Last updated: 2026-05-03
Account: when you sign in with Google we store your email, display name, and a unique user ID. We do not access your Google password, contacts, calendar, or any other Google data.
Usage signals: for each interaction we record the domain classification (e.g. "system-design"), the friction outcome (passed / skipped / no-friction), the score change, timestamps, attachment count + MIME types, and token / cost counts.
Like most Chrome extensions, mu.ai uses Chrome's built-in extension storage (chrome.storage.local) on your device. We store your session token and basic profile (email and display name) there so you don't have to sign in on every page load. Chrome scopes this storage to the mu.ai extension: it is not readable by websites or by other extensions. It is not encrypted on disk, however, so it is only as private as your Chrome profile on that device. It is cleared when you sign out or uninstall the extension. We do not use third-party tracking cookies, pixels, or analytics scripts.
Your prompts, the contents of any attachments, the challenge questions you receive, your written responses to those challenges, and any image-description text generated to classify uploads are processed in memory and immediately discarded. They are never written to our database, never written to backups, and never written to log files. RAM lifetime is bounded by the lifetime of the request (typically <1 second; up to 5 minutes if a friction challenge is held open awaiting your reply).
In transit: all traffic between your browser, the mu.ai extension, and our servers is encrypted with TLS (TLS 1.2 minimum; TLS 1.3 is negotiated by default with modern browsers). Certificates are issued by Let's Encrypt and renewed automatically by our hosting provider.
At rest: the database and all backups are encrypted with AES-256. The database lives on a managed encrypted disk in US Oregon (Render). Backups live in Cloudflare R2 with server-side encryption enabled by default.
Sessions and passwords: we do not store passwords. Sign-in is via Google OAuth. Once signed in, your session is identified by a random 256-bit token (generated server-side, regenerated on every login, expires after 30 days). Operator-only endpoints (backup, seed) are gated by a separate secret header validated with constant-time comparison to prevent timing attacks.
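What the session and operator-header handling above looks like in code, as an added illustration that is not mu.ai's own implementation: a 256-bit token drawn from the OS CSPRNG, regenerated on each login and expiring after 30 days, beside a constant-time check of an operator secret and the `==` comparison it replaces. The in-memory session table, the header name and the operator secret value are assumptions for the example.

```python
import hmac
import secrets
import time
from typing import Dict, Optional

# Added illustration, not mu.ai's code. The in-memory table and the
# operator secret value are assumptions; a real service would keep
# sessions in its database and load the secret from the environment.

SESSION_TTL_SECONDS = 30 * 24 * 3600
OPERATOR_SECRET = "example-operator-secret-loaded-from-env"  # assumption

# token -> {"user_id": ..., "expires": ...}
_sessions: Dict[str, dict] = {}


def issue_session(user_id: str, now: Optional[float] = None) -> str:
    """Log user_id in: invalidate any earlier token for them and mint a fresh one."""
    now = time.time() if now is None else now
    # Regenerate on every login so a previously stolen token stops working.
    for stale in [t for t, s in _sessions.items() if s["user_id"] == user_id]:
        del _sessions[stale]
    token = secrets.token_hex(32)  # 32 CSPRNG bytes = 256 bits, hex-encoded (64 chars)
    _sessions[token] = {"user_id": user_id, "expires": now + SESSION_TTL_SECONDS}
    return token


def resolve_session(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id behind a live token, or None if unknown or expired."""
    now = time.time() if now is None else now
    session = _sessions.get(token)
    if session is None:
        return None
    if now >= session["expires"]:
        del _sessions[token]  # lazy expiry: drop it on first use past the TTL
        return None
    return str(session["user_id"])


def operator_header_ok_naive(header_value: Optional[str]) -> bool:
    """The pattern to avoid: == stops at the first differing byte, so response
    time leaks how long a prefix of the secret the caller has guessed."""
    return header_value == OPERATOR_SECRET


def operator_header_ok(header_value: Optional[str]) -> bool:
    """Constant-time check of the operator header (header name is an assumption)."""
    if header_value is None:
        return False
    # compare_digest's running time depends only on the lengths, not the bytes.
    return hmac.compare_digest(header_value.encode("utf-8"),
                               OPERATOR_SECRET.encode("utf-8"))
```

The token lookup itself is a dictionary access keyed by a 256-bit random value, so guessing it is not a practical concern; the constant-time comparison matters for the operator secret, which is a fixed string an attacker can probe byte by byte if it is compared with `==`.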
Why the most sensitive data can't leak from a database compromise: because student work (prompts, attachments, written responses) is never written to the database, backups, or logs in the first place, no breach of stored data could expose that content. The only data at rest is mastery signal (domain classification, pass/fail, timestamps), protected by the disk and backup encryption above. This guarantee covers data at rest only: it does not cover the server process while a request is in flight, or the copies the model providers listed below hold under their own retention terms.
Your data is used solely to provide the mu.ai service: adaptive friction challenges, mastery tracking, and learning feedback. We do not sell your data, share it with advertisers, or use it to train AI models.
Privacy guarantee: individual mastery scores are never shared with managers, admins, teachers, or anyone else. Owners see only aggregated cohort data across a minimum of 5 members (k=5 anonymity floor). Individual interactions, prompts, and per-user scores are never visible to team owners or other team members.
When a school deploys mu.ai for classroom use, mu.ai operates as a "school official" under FERPA's school official exception (34 CFR § 99.31(a)(1)(i)(B)). Student data is processed only on the school's behalf and only for the agreed educational purpose. We do not redisclose student data, share it with advertisers, or use it to train AI models. Aggregate-only admin views (k=5 floor) mean teachers and administrators never see individual student performance — this is enforced architecturally, not by policy.
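The k=5 floor described in the two paragraphs above, as an added illustration rather than mu.ai's own code: an aggregate-only cohort view that returns nothing for a team with fewer than five distinct members. It goes slightly beyond the text by applying the same floor to each per-domain bucket inside a team, since a small bucket within a large team would otherwise let an owner narrow a figure down to a few people. The field layout and the sample rows are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Added illustration, not mu.ai's code. Row layout and sample data are
# constructed: (user_id, team_id, domain, friction_outcome, score_change),
# the kind of per-interaction signal the policy says is stored.

K_FLOOR = 5  # minimum distinct members behind any reported number

SAMPLE_INTERACTIONS: List[Tuple[str, str, str, str, int]] = [
    ("u1", "t1", "system-design", "passed", 2),
    ("u2", "t1", "system-design", "skipped", -1),
    ("u3", "t1", "system-design", "passed", 1),
    ("u4", "t1", "system-design", "no-friction", 0),
    ("u5", "t1", "system-design", "passed", 3),
    ("u6", "t1", "system-design", "passed", 1),
    ("u1", "t1", "crypto", "passed", 1),      # only 3 members in this bucket
    ("u2", "t1", "crypto", "skipped", -1),
    ("u3", "t1", "crypto", "passed", 2),
    ("u7", "t2", "system-design", "passed", 1),  # team t2 has only 4 members
    ("u8", "t2", "system-design", "passed", 1),
    ("u9", "t2", "system-design", "skipped", 0),
    ("u10", "t2", "system-design", "passed", 2),
]


def cohort_view(rows: List[Tuple[str, str, str, str, int]],
                team_id: str) -> Optional[Dict[str, Dict[str, float]]]:
    """Per-domain aggregates for one team, or None when the team is below the floor.

    The return value carries counts and rates only; user ids never leave this
    function, which is what makes the floor an architectural guarantee rather
    than a UI convention."""
    team_rows = [r for r in rows if r[1] == team_id]
    if len({r[0] for r in team_rows}) < K_FLOOR:
        return None
    by_domain: Dict[str, List[Tuple[str, str, int]]] = defaultdict(list)
    for user, _team, domain, outcome, score in team_rows:
        by_domain[domain].append((user, outcome, score))
    view: Dict[str, Dict[str, float]] = {}
    for domain, items in by_domain.items():
        members = {u for u, _, _ in items}
        if len(members) < K_FLOOR:
            continue  # suppress the bucket entirely rather than report it
        passed = sum(1 for _, o, _ in items if o == "passed")
        skipped = sum(1 for _, o, _ in items if o == "skipped")
        friction = passed + skipped  # no-friction interactions are not challenges
        view[domain] = {
            "members": len(members),
            "pass_rate": passed / friction if friction else 0.0,
            "mean_score": sum(s for _, _, s in items) / len(items),
        }
    return view
```

Suppression is per bucket, not per row: a domain with fewer than five distinct members is simply absent from the result, so an owner sees no hint that it exists, and a team below the floor gets no view at all.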
Inspection, correction, deletion: a parent or eligible student may inspect a student's record via "Export my data" in the dashboard (or GET /api/account/export) and delete it via "Delete account" (or DELETE /api/account). Both are processed within 24 hours. For requests outside the account interface, or for class- or district-wide offboarding, contact privacy@mu-ai.app.
Students under 13: per FTC COPPA guidance, a school may consent on behalf of parents for educational services that collect information solely for the school's use and benefit. Schools enrolling students under 13 should contact us before deployment so we can document the scope.
Anthropic (Claude API): prompts are sent to Anthropic for classification, challenge generation, and evaluation. Under Anthropic's standard commercial terms, prompts are not used for model training and are retained up to 30 days for abuse monitoring before deletion. mu.ai retains nothing from these calls. See Anthropic's privacy policy.
Google AI (Gemini): when you upload images or PDFs, they are sent to Gemini for classification under Google's commercial AI terms (no training, standard retention).
Google OAuth: authentication only — email and display name. No other Google data accessed.
Resend: transactional email for team invitations only. No prompt or mastery data sent.
Render: hosting (United States, Oregon).
Cloudflare R2: encrypted backups of the database described above (which contains only mastery signals, no prompts).
Account information and mastery signals are retained for as long as your account exists. When you delete your account (via the dashboard, the API, or by emailing privacy@mu-ai.app), all of your data (account record, mastery scores, interaction history, team memberships) is removed from the live database within 24 hours. Backups are kept on a 30-day rotation: each backup job also prunes backups older than 30 days, so a copy of deleted data can persist in a backup for at most 30 days after deletion and is removed at the first backup run after that window.
Delete my account: hit DELETE /api/account while authenticated, or use the "Delete account" button in your dashboard. Removes all of your data within 24 hours. You may also email privacy@mu-ai.app.
Export my data: hit GET /api/account/export while authenticated, or use the "Export my data" button in your dashboard. Returns a JSON file containing everything we hold about you.
For questions about this policy, contact privacy@mu-ai.app.