Privacy Policy

Last updated: April 29, 2026

Memento is persistent AI memory for coding assistants. This policy explains what we collect, why, and the controls you have. Questions: [email protected].

1. Who we are

Memento ("Memento," "we," "our," "us") operates the Memento service at mementoagi.com, mementochat.com, and related APIs, plugins, and integrations (collectively, the "Service"). We are based in the United States.

For privacy questions, data requests, or to exercise any right described below, email [email protected] or [email protected].

2. What data we collect

2.1 Information you provide

Account information — email address, display name, first/last name, password hash, OAuth identifier (if you sign in via Google/GitHub/Apple), optional 2FA setup.
Billing information — if you upgrade to a paid plan, payment processing is handled by Stripe. We receive customer IDs, plan tier, and subscription status, but never your full card number.
Memory content — the files, notes, tickets, and context you save into Memento through any client (Cursor, Claude Code, MCP tools, the web dashboard). This is your data; see Section 4.
API keys — Memento issues you an API key to authenticate your IDE plugins. It is stored hashed on our servers and only the prefix is retained for display.
Third-party keys you choose to save — you may optionally store credentials for external services (e.g. model providers, integrations) in your Memento account. These are encrypted at rest.
Communications — messages you send to [email protected], feedback submitted through the in-app feedback widget, and replies to our emails.

2.2 Information we collect automatically

Usage data — tool invocations, command counts, error traces, and performance timings. We use this to debug issues and improve the Service.
Technical data — IP address, browser type, operating system, device identifiers, timestamps.
Session cookies — strictly necessary to keep you signed in. We do not use advertising, tracking, or analytics cookies at this time. If we add them in future, we will update this policy and present a consent option where required by law.

2.3 What we do NOT collect

We do not sell personal information to anyone.
We do not use your memory content to train foundation models. Memory content is processed by LLM providers only at your request (e.g. when you invoke a recall or a command) and only as needed to fulfill that request.
We do not read the source code of your repositories unless you explicitly save it into Memento or instruct an agent to do so.

3. How we use your data

To provide and operate the Service — authentication, memory storage and retrieval, command execution, billing, customer support.
To debug, monitor, and improve the Service — aggregated usage data, error reports, performance metrics.
To communicate with you — transactional emails (signup, receipts, security alerts), product updates, responses to your inquiries.
To protect the Service and users — fraud prevention, abuse detection, enforcement of our Terms.
To comply with legal obligations.

4. Memory content is yours

Everything you save to Memento — notes, files, tickets, organizational context — belongs to you. We act as a custodian. You can read, export, or delete any file at any time through the dashboard, the MCP tools, or by emailing us. When you close your account, we delete your memory content within 30 days except where we are required to retain it for legal reasons (see Section 8).

5. Subprocessors and sharing

We use a small set of infrastructure providers to run the Service. Each one is bound by a Data Processing Agreement (DPA) or equivalent contractual privacy terms.

Provider	Purpose	Data location
Cloudflare (R2, DNS, CDN)	Memory content storage, DNS, edge caching	United States
Neon	Relational database (accounts, metadata)	United States
Render	Application hosting	United States
OpenAI	Embeddings and LLM operations at your request	United States
Anthropic	LLM operations at your request (Claude)	United States
Stripe	Payment processing	United States
Resend	Transactional email delivery	United States

We may add or change subprocessors as the Service evolves. We will update this list when we do.

We may also disclose information if required by law (subpoena, court order, government request), to enforce our Terms, or to protect the rights, safety, or property of Memento, our users, or others.

6. International data transfers

The Service is hosted in the United States. If you access Memento from outside the United States, your information will be transferred to and processed in the United States.

For users in the European Economic Area, United Kingdom, or Switzerland: we rely on Standard Contractual Clauses with our subprocessors as the lawful transfer mechanism, and we are evaluating self-certification under the EU-US Data Privacy Framework. We do not actively target the EEA or UK markets at this time; if you are located there and you use the Service, you acknowledge the transfer described above.

For users in Brazil: we comply with the Lei Geral de Proteção de Dados (LGPD). You have the rights described in Section 7, and our international transfers are based on your consent and on the legitimate interest of operating the Service you signed up for.

7. Your rights

Depending on where you live, you may have some or all of the following rights. To exercise any of them, email [email protected] from the address on your account. We will respond within 30 days.

Access — request a copy of the personal information we hold about you.
Correction — ask us to fix inaccurate or incomplete data.
Deletion — ask us to delete your account and associated data.
Portability — request a machine-readable export of your memory content.
Objection / restriction — object to or restrict certain processing, where applicable under GDPR/UK GDPR/LGPD.
Withdraw consent — where processing relies on consent, you can withdraw it at any time.
Non-discrimination — we will not deny service, raise prices, or reduce quality because you exercised a privacy right (California CCPA/CPRA).
Complain to a supervisory authority — EEA/UK users can lodge a complaint with their local data protection authority; California users can contact the California Attorney General; Brazilian users can contact the ANPD.

8. Data retention

Account data is kept for as long as your account is active.
Memory content is kept until you delete it or close your account. Closed accounts are fully purged within 30 days.
Billing records are retained for up to 7 years to meet tax and accounting obligations.
Security logs and audit trails are retained for up to 12 months.
Backup snapshots may persist for up to 30 days after deletion.

9. Security

We use TLS in transit, encrypted storage at rest, access controls, audit logging, and least-privilege provisioning. API keys are hashed. Sensitive credentials you store with us are encrypted with per-record keys. No system is perfectly secure; if we discover a breach affecting your data, we will notify you and the relevant authorities as required by law.

10. Children

Memento is not directed to children under 16 and we do not knowingly collect personal information from them. If you believe a child has given us personal information, email us and we will delete it.

11. Changes to this policy

We may update this policy from time to time. Material changes will be announced by email and on this page. The "Last updated" date above always reflects the current version.

12. Contact

Privacy inquiries: [email protected]
General support: [email protected]