Privacy Policy

Last updated: March 14, 2026

Overview

Mentiora ("we", "our", "us") is a Chrome extension that enhances Canvas LMS with real-time messaging, AI study tools, and a unified academic dashboard. This privacy policy explains what data we collect, how we use it, how we store it, how we share it, and how we protect it.

Data We Collect

Authentication Data

  • What: When you sign in with Google or Microsoft, we receive your name, email address, and profile picture from the OAuth provider. We also store your Canvas user ID and display name.
  • How: Collected via Chrome's identity API (chrome.identity) using standard OAuth 2.0 flows. We never see or store your Google/Microsoft password.
  • Purpose: To create your Mentiora account, authenticate you across sessions, and display your identity in chats and social features.
  • Storage: OAuth tokens are stored locally in your browser via chrome.storage.local. Your user profile (name, email, Canvas ID) is stored in our AWS DynamoDB database in the US East region.

Canvas Academic Data

  • What: Grades, assignments, announcements, course files, syllabus content, and quiz information from your Canvas LMS account.
  • How: Fetched directly from Canvas using your existing Canvas session cookies. We do not ask for or store your Canvas password.
  • Purpose: To power the dashboard, grade tracking, and AI study tools.
  • Storage: Processed locally in your browser. Syllabus text and file summaries may be sent to our backend for AI parsing and cached in our DynamoDB database (associated with the course ID).

Chat Messages and Social Data

  • What: Messages you send in course group chats, direct messages, anonymous Q&A, polls, reactions, and friend connections.
  • How: Sent via encrypted WebSocket connection (WSS) to our backend and stored in our database.
  • Purpose: To enable real-time messaging, social features, and notifications between students in the same course.
  • Storage: Stored on AWS DynamoDB servers in the US East region. Messages are associated with your Canvas user ID and display name. Friend lists and notification history are also stored in DynamoDB.

AI Interactions

  • What: Questions you ask CampusBot or the AI tools, along with relevant course context (syllabus data, assignment details, selected text from course materials).
  • How: Sent to our backend via WebSocket, which forwards them to third-party large language model (LLM) providers for processing.
  • Purpose: To generate AI responses, flashcards, study notes, and contextual answers about your course materials.
  • Storage: AI queries are not permanently stored. Conversation context is held temporarily in server memory during your session (up to 8 turns) and discarded afterward. AI usage counts are tracked per user to enforce usage limits.

File Uploads

  • What: Files you upload through the extension (such as profile images or documents for AI analysis).
  • How: Uploaded via presigned URLs to AWS S3.
  • Purpose: To store user-uploaded content and enable AI processing of documents.
  • Storage: Files are stored in AWS S3 buckets in the US East region.

User Presence and Preferences

  • What: Your online/away/do-not-disturb status, study partner availability, theme preferences, and dashboard settings.
  • How: Sent via WebSocket when you connect or change status. Preferences are stored locally via chrome.storage.local.
  • Purpose: To show classmates who is online, enable study partner matching, and persist your UI preferences.
  • Storage: Presence data is stored temporarily in our database and removed when you disconnect. UI preferences are stored locally in your browser only.

Text-to-Speech Audio

  • What: Text content you submit for text-to-speech conversion.
  • How: Sent to our backend, which uses AWS Polly to generate audio.
  • Purpose: To convert course material text into spoken audio for accessibility and study purposes.
  • Storage: Generated audio files are stored temporarily in S3. TTS usage counts are tracked per user.

Data We Do NOT Collect

  • Canvas passwords or login credentials
  • Browsing history outside of Canvas LMS
  • Financial or payment information
  • Precise geolocation data
  • Keystroke logging or click tracking
  • Contacts, calendar, or other device data

How We Use Your Data

  • To provide and maintain the extension's features (messaging, AI tools, dashboard, notifications)
  • To authenticate you and manage your account
  • To display your identity to other students in shared course chats
  • To process AI queries and return relevant study materials
  • To track usage limits for AI and text-to-speech features
  • To deliver notifications about messages, friend requests, and course activity

Third-Party Services

We share data with the following third-party services solely to provide the extension's functionality:

Large Language Model Providers

AI features send your queries and relevant course context to LLM providers for processing. We currently use DeepSeek as our primary LLM provider. Only the specific context needed to answer your question is sent. The provider's privacy policy applies to data processed by their models. We do not send your personal identity information (name, email) to LLM providers.

Amazon Web Services (AWS)

Our backend infrastructure runs entirely on AWS in the US East (N. Virginia) region. This includes AWS Lambda (compute), DynamoDB (database), API Gateway (WebSocket routing), S3 (file storage), Polly (text-to-speech), and Textract (document OCR). AWS processes data in accordance with their security and compliance standards. See the AWS Privacy Policy.

Google Identity Services

If you sign in with Google, we use Chrome's built-in identity API to authenticate you. Google's privacy policy applies to the authentication flow. See the Google Privacy Policy.

Microsoft Identity Services

If you sign in with Microsoft, we use Chrome's built-in identity API to authenticate you. Microsoft's privacy policy applies to the authentication flow. See the Microsoft Privacy Statement.

Google Fonts

The extension loads fonts from Google Fonts for UI rendering. Google's privacy policy applies to font requests.

Data Sharing

  • We do not sell, rent, or trade your personal data to any third party.
  • We do not use your data for advertising or marketing purposes.
  • Data is only shared with the third-party services listed above as strictly necessary to provide the extension's functionality.
  • Your display name and profile picture are visible to other students in your course group chats and direct messages.
  • Anonymous Q&A posts do not display your identity to other users.

Data Retention

  • User accounts: Retained as long as the extension is installed and in use.
  • Chat messages: Retained indefinitely to preserve conversation history. You may request deletion.
  • Friend connections and notifications: Retained as long as your account exists.
  • Syllabus and file summary cache: Retained for up to 120 days, then automatically deleted.
  • User presence data: Deleted when you disconnect from the WebSocket.
  • AI conversation context: Held in server memory during your session only (up to 8 turns), not persisted to disk.
  • Uploaded files: Retained in S3 until you request deletion.
  • Local preferences: Stored in your browser via chrome.storage.local and deleted when you uninstall the extension.

Data Security

  • All communication between the extension and our backend uses encrypted WebSocket connections (WSS/TLS).
  • Canvas API requests are made over HTTPS using your existing authenticated session.
  • OAuth tokens are stored locally in your browser and never transmitted to our servers in plain text.
  • Our backend runs on AWS with encryption at rest (DynamoDB, S3) and in transit (TLS).
  • Server-side authentication verifies your identity on every WebSocket message to prevent spoofing.

Your Rights

  • Access: You can view all your data through the extension itself (messages, grades, friends, etc.).
  • Deletion: Contact us at the email below to request deletion of your account, chat messages, uploaded files, and any cached data. We will process deletion requests within 30 days.
  • Data portability: Contact us to request an export of your data.
  • Opt out of AI: AI data is only collected when you actively interact with the AI tools. You can use the extension without using AI features.
  • Uninstall: Removing the extension from Chrome deletes all locally stored data (preferences, cached tokens). To also delete server-side data, contact us.

Children's Privacy

Mentiora is designed for university and college students. We do not knowingly collect data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us and we will promptly delete it.

Changes to This Policy

We may update this privacy policy from time to time. Changes will be reflected in the “Last updated” date above. If we make material changes, we will notify users through the extension. Continued use of the extension after changes constitutes acceptance of the updated policy.

Contact

If you have questions about this privacy policy or want to exercise your data rights, contact us: