Last updated: 2026-04-29
What we collect. Email + bcrypt-hashed password, the memories you save, project/org/key metadata, and an audit log of mutations (with IP).
What we don't. No tracking pixels, no third-party analytics, no advertising IDs.
How we use it. Strictly to operate the service: serve memories back, enforce ACLs, bill subscribed orgs.
Embeddings. All embeddings are computed inside our own infrastructure (sentence-transformers/all-MiniLM-L6-v2). Your memory content is never sent to third-party AI providers.
Sub-processors. Stripe (billing only — never sees memory content). Hosting provider (data at rest). That's it.
Your rights (GDPR + general). Export everything via Account → Data → Export. Delete everything via Account → Data → Delete.
Retention. Active accounts: indefinite. Soft-deleted accounts: 30 days then purged.
Self-hosting. If you run SelfMem on your own infrastructure, this policy doesn't apply — you're the data controller.
This is a placeholder. For a real launch, replace with a policy reviewed by counsel.