Privacy Policy
What we collect, why, how long we keep it, who we share it with, and how to get it deleted. This document is a template pending review by qualified privacy counsel.
Template — not legal advice
1. Who we are
MemHQ is a memory infrastructure service for AI agents, currently operated as an individual project. Contact: [email protected] for general; [email protected] for data-subject requests (these aliases will route to the operator until a separate legal entity is set up).
This Privacy Policy describes how MemHQ ("MemHQ", the operator of the Service, "we") collects, uses, and shares personal data in connection with the hosted memory infrastructure available at memhq.ai (the "Service"). For the purposes of the EU/UK General Data Protection Regulation, we act as a data controller for personal data we collect to run our own business (e.g., account and billing) and as a data processor for the Customer Content you submit through the Service.
2. Data we collect
Account information
Authentication is handled by Clerk. When you sign up, Clerk collects your name, email address, hashed password (or SSO identity), and session metadata. We receive a stable user identifier and your email address. We never see your password.
API usage telemetry
For every authenticated request to the API we record the request path, response code, latency, the LLM model used for any extraction or synthesis step, the token counts associated with model calls, and the size of the response. We do not record request bodies or extracted memories as telemetry.
Billing information
Payments are processed by Stripe. Stripe collects your billing identity (name, billing address) and your card details under PCI-DSS. We receive a Stripe customer identifier, the subscription status, and the last four digits of the card on file. We do not see full card numbers.
Customer-uploaded memory content (Customer Content)
Anything you submit through the SDK, the API, or the MCP server: raw text, documents, messages, extracted memories, entities, relations, embeddings, and the metadata that accompanies them. This is the content that the Service is designed to store and recall on your behalf.
Support and communications
If you email us or contact us through the dashboard, we keep a record of the conversation, including any information you choose to share with us in support of your request.
Cookies and similar technologies
We use only essential cookies, set by Clerk to keep you signed in. We do not use tracking cookies, advertising cookies, or analytics cookies that follow you across sites. See Section 9.
3. How we use it
We use the data we collect to:
- Operate the Service. Authenticate you, route your requests, store and recall memories, and deliver the API, SDK, dashboard, and MCP server functionality you signed up for. (Lawful basis: performance of a contract.)
- Bill correctly. Meter usage, generate invoices, and process payments. (Lawful basis: performance of a contract.)
- Maintain security and detect fraud. Monitor for abusive traffic, rate-limit anomalies, credential stuffing, and other security events. (Lawful basis: legitimate interest in protecting the Service.)
- Improve the product. Analyze telemetry only (request counts, latencies, error rates, model token usage) to find performance regressions and decide what to build next. (Lawful basis: legitimate interest.) We do not analyze Customer Content for product improvement.
- Support customers. Respond to questions you send us. (Lawful basis: performance of a contract or legitimate interest.)
- Comply with the law. Respond to lawful requests from public authorities and meet our own regulatory obligations. (Lawful basis: legal obligation.)
We do not use Customer Content to train models, build datasets, or improve unrelated features, except where you explicitly opt in through a documented mechanism in the dashboard.
4. Subprocessors
We engage the following subprocessors to operate the Service. Each is contractually bound (through a Data Processing Addendum or equivalent) to use personal data only on our documented instructions and to apply appropriate technical and organizational measures.
| Vendor | Purpose | Data shared | Processing location |
|---|---|---|---|
| OpenAI | Default LLM inference for memory extraction and synthesis | Customer Content submitted for extraction (text, messages, documents) and the prompts derived from it | United States |
| OpenRouter | LLM routing layer used to dispatch extraction prompts to the configured provider | Customer Content embedded in the extraction prompt, routed in transit | United States |
| Anthropic | Judge LLM used in the internal evaluation harness (bench) for ranking and quality metrics | Benchmark prompts and synthetic Q/A pairs — no Customer Content is sent to Anthropic in production | United States |
| Google (Gemini, Vertex AI) | Embeddings provider and synthesis model when configured by the customer | Customer Content when the customer selects a Google model; text passed for embedding generation | United States |
| Clerk | Authentication, account management, SSO | Account information: name, email address, hashed password, SSO tokens, session metadata | United States |
| Stripe | Payment processing and subscription billing | Billing identity (name, billing address, email) and a tokenized payment-method reference. We do not see card numbers. | United States |
| Resend | Transactional email delivery (sign-up confirmation, billing receipts, security alerts) | Account email address and the message body sent to it | United States |
| Sentry | Error reporting and exception monitoring | Stack traces, application context, and a limited subset of request metadata. Request bodies are scrubbed. | United States |
| Fly.io | Application hosting (API and worker fleet) | Customer Content in transit and ephemerally in process memory; no persistent customer-content storage at this layer | Primary region: US-East. Optional regional add-ons. |
| Neon | Managed Postgres for persistent storage | Customer Content at rest: memories, entities, relations, embeddings, project metadata, audit log entries | Primary region: US-East (AWS us-east-2). EU residency available as a paid add-on. |
| Upstash | Managed Redis for the ingest queue and ephemeral job state | Ephemeral job payloads (which may briefly contain Customer Content) and queue metadata. TTL-bounded. | United States |
| Better Stack | Application log aggregation and uptime monitoring | Request metadata (path, status, latency, anonymized actor id), error traces. Request bodies are not shipped. | European Union |
We will give notice of new subprocessors at least thirty (30) days before they begin processing personal data, through an update to this page and an email to customers who have subscribed to the subprocessor notification list (write to [email protected] to subscribe). Enterprise customers receive notice directly under the Data Processing Addendum.
5. Data sharing
We share personal data only with the subprocessors listed in Section 4 and, where required, with public authorities responding to a lawful request. We do not sell personal data. We do not share personal data with advertisers or data brokers. We do not train models on Customer Content without an explicit opt-in.
If we are involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred to the acquiring entity subject to the protections in this Privacy Policy. We will notify you of any such transfer and of any material change in privacy posture that results.
6. Data retention
- Customer Content: retained for as long as your account is active, according to the per-plan retention window you selected. On account deletion, Customer Content is removed from active systems within thirty (30) days and from encrypted backups on their normal lifecycle thereafter (typically within ninety days).
- Account and billing records: retained for as long as the account is active and for up to seven (7) years after closure to meet tax and audit obligations.
- API usage telemetry: thirteen (13) months rolling window.
- Application logs: thirty (30) days.
- Audit log entries: retained for the lifetime of the project. Entries are metadata only; they do not contain memory content.
- Support correspondence: retained for two (2) years from the date of the last message.
7. Security
We apply industry-standard technical and organizational measures to protect personal data, including:
- Encryption in transit: all API traffic and dashboard traffic is served over TLS 1.3.
- Encryption at rest: Customer Content is stored in managed Postgres (Neon) and managed Redis (Upstash) with disk-level encryption at rest, managed by the respective provider.
- API-key handling: API keys are hashed on the server with SHA-256. We store only the hash; the plaintext key is shown to you once at creation time.
- Access control: role-based access control on the storage layer, with project-scoped credentials. Operator access to production is restricted to a small, audited set of engineers.
- Tenant isolation: every API request is scoped to a single project; cross-project queries are not exposed.
- Backups: encrypted daily backups with restore tests on a regular cadence.
We require every member of the engineering team to use a hardware security key for production access, rotate credentials on a regular cadence, and complete annual security training. Production access requests are logged and reviewed. Vulnerability scanning runs on every container image we deploy; dependency advisories are reviewed weekly and patched on a severity-driven schedule.
No service can guarantee perfect security. If we become aware of a personal-data breach affecting your account, we will notify you without undue delay and in any event in accordance with the notification windows required by applicable law (within 72 hours of becoming aware of a qualifying breach under GDPR Article 33, and on the schedule required by U.S. state breach-notification statutes that apply to you). Our breach notification will describe the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures we have taken or plan to take.
8. Your rights
Depending on where you live, you have some or all of the following rights with respect to the personal data we hold about you:
- Access — ask for a copy of the personal data we hold about you.
- Deletion — ask us to delete your account and associated Customer Content, subject to our retention obligations.
- Export — receive a portable copy of your Customer Content. We expose a self-service export endpoint at /v1/internal/export that lets projects dump their own data; you can also request an export by writing to us.
- Correction — ask us to correct inaccurate account information; you can edit most fields directly in the dashboard.
- Objection — object to processing based on our legitimate interest.
- Withdrawal of consent — withdraw any consent you previously gave us (for example, by opting out of the model-training opt-in).
- Complaint — lodge a complaint with your local data-protection authority. We would prefer the chance to resolve it directly first.
To exercise any of these rights, write to [email protected]. We may need to verify your identity before acting on the request. We aim to respond within thirty (30) days; for complex requests we may extend that window by an additional sixty (60) days and will let you know if we do. We will not charge for the first request in a twelve-month period; for repeat or manifestly excessive requests we may charge a reasonable fee or refuse to act, in which case we will explain why.
If your data is held by us as a processor on behalf of one of our customers (for example, your employer uses MemHQ and your data appears inside their project), please contact that customer directly — they are the controller for that data and we will act on their instructions. If you cannot reach the controller, write to us and we will help locate the right party.
9. Cookies
We use only essential cookies. Clerk sets cookies necessary to keep you signed in to the dashboard. We do not use Google Analytics, advertising cookies, retargeting pixels, or any cross-site tracking technology on memhq.ai. Because the cookies we set are strictly necessary, no consent banner is required under the ePrivacy Directive.
10. Children
The Service is not directed to children and is not intended for use by anyone under the age of 13 in the United States or under 16 in the European Economic Area, the United Kingdom, or any jurisdiction with a higher digital-consent age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, write to [email protected] and we will delete it.
11. International transfers
By default, the Service is hosted in the United States (US-East region). When you use the Service from outside the United States, your personal data is transferred to and processed in the United States. Where required by law, we rely on the European Commission's Standard Contractual Clauses (and, for the United Kingdom, the International Data Transfer Addendum) as the legal mechanism for these transfers, supplemented by the technical and organizational measures described in Section 7.
EU customers may request EU data residency for Customer Content storage as a paid add-on. Contact [email protected] for the current scope of the residency add-on and the list of subprocessors that remain in-region under it.
12. GDPR, CCPA, and equivalents
We act as a data processor for Customer Content (you are the controller; you instruct us how to process it through your use of the Service). We act as a data controller for the account and telemetry data we collect to run our business.
A Data Processing Addendum (DPA) is available on request — write to [email protected] and we will send the current version. Enterprise contracts include the DPA by default. The DPA incorporates the EU Standard Contractual Clauses where applicable.
For California residents under the CCPA / CPRA: you have the right to know what personal data we collect about you, the right to delete it, the right to correct it, the right to opt out of any "sale" or "sharing" (we do neither), and the right not to be discriminated against for exercising these rights. The categories of personal data we collect are listed in Section 2; the business purposes are listed in Section 3; the categories of recipients are listed in Section 4.
For residents of Virginia, Colorado, Connecticut, Utah, and the other U.S. states with comprehensive privacy laws in effect at the time you read this notice, you have substantially the same rights as California residents above. Write to [email protected] with the name of the law you are invoking and we will treat the request as a request under that statute.
For residents of the EEA, the United Kingdom, and Switzerland: you have the right to lodge a complaint with your local data-protection authority if you believe our processing of your personal data infringes the GDPR or the UK GDPR. The supervisory authority for our lead establishment, once designated, will be listed here. In the meantime we encourage you to contact us first so we have a chance to resolve the issue directly.
13. Changes to this policy
We may update this Privacy Policy from time to time. For material changes — a new category of data we collect, a new category of recipient with whom we share it, a meaningful expansion of how we use it — we will give you at least thirty (30) days' notice by email to the account contact on file and a banner in the dashboard before the change takes effect. Non-material changes (clarifications, formatting, typo fixes) take effect when we update the "last updated" date.
14. Contact
For privacy questions, data-subject access requests, or to subscribe to subprocessor change notifications, write to [email protected]. For security incidents and vulnerability reports, write to [email protected].
Last updated: 2026-05-21. This page is a template pending review by qualified privacy counsel and is not legal advice.