MemoryMesh Privacy Policy
Last updated: June 12, 2025
Our Commitment to Your Privacy
MemoryMesh is built with privacy-first principles. Your personal thoughts, emotions, and reflections are sacred to us. This Privacy Policy explains how we collect, use, store, and protect your information when you use our app, including our legal basis for processing and your comprehensive data rights.
We do not sell your data to anyone. Ever. MemoryMesh will never share your information for advertising or monetization purposes outside of the app experience you control.
App Store Privacy Summary:
- Data Linked to You: Email, Journal Content, Mood
- Data Not Linked to You: Crash logs, anonymous usage (opt-in only)
- Data Not Collected: Location, Contacts, Payment info
1. Legal Basis for Data Processing (GDPR Article 6)
Our Legal Grounds for Processing Your Data:
Data Category | Legal Basis | Purpose
Account Information (Email, Name) | Contract Performance | Necessary to provide our journaling service
Journal Content & Mood Data | Consent | AI reflections and insights (with your explicit consent)
Health-Related Data (Mood, Cycle Tracking) | GDPR Art. 9(2)(a) - Explicit Consent | Special category data requiring enhanced consent and encryption
Usage Analytics | Consent | App improvement (only if you opt-in)
Security & Error Logs | Legitimate Interest | Ensuring app security and functionality
Cycle Tracking Data | Consent | Personalized insights (only if you enable this feature)
Your Rights: You can withdraw consent at any time through Settings → Privacy & Data. Withdrawing consent does not affect the lawfulness of processing based on consent before withdrawal.
2. Data Retention Schedule
How Long We Keep Your Data:
Data Type | Retention Period | Deletion Trigger
Journal Entries & Mood Data | Until you delete your account | User-initiated deletion or account termination
Account Information | Until account deletion + 30 days | Legal compliance period for audit trails
Voice Recordings | Stored locally only - never uploaded | When you delete the app or recordings
AI Processing Logs | 24 hours maximum | Automatic deletion from AI provider servers
Analytics Data | 2 years or until consent withdrawal | Whichever comes first
Security Logs | 1 year | Required for security monitoring
Note: You can request early deletion of any data category at any time by contacting admin@memorymesh.info
3. Information We Collect
Personal Information:
- Email address and name (for account creation)
- Gender and date of birth (optional, to personalize your experience)
- Authentication credentials (securely encrypted)
Journal Content:
- Text entries and mood selections
- Voice recordings and their transcriptions (processed entirely on your device)
- Voice recordings are never uploaded or shared — they remain on your device unless manually transcribed
- Emotional patterns and insights
Technical Information:
- Device type and iOS version (for compatibility)
- App usage patterns (only if you consent to analytics)
- Error logs and performance data (anonymized)
4. How We Use Your Information
Core App Functionality:
- Provide AI-powered reflections and insights
- Sync your data across devices (if enabled)
- Track emotional patterns and cycles
Personalization:
- Customize the AI companion's responses
- Generate relevant daily prompts
- Provide cycle-aware insights (for users who enable cycle tracking)
Service Improvement:
- Analyze app performance and fix bugs
- Understand feature usage (only with your consent)
- Develop new features based on anonymous usage patterns
5. AI Processing & Privacy
On-Device Processing:
- Voice transcription happens entirely on your device
- No audio data is ever sent to external servers
- Speech recognition uses Apple's on-device technology
AI Reflections - Enhanced Data Handling:
- Journal text is sent to our secure backend for AI processing
- We use trusted AI providers (Mistral, Anakin.ai) through our proxy
- Your data is never used to train public AI models
- All AI processing is encrypted and temporary
- Specific Retention: AI provider servers retain journal text for a maximum of 24 hours for processing, then automatically purge all data
- Audit Logs: Processing logs are pseudonymized (identifiers replaced with codes) and deleted within 72 hours
- No Model Training: Your data is never incorporated into AI model training datasets
Data Minimization:
- Only necessary content is sent for AI processing
- Personal identifiers are stripped from AI requests
- AI responses are generated specifically for you and deleted from AI providers
6. Data Security
Encryption:
- All data is encrypted with AES-256 both in transit and at rest
- Authentication uses secure JWT tokens with automatic expiration
- Database access is protected by Row Level Security (RLS)
Infrastructure:
- Data is hosted on Supabase's secure, SOC 2 compliant infrastructure
- Regular security audits and penetration testing
- Automatic backups with encrypted storage
Access Controls:
- Only you have access to your personal data
- MemoryMesh staff cannot read your journal entries
- Administrative access is logged and audited
7. Data Breach Notification Procedures
Our Commitment to Breach Response:
In the unlikely event of a data breach affecting your personal information, we commit to:
- Immediate Assessment: Breach identification and containment within 24 hours
- Regulatory Notification: Report to relevant authorities within 72 hours (GDPR requirement)
- User Notification: Direct notification to affected users within 72 hours via email and in-app alert
- Transparency: Clear explanation of what data was affected, steps taken, and protective actions you can take
- Remediation: Full incident report and implementation of preventive measures
Immediate Actions: If you believe your account has been compromised, contact admin@memorymesh.info immediately.
8. Your Rights & Data Control
Regional Rights Framework:
EU/EEA Users: Full GDPR rights including access, rectification, erasure, portability, restriction, objection, and withdrawal of consent.
California Residents: CCPA/CPRA rights including access, deletion, portability, opt-out of sale/sharing, and non-discrimination.
All Other Users: Core privacy rights including access, correction, deletion, and consent withdrawal as described below.
Access & Export:
- View all data we have about you
- Export your complete data history in JSON format
- Receive data in a portable format within 30 days
Deletion & Correction:
- Delete your account and all associated data
- Modify or correct any personal information
- Request specific data deletion
Consent Management:
- Opt out of analytics and tracking
- Control data sharing preferences
- Withdraw consent at any time
California Consumer Rights (CCPA/CPRA):
Right to Opt-Out of Sale/Sharing: While we do not sell personal information for monetary consideration, California law may interpret certain analytics and AI processing as "sharing" for business purposes.
- Opt-Out Mechanism: Settings → Privacy & Data → "Do Not Sell/Share My Information"
- Web-Based Opt-Out: Submit opt-out request
- No Discrimination: We will not discriminate against you for exercising your privacy rights
- Authorized Agent: Agents may submit requests with proper verification
Communication:
- Control notification preferences
- Opt out of promotional communications
- Manage data processing consent
9. Third-Party Services & Sub-Processors
Sub-Processor Management & Notification:
We maintain strict control over our sub-processors and data partners:
- Current Sub-Processors: List maintained and updated monthly
- Change Notification: 30-day advance notice of any sub-processor additions or changes via email
- Objection Rights: You can object to new sub-processors within the notification period
- Contract Requirements: All sub-processors must meet GDPR adequacy standards
- Audit Rights: Regular compliance audits of all data processing partners
Database & Authentication: Supabase Inc.
- Purpose: Secure data storage and user authentication
- Data shared: Encrypted journal entries, account information
- Privacy policy: https://supabase.com/privacy
- Location: Global, with GDPR compliance measures
AI Processing: Mistral
- Purpose: Generate AI reflections and insights
- Data shared: Journal text only (via our secure proxy)
- Retention: Maximum 24 hours, then automatic deletion
- Privacy policy: https://mistral.ai/privacy-policy/
AI Processing: Anakin.ai
- Purpose: Generate AI reflections and insights
- Data retention: Temporarily processed only — not stored or used for training
- Maximum retention: 24 hours for processing, then purged
- Privacy policy: https://anakin.ai/docs/compliance/privacy-policy
Analytics: (Only with your consent)
- Purpose: App improvement and usage understanding
- Data shared: Anonymous usage patterns, no personal content
- You can opt out at any time through Settings
10. Cookies & Tracking Technologies
Our Use of Tracking Technologies:
MemoryMesh uses minimal tracking technologies in compliance with ePrivacy regulations:
Strictly Necessary:
- Authentication Tokens: Secure session management (cannot be disabled)
- Security Identifiers: Fraud prevention and account security
Optional Analytics (with your consent):
- Usage Analytics: Anonymous app performance and feature usage
- Crash Reporting: Anonymous error logs for bug fixes
- Device Identifiers: Anonymous device types for compatibility
Your Cookie Controls:
- Manage tracking preferences in Settings → Privacy & Data
- Opt out of analytics tracking at any time
- Tracking consent is requested during onboarding per ATT requirements
11. Children's Privacy (COPPA Compliance)
MemoryMesh is designed for users aged 13 and older. We do not knowingly collect personal information from children under 13 years of age.
Universal Privacy Protections for All Users:
MemoryMesh provides the same high level of privacy protection to all users, regardless of age:
- Content Safeguards: AI features include comprehensive content filtering and safety measures for all users
- Data Minimization: We collect only essential data necessary for app functionality
- Enhanced Security: All personal data is encrypted with industry-leading AES-256 encryption
- User Control: Every user has full control over their data with easy deletion and export options
- No Data Selling: We never sell personal information to third parties
- Transparent Processing: Clear disclosure of all data processing activities
If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us immediately at admin@memorymesh.info and we will delete such information within 48 hours.
For parents and guardians: While we do not collect age information, we encourage parental guidance and supervision for younger users. Any user or their guardian can request account deletion at any time by contacting our support team.
12. International Data Transfers
MemoryMesh is based in the United States. Your data may be transferred to and processed in the United States or other countries where our service providers operate.
We ensure appropriate safeguards are in place for international transfers, including:
- Standard Contractual Clauses (SCCs) for EU users
- Adequacy decisions where applicable
- Encryption and security measures during transfer
- Regular compliance audits of international data flows
13. App Tracking Transparency
MemoryMesh fully respects your privacy choices and complies with Apple's App Tracking Transparency framework (ATT). If we engage in tracking activities that require your consent under applicable law, we will:
- Request your permission before tracking begins
- Allow you to opt out at any time
- Respect your choice and disable tracking if you decline
- Provide clear information about what data is tracked and why
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we do:
- We'll notify you through the app or by email at least 30 days in advance
- The updated policy will be posted in the app and at this URL
- Material changes require renewed consent
- You can always access the current policy at this URL