Last updated April 25, 2026

Privacy notice

Memoral is a personal wiki. The whole point is that it holds things you wouldn't put anywhere else, so we're telling you exactly what we collect, where it goes, and what you can do about it.

Who we are

Memoral ("we," "us") operates the Memoral web app at memoral.ai and the Memoral iOS app. This notice covers both. If you have a question about anything below, email [email protected].

The short version

  • Your entries are encrypted. Entry content is encrypted on our server with a key only your account can unlock (AES-256-GCM, envelope encryption). We can't read your entry bodies as plaintext at rest.
  • AI features process entry content as plaintext in flight. When you use search, ingest, or chat features, the relevant entry content is decrypted in memory and sent to OpenAI (for embeddings) and Anthropic (for Claude) over TLS. They process the request and return a result; they don't train on it.
  • Metadata is not encrypted. Titles, summaries, tags, entry types, and dates are stored as plaintext so we can show them in lists, search results, and the knowledge graph.
  • We don't sell your data. Ever. There's no advertising business here.
  • Delete means delete. "Delete account" in Settings purges your entries, tags, sessions, and audit log from our database.

What we collect

Account information

When you create an account we store your email address, your name (optional), and either a password hash (bcrypt) or your social login (Google, Apple) / passkey credential. If you turn on two-factor authentication, we store the encrypted 2FA secret so we can verify codes.

Your entries

The body of every entry — the part you write or paste in — is encrypted with AES-256-GCM before it's written to our database. Each entry has its own data encryption key (DEK), which is itself wrapped by a per-user key encryption key (KEK), which is wrapped by a server master key. We can't decrypt your entries without your account being active in a request.

What is not encrypted at rest: the entry's title, AI-generated summary, tags, entry type (journal, contact, event, etc.), the date the entry refers to ("happened at"), and timestamps. This is what lets us show you a usable list, run text search, and draw the knowledge graph without round-tripping your master key on every page load.

Sessions and activity

For each active session we store an opaque session token in an HTTPS-only cookie, plus the IP address and User-Agent that started it. We also keep an audit log of significant actions (sign-in, entry created/edited, billing change, account deletion) with the same IP and User-Agent. Audit log rows older than 90 days are deleted automatically.

Email ingest (optional)

If you enable email ingest, we generate a personal forwarding alias for you (e.g. ingest+<token>@…). Email you send to that address is delivered to us by Resend, our email provider. We store the message ID, sender address, subject, and our processing decision (created an entry, split it, skipped it). We don't store the raw email body in the database — it lives only in the inbound processing job.

Billing

On the web, payment is handled by Stripe. We store your Stripe customer ID and your subscription status; we do not store your card number, CVC, billing address, or invoice PDFs — those live in Stripe. On iOS, paid plans use Apple In-App Purchase (and may use RevenueCat in a future version); Apple holds the payment data.

Analytics

We use Mixpanel to understand how the product is being used (which screens get traffic, where sign-up funnels break, which AI features are popular). Events include page views, feature usage, and account-level properties (plan, signup date, onboarding state). Your IP address is included so Mixpanel can derive approximate region; a small percentage of sessions are recorded as session replays, with passwords, email inputs, and your editor content masked.

We do not run advertising trackers. We do not use Google Analytics, Facebook Pixel, or similar.

AI features and third-party processing

Memoral's value comes from AI features — auto-tagging, semantic search, the chat-with-your-wiki view, the email triage, and so on. These features can't happen on a server that has never seen your content, so we want to be specific about what gets sent where.

  • OpenAI — When you create or edit an entry, the body text is sent to OpenAI's embedding endpoint to compute a vector representation we use for semantic search. We store the vector; OpenAI doesn't store the input text under their API terms.
  • Anthropic (Claude) — When you use AI ingest (auto-detect tags, type, and date), AI search synthesis, the chat view, or the lint scan, the relevant entry content (and a small amount of your wiki context — tags, related entries) is sent to Anthropic. Anthropic does not train on API traffic by default.
  • ChatGPT and other MCP clients — If you connect Memoral to ChatGPT, Claude, or another MCP-compatible assistant, that assistant can call the Memoral tools you approved. Depending on the tool, we may return entry content, titles, summaries, tags, entry types, dates, properties, linked-entry metadata, search scores, lint results, and newly-created or updated entry IDs to that assistant.

OpenAI and Anthropic are reached over TLS. Those model requests do not include your name, email, or account ID — just the text needed to produce the answer. Memoral tool results sent to connected assistants also do not include your Memoral account ID.

MCP connections use OAuth scopes so read, create, and update access can be granted separately. You can revoke connected assistants from Settings at any time. Revoking stops future tool calls, but it does not erase content an assistant already received in a prior conversation.

On iOS, certain small tasks (e.g. summarising a single entry you already have on screen) may run on Apple's on-device Foundation Models so the text never leaves your phone. We'll always prefer on-device when the task fits; we'll use the server route for anything that needs your wider wiki.

How we use your data

  • To show you your wiki, search it, and draw the graph.
  • To run the AI features described above.
  • To send you transactional email — verification, password reset, ingest confirmations.
  • To bill you for paid plans and apply discounts or refunds.
  • To keep the service secure (rate-limiting, abuse detection, audit log).
  • To diagnose bugs and improve the product (analytics).

We don't use your entry content to train AI models, ours or anyone else's. We don't sell your data. We don't share it with advertisers.

Subprocessors

The companies that touch your data so the service can run:

  • DigitalOcean — application hosting and the PostgreSQL database (US region).
  • Cloudflare — DNS and edge proxy in front of memoral.ai.
  • OpenAI — text embeddings.
  • OpenAI / ChatGPT — if you connect Memoral to ChatGPT, ChatGPT receives the Memoral tool results returned during your conversations.
  • Anthropic — Claude (LLM inference for ingest, search synthesis, chat, lint).
  • Resend — outbound transactional email and inbound email ingest.
  • Stripe — web subscription billing.
  • Apple — iOS In-App Purchase, App Store delivery, Sign in with Apple.
  • Mixpanel — product analytics and session replay.

How long we keep things

  • Entries, tags, settings: until you delete them or delete your account.
  • Audit log: 90 days, then auto-purged.
  • Sessions: until they expire or you sign out.
  • Email ingest metadata: kept while your account is active so you can see what was processed; removed when you delete your account.
  • Stripe records: Stripe retains payment and invoice records as long as their compliance obligations require, even after you delete your Memoral account. We unlink them from your account.

Your choices and rights

  • Access and export: ask us at [email protected] and we'll send you a JSON export of everything in your account.
  • Correction: edit entries, profile, and tags directly in the app.
  • Deletion: Settings → Danger zone → Delete account. This cascades through entries, tags, sessions, audit log, and email-ingest metadata.
  • Marketing email: we don't send any. The only email you'll get from us is transactional (verification, billing, ingest confirmations).
  • Analytics opt-out: standard Do Not Track / Global Privacy Control headers are honored — we'll skip Mixpanel for the session.

If you're in the EU, UK, or California, the rights above are also yours under GDPR / UK GDPR / CCPA. We act as the data controller for your account.

Security

We use TLS 1.2+ for every connection, AES-256-GCM for entry content at rest, bcrypt for password hashes, and PostgreSQL Row-Level Security to enforce tenant isolation at the database layer. Sessions are bound to opaque tokens with HTTPS-only cookies; passkeys and 2FA are available on every account.

Nothing on the internet is unbreakable. If we ever discover a security incident affecting your account, we'll tell you within the windows our regulators require, and we'll tell you what data was affected.

Children

Memoral is not intended for use by anyone under 13 (or under 16 in jurisdictions where that's the local minimum). We don't knowingly collect data from children. If you believe a child has created an account, email us and we'll delete it.

Where your data lives

Memoral's servers and database are in the United States. If you use the service from elsewhere, your data will be transferred to the US to be processed. We rely on Standard Contractual Clauses with our subprocessors where required.

Changes to this notice

We'll update this page when the data flows change — for example when we add a new subprocessor or a new AI feature. The "last updated" date at the top will move; for material changes we'll also email you.

Contact

Privacy questions, data export requests, or anything else: [email protected].