Privacy Policy

Last updated: March 31, 2026

1. Who We Are

The Memory Palace is operated from Belgium. We built this app to help you preserve and share your most precious memories — safely and privately. We are committed to protecting your personal data in full compliance with the General Data Protection Regulation (GDPR) and applicable Belgian and EU law.

For any privacy-related questions, you can always reach us at: privacy@thememorypalace.ai

2. What We Collect

We only collect what we need to provide you with a great experience. Here is what we gather:

  • Profile information: your name, email address, and profile photo when you create an account.
  • Your memories: the photos, videos, stories, and other content you upload to your Memory Palace. This is the heart of the service.
  • Device information: basic details like your browser type and screen size, so we can make the app look and work its best on your device.

3. How We Use Your Data

We use your data solely to provide and improve The Memory Palace. Specifically:

  • To store, organize, and display your memories in your palace.
  • To authenticate your account and keep it secure.
  • To send you important service-related messages (such as email confirmations, security alerts, or legacy notifications).
  • To improve the app based on your feedback and support requests.

We will never use your data for advertising, and we will never sell it to anyone.

Legal Basis for Processing (Art. 6 GDPR)

We process your personal data under the following legal bases:

  • Contract performance (Art. 6(1)(b)): storing your memories, account management, and providing core app functionality.
  • Consent (Art. 6(1)(a)): AI-powered features (tagging, context generation, interviews, bust generation), optional cookies, and marketing communications.
  • Legitimate interest (Art. 6(1)(f)): security monitoring, abuse prevention, and service improvement based on aggregated usage patterns.
  • Legal obligation (Art. 6(1)(c)): responding to lawful requests from authorities and maintaining required records.

4. Where We Store Your Data

Your core data is stored within the European Union:

  • Database: Supabase PostgreSQL, hosted in Frankfurt, Germany (EU). Your memories, profile data, and account information all live here, encrypted at rest with AES-256.
  • Application hosting: Vercel, with servers in the EU. All connections are encrypted with TLS 1.2+.
  • File storage: Supabase Storage (EU region), encrypted at rest. Your photos and media are only accessible through authenticated, time-limited links.
  • Cross-border transfers: some data is processed by US-based services: Anthropic (AI features), Stripe (payments), Resend (email), and — when you explicitly connect them — Google (Google Photos), Dropbox, Microsoft (OneDrive), and Box. Additionally, Vercel and Supabase are US-headquartered companies with EU data processing regions. All cross-border transfers are protected by Standard Contractual Clauses (SCCs) and each provider's data processing agreement, ensuring your data remains protected to EU standards.

Your database and files are hosted in the EU and protected by European data protection laws. Where data is processed outside the EU, appropriate safeguards are in place.

5. Who We Share Your Data With

We do not sell, rent, or trade your personal data. Period. We only share data with a small number of trusted service providers who help us run The Memory Palace:

  • Supabase — database hosting, file storage, and authentication.
  • Vercel — application hosting and content delivery.
  • Resend — sending transactional emails (such as password resets and notifications).
  • Stripe — processing payments securely. We never see or store your credit card details.
  • Anthropic (Claude AI) — powering AI features such as memory tagging, interview summaries, and context generation. Data sent to Anthropic may include interview responses, memory titles and descriptions, file metadata, and image thumbnails. Anthropic does not use API data to train its models by default and processes data in accordance with its data processing agreement.
  • Google (Google Photos) — optional integration for importing photos. Data is only transferred when you explicitly connect your Google account and initiate an import.
  • Dropbox — optional integration for importing photos and files. Data is only transferred when you explicitly connect your Dropbox account and initiate an import.
  • Microsoft (OneDrive) — optional integration for importing photos and files. Data is only transferred when you explicitly connect your Microsoft account and initiate an import.
  • Box — optional integration for importing files. Data is only transferred when you explicitly connect your Box account and initiate an import.
  • Apple — authentication provider for Sign in with Apple. Only used when you choose to sign in with your Apple ID. Apple receives your authentication request but does not access your Memory Palace data.

All these providers are bound by data processing agreements and comply with GDPR. The cloud storage integrations (Google, Dropbox, Microsoft, Box) are entirely optional and only process your data when you explicitly connect them. Beyond these providers, your data is only shared when:

  • You choose to share: when you invite family members to view rooms or memories, the shared content becomes accessible to those people.
  • The law requires it: we may disclose data if required by law or valid legal process.

6. Your Rights

Under the GDPR (Articles 15-20 and beyond), you have strong rights over your personal data. Here is what you can do:

  • Access your data: request a complete copy of everything we hold about you.
  • Export your data: download all your memories, stories, and photos as a JSON file with a ZIP of your media — directly from your account settings.
  • Correct your data: update or fix any information that is inaccurate or incomplete.
  • Delete your data: request complete deletion of your account and all associated data. When you delete your account, everything is permanently removed.
  • Data portability: receive your data in a structured, machine-readable format that you can take to another service.
  • Object to processing: object to the processing of your personal data at any time.
  • Withdraw consent: change your mind about optional processing at any time.
  • Restrict processing (Art. 18): request that we limit how we use your data while a dispute or verification is pending.

To exercise any of these rights, email us at privacy@thememorypalace.ai. We will respond within 30 days, as required by law.

Data Breach Notification

In the event of a data breach that poses a risk to your rights, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay, as required by GDPR Articles 33 and 34.

Automated Decision-Making (Art. 13(2)(f))

Our AI features (memory tagging, context generation, interview summarization, and bust generation) use automated processing to generate suggestions. These features are entirely optional, require your explicit consent, and do not produce decisions with legal or similarly significant effects. You can disable AI features at any time in your account settings.

7. Data Retention

Your data is kept for as long as your account is active. You are in control:

  • Active account: your memories and data stay safely stored for as long as you use The Memory Palace.
  • Account deletion: when you delete your account, all personal data and uploaded content is permanently removed immediately upon request. Backup copies are purged according to our infrastructure provider's retention schedule.
  • Legacy delivery: if you have set up legacy contacts, your memories will be delivered to your chosen family members according to your settings. This is entirely optional and under your control.
  • Service logs: basic server logs (for security and debugging purposes) may be retained for up to 12 months after account deletion.

8. Cookies

We keep cookies to an absolute minimum:

  • Essential cookies: required for logging in and core functionality (authentication session, CSRF protection). These cannot be disabled, as the app would not work without them.
  • Preference cookies: store your language preference and display settings. These are optional but improve your experience.

We do not use analytics cookies, advertising cookies, or third-party trackers of any kind.

9. Children's Privacy

The Memory Palace is designed for adults and is not intended for children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will promptly remove it.

10. Changes to This Policy

We may update this privacy policy from time to time. When we make significant changes, we will notify you by email or with a clear notice inside the app. Your continued use of The Memory Palace after any changes means you accept the updated policy.

11. Contact Us

If you have questions about this privacy policy, want to exercise your rights, or simply want to know more about how we protect your data, we would love to hear from you:

You also have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit) if you believe your rights have been violated.
