Privacy Policy

This summary is a plain-English overview. The sections below are the full policy. If anything conflicts, the detailed sections control—subject to applicable law.

This Privacy Policy describes how FiCelia Labs LLC ("we," "us," or "our") handles information when you use Pestal, our AI-powered learning platform and related websites or services that link to this policy.

It applies to:

• Teachers, instructors, and instructional staff
• Schools, districts, tutoring organizations, and other education providers
• Tutors and coaches using the platform with learners
• Students and independent learners
• Parents or guardians where they interact with the service on a learner's behalf
• Visitors who browse our marketing or product pages

Your relationship with a school or organization may add separate terms or privacy notices. Where that happens, both this policy and your organization's materials may apply to different parts of your experience.

We collect information in the categories below, depending on how you use Pestal.

We use information for purposes such as:

• Providing and operating the platform, including accounts, authentication, and core product features
• Creating and managing courses, lessons, assessments, resources, question banks, and study workflows
• Generating instructional materials, feedback, and tutoring-style assistance with AI where you invoke those features
• Personalizing learning and teaching workflows within your workspace, based on the content and settings you provide
• Maintaining safety, integrity, abuse prevention, and fraud resistance
• Improving reliability, debugging, and product quality (including aggregated or de-identified analysis where appropriate)
• Communicating with you about the service, security, or support
• Complying with law, responding to lawful requests, and enforcing our agreements
• Supporting schools and organizations that administer accounts for their users, where applicable

Pestal uses AI providers—including OpenAI and potentially others—to power features such as course generation, lesson creation, Lesson Studio assistance, lesson tutoring, assessment generation, feedback on learner work, resource creation, and similar capabilities. These features only run when you (or your organization) use them; we do not needlessly send unrelated profile data along with every request.

Our architecture is built with data minimization in mind: we aim to send what is needed to fulfill the feature, and to avoid attaching direct identifiers (such as email addresses or phone numbers) to AI requests when they are not required for that feature.

We use centralized AI request handling and privacy-conscious usage logging. Logs are designed to capture operational metadata—such as feature identifier, model identifier, token usage ranges, status, and latency—rather than storing full raw prompts or completions in ordinary application logs. Limited technical logging may still be necessary for security or debugging; we work to keep that narrow and purpose-bound.

Please avoid entering sensitive personal, medical, disability-related, disciplinary, family, or legal information into AI features unless your organization has determined that is appropriate under its policies and applicable law. If you are unsure, use de-identified or generalized descriptions instead of real names or sensitive narratives.

Pestal is built for educational use. When a school, teacher, tutor, parent, or student uses the platform, we may process information that relates to students—including account identifiers, coursework, responses, progress, and AI conversations tied to a class or course.

Teachers and authorized school staff can typically view student activity, submissions, and interactions inside the courses and groups they manage. That visibility is part of how instructional products work; your organization may define additional rules.

We do not intentionally use student personal information for unrelated advertising. We do not intentionally sell student personal information in the ordinary sense of selling lists to data brokers.

For school-managed or organization-managed accounts, the school or organization may control certain data, exports, or deletion requests. Parent or student privacy rights may depend on the relationship with the institution and on local law—when in doubt, start with your school's administrator.

We describe our practices here to support transparency. Specific U.S. student privacy laws (such as FERPA) or children's privacy laws (such as COPPA) may impose additional requirements on schools or on us depending on how the service is used; we do not state blanket legal compliance with those frameworks on this page.

We may share information with vendors and subprocessors who help us host, secure, analyze, or deliver the service. Examples of categories include cloud hosting, databases and file storage, email delivery, authentication providers, AI inference providers (including OpenAI for many generative features), payment processors if billing is enabled, and diagnostics or error reporting services if we configure them.

We use these providers to operate, secure, and improve Pestal. We do not sell personal information for money in the conventional sense of building unrelated marketing profiles for sale.

We retain information for as long as reasonably needed to provide the service, comply with legal obligations, resolve disputes, enforce our agreements, and maintain security backups. Exact schedules can depend on the type of data and your organization's settings.

User-generated courses, lessons, chats, assessments, and resources generally remain available until you or your organization deletes them—or until a retention rule you have agreed to applies.

If you request account deletion, we will delete or anonymize personal information where we can, subject to applicable law and legitimate interests such as fraud prevention or legal holds. Some residual data may persist in encrypted backups for a limited period before cycling out.

Organization-managed workspaces may follow retention or deletion policies controlled by the institution. Backup systems may take additional time to reflect deletions.

We use administrative, technical, and organizational safeguards designed to protect information. Examples include access controls, authentication, role-based permissions within the product, encrypted transport where standard for web applications, rate limiting on sensitive endpoints, privacy-conscious logging practices, limited retention of raw AI payloads in logs, and database-backed authorization checks.

No method of transmission or storage is completely without risk. You should also protect your credentials and devices, and follow your school's policies when handling student information.

Depending on where you live, your account type, and applicable law, you may have rights to access, correct, delete, export, object to, or restrict certain processing of your personal information.

• Update profile and certain preferences directly in the product where those controls exist
• Request a copy or export of information we hold about you, where the feature or our team can fulfill it
• Ask us to correct inaccurate account or profile information
• Request deletion of your account or certain content, understanding that schools may retain copies separately
• Manage non-essential email preferences if we offer marketing communications in the future
• Control cookies through your browser where our site uses optional cookies

To exercise rights, contact us using the email below. We may need to verify your identity. If your account is owned by an organization, we may need to coordinate with their administrator.

For users in the European Economic Area, the United Kingdom, or Switzerland, certain privacy rights may apply under the GDPR or similar laws. Pestal is designed to support GDPR-conscious data handling—for example through data minimization, purpose limitation, access and deletion workflows where feasible, awareness of subprocessors, and security safeguards.

We may rely on lawful bases such as performing a contract with you, pursuing legitimate interests that are not overridden by your rights, obtaining consent where required, or complying with legal obligations—depending on the processing activity.

Schools or organizations may act as independent controllers for certain student data, with FiCelia Labs LLC acting as a processor or service provider for specific processing on their instructions, where that relationship applies.

If we transfer personal information across borders, we take steps designed to address applicable transfer requirements, which may include contractual safeguards where required by law.

This section describes supportive practices; it is not a certification of full statutory compliance in every jurisdiction or scenario.

Pestal may be used by students under the direction of a school, teacher, tutor, or parent. Children should use the service only with appropriate adult authorization and in line with local rules.

We do not knowingly encourage children to submit more personal information than is reasonably needed for the educational features in use. If you believe a child has provided personal information without proper authorization, contact us and we will work with you in good faith to address the request, subject to applicable law.

We do not claim specific children's privacy statute compliance (such as COPPA) on this page without a dedicated legal review for your deployment model.

We use cookies, local storage, and similar technologies for purposes such as:

• Keeping you signed in and securing sessions
• Remembering preferences you set in the product
• Protecting against abuse and verifying requests where needed
• Diagnostics or analytics, only if we enable them and describe them here

You can control many cookies through your browser settings. Blocking strictly necessary cookies may affect whether certain features work as expected.

We may send transactional messages such as account verification, password resets, invitations to classes or courses, security notices, and service updates important to your use of the product.

If we introduce broader product marketing emails, we will provide a way to opt out of non-essential messages where required by law. Transactional and legally required notices may continue even if you opt out of marketing.

We may update this Privacy Policy from time to time. When we make material changes, we will provide notice through the product, by email, or by posting an updated effective date—consistent with applicable law and the significance of the change.

Continued use of Pestal after the effective date of an update may constitute acceptance of the revised policy, where permitted by law.

Pestal is offered by FiCelia Labs LLC. For privacy questions or requests, email privacy@pestal.app.

This address is the default privacy inbox for inquiries. If your organization was given a different contact as part of a pilot or agreement, prefer that channel. Operators may also set NEXT_PUBLIC_SUPPORT_EMAIL to surface a shared support address in the product UI.

Effective date: April 26, 2026. Last updated: April 26, 2026.