Privacy Policy

Effective date: April 2, 2026

1. Introduction

Mnemo("we", "us", or "our") operates the Mnemo application. This Privacy Policy explains what information we collect, how we use it, and your choices. It applies to all users of the Service, including those in the European Economic Area (EEA), United Kingdom, and Switzerland.

2. Data Controller

The data controller for information processed through Mnemo is mnemoai.com. For privacy questions or data requests, contact us at privacy@mnemo.study.

3. Information We Collect

Account information. When you sign in with Google or GitHub, we receive your name, email address, and profile picture from the provider. If you register with email and password, we store a salted hash of your password — never the plaintext.

Content you upload. Documents, audio files, pasted text, and URLs you provide are stored so we can generate study materials and power search. We do not share your uploaded content with other users.

Usage data. We collect basic server logs (timestamps, request paths, response codes) for reliability and security. We do not use third-party analytics or advertising trackers.

4. How We Use Your Information and Legal Basis

Under the GDPR, we process your personal data only when we have a lawful basis. The table below describes each processing activity and its legal basis:

Processing Activity	Legal Basis
Account creation and authentication	Performance of contract (Art. 6(1)(b) GDPR)
Storing and processing your uploaded documents	Performance of contract (Art. 6(1)(b) GDPR)
Generating study materials (flashcards, quizzes, summaries)	Performance of contract (Art. 6(1)(b) GDPR)
Sending content to LLM providers for AI-powered features	Performance of contract (Art. 6(1)(b) GDPR)
Error tracking and diagnostics via Sentry	Legitimate interest (Art. 6(1)(f) GDPR) — maintaining service reliability and security
Session cookies	Strictly necessary for authentication — no consent required

5. Sub-Processors

We use the following third-party service providers (sub-processors) to operate Mnemo. Data Processing Agreements are in place with all sub-processors. We do not sell your data to any third party.

Provider	Country	Purpose
OpenAI	USA	Text generation and embeddings
Anthropic	USA	Text generation
Google Cloud	USA	Text generation (Gemini), file storage, authentication (OAuth)
GitHub	USA	Authentication (OAuth)
Sentry	USA	Error tracking and diagnostics

When you use chat or artifact generation, relevant text excerpts from your uploaded documents are sent to the configured LLM provider. These providers process your data under their data-processing agreements and do not use it to train their models.

6. International Data Transfers

Our sub-processors are located in the United States. Where personal data is transferred outside the EEA, we rely on appropriate safeguards including the EU–U.S. Data Privacy Framework and Standard Contractual Clauses (SCCs) included in our Data Processing Agreements with each sub-processor.

7. Data Retention

Account data (email, name, profile picture) — retained until you request account deletion.
Uploaded content, artifacts, and chat history — retained until you delete the workspace or request account deletion.
Authentication tokens — access tokens expire after 15 minutes; refresh tokens expire after 30 days.
Server logs — retained for up to 90 days, then automatically purged.
Error reports (Sentry)— retained according to Sentry's data retention policy (90 days by default).

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

For all users

Access — request a copy of the personal data we hold about you.
Correction — request correction of inaccurate personal data. Profile information sourced from OAuth providers (Google, GitHub) should be corrected at the provider.
Deletion — request deletion of your account and all associated data.
Data export — request a copy of your data in a machine-readable format.

Additional rights for EEA, UK, and Swiss residents (GDPR)

Restriction of processing — request that we limit how we use your data (Art. 18 GDPR).
Objection — object to processing based on legitimate interest (Art. 21 GDPR).
Data portability — receive your data in a structured, commonly used, machine-readable format (Art. 20 GDPR).
Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
Lodge a complaint — you have the right to lodge a complaint with your local data protection supervisory authority.

To exercise any of these rights, contact us at privacy@mnemo.study. We will respond within 30 days (or within the timeframe required by applicable law).

California residents (CCPA)

California residents have additional rights under the CCPA, including the right to know what data we collect, request deletion, and opt out of any sale of personal information. We do not sell personal information.

9. Security

We use encryption in transit (TLS), hashed passwords, and least-privilege access controls. Sensitive fields are automatically redacted from application logs. No system is perfectly secure — if you discover a vulnerability, please contact us responsibly.

10. Children

Mnemo is not directed at children under 16 (or under 13 in jurisdictions where that is the applicable age). We do not knowingly collect personal information from children.

11. Changes

We may update this policy from time to time. Material changes will be communicated via the application or email. The "Effective date" at the top of this page indicates when the policy was last revised.

12. Contact

For privacy questions or data requests, contact us at privacy@mnemo.study.

← Back to sign in