MBA Memory — Privacy Policy
Draft prepared with AI assistance. This is not legal advice and has not been reviewed by counsel. Consult an attorney before relying on it. Last revised: 2026-05-26.
This Privacy Policy describes how MBA Memory ("we," "us") collects, uses, shares, and protects information when you use the MBA Memory service (the "Service"). It is part of, and incorporated by reference into, our Terms of Service.
MBA Memory is not affiliated with Columbia University or Columbia Business School. Operator: Sanat Dhir. Contact: sdhir26@gsb.columbia.edu.
If we partner with Columbia or any other institution in a "school-sponsored" mode, additional protections will apply per our School-facing Data-Handling Note.
1. Who this applies to
This policy applies to users of the Service — currently CBS students and faculty granted access through our invite-only flow — and to visitors of mbamemory.com.
2. Information we collect
2.1 Information you provide
- Account information. Your columbia.edu email address (including subdomain addresses such as gsb.columbia.edu), name (if you provide one), password (hashed by AWS Cognito), and approval status. We do not store your raw password.
- Honor Code acceptance. A record that you accepted the CBS Honor Code and these Terms (a timestamp and version, not the text you signed).
- Canvas personal access token (transient). When you connect your courses, you paste a Canvas personal access token (generated by you at courseworks2.columbia.edu/profile/settings). We use this token once to call the Canvas API and retrieve the list of courses you are enrolled in. We do not persist the Canvas access token in our User database.
- Chat content. The questions you ask, the answers the Service returns, and the conversation history that makes the chat coherent.
- Personal notes you upload. Files or text you choose to ingest into your personal knowledge area, plus their derived chunks and embeddings.
- Feedback. Thumbs up/down ratings, comments on individual answers, and any feedback you send us directly.
- Support communications. Emails or messages you send us.
2.2 Information collected automatically
- Usage and telemetry. Pages viewed, features used, query counts, latency, error states. Used to operate, secure, and improve the Service.
- Pseudonymous usage analytics. To understand what is working and where the Service falls short, we record pseudonymous behavioral events — for example: session start/end and duration, query submissions and counts, AI-answer completions and latency, regenerate and mid-answer-abandonment signals, citation-panel and source-click interactions, copy/export actions, feedback events, and onboarding/enrollment steps. These events store bounded metadata only — event type, timestamps, counts, coarse value buckets, course labels, and the identifiers that link an event to your account, session, or a specific conversation/message. They do not contain the text of your questions or the AI's answers; that chat content is stored separately as described in Section 2.1. These events are pseudonymous — linked to your account by identifier so we can provide support and analyze cohorts — and are not anonymous.
- Device and connection data. IP address, user agent / browser, approximate location derived from IP, time stamps.
- Cookies / local storage. We use cookies and similar technologies to keep you signed in (session tokens), remember preferences, and measure usage. See Section 9.
- Error / crash data. When the application encounters an error, our error-monitoring subprocessor (planned: Sentry — see Section 6) may receive a redacted stack trace, the URL, and limited environment information.
2.3 Information derived from your content
We derive vector embeddings of (a) lecture-material chunks and (b) any personal notes you upload, store them in our vector database, and use them at query time to retrieve relevant context for AI-generated answers. We also derive course-enrollment metadata from the Canvas API call described above.
2.4 What we do not collect
- We do not collect Columbia academic records (grades, transcripts, registrar data) directly from the school. We only see your enrolled-course list, which we fetch via your own Canvas token.
- We do not ask for, and do not want, sensitive categories such as government-issued IDs, biometric data, health data, or financial-account credentials.
3. How we use information
We use the information we collect to:
- Provide the Service — authenticate you, scope your access to courses you took, retrieve relevant content, generate AI answers, render the chat UI.
- Manage approvals — review and approve (or decline) accounts in the pending_approval waitlist.
- Bill credits — calculate the credit cost of each query from token usage and decrement your balance.
- Improve quality — review failed answers, low-rated answers, and feedback to fix retrieval, prompts, and content gaps. We also infer answer quality and engagement from the pseudonymous behavioral events in Section 2.2 (for example, a high rate of regenerating or abandoning answers on a particular topic or course) and prepare aggregated, de-identified learnings about how the beta is used. Where we do this we prefer aggregated or de-identified analysis; where we look at individual messages it is for debugging, abuse-investigation, or in response to a user-submitted feedback item.
- Communicate with you — service announcements, welcome emails, approval/denial notices, billing-related messages.
- Detect and prevent abuse — automated checks plus manual review of behavior that looks like account sharing, Honor-Code violations, or attempts to exfiltrate the corpus.
- Comply with law and enforce our Terms of Service, respond to DMCA notices (see our DMCA & Takedown Policy), and protect our rights, your safety, and the rights and safety of others.
We do not sell your personal information. We do not "share" it for cross-context behavioral advertising (as those terms are used under U.S. state privacy laws).
4. Legal bases (where applicable)
If a privacy regime applies that requires us to state a "legal basis" (for example GDPR or analogous frameworks), we rely on: performance of a contract with you (Section 3.1–3.5), our legitimate interests in operating, improving, and securing the Service (Section 3.4, 3.6), legal obligations (Section 3.7), and your consent where required.
5. AI training — what we do and do not do
We do not use your queries, chat content, personal notes, or feedback to train AI models (ours or our subprocessors'). The Service relies on retrieval-augmented generation: at query time we pass relevant snippets and your prompt to a third-party model, receive an answer, and return it to you.
Our AI subprocessors (Anthropic and OpenAI) provide model APIs that, under their standard API terms, do not use API inputs or outputs to train their models by default. We rely on those terms.
- Anthropic API training/retention posture under the then-current Anthropic Commercial Terms and Usage Policy, including any zero-data-retention or enterprise options we have or have not opted into.
- OpenAI API training/retention posture under the then-current OpenAI Business Terms and API Data Usage Policies, including default 30-day retention for abuse monitoring and any zero-data-retention configuration.
- AWS Bedrock or other inference providers if added.
We will update this Policy if those postures change.
6. Subprocessors
We use the following third-party providers ("subprocessors") to operate the Service. Each is bound by their own terms and privacy commitments.
| Subprocessor | Purpose | Data categories processed | Location | Training posture |
|---|---|---|---|---|
| Anthropic (Claude API) | AI inference / answer synthesis | Prompts, retrieved context, generated answers | U.S. | API inputs/outputs not used for model training under standard API terms |
| OpenAI (Embeddings API — text-embedding-3-small) | Generate vector embeddings of chunks and queries | Text snippets from the corpus, query text | U.S. | API inputs not used for model training under standard API terms; default short retention for abuse monitoring |
| Amazon Web Services (AWS) | Hosting (App Runner / planned ECS Fargate), database (RDS Postgres), authentication (Cognito), object storage (S3 — s3://phoenix-bridge-ingest/mba-mind/), serverless functions (Lambda — email_domain_gate), email (SES), networking | All account, content, query, log, and corpus data | us-east-1 (N. Virginia) | AWS does not use customer content to train its services as a customer of AWS |
| Sentry (planned — MM-060) | Error and performance monitoring | Redacted stack traces, URL paths, environment metadata; PII scrubbing enabled | | Customer error data not used to train models |
If we add or change subprocessors, we will update this list. Material additions will be announced in-product or by email before they take effect, where feasible.
7. How we share information
We share information only as described here:
- With subprocessors acting on our behalf (Section 6), under their terms.
- With you — your own data, on request (Section 11).
- With law enforcement or in response to legal process when we believe in good faith that disclosure is required by law, or to protect our rights, your safety, or the safety of others.
- In a corporate transaction — if the operator's business or assets are merged, acquired, or transferred, your information may transfer with the Service, subject to this Policy (or a successor policy with materially equivalent protections).
- With your direction — for example, if you choose to share an answer outside the Service (we cannot control what you do with what we return).
We do not sell your personal information and do not share it for cross-context behavioral advertising.
8. Retention
We retain information for as long as your account is active and as needed to provide the Service. Specific retention notes:
- Account, chat, feedback: retained for the life of your account.
- Canvas personal access token: not persisted beyond the single use needed to fetch your enrolled-course list.
- Logs and telemetry: retained for a rolling window for operations, security, and debugging.
- Behavioral analytics events (Section 2.2): raw per-user event rows retained for a rolling window — default 180 days — for quality assessment and beta learning; aggregated or de-identified summaries derived from them may be retained longer.
- Backups: RDS backups follow AWS's retention defaults plus our settings. We will work to honor deletion requests in backups within the normal backup-retention window.
- Error data (Sentry): redacted; default vendor retention applies.
- Corpus content: lecture-material chunks remain indexed until removed via our DMCA & Takedown Policy, a content-quarantine decision (see MM-054 Corpus Provenance), or account/data deletion.
When you ask us to delete your data, or when we close your account, we will remove or anonymize your personal information per Section 11, subject to legal-hold or backup-cycle exceptions.
9. Cookies and similar technologies
We use cookies and local storage to keep you signed in, remember preferences, support security, and measure usage. We do not use third-party advertising cookies. Most browsers let you control cookies; if you block essential cookies the Service may not work.
10. Security
We use commercially reasonable safeguards to protect your information, including:
- Encryption in transit (HTTPS / TLS) between your browser and the Service.
- Encryption at rest for the database, object storage, and backups (AWS-managed encryption).
- Authentication via AWS Cognito (hashed credentials, MFA support
- Access controls. Course-level RBAC restricts users to courses they took; the same applies to personal notes (private to the uploader).
- Network isolation. The database is in a VPC; secrets are managed in AWS.
- Logging and monitoring for abuse detection, plus the planned Sentry integration.
No system is perfectly secure. Tell us promptly if you believe your account has been compromised.
11. Your choices and rights
You may, at any time:
- Access and export your account and chat data. Email sdhir26@gsb.columbia.edu.
- Correct inaccurate information in your account.
- Delete your account and associated chat history, feedback, personal-notes corpus, and your raw behavioral-analytics events (Section 2.2) — these are deleted together with your account. Some derived information (e.g., aggregated or de-identified usage metrics and learnings; legal-hold items; backup cycles) may persist for the windows described in Section 8.
- Opt out of non-essential communications (we will still send service-critical messages, like billing or security notices).
Depending on where you live you may have additional rights under U.S. state privacy laws (e.g., California's CCPA/CPRA, Virginia, Colorado, Connecticut, Texas, Utah) or other regimes — including the right to know what we collect, request deletion, correct inaccuracies, opt out of "sale" or "sharing" (we do neither), and not be discriminated against for exercising your rights. To exercise any of these, email sdhir26@gsb.columbia.edu from the address on your account.
12. Children's privacy
The Service is not directed to children under 18 (or the applicable age of majority). We do not knowingly collect information from children. Our eligibility criteria (columbia.edu email + waitlist approval + 18+ requirement in the Terms) are designed to prevent this. If you believe a child has used the Service, email us.
13. International transfers
The Service is hosted in AWS us-east-1 (Northern Virginia, USA). If you access it from outside the United States, your information is processed in the United States, which may have different data-protection rules from your home jurisdiction. By using the Service you understand and consent to that processing.
14. School-sponsored mode
If your school (e.g., Columbia) enters a formal partnership with us, additional terms — including a data-protection addendum, vendor-grade retention/deletion commitments, audit support, and (where applicable) FERPA "school official" obligations — will apply. See the School-facing Data-Handling Note. Until such a partnership is in place, MBA Memory operates as an independent service and is not a school official, vendor, or contractor of Columbia or CBS.
15. Changes to this Policy
We may update this Policy from time to time. When we do, we will revise the "Last revised" date below and, for material changes, give reasonable advance notice (in-product or by email). Continued use of the Service after the effective date of an updated Policy means you accept the update.
16. Contact
Questions, requests, or notices about this Policy or your data: sdhir26@gsb.columbia.edu.
DMCA / copyright notices: see our DMCA & Takedown Policy.
Last revised: 2026-05-26.