limited transfers outside the EEA/UK/Türkiye are necessary (e.g., support operations), we use appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) and comparable mechanisms as required by law.
How we protect data
- Password security: SHA-256 hashing with salt.
- Encryption: TLS in transit; encryption at rest via our hosting provider.
- Access controls: role-based, least-privilege access; access is logged.
- Secure development & operations: patching, dependency management, and incident response procedures.
We apply industry-standard safeguards designed to protect your information.
Retention
Active accounts: we retain your email and hashed password while your account remains active.
Account deletion/termination: upon verified request or institutional instruction, we delete or irreversibly anonymize credentials within 90 days, subject to minimal legal/security log retention.
Backups are rotated on scheduled cycles; deletion propagates to backups within standard retention windows.
Sharing & disclosures
We do not sell or share personal information as “sell” or “share” are defined under the CCPA/CPRA. We may disclose information to:
- Service providers / sub-processors strictly to run the service (e.g., cloud hosting, email sending), bound by data-processing terms. Our current list is available upon request.
- Legal / safety: if required by law or necessary to protect the rights, safety, and security of users, the public, or nutshell.
Service providers are not permitted to use your data for their own marketing.
Your rights
Depending on your location and institutional arrangement, you may have rights to access, rectify, delete, restrict, or object to processing, and to portability under GDPR, and to know, delete, and correct under CCPA/CPRA.
How to exercise: email info@nutshell-edu.com. You may also contact your institution. nutshell will verify your request and coordinate with your institution when needed.
Changes to this Policy
We may update this Policy to reflect operational, legal, or regulatory changes. If updates materially affect your rights, we will provide reasonable notice (e.g., in-app notice or email). The Effective date above shows when the latest version took effect.
Contact
Questions or requests: info@nutshell-edu.com
Region-specific notices
European Union / UK (GDPR)
nutshell acts primarily as a processor for institution-managed accounts. For security processing we rely on legitimate interests. International transfers, where applicable, are protected by SCCs or equivalent safeguards. You may lodge a complaint with your local supervisory authority in the EU/UK.
California (CCPA/CPRA)
nutshell acts as a service provider to your institution. We do not “sell” or “share” your personal information. You have rights to know, delete, and correct your information, and to be free from discrimination for exercising these rights. Contact info@nutshell-edu.com to submit a request.