Privacy Policy
This Privacy Policy explains how memoro me collects, uses, shares, and protects personal data under the EU General Data Protection Regulation (GDPR). memoro me is a personal AI memory service: the Service works by processing the information you choose to add or connect, together with the account, security, billing, preference, and operational data needed to provide and protect the Service.
Last updated: 11 June 2026
What Data Do We Collect?
We collect the content, account, and service data needed to provide memoro me. Content you add, create, or connect includes: audio, video, and text from meetings, lectures, calls, and other recordings you choose to create; conversations, prompts, messages, and instructions you send to AI-assistance features; learning and practice sessions; notes, files, photos, documents, and course materials; email you forward to, send from, or receive at a Service-provided email address; calendar feeds you subscribe to; contacts, calendar events, and photos you choose to import from your device; people, organisations, topics, events, and other records you create; and encrypted secrets or secure entries you choose to store, which are held by the server as ciphertext only. Account and service data includes your name and email address from the sign-in provider you use, your date of birth, which we ask for during account setup to assess Service eligibility and to tailor the Service to your life stage, profile details you choose to share, consent records, credit and billing records, session/authentication data, security logs, and your analytics preference. From content that is not stored as client-side encrypted secrets, memoro me creates transcripts, summaries, action items, extracted entities and relationships, embeddings/search indexes, learning observations, and other derived knowledge that helps the Service remember and surface what matters to you. Plaintext for client-side encrypted secrets, master passwords, and encryption keys for those secrets are not sent to our servers.
Personal Data About Others
Some content you add, create, import, or connect may contain personal data about other people, such as participants in recordings, email correspondents, contacts, people you create records for, or individuals mentioned in files, photos, notes, and messages. You are responsible for ensuring that you have a lawful basis or other appropriate permission to provide that data to the Service. We process that data only to provide the Service to you and protect the Service, with the protections described in this policy.
Legal Bases for Processing
We process your personal data on the following legal bases under the GDPR: providing and administering the Service, including account setup, eligibility checks, authentication, content storage, AI processing, search, memory features, credits, support, exports, and deletion controls, under our contract with you or to take steps before entering into that contract (Article 6(1)(b)); optional analytics, with your consent (Article 6(1)(a)), which you can withdraw at any time through the Service's privacy controls; security, fraud prevention, abuse prevention, diagnostics, and rate limiting, under our legitimate interests (Article 6(1)(f)) in keeping the Service safe and reliable; and billing, tax, accounting, and legal compliance records, to meet our legal obligations (Article 6(1)(c)), including Swedish bookkeeping law.
AI Processing
Your content and derived account context may be processed by AI services to provide the Service, including transcription, summarisation, structured extraction, semantic search, conversational assistance, image analysis, image generation, voice synthesis, speech analysis, learning feedback, and related background processing. AI processing may happen when you ask for something and automatically in the background, for example to transcribe, summarise, extract knowledge, prepare relevant context, or update search and memory features from content you add or connect. The AI providers we use include Anthropic, OpenAI, Google, and Cloudflare. We do not use your content to train AI models, and we send it to these providers under terms that do not permit them to use it for training. Before many text requests leave memoro me, automated redaction replaces email addresses, phone numbers, and credit-card numbers where technically feasible. Redaction cannot reliably catch names, addresses, national identifiers, or every personal detail contained in free text, images, audio, or files, so avoid adding sensitive personal information you do not need to use in the Service. Many external AI providers process data in the United States. See International Data Transfers and the Sub-Processor List for provider, transfer, and location details.
How Is Audio Handled?
When you use voice, recording, meeting, or language-practice features, audio may be captured on your device and sent in short segments for transcription, response generation, meeting notes, and speech analysis. Speech analysis may include signals such as pacing, pauses, filler words, self-corrections, and pronunciation patterns, so the Service can adapt practice and feedback to your level. Raw audio is kept only while transcription, response generation, speech analysis, or temporary recording processing takes place, typically seconds to minutes after the session or recording ends, and is then deleted. Some recordings may be temporarily stored in our EU file storage for transcription or processing and deleted after processing. We do not use your voice to identify you or build voice biometric profiles; if that changes, we will update this policy and obtain your explicit consent before it applies. We do not share your audio with third parties for AI model training. After processing, we may keep meeting transcripts and notes; transcripts from temporary voice interactions and language-practice sessions for about 14 days before automatic removal; and derived learning observations, such as pronunciation patterns, until you delete your account.
Personalisation and Profiling
We use your content and activity to create and update personalisation data in your account, such as preferences, learning observations, and connections between the people, topics, events, and things in your life. This is profiling under the GDPR, and we use it to personalise the Service. We do not use your personalisation data to make decisions producing legal or similarly significant effects about you based solely on automated processing.
Storage and Security
Your account content and service data are stored and processed on cloud infrastructure provided by Cloudflare. This includes databases, file storage, caches, queues, real-time session infrastructure, analytics infrastructure, workflows, and semantic search indexes. Files you upload or create are stored using Cloudflare file storage configured for EU jurisdiction. Some databases, caches, search indexes, and operational infrastructure run on Cloudflare's global network, with processing governed by Cloudflare's data processing agreement and Standard Contractual Clauses where required. Data is encrypted in transit, and stored data is protected by the platform encryption available for the infrastructure services we use. OAuth tokens are additionally encrypted by memoro me using AES-256-GCM. Each user's data is logically isolated, and access is limited to authenticated requests and authorised operational access.
Cookies and Local Storage
On the web, we use a secure session cookie to keep you signed in. It expires after 90 days of inactivity and has a 365-day absolute cap. We also use browser local storage for functional preferences, setup progress, and a client-side cache of account data so the Service loads quickly and stays responsive. This cache mirrors data we already hold on our servers and is cleared when you sign out. Your acceptance of the Terms and Privacy Policy, and your analytics preference, are recorded against your user account rather than stored only in a cookie, so the choice follows you across devices. We do not use advertising cookies, tracking cookies, or third-party cookies. In native apps, authentication uses a device token stored in secure device storage, and cached data is stored in the app's sandboxed storage. You can change your analytics preference at any time through the Service's privacy controls.
Analytics
We collect optional usage analytics to understand how the Service is used, improve reliability, and decide which features need attention. Analytics may include events such as feature usage, frequency, performance, and errors. Before optional analytics events are stored, your user ID is replaced with a one-way pseudonym so the analytics layer does not contain your direct account identifier. Because the pseudonym is deterministic, events can still be grouped as activity from the same account; this is pseudonymisation under GDPR Article 4(5), not anonymisation. You choose whether to enable optional analytics during account setup and can change that choice at any time through the Service's privacy controls. When analytics is off, optional analytics events are not recorded for your account.
Data Retention, Export, and Deletion
Personal content and the knowledge memoro me extracts from it are retained while your account is active, unless a shorter period is stated in this policy. Raw audio is deleted after processing; transcripts from temporary voice interactions and language-practice sessions are kept for about 14 days; optional analytics records that include your pseudonymous user identifier are kept for up to 90 days; and security, audit, and AI-processing logs are kept for limited operational periods. If the date of birth provided during account setup shows that you are under 13, we cannot provide the Service and delete the account and related setup data. If you have not logged in for roughly a year, we send a warning email; if you do not log in within 30 days of the warning, your account and associated personal data are deleted from active storage, subject to the limited exceptions described in this policy. You can export your data at any time through the Service's export controls or by contacting us. When you delete your account, memoro me removes your account, content, files, client-side encrypted ciphertext, search indexes, vector embeddings, cached sessions, and other user-linked records from active storage. Payment processors may keep payment records under their own legal obligations and policies. Aggregate operational metrics and records that are no longer reasonably linkable to your account may remain, and pseudonymised rate-limiting or security records expire automatically.
Your Rights
Under the GDPR, you have the right to request access to your personal data, correction of inaccurate data, deletion, restriction of processing, objection to processing, withdrawal of consent where processing is based on consent, and a portable copy of your data. You can exercise many of these rights through the Service's account, export, deletion, and privacy controls. You can also contact us at support@meetmemoro.app. Withdrawing consent does not affect processing that took place before withdrawal, and some rights may be limited where we must retain data for legal obligations, security, fraud prevention, or dispute handling. We will respond within one month, which we may extend by up to two further months for complex or numerous requests. You also have the right to lodge a complaint with a supervisory authority; in Sweden, this is Integritetsskyddsmyndigheten (IMY, imy.se).
Third-Party Services (Sub-Processors)
We use third-party service providers, called sub-processors, to host infrastructure, process AI requests, support sign-in, deliver email, process payments, support real-time audio and video, and provide other services needed to operate memoro me. We share personal data with them only as necessary for those purposes. Each sub-processor is bound by a data processing agreement or equivalent contractual data-protection terms. For the current list of sub-processors, including the categories of data they receive and their processing locations, see the Sub-Processor List.
International Data Transfers
Some of our sub-processors are based outside the European Economic Area, including in the United States. Where personal data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs), the EU-U.S. Data Privacy Framework where available, and supplementary measures such as encryption in transit and at rest, data minimisation, access controls, and redaction where feasible. Some providers must process content in readable form to deliver the AI, payment, email, sign-in, infrastructure, or real-time communication services used by the Service. Primary customer files are stored using Cloudflare file storage configured for EU jurisdiction; other application data, caches, search indexes, and operational infrastructure may be processed on Cloudflare's global network under Cloudflare's data processing agreement. See the Sub-Processor List for the current provider list, processing locations, and transfer details.
Sign-In Providers and Device Permissions
You can sign in to memoro me with Apple or Google. We use these providers only to verify your identity; we receive your email address and name, and nothing else from the sign-in provider unless you choose to share it. memoro me does not read, sync, or access other data from those providers, such as calendar, contacts, mail, or files, unless a future integration asks for your explicit consent. In native apps, you may choose to grant on-device permissions so that memoro me can import contacts, calendar events, or photos directly from your device. Each permission is optional, requested through the operating system's standard dialog, and can be revoked at any time in your device settings. Data stays on your device until you choose to import it into memoro me.
Contact
For privacy-related questions or to exercise your data rights, contact us at support@meetmemoro.app. The data controller is Martin Forsberg, trading under the registered Swedish business name Memoro, Palme Lydersgatan 20, 271 50 Ystad, Sweden.