mmemo Privacy Policy
21/05/2026
Welcome to mmemo. We know that your privacy matters, and we are committed to protecting it. This Privacy Policy explains, in a clear and direct way, how we collect, use and protect your personal data when you use mmemo, an AI aggregator product for researchers and R&D professionals.
Scope of this Privacy Policy. This Privacy Policy applies when you use mmemo as a consumer for your personal or research activities. If you use mmemo in the course of your business and through this you process personal data of other persons, you are the data controller of that processing and mmemo acts as your data processor. In that case, the data processing terms attached to your subscription apply.
Quick summary of what we do and do not do:
- We do not use your Inputs or Outputs to train any AI model, not ours and not those of third-party model providers.
- Your account data and conversation history are stored on servers physically located in Germany within the European Economic Area.
- To answer your prompts, we transmit them to third-party Large Language Model Providers, including providers located in the United States, under Standard Contractual Clauses.
- Payments are handled by Stripe acting as Merchant of Record; for payment data, Stripe is an independent controller under its own privacy notice.
- You can access, export, correct or delete your data at any time through your account settings.
1. Who collects your data
In this Privacy Policy, mmemo.ai OÜ is the data controller. We are the entity that decides how and why your personal data is collected and used.
Who we are:
mmemo.ai OÜ
Narva maantee 7a, office 404
15172 Tallinn, Estonia
Registry code: 17512767
How to contact us about privacy:
- By email: privacy@mmemo.com
- By post: mmemo.ai OÜ, Attn: Privacy Team, Narva maantee 7a, office 404, 15172 Tallinn, Estonia.
Data Protection Officer. Where we are required to appoint a Data Protection Officer under Article 37 GDPR, contact details will be published here. In any event, you can reach our privacy team using the contact points above.
2. What data we collect
2.1. Data you provide directly to us
| Category of personal data | When we collect it |
| --- | --- |
| Identity data, such as your first and last name, username or display name. | When you create your mmemo account. |
| Account data, such as your email address and the means used to recover your password or verify your account. | When you create your mmemo account. |
| Contact data, such as your email address. | When you subscribe to our communications or contact our support team. |
| Contract data, such as the mmemo plan you subscribe to and your usage preferences. | When you subscribe to a paid plan or change your settings. |
| Billing identifiers, such as your billing country, country of residence and currency. We do not collect or store your credit-card number, bank account or other payment instrument details: these are handled by Stripe (see Section 6). | When you make a purchase or top-up. |
| Inputs, meaning any prompt, file, document, instruction or other content you submit to the Service to generate an Output. | When you use mmemo. |
| Outputs, meaning the AI-generated content returned to you in response to your Inputs. | When you use mmemo. |
| Memory items, meaning information you choose to save, or that the Service derives from your interactions to be reused for personalisation. | When you use the memory feature. |
| Feedback, such as thumbs up or thumbs down ratings, written comments and the associated Inputs and Outputs. | When you rate an Output or send us feedback. |
| Support data, such as the content of your messages to our support team. | When you contact support. |
2.2. Data generated when you use mmemo
| Category of personal data | When we collect it |
| --- | --- |
| Technical data, such as your IP address (truncated where possible), browser type, device type, operating system, language settings and approximate location derived from the IP address. | Automatically when you connect to the Service. |
| Usage data, such as the features you use, the models you select, the timestamps of your interactions and aggregated metrics about your session. | Automatically when you use the Service. |
| Cookies and similar identifiers, as described in our Cookie Policy. | When you visit our website or use the Service. |
2.3. Data we receive indirectly
We do not crawl the public Internet to build training datasets, and we do not train AI models. The only categories of data we receive indirectly are:
- Authentication data from identity providers (such as Google Sign-In or Apple Sign-In), where you choose to log in through such a provider. We receive your email address and basic profile information, in accordance with the permissions you grant.
- Payment confirmation data from Stripe, such as the fact that a payment has been completed, the amount, the currency and a transaction reference. We do not receive your card number or bank account details.
3. Why we use your personal data
The table below sets out, for each purpose, the categories of personal data used and the legal basis under Article 6 GDPR.
| Why we use your personal data | Categories of personal data | Legal basis |
| --- | --- | --- |
| To provide and maintain the Service under the conditions set out in our Terms of Service. This includes transmitting your Inputs to LLM Providers in order to generate Outputs, storing your conversation history in your account, and returning Outputs to you. | Identity data, account data, contract data, technical data, usage data, Inputs, Outputs. | Performance of the contract between you and mmemo (Article 6(1)(b) GDPR). |
| To operate the persistent memory feature, by saving memory items and reusing them in future interactions to provide more relevant and personalised responses. | Inputs, memory items, usage data. If you choose to include sensitive data within the meaning of Article 9 GDPR (such as health information) in your Inputs and save it as a memory item, that data is stored to provide you with more relevant answers. | Our legitimate interest in providing an enhanced and personalised service (Article 6(1)(f) GDPR). Your explicit consent (Article 9(2)(a) GDPR) for any special category data you voluntarily include and save. You can review, edit, delete or turn off memory items at any time in your account settings. |
| To create and administer your account, including authentication and account-recovery procedures. | Identity data, account data, contact data. | Performance of the contract (Article 6(1)(b) GDPR). |
| To provide customer support, including responding to your questions and debugging issues you have reported. | Identity data, contact data, support data, the specific Inputs and Outputs concerned by your request. | Performance of the contract (Article 6(1)(b) GDPR). |
| To manage payments and billing, in coordination with Stripe acting as Merchant of Record. | Identity data, account data, contact data, billing identifiers, contract data. | Performance of the contract (Article 6(1)(b) GDPR). Compliance with our legal obligations regarding accounting and tax (Article 6(1)(c) GDPR). |
| To ensure the security and integrity of the Service, prevent fraud and abuse, and detect violations of our Terms of Service. | Identity data, account data, technical data, usage data, Inputs and Outputs where strictly necessary. | Our legitimate interest in protecting our service, our users and ourselves (Article 6(1)(f) GDPR). Compliance with our legal obligations (Article 6(1)(c) GDPR). |
| To communicate with you, including sending you service-related notifications (such as changes to these terms, security incidents or feature updates) and, with your consent, marketing communications. | Identity data, contact data. | Performance of the contract (Article 6(1)(b) GDPR) for service communications. Your consent (Article 6(1)(a) GDPR) for marketing communications, which you can withdraw at any time. |
| To improve the Service in an aggregated and anonymous manner, such as analysing which features are used most, the latency of different models or general performance metrics. We do not use the content of your Inputs or Outputs to train any AI model. | Aggregated and anonymous statistics derived from usage data and technical data. | Our legitimate interest in continuously improving the Service (Article 6(1)(f) GDPR). |
| To enforce our Terms of Service and Acceptable Use rules, including content moderation in response to abuse reports. | Identity data, account data, the specific content concerned by the report. | Performance of the contract (Article 6(1)(b) GDPR). Our legitimate interest in maintaining the integrity of the Service (Article 6(1)(f) GDPR). |
| To comply with legal obligations under EU and Estonian law, such as accounting, anti-money-laundering, content moderation under the Digital Services Act and responses to lawful requests from competent authorities. | Any data relevant to the obligation in question. | Compliance with legal obligations (Article 6(1)(c) GDPR). |
| To investigate and resolve disputes between you and mmemo. | Any data relevant to the dispute. | Our legitimate interest in protecting and exercising our legal rights (Article 6(1)(f) GDPR). |
| To respond to your requests to exercise your data subject rights. | Identity data, contact data and any data relevant to the request. | Compliance with our legal obligations (Article 6(1)(c) GDPR). |
4. What we do not do with your data
To remove any ambiguity:
- We do not use your Inputs, Outputs or memory items to train any AI model, ours or any third party's.
- We do not sell your personal data.
- We do not share your personal data with advertising networks, data brokers or third-party advertising platforms.
- We do not engage in profiling or in fully automated decision-making producing legal or similarly significant effects on you within the meaning of Article 22 GDPR.
5. Cookies
When you visit our website or use the Service, we use cookies and similar technologies. For details, please see our Cookie Policy.
You can adjust your cookie preferences at any time through the cookie banner or your browser settings. Non-essential cookies are not set without your prior consent in the EEA, the United Kingdom and Switzerland.
6. Stripe as Merchant of Record
The sale of mmemo to you is processed by Stripe, Inc., or one of its regional affiliates, acting as Merchant of Record under Stripe's Managed Payments solution.
For the purposes of payment processing, fraud prevention, tax compliance and invoicing, Stripe is an independent data controller. Stripe processes your payment data (such as card details, billing address, IP address at the time of payment and transaction history) under its own privacy notice, which is available at stripe.com/privacy.
mmemo does not collect, store or have direct access to your card details, bank account numbers or other payment instrument credentials.
For everything else, including your account, your Inputs and Outputs and your interactions with the Service, mmemo remains your data controller, as described elsewhere in this Privacy Policy.
7. How long we keep your personal data
We store your personal data only for as long as necessary for the purposes set out in Section 3. The main retention periods are as follows. They are subject to longer retention where required by applicable law (such as accounting or tax retention obligations, claims defence or court orders).
- Account data, identity data and contract data: for the duration of your account, plus up to one year after account deletion, for security and account-recovery purposes.
- Inputs, Outputs and conversation history: until you delete the conversation, or until you delete your account, whichever is earlier. Permanent deletion completes within 30 days of your request.
- Memory items: until you delete the memory item or turn off the memory feature, or until you delete your account.
- Feedback (ratings, comments and associated Inputs and Outputs): for a rolling 12 months after submission, for service-improvement purposes.
- Technical data and usage data: for a rolling 12 months after collection.
- Support data: for the duration of the request and for up to 5 years for record-keeping.
- Billing identifiers and contract data: for 10 years from the close of the relevant financial year, in accordance with Estonian accounting law.
- Cookies and similar identifiers: for the period set out in our Cookie Policy, not exceeding 13 months without renewed consent.
- Data relating to disputes and privacy requests: for the duration of the matter and for up to 6 years after closure.
- Data we keep solely to comply with a legal obligation: for the period required by that obligation, after which the data is permanently deleted.
Data kept for legal-retention purposes is not actively used by our teams during the retention period, except where strictly necessary to comply with the legal obligation, defend a claim or respond to a lawful authority request.
8. Who we share your personal data with
We share your personal data only on a need-to-know basis and only with the following categories of recipients.
8.1. Within mmemo
Authorised members of our team who need access to perform their role (such as customer support, engineering for debugging purposes, security, finance and legal), subject to confidentiality obligations and access controls.
8.2. Service providers acting as our processors
We engage carefully selected service providers to operate the Service. Before engaging any provider that handles personal data, we conduct a privacy and security assessment and sign a data-processing agreement under Article 28 GDPR. The main categories include:
- Hosting and infrastructure providers, located in Germany within the EEA.
- Large Language Model Providers, who process your Inputs to generate Outputs (see Section 8.3 below).
- Email and communication providers, used for service notifications and support.
- Analytics providers, used to measure aggregated and pseudonymised usage of the Service.
- Fraud prevention and security providers.
- Customer support tooling providers.
A list of our main sub-processors is available at trust.mmemo.com and is updated when material changes occur.
8.3. Large Language Model Providers
mmemo is an aggregator. To generate an Output, we transmit your prompt and, where relevant, the conversation context, to one or more Large Language Model Providers selected automatically or by you. These LLM Providers currently include providers in the United States and the European Union, such as Anthropic, OpenAI, Google, Mistral AI, Meta and others. The current list is published at trust.mmemo.com.
We have contractual arrangements with each LLM Provider that include:
- a data-processing agreement consistent with Article 28 GDPR where the LLM Provider acts as our processor, or arrangements for joint or independent controllership where applicable;
- a commitment by the LLM Provider not to use your Inputs or Outputs to train their general-purpose AI models;
- Standard Contractual Clauses adopted by the European Commission for transfers to providers outside the EEA.
Outputs returned by an LLM Provider are made available to you through the Service and stored in your account, subject to the retention rules in Section 7.
8.4. Stripe as Merchant of Record
As described in Section 6, Stripe processes payment-related data as an independent controller.
8.5. Other recipients
We may also share personal data with:
- Banks and financial institutions, where strictly necessary for the operation of our business.
- Regulatory and supervisory authorities, including the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), the Estonian Consumer Protection and Technical Regulatory Authority (TTJA) and other competent authorities, where required by law.
- Legal and professional service providers, such as lawyers, auditors, accountants, courts and mediators.
- Acquirers and successors, in the context of a merger, acquisition, reorganisation or sale of assets, subject to the requirement that any acquirer protects your data on terms no less protective than this Privacy Policy.
We do not sell your personal data and we do not share it for cross-context behavioural advertising.
9. Where your data is processed and international transfers
9.1. Primary location
Your account data, conversation history, memory items and uploaded files are stored on infrastructure physically located in Germany, within the European Economic Area.
9.2. Transfers outside the EEA
Some of our service providers and LLM Providers are located outside the EEA, including in the United States. When your personal data is transferred to a country that has not been recognised by the European Commission as providing an adequate level of protection, we put in place appropriate safeguards under Chapter V GDPR, including:
- the Standard Contractual Clauses adopted by the European Commission Decision 2021/914 of 4 June 2021, in their most recent version;
- where relevant, the UK International Data Transfer Addendum issued by the UK Information Commissioner's Office;
- additional technical and organisational measures where the transfer impact assessment indicates that such measures are necessary, including encryption in transit and at rest, access controls, and contractual obligations to challenge unlawful access requests.
For transfers to the United States, we rely on the EU-US Data Privacy Framework where the recipient is self-certified, and on Standard Contractual Clauses in any event.
You may request a copy of the safeguards in place by contacting us at privacy@mmemo.com.
10. Security
We implement technical and organisational measures designed to protect your personal data, including:
- encryption of personal data in transit (TLS) and at rest;
- strict access controls, multi-factor authentication for internal access, and role-based permissions;
- network segmentation and intrusion detection on our hosting infrastructure;
- regular vulnerability scanning and security testing;
- logging and monitoring of access to systems holding personal data;
- staff confidentiality obligations and security training;
- incident response procedures, including notification of personal data breaches to the competent supervisory authority and, where applicable, to affected users within the time frames required by Articles 33 and 34 GDPR.
No security measure is perfect. If you believe your account has been compromised, please contact us immediately at security@mmemo.com.
11. Your rights
You have the following rights with respect to your personal data, exercisable subject to the conditions and limitations set out in the GDPR.
- Right of access. You have the right to obtain confirmation of whether we process your personal data and, if so, to obtain a copy of that data and further information about how it is processed.
- Right to rectification. You have the right to ask us to correct inaccurate or incomplete personal data.
- Right to erasure (right to be forgotten). You have the right to ask us to delete your personal data, subject to legal retention obligations and the other limitations of Article 17 GDPR.
- Right to restriction of processing. You have the right to ask us to limit the processing of your personal data in the situations listed in Article 18 GDPR.
- Right to data portability. You have the right to receive a copy of the personal data you have provided to us in a structured, commonly used and machine-readable format, and to transmit it to another controller. This right is implemented through the export function available in your account settings and complements your right to switch under the Data Act (see Section 8 of our Terms of Service).
- Right to object. You have the right to object, at any time, to the processing of your personal data based on our legitimate interests. Where we process your personal data for direct marketing, you have an absolute right to object.
- Right to withdraw consent. Where processing is based on your consent, you have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Right not to be subject to automated decision-making. mmemo does not engage in fully automated decisions producing legal or similarly significant effects on you within the meaning of Article 22 GDPR.
- Post-mortem instructions. You have the right to define how your personal data should be processed after your death, where the law of your country of residence grants such a right.
- Right to lodge a complaint. You have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU Member State of your habitual residence, place of work or place of the alleged infringement. The supervisory authority in Estonia is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), Tatari 39, 10134 Tallinn, info@aki.ee, aki.ee.
You can exercise these rights:
- through the user controls available in your mmemo account settings (export, deletion, communications preferences);
- by emailing us at privacy@mmemo.com;
- by post at the address in Section 1.
We will respond to your request within one month of receipt, in accordance with Article 12(3) GDPR. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. We may ask you for additional information to verify your identity before processing your request.
There is no fee for exercising your rights, except in the cases set out in Article 12(5) GDPR (manifestly unfounded or excessive requests).
12. Children
The Service is not intended for children under the age of 13. We do not knowingly collect personal data from children under 13.
In the European Economic Area, the age of digital consent under Article 8 GDPR is 16 by default, with national variations down to 13. Where you are below the age of digital consent in your country, the consent of a parent or legal guardian is required.
If you become aware that a minor has provided us with personal data without the required consent, please contact us at privacy@mmemo.com and we will take steps to delete that data.
13. Additional disclosures for users in the United States
If you reside in a US state with a comprehensive privacy law (currently including California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah and Virginia, among others), the following supplements apply. This section also serves as our California notice at collection.
Consumer rights. Depending on the US state where you reside and applicable exceptions, you may be entitled to: (a) the right to know what personal data we process about you and to access a copy of it; (b) the right to request deletion of your personal data; (c) the right to request correction of your personal data; (d) the right to opt out of sale, sharing or targeted advertising; (e) the right to be free from discrimination for exercising your rights; and (f) the right to appeal our decision regarding your request.
No sale, sharing or targeted advertising. mmemo does not sell, share for cross-context behavioural advertising, or use for targeted advertising any personal data of consumers, including any consumer that we know is under 18 years of age, as those terms are defined under US state privacy laws.
Sensitive personal information. To the extent you voluntarily provide sensitive personal information, we use it only as permitted by applicable law and only for the purposes for which you provided it. We do not use sensitive personal information to infer characteristics about you.
Exercising your rights. You may submit a request by emailing us at privacy@mmemo.com. To protect your data, we may require you to verify your identity, including by authenticating your mmemo account.
Authorised agents. You may exercise your available rights through an authorised agent. The agent must submit evidence of your authorisation and we may also require you to independently verify your identity.
Appeals. You may appeal our response by emailing privacy@mmemo.com with the subject line "US Rights Response Appeal".
Categories of personal data we collect, the purposes for collection and the categories of recipients are described in Sections 2, 3 and 8 of this Privacy Policy.
No training on consumer data. We do not use your personal data to train AI models. We do not use sensitive personal information for any purpose that triggers a right to limit under US state privacy laws.
14. Additional disclosures for users in the United Kingdom
If you are located in the United Kingdom, the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 apply to the processing of your personal data, in addition to or in place of the EU GDPR as applicable.
You may lodge a complaint with the United Kingdom Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, ico.org.uk.
International transfers to or from the United Kingdom are protected by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, issued by the ICO.
15. Additional disclosures for users in Switzerland
If you are located in Switzerland, the Swiss Federal Act on Data Protection (revFADP) applies to the processing of your personal data.
You may lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, edoeb.admin.ch.
16. Changes to this Privacy Policy
We may amend this Privacy Policy from time to time to reflect changes in the law, the Service, or our practices.
We will notify you of material changes by email or through the Service before they take effect. Non-material changes (such as clarifications, corrections of typographical errors and changes that do not adversely affect users) may be made without prior notice.
The current version of this Privacy Policy, together with its effective date, is always available at the URL where you are reading this document.
Definitions
- EEA: the European Economic Area, comprising the Member States of the European Union plus Iceland, Liechtenstein and Norway.
- GDPR: Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data.
- Inputs: prompts, files, instructions and other materials you submit to the Service.
- LLM Providers: third-party providers of large language models accessed by mmemo to generate Outputs.
- Outputs: AI-generated content returned to you in response to your Inputs.
- Service: the mmemo product, including its web, mobile and desktop applications.
- Stripe: Stripe, Inc. and its regional affiliates, acting as Merchant of Record for the sale of the Service.
- Standard Contractual Clauses: the contractual clauses for the transfer of personal data to third countries adopted by the European Commission Decision 2021/914 of 4 June 2021.
End of Privacy Policy.