Privacy Policy for the Memoro Website

1. Introduction

This privacy policy informs you about the nature, scope and purpose of the processing of personal data on our website www.memoro.ai. We take the protection of your personal data very seriously and treat your personal data confidentially and in accordance with legal data protection regulations and this privacy policy.

2. Responsible Party

Responsible for data processing on this website is:

Memoro GmbH
Reichenaustraße 11a
78464 Konstanz
Phone: 0049 176 444 343 85
Email: [email protected]

Editorial responsibility: Till Schneider

3. Types of Data Processed

We process personal data that we collect as part of your use of our website. The processed data includes:

  • Usage data (e.g., visited web pages, access times)
  • Meta/communication data (e.g., device information, IP addresses)

4. Purpose of Data Processing

We process your personal data for the following purposes:

  • Provision and optimization of our website
  • Conducting analyses and statistics
  • Marketing and advertising
  • Improving user experience

The processing of your personal data is based on your consent (Art. 6 para. 1 lit. a GDPR) and/or our legitimate interests (Art. 6 para. 1 lit. f GDPR), which consist of optimizing our offer and improving the user experience.

6. Recipients of Data

Your data may be passed on to the following recipients:

  • Service providers and processors working for us

7. Duration of Storage

We store your personal data only as long as necessary for the purposes for which it was collected or as required by law.

8. Your Rights

You have the right to:

  • Request information about your personal data processed by us
  • Request correction of incorrect or completion of your personal data stored by us
  • Request deletion of your personal data stored by us
  • Request restriction of the processing of your personal data
  • Revoke your consent at any time
  • Lodge a complaint with a supervisory authority

9. Use of Analysis and Tracking Tools

We use various analysis and tracking tools on our website to analyze and improve the use of our website. Below we inform you about these tools:

9.1. Vercel Analytics

We use Vercel Analytics, a web analytics service from Vercel Inc. Vercel Analytics does not use cookies and does not collect personal data. Only anonymized usage data is collected to improve the performance and use of our website.

9.2. Google Analytics

We use Google Analytics, a web analytics service from Google LLC. Google Analytics uses cookies that enable an analysis of your use of the website. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there.

We have activated IP anonymization. This means that your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area.

More information on the handling of user data by Google Analytics can be found in Google’s privacy policy: https://policies.google.com/privacy

9.3. Plausible Analytics

We use Plausible Analytics, a privacy-friendly web analytics service. Plausible Analytics does not collect personal data and does not use cookies. Only anonymized usage data is collected to analyze the performance and use of our website.

Further information about Plausible Analytics and their privacy practices can be found at: https://plausible.io/data-policy

9.4. Hotjar

We use Hotjar to better understand our users’ needs and to optimize the offer on this website. Using Hotjar’s technology, we get a better understanding of our users’ experiences (e.g., how much time users spend on which pages, which links they click, what they like and what they don’t, etc.) and this helps us to align our offer with our users’ feedback.

Hotjar works with cookies and other technologies to collect information about our users’ behavior and their devices (in particular device IP address (collected and stored only in anonymized form), screen size, device type (unique device identifiers), browser information, location (country only), preferred language for displaying our website).

Further information can be found in Hotjar’s privacy policy: https://www.hotjar.com/legal/policies/privacy

9.5. PostHog

We use PostHog, an open-source platform for product analytics. PostHog collects information about the use of our website, including page views, clicks, and user interactions. This data helps us improve our product and optimize the user experience.

PostHog uses cookies to identify users across multiple visits. You can disable the use of cookies in your browser settings.

We use PostHog’s EU cloud, which means that all data collected by PostHog is processed and stored within the European Union. This helps ensure compliance with the General Data Protection Regulation (GDPR).

More information about PostHog’s privacy practices can be found at: https://posthog.com/privacy

10. Opt-Out Options

You have the option to object to data collection by the above-mentioned services at any time:

11. Changes to this Privacy Policy

We reserve the right to adapt this privacy policy so that it always complies with current legal requirements or to implement changes to our services in the privacy policy, e.g., when introducing new services. The new privacy policy will then apply to your next visit.

12. Questions about Data Protection

If you have any questions about data protection, please send us an email or contact the person responsible for data protection in our organization directly:

Memoro GmbH
Attn: Data Protection Officer
Reichenaustraße 11a
78464 Konstanz
Email: [email protected]

Status: December 15, 2024

Privacy Policy for the Memoro App

Introduction

We are very pleased about your interest in our app. Data protection has a particularly high priority for the management of Memoro GmbH. This privacy policy is intended to inform you about the nature, scope and purpose of the collection and use of personal data when using our app.

Our Promise: We will never access or sell your data. We specifically rely on solutions that meet the highest European data protection standards and continuously reduce our dependence on non-European providers.

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Memoro GmbH
Reichenaustraße 11a
78464 Konstanz
Phone: 0049 176 444 343 85
Email: [email protected]

2. Definitions

This privacy policy is based on the terminology of the General Data Protection Regulation (GDPR). Our privacy policy should be easily readable and understandable for the public as well as for our customers and business partners. To ensure this, we would like to explain the terminology used in advance:

  • Personal data: Any information relating to an identified or identifiable natural person.
  • Data subject: Any identified or identifiable natural person whose personal data is processed by the controller.
  • Processing: Any operation performed on personal data, whether or not by automated means.
  • Restriction of processing: The marking of stored personal data with the aim of limiting their processing in the future.
  • Profiling: Any form of automated processing of personal data to evaluate certain personal aspects.
  • Pseudonymization: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.
  • Controller: The natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.
  • Processor: A natural or legal person who processes personal data on behalf of the controller.
  • Recipient: A natural or legal person to whom personal data is disclosed.
  • Third party: A natural or legal person other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
  • Consent: Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of personal data relating to them.

3. Purposes of Data Processing

3.1. Processing of Voice Recordings, Transcriptions and Summaries

Purpose of data processing: The processing of your voice recordings is for the purpose of transcription and subsequent creation of summaries (“Memories”). This data processing is exclusively for your personal use and the results are only made available to you.

Type of data processed:

  • Voice recordings
  • Transcriptions of voice recordings
  • Summaries of transcriptions (“Memories”)

Your Data Journey:

  1. Recording: Audio file is first securely stored on your device
  2. Upload: Encrypted transmission to Supabase (Frankfurt, Germany)
  3. Transcription: Processing by Microsoft Azure (Sweden, EU)
  4. Conversion (if needed): Google Cloud (Frankfurt, Germany)
  5. Analysis: Creation of “Memories” by Google Gemini (Belgium, EU) or Azure OpenAI (Sweden, EU)
  6. Storage: Final analyses in Supabase (Frankfurt, Germany)

Note on recording other persons: Please note that recording voice recordings of other persons without their express consent violates the GDPR. You are obligated to ensure that all recorded persons have given their consent to the processing of voice recordings. It is your responsibility to obtain and prove this consent.

3.2. Processing of Usage Data

Purpose of data processing: Usage data is collected to improve the functionality and user-friendliness of our app.

Type of data processed:

  • IP address of mobile device
  • Device type
  • Unique device identifier
  • Mobile device operating system
  • Type of mobile internet browser
  • Unique device identifiers
  • Diagnostic data
  • Art. 6 I lit. a GDPR serves our company as the legal basis for processing operations for which we obtain consent for a specific processing purpose.
  • If the processing of personal data is necessary for the performance of a contract to which the data subject is party, as is the case, for example, when processing operations are necessary for the supply of goods or to provide any other service or consideration, the processing is based on Art. 6 I lit. b GDPR.
  • If our company is subject to a legal obligation by which processing of personal data is required, such as for the fulfillment of tax obligations, the processing is based on Art. 6 I lit. c GDPR.
  • In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. Then the processing would be based on Art. 6 I lit. d GDPR.
  • Finally, processing operations could be based on Art. 6 I lit. f GDPR. This legal basis is used for processing operations not covered by any of the aforementioned legal grounds, if processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party.
  • If special categories of personal data are processed in accordance with Article 9 GDPR, the processing is also based on your express consent in accordance with Article 9 paragraph 2 letter a GDPR.

5. Data Security

We use comprehensive technical and organizational measures to protect your data:

  • Encryption: AES-256 for stored data, TLS 1.2/1.3 for data transmission
  • Access Control: Multi-factor authentication, role-based permissions
  • Backup Strategy: 3-2-1 backup strategy with daily encrypted backups
  • Certifications: Our service providers are SOC 2 Type II, ISO 27001 and GDPR compliant

6. Duration of Storage

The criterion for the duration of storage of personal data is the respective statutory retention period. After expiry of the period, the corresponding data is routinely deleted, provided it is no longer necessary for contract fulfillment.

Storage and Deletion Periods:

  • Content Data (recordings, transcripts, memories): As long as the user account exists; immediate deletion upon user request
  • Account Data: Deletion within 30 days after deletion request
  • Technical Log Data: Maximum 90 days
  • Product Analytics Data (PostHog): Maximum 12 months
  • Backups: Maximum 30 days retention period
  • AI Processing Cache (Google/Azure): Automatic deletion after maximum 30 days

Special Arrangements for Organization Customers: Individual automatic deletion periods can be agreed within a Data Processing Agreement (DPA).

7. Statutory or Contractual Requirements to Provide Personal Data

We clarify that the provision of personal data is partly required by law (e.g., tax regulations) or can also result from contractual provisions (e.g., information on the contractual partner). Sometimes it may be necessary to conclude a contract that the data subject provides us with personal data, which must subsequently be processed by us. The data subject is, for example, obliged to provide us with personal data when our company signs a contract with them. The non-provision of the personal data would have the consequence that the contract with the data subject could not be concluded.

8. Service Providers

We employ third-party companies and individuals to facilitate our app (“Service Providers”), to provide services on our behalf, to perform service-related services or to assist us in analyzing how our app is used.

These third parties have access to your personal data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

9. Use of Cloud Services and Data Processing

We use selected cloud services to make our data processing efficient and secure. All service providers are GDPR compliant and act as processors according to Art. 28 GDPR.

9.1. Supabase (Backend & Database)

Server Location: Frankfurt, Germany
Purpose: Storage of all content data, account data and authentication
Compliance: SOC 2 Type II certified, GDPR compliant
Note: Supabase is headquartered in the USA. Access from the USA may occur in limited cases (support, maintenance). This is secured by Standard Contractual Clauses (SCCs).

9.2. Microsoft Azure

Server Location: Sweden, EU
Purpose: Speech transcription (Azure Speech) and AI analysis (Azure OpenAI)
Compliance: ISO 27001, SOC 1/2/3, GDPR compliant
Guarantee: No use of your data for model training; deletion after max. 30 days

9.3. Google Cloud

Server Locations:

  • Frankfurt, Germany (file conversion)
  • Belgium, EU (Google Gemini AI analysis)
    Compliance: ISO 27001, SOC 1/2/3, GDPR compliant
    Guarantee: No use of your data for model training; deletion after max. 30 days

9.4. PostHog (Product Analytics)

Server Location: Frankfurt, Germany (EU hosting)
Purpose: Anonymized usage analysis to improve the app
Compliance: SOC 2 Type II, GDPR compliant
Special Feature: Can be completely deactivated for organization customers

9.5. Firebase Services

Firebase (Google Ireland Limited) is used for the following functions:

  • Firebase Analytics: for analyzing user behavior
  • Firebase Cloud Messaging: for sending push notifications
  • Firebase Realtime Database: for storing and synchronizing data
  • Firebase Storage: for backing up and storing media
  • Firebase Crashlytics: for detecting and analyzing app errors

All Firebase services are GDPR compliant and data processing occurs within the EU.

10. Transparency Notice on International Data Transfers

Although your data is physically stored and processed in the EU, we want to transparently inform you about possible international aspects:

  • US Service Providers: Some of our processors (Supabase, PostHog) are headquartered in the USA
  • Protective Measures: All data transfers are secured by EU Standard Contractual Clauses (SCCs) and additional technical measures
  • Residual Risk: Theoretical access by US authorities (e.g. via CLOUD Act) cannot be legally completely excluded
  • Your Control: You can request deletion of your data at any time

11. Use of Google Analytics

Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our app. This data is shared with other Google services. Google may use the collected data to contextualize and personalize ads in its own advertising network.

For more information on Google’s privacy practices, please visit the Google Privacy & Terms web page: Google Privacy & Terms

We also recommend that you review Google’s privacy policy for protecting your data: Google Analytics Safeguarding Your Data.

12. Existence of Automated Decision-Making

As a responsible company, we do not use automatic decision-making or profiling.

13. Rights of the Data Subject

You have the right:

  • to information about the personal data stored about you by us (Article 15 GDPR),
  • to correction of incorrect data (Article 16 GDPR),
  • to erasure (Article 17 GDPR),
  • to restriction of processing (Article 18 GDPR),
  • to data portability (Article 20 GDPR),
  • to object to the processing (Article 21 GDPR),
  • to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (Article 7 paragraph 3 GDPR),
  • to lodge a complaint with a supervisory authority (Article 77 GDPR).

Withdrawal of Consent:

You can withdraw your consent to the processing of your personal data at any time. The withdrawal can be made in writing or by email to the contact details mentioned above. Your data will be deleted immediately after withdrawal, unless there are legal retention obligations.

14. Special Notes for Organization Customers

For enterprise and organization customers, we offer tailored data protection solutions:

  • Individual Data Processing Agreements (DPA) according to Art. 28 GDPR
  • Automatic Deletion Periods according to your compliance requirements
  • Deactivation of Analytics Services (e.g. PostHog) upon request
  • Customized Data Processing according to your specifications

Contact us at [email protected] for more information.

15. Changes to the Privacy Policy

We reserve the right to update this privacy policy as needed. We will notify you of significant changes through a notice in the app.

Status: December 15, 2024