MemoryKey← Back

Privacy Policy

Last updated: April 2, 2026

1. Overview

MemoryKey ("we", "us", "our") operates memorykey.co (the "Service"). This Privacy Policy explains what data we collect, how we use it, and your rights. By using the Service you agree to this policy. If you do not agree, do not use the Service.

MemoryKey stores personal memory and context data and processes it using artificial intelligence to provide features such as memory synthesis, consolidation, and interactive conversations. This policy describes how that data is collected, processed, shared with third parties including AI service providers, and protected.

This policy applies to all users worldwide, including those in the European Economic Area (EEA), United Kingdom, and California.

2. Data We Collect

  • Account data: email address and name, collected via Clerk authentication.
  • Context data: all text you enter into your context fields. This data is encrypted at rest using XSalsa20-Poly1305 (libsodium) before being stored in our database.
  • File uploads: PDF, Markdown (.md), and plain text (.txt) files you upload to the Service (maximum 10 MB per file, 20 files per user). We extract and store the text content of these files.
  • Brain conversations: multi-turn conversations you have with the Brain feature, including your messages and AI-generated responses.
  • Contact form submissions: your name, email address, and message text when you submit a request through our contact form.
  • Usage data: API access logs, audit logs, IP address hashes (not full IPs), and timestamps associated with read/write operations.
  • API keys: we store only a bcrypt hash of each key. The plaintext key is shown once and never stored.
  • Local storage data: we store the following on your device via browser localStorage: theme preference (light/dark), onboarding goals, and UI tip dismissal flags. This data never leaves your device.

3. How We Use Your Data

  • To provide, operate, and maintain the Service.
  • To authenticate you and secure your account.
  • To process your memory data using AI (Anthropic Claude) for memory synthesis, consolidation, and Brain conversations (see Section 6 for details).
  • To extract and store text from files you upload.
  • To generate audit logs for your own review.
  • To deliver contact form submissions to our support team.

We do not sell your data. We do not use your context data to train AI models. When your data is sent to Anthropic for processing, it is subject to Anthropic's data usage policy, which as of our last review does not use API inputs for model training. We do not share your data with third parties except as described in this policy.

4. Legal Basis for Processing (GDPR)

If you are in the EEA or UK, we process your personal data under the following legal bases:

  • Contract performance (GDPR Art. 6(1)(b)): Processing necessary to provide the Service you signed up for, including storing your context data, processing it with AI features, and managing your account.
  • Legitimate interest (GDPR Art. 6(1)(f)): Audit logging, security monitoring, fraud prevention, and service improvement. You may object to processing based on legitimate interest by contacting us.
  • Consent (GDPR Art. 6(1)(a)): Where we rely on consent (e.g., optional features), you may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Legal obligation (GDPR Art. 6(1)(c)): Where we are required to process data to comply with applicable law.

5. Data Security

Context data is encrypted using XSalsa20-Poly1305 (libsodium) with a unique data encryption key per user. That key is itself encrypted by a master key stored in a separate secrets management system and never written to the database. Part of the NaCl cryptography family — the same foundations that power WireGuard VPN and Cloudflare's HTTPS. This means a database breach exposes only ciphertext — nothing readable without the application-layer keys.

Operator access: As the operator of this service, MemoryKey has technical ability to decrypt your data through the application layer. This is true of all standard hosted SaaS services. Your encryption protects against database breaches and unauthorized third-party access — not against the service operator. We do not access your context data except to deliver the service to you.

No method of transmission or storage is 100% secure. We cannot guarantee absolute security and accept no liability for security breaches beyond our reasonable control.

6. AI Data Processing

MemoryKey uses Anthropic's Claude AI models to provide core features of the Service. The following data is sent to Anthropic's API for processing:

  • Memory synthesis: When an AI agent proposes updates to your memory, your existing memory content and the proposed update are sent to Claude to intelligently merge them.
  • Brain conversations: When you use the Brain feature, your memory data and conversation messages are sent to Claude to generate responses and execute memory operations.
  • Memory consolidation (Digest): Periodically, your full memory context may be sent to Claude to prune stale entries, deduplicate content, resolve contradictions, and restructure for optimal organization.
  • File summarization: Text extracted from your uploaded files may be sent to Claude for summarization and integration into your memory.

Important disclosures:

  • Your data is transmitted to Anthropic's servers in the United States via encrypted HTTPS connections.
  • Anthropic acts as a data sub-processor. Their API usage policy (as of our last review) states that API inputs and outputs are not used to train their models.
  • We use Claude Haiku and Claude Sonnet models. We send only the minimum data necessary for each operation.
  • We do not use your data to train, fine-tune, or improve any AI models.

AI outputs are provided "as is" without any warranty of accuracy, completeness, or fitness. MemoryKey is not responsible for the accuracy, reliability, or appropriateness of any AI-generated content, including modifications to your memory data. You are solely responsible for reviewing all AI-processed content.

Automated decision-making: The AI processing described above assists in organizing and managing your memory data. No decisions with legal or similarly significant effects are made solely by automated means. You retain full control to review, edit, or delete any AI-processed content.

7. Third-Party Services and Sub-Processors

We use the following third-party services to operate MemoryKey:

  • Anthropic — AI processing (Claude API). Your memory data is sent to Anthropic for synthesis, Brain conversations, and memory consolidation. Anthropic processes data on servers located in the United States. See Section 6 for details.
  • Clerk — authentication and user management. Stores your email and name.
  • Neon / PostgreSQL — stores encrypted ciphertext only. Cannot read your context without the application-layer decryption keys, which are not stored in the database.
  • Vercel — hosting and compute. Processes requests in memory during API calls. No persistent access to your data.
  • Resend — transactional email for contact form submissions.

We maintain data processing agreements with our sub-processors where required by law. A current list of sub-processors is provided above. We will update this list and this policy when we add new sub-processors.

Each third-party service operates under its own privacy policy. We require our sub-processors to maintain appropriate security measures, but we cannot guarantee their compliance.

8. International Data Transfers

Your data may be processed in countries outside your country of residence, including the United States, where our infrastructure providers and sub-processors (including Anthropic, Vercel, and Neon) operate.

If you are in the EEA or UK, we rely on the following transfer mechanisms:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, where available from our sub-processors.
  • Adequacy decisions, where applicable.

By using the Service, you acknowledge that your data will be transferred to and processed in the United States and other jurisdictions that may not provide the same level of data protection as your home country.

9. Bring Your Own Database (BYODB)

MemoryKey offers an optional feature allowing you to provide your own PostgreSQL database for data storage. If you use this feature:

  • Your memory data will be stored in your own database instead of our managed database.
  • You are solely responsible for the security, availability, backup, and compliance of your own database.
  • We connect to your database using the credentials you provide. We store your database connection string securely but cannot guarantee the security of your database infrastructure.
  • Our AI processing features (Section 6) still apply — your data is still sent to Anthropic for processing regardless of where it is stored.
  • We accept no responsibility or liability for any data loss, breach, or corruption in your self-hosted database.

10. Data Retention

We retain your data for as long as your account is active. Brain conversation history, file uploads, and their extracted text are retained for as long as your account is active. Contact form submissions are retained in our email system for support purposes. You may request deletion of your account and all associated data at any time by . Audit logs may be retained for up to 90 days after account deletion for security and compliance purposes.

11. Your Rights

For all users: You have the right to access, correct, export, or delete your personal data. To exercise any of these rights, . We will respond within 30 days.

For EEA/UK residents (GDPR): You additionally have the right to:

  • Data portability: Receive your data in a structured, commonly used, machine-readable format.
  • Restriction of processing: Request that we limit how we use your data.
  • Object to processing: Object to processing based on legitimate interest.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time.
  • Lodge a complaint: File a complaint with your local data protection supervisory authority.

For California residents (CCPA/CPRA): You have the right to:

  • Know: Request the categories and specific pieces of personal information we have collected about you.
  • Delete: Request deletion of your personal information, subject to certain exceptions.
  • Opt-out of sale: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
  • Non-discrimination: We will not discriminate against you for exercising your CCPA rights.

Categories of personal information collected: identifiers (name, email), internet activity (usage logs, IP hashes), and user-generated content (context data, files, conversations).

12. Cookies and Local Storage

Cookies: We use only strictly necessary cookies for authentication session management (via Clerk). We do not use tracking cookies, analytics cookies, or advertising cookies.

Local storage: We use browser localStorage to store the following non-personal preferences on your device:

  • Theme preference (light/dark mode)
  • Onboarding goals you selected
  • UI tip dismissal flags

This data is stored only on your device and is never transmitted to our servers.

13. Children

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children.

14. Changes to This Policy

We may update this policy at any time. For material changes, we will make reasonable efforts to notify you via the email address associated with your account or through an in-app notification. Continued use of the Service after changes constitutes acceptance of the updated policy. We will update the "Last updated" date at the top of this page.

15. Contact

Questions about this policy?

If you are in the EEA and have concerns about our data practices, you have the right to lodge a complaint with your local data protection supervisory authority.