1. Introduction
MemorySync provides infrastructure that other companies use to power AI-driven products. We regard handling information on behalf of our customers, and collecting information about visitors to our website and users of our dashboard, as a position of trust.
This document is written in plain language wherever possible, with enough clarity for users, security reviewers, and procurement teams to understand our practices. If any term is unclear, please contact us at the address listed in the Contact Us section.
2. Scope & Roles
MemorySync acts in two distinct capacities depending on context:
- Controller. For information we collect directly — for example, when you create an account, contact us, or browse our website — we determine the purposes and means of processing and act as a data controller (or equivalent role under applicable law).
- Processor. For data that customers submit to or generate within the Services (such as memories, embeddings, prompts, and metadata), MemorySync processes that information on the customer's behalf and acts as a data processor or service provider. The customer remains the controller of that data and is responsible for obtaining any consents required from end users.
Where MemorySync acts as a processor, the customer's agreement with MemorySync — including any Data Processing Addendum — governs how that data is handled, and this Policy describes our practices at a general level rather than the specific terms negotiated with any one customer.
3. Information We Collect
The categories of information we collect depend on how you interact with the Services.
3.1 Account Information
When you sign up for MemorySync we collect the information needed to create and secure your account, including name, business email address, organization or team name, password (stored only in hashed form), and authentication-provider identifiers if you sign in with a supported identity provider. Enterprise customers may additionally provide billing contacts, security contacts, and information needed to configure single sign-on or directory provisioning.
3.2 Customer Content
When you or your end users use the Services, the platform stores the content you submit — including text passed to memory APIs, associated metadata, prompts, retrieval queries, and content ingested from connected sources you authorize. We process this content only to operate, secure, and improve the Services for the customer that submitted it, in accordance with our agreement with that customer.
3.3 API Usage Information
When you call our APIs we record information needed to deliver, meter, and secure the Services. This typically includes API key identifiers, request timestamps, endpoints invoked, response status, coarse request size and latency, and rate-limit signals. We do not treat this information as an end-user profile.
3.4 Technical Information
When you visit our website or use the dashboard we collect technical information that browsers and devices typically share, such as IP address, user agent, device and browser characteristics, referring pages, and pages viewed. We use this information to operate the site, detect abuse, and produce aggregate analytics.
3.5 Communications
If you contact us — through the website, support, or sales channels — we retain the contents of your message, your contact details, and any related correspondence so we can respond and keep a record of the exchange.
3.6 Inferred & Derived Data
The Services generate derived information about how the platform is used (for example, embeddings of customer content, aggregated usage counters, and signals used to detect anomalous activity). This data is used to operate the Services and is held under the same protections as the source data.
4. How We Use Information
We use the information described above to:
- Provide, operate, maintain, and improve the Services.
- Authenticate users and protect accounts from unauthorized access.
- Bill customers, prevent fraud, and enforce usage limits agreed in the applicable plan or contract.
- Communicate with you about the Services, including changes, security advisories, and operational notices.
- Send marketing or sales communications where you have agreed to receive them; you can opt out at any time.
- Detect, investigate, and respond to security incidents, abuse, and violations of our Terms of Service.
- Comply with legal obligations and respond to lawful requests from public authorities.
- Conduct internal analytics, capacity planning, reliability engineering, and product research, primarily on aggregated or de-identified data.
We do not sell personal information, and we do not use customer content to train foundation models or to advertise to end users.
6. Analytics & Performance
We use first-party and a small number of carefully selected third-party tools to measure how the website and dashboard are used, to monitor performance, and to detect errors. These tools are configured to minimize the data they collect and, where possible, to operate on aggregated or de-identified information.
We do not use analytics or performance tooling to build advertising profiles, and we do not share analytics data with advertising networks.
7. Customer Integrations
The Services let customers connect third-party applications and sources — for example, source-code hosts, knowledge-base products, messaging platforms, and document storage — so that content from those systems can be ingested as memory. When a customer authorizes an integration:
- Authorization tokens are issued by the third-party provider under scopes that the customer selects at connection time and can be revoked at any time.
- We access and store only the content the customer instructs us to ingest, and only for as long as the integration remains connected or as required to operate the Services.
- The third-party provider's own privacy practices apply to the data that originates in their systems. Customers are responsible for confirming that their use of an integration complies with the third-party provider's terms.
8. Sub-Processors & Service Providers
MemorySync engages a limited number of trusted service providers to help operate the Services. These sub-processors fall into a small number of categories:
- Cloud hosting and infrastructure providers used to operate the Services.
- AI model providers used to generate embeddings, summaries, and model outputs on customer instruction. These providers are configured under commercial terms that prohibit using customer content to train their public models.
- Payment processing for customers on paid plans, performed by a third-party payments provider that handles cardholder data directly under its own controls. MemorySync does not store full payment card numbers.
- Email delivery for transactional messages such as account verification, billing notifications, and security alerts.
- Error monitoring and observability tools that help us detect failures and operate the Services reliably; these tools are configured to avoid collecting customer content.
We require sub-processors to provide written assurances that meet our security and confidentiality requirements, and we maintain a list of sub-processors that is made available to enterprise customers under their applicable agreements.
9. Customer Responsibilities
Because MemorySync is platform infrastructure, customers play a critical role in protecting the personal information processed within the Services. Customers are responsible for:
- Determining the lawful basis for processing personal information within the Services and providing notice to, and obtaining consent from, end users where required.
- Configuring access controls, single sign-on, directory provisioning, and audit retention in line with their own compliance program.
- Managing API keys, OAuth applications, and integration authorizations, and rotating credentials as required by their internal policy.
- Avoiding the submission of categories of data that are not appropriate for the Services or that require contractual coverage beyond the customer's current plan.
- Responding to data-subject requests directed to the customer in a timely manner, with our support where required by contract.
10. Data Retention
We retain information for as long as needed to provide the Services and for the periods required by law or our legitimate business interests. Specifically:
- Customer content is retained for the duration of the customer's subscription and according to the retention configuration the customer establishes within their workspace. On termination, customer content is deleted in accordance with the applicable agreement.
- Account information is retained for the life of the account and for a reasonable period afterwards to support reactivation, dispute resolution, and legal obligations.
- Operational logs (request metadata, security events, audit records) are retained for the period required to operate, secure, and meter the Services, and are subject to retention configurations available to enterprise customers.
- Anonymous and aggregate data may be retained indefinitely for analytics, capacity planning, and product improvement.
11. Data Security
The Services are designed with enterprise security considerations throughout. Our security program includes administrative, technical, and physical controls that we continue to evaluate and improve as the platform matures. At a high level, this means:
- Encryption of data in transit using current TLS standards and encryption of data at rest using industry-standard algorithms.
- Tenant isolation across the platform, with logical separation of customer workspaces, projects, and search namespaces.
- Strong authentication, including support for single sign-on, multi-factor authentication, scoped API keys, and an OAuth authorization server with audit logging.
- Role-based access controls, the principle of least privilege for internal personnel, and audit logging of administrative actions.
- Background processes for key management and rotation, and environment separation between development, staging, and production.
- Incident-response practices that include investigation, remediation, and notification of affected customers in accordance with applicable law and contracts.
No system can be guaranteed to be perfectly secure. Customers should maintain their own security program and report suspected vulnerabilities to security@memorysync.io.
12. Compliance Considerations
MemorySync supports customers operating in regulated environments by providing tooling such as audit logs, retention controls, role-based access, and configurable governance settings. We continue to evaluate our security and privacy program as the platform matures.
Where third-party attestations, certifications, or examination reports become available, MemorySync may share them with enterprise customers under appropriate confidentiality terms. Information in this Policy describing security or compliance measures is provided as a summary and does not constitute a legal warranty unless restated in a signed agreement.
13. International Data Transfers
MemorySync operates across multiple jurisdictions. Information you provide to us, and information processed on behalf of customers, may be transferred to and stored in jurisdictions other than the one in which it was originally collected. Where transfers of personal information are subject to cross-border transfer requirements, we work to apply lawful transfer mechanisms and appropriate safeguards where applicable and where contractually agreed with the customer.
14. Your Rights & Choices
Depending on where you are located, you may have rights with respect to your personal information, including the right to access, correct, delete, or port your information; the right to object to or restrict certain processing; and the right to lodge a complaint with a supervisory authority.
Where MemorySync is the controller of your personal information, you can exercise these rights by contacting privacy@memorysync.io. Where MemorySync acts as a processor on behalf of a customer, we will direct your request to the relevant customer and assist them in responding to it as required by our contract.
You can also manage many privacy-related settings directly in the MemorySync dashboard, including profile information, notification preferences, session devices, and data export requests where available.
15. Children's Privacy
The Services are intended for businesses and developers and are not directed to children under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child without appropriate consent, we will take steps to delete it.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or the legal landscape. When we make material changes we will update the “Last Updated” date above and, where appropriate, provide additional notice through the Services or by other means.
Your continued use of the Services after a revised Policy takes effect constitutes acceptance of the updated terms.
17. Contact Us
If you have questions about this Privacy Policy or our handling of personal information, please contact us:
- Privacy inquiries: privacy@memorysync.io
- Security disclosures: security@memorysync.io
- General legal: legal@memorysync.io
Written notices may also be sent through the contact channel referenced in your order form or applicable agreement with MemorySync.
© 2026 MemorySync. Please refer to this page for the latest version of this policy.