Privacy Policy

Last updated: April 1, 2026

1. Introduction

This policy describes how Memra collects, uses, and protects your personal data. We are committed to transparency and to protecting your privacy in accordance with the General Data Protection Regulation (GDPR).

2. Data Controller

Memra operates as the data processor. You (the API user) are the data controller for memory content stored through the API. You are responsible for ensuring that you have a lawful basis for storing personal data in memories and for responding to data subject requests from your own end users.

3. Data We Collect

  • Account data: Email address, password hash
  • API usage data: Request counts, timestamps, rate limit counters
  • Memory content: Stored on your behalf through the API
  • Billing data: Managed by Stripe (we do not store card numbers)

4. Data Storage Location

All data is stored on servers in Falkenstein, Germany (EU), operated by Hetzner Online GmbH. Data never leaves the European Union. This includes memory content, account data, metadata indices, and cached embeddings.

5. How We Use Your Data

  • To provide the API service (store, retrieve, and manage memories)
  • To send transactional emails (welcome, password reset, billing notifications)
  • To monitor service health and errors
  • To enforce rate limits and usage quotas

6. Data We Do NOT Use

We do not use your memory content for AI training, analytics, advertising, or any purpose other than storage and retrieval on your behalf. Your data is your data.

7. Third-Party Services

  • Stripe — Payment processing (EU). Handles card data; we never see or store card numbers.
  • Resend — Transactional email (EU region). Receives email addresses for delivery only.
  • Sentry — Error tracking. Memory content is stripped from all error reports before transmission.
  • OpenAI — Embedding generation. Content is sent for vectorization only, not for training. OpenAI's data usage policy applies.

8. Your Rights (GDPR)

  • Right to access: Export all your data via GET /v1/export or the dashboard
  • Right to rectification: Update memories via the PATCH endpoint
  • Right to erasure: Delete individual memories via the API or delete your entire account
  • Right to data portability: Export as JSON at any time
  • Right to object: Contact us at the address below

9. Data Retention

Account data is retained while your account is active. Memory data is retained until you delete it. After account deletion, all data is purged across all storage layers (content files, metadata index, Redis cache, audit logs) within 30 days.

10. Security

API keys are bcrypt-hashed at rest. Memory content is never written to application logs. All connections use TLS 1.3. Admin access is restricted to VPN. We conduct regular security reviews of our infrastructure and application code.

11. Contact

Data protection inquiries: privacy{{ config('memra.domain') }}