Memory Palace

Privacy Policy

Last updated: December 30, 2025

1. Introduction

Memory Palace ("we," "our," or "us") is operated by Vedha LLC. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service at memorypalace.app (the "Service"). We are committed to protecting your privacy and handling your data with transparency.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address (required for authentication)
  • Name (from OAuth provider if you sign in with Google/GitHub)
  • Profile picture (from OAuth provider, optional)
  • Authentication tokens (managed by Supabase Auth)

2.2 User Content

You create and store the following content in Memory Palace:

  • Memories: Notes, thoughts, and text content you create
  • Pockets: Collections of documents and URLs for knowledge organization
  • Documents: PDFs, text files, and other uploaded documents
  • URLs: Web pages you save for later reference
  • Chat History: Questions you ask and AI-generated responses
  • Tags and Organization: Labels, colors, and folder structures
  • Comments: Annotations on shared memories

2.3 Technical Data

We automatically collect:

  • Usage analytics via Vercel Analytics (page views, web vitals)
  • Error logs for debugging and service improvement
  • Audit logs for security (login events, data access patterns)
  • IP addresses (for rate limiting and abuse prevention)

2.4 API Keys (Optional)

If you choose to bring your own OpenRouter API key, we encrypt it using AES-256-GCM before storage. The key is only decrypted when making API calls on your behalf and is never logged or transmitted elsewhere.

3. How We Use Your Information

  • Provide the Service: Store, organize, and retrieve your memories and documents
  • AI Features: Generate embeddings for semantic search and provide AI chat responses
  • Authentication: Verify your identity and secure your account
  • Communication: Send essential service notifications (security alerts, password resets)
  • Improvement: Analyze usage patterns to improve features and performance
  • Security: Detect and prevent abuse, fraud, and security threats

4. Data Sharing

We do NOT sell your personal data. We share data only in these circumstances:

4.1 Third-Party Service Providers

  • Supabase: Database hosting and authentication (data stored in their US infrastructure)
  • Vercel: Web hosting and analytics (aggregated, privacy-focused)
  • Railway: API and worker hosting
  • OpenRouter: AI/LLM API provider (receives only the content needed for your specific queries)

4.2 AI Processing

When you use AI features, relevant portions of your content are sent to OpenRouter's API (which routes to various LLM providers like OpenAI, Anthropic, Google). Only the minimum context needed for your query is shared. We do not use your content to train AI models.

4.3 Legal Requirements

We may disclose information if required by law, subpoena, or other legal process, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

5. Data Security

  • Encryption at Rest: All data encrypted using AES-256
  • Encryption in Transit: TLS 1.3 for all communications
  • Row-Level Security: PostgreSQL RLS ensures complete data isolation between users
  • API Key Encryption: Your OpenRouter keys are encrypted with AES-256-GCM
  • Access Controls: Strict internal access policies and audit logging

6. Data Retention

We retain your data as long as your account is active. You can:

  • Delete individual memories, pockets, or documents at any time
  • Archive content instead of deleting
  • Request complete account deletion (contact security@vedha.llc)

Upon account deletion, all your data is permanently removed within 30 days, except where required for legal compliance.

7. Your Rights

Depending on your location, you may have the following rights:

  • Access: Request a copy of your data
  • Correction: Update inaccurate information
  • Deletion: Request removal of your data
  • Portability: Export your data in a machine-readable format
  • Objection: Object to certain processing activities

To exercise these rights, contact us at privacy@vedha.llc

8. Cookies and Tracking

We use essential cookies for authentication and session management. Vercel Analytics collects anonymized, aggregated data about page views and web performance. We do not use advertising cookies or sell data to ad networks.

9. Children's Privacy

Memory Palace is not intended for users under 13 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us immediately.

10. International Data Transfers

Your data is stored in US-based data centers. By using our Service, you consent to the transfer of your data to the United States. For EU data residency requirements, please contact us.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through the Service. Your continued use after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices:

  • Email: privacy@vedha.llc
  • Security concerns: security@vedha.llc