Privacy Policy for the Memoro App

Introduction

We are very pleased about your interest in our app. Data protection has a particularly high priority for the management of Memoro GmbH. This privacy policy is intended to inform you about the type, scope and purpose of the collection and use of personal data when using our app.

Our Promise: We will never view or sell your data. We specifically rely on solutions that meet the highest European data protection standards and are steadily reducing our dependence on non-European providers.

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Memoro GmbH
Reichenaustraße 11a
78464 Konstanz
Phone: +49 176 444 343 85
Email: [email protected]

2. Definitions

This privacy policy is based on the terminology of the General Data Protection Regulation (GDPR). Our privacy policy should be easy to read and understand for both the public and our customers and business partners. To ensure this, we would like to explain the terminology used in advance:

  • Personal data: Any information relating to an identified or identifiable natural person.
  • Data subject: Any identified or identifiable natural person whose personal data is processed by the controller.
  • Processing: Any operation performed on personal data, whether or not by automated means.
  • Restriction of processing: The marking of stored personal data with the aim of limiting their processing in the future.
  • Profiling: Any form of automated processing of personal data to evaluate certain personal aspects.
  • Pseudonymization: The processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information.
  • Controller: The natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.
  • Processor: A natural or legal person who processes personal data on behalf of the controller.
  • Recipient: A natural or legal person to whom personal data is disclosed.
  • Third party: A natural or legal person other than the data subject, the controller, the processor and the persons who are authorized to process the personal data under the direct responsibility of the controller or processor.
  • Consent: Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of personal data relating to them.

3. Purposes of Data Processing

3.1. Processing of Voice Recordings, Transcriptions and Summaries

Purpose of data processing: Your voice recordings are processed for the purpose of transcription and subsequent creation of summaries (“Memories”). This data processing is carried out exclusively for your personal use and the results are made available only to you.

Type of data processed:

  • Voice recordings
  • Transcriptions of voice recordings
  • Summaries of transcriptions (“Memories”)

The path of your data:

  1. Recording: The audio file is first stored securely on your device
  2. Upload: Encrypted transmission to Supabase (Frankfurt, Germany)
  3. Transcription: Processing by Microsoft Azure (Sweden, EU)
  4. Conversion (if required): Google Cloud (Frankfurt, Germany)
  5. Analysis: Creation of “Memories” by Google Gemini (Belgium, EU) or Azure OpenAI (Sweden, EU)
  6. Storage: Final analyses in Supabase (Frankfurt, Germany)

Note on recording other people: Please note that recording other people’s voices without their express consent violates the GDPR. You are obliged to ensure that all recorded persons have given their consent to the processing of the voice recordings. It is your responsibility to obtain and prove this consent.

3.2. Processing of Usage Data

Purpose of data processing: Usage data is collected to improve the functionality and user-friendliness of our app.

Type of data processed:

  • IP address of the mobile device
  • Device type
  • Unique device identifier
  • Mobile device operating system
  • Type of mobile internet browser
  • Diagnostic data

  • Art. 6 I lit. a GDPR serves our company as the legal basis for processing operations for which we obtain consent for a specific processing purpose.
  • If the processing of personal data is necessary for the performance of a contract to which the data subject is party, as is the case, for example, with processing operations that are necessary for the delivery of goods or the provision of another service or consideration, the processing is based on Art. 6 I lit. b GDPR.
  • If our company is subject to a legal obligation which requires the processing of personal data, such as to fulfill tax obligations, the processing is based on Art. 6 I lit. c GDPR.
  • In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. The processing would then be based on Art. 6 I lit. d GDPR.
  • Finally, processing operations could be based on Art. 6 I lit. f GDPR. Processing operations that are not covered by any of the aforementioned legal bases are based on this legal basis if the processing is necessary to protect a legitimate interest of our company or a third party.
  • If special categories of personal data are processed in accordance with Article 9 GDPR, the processing is also based on your express consent in accordance with Article 9 paragraph 2 letter a GDPR.

5. Data Security

We use extensive technical and organizational measures to protect your data:

  • Encryption: AES-256 for stored data, TLS 1.2/1.3 for data transmission
  • Access control: Multi-factor authentication, role-based permissions
  • Backup strategy: 3-2-1 backup strategy with daily encrypted backups
  • Certifications: Our service providers are SOC 2 Type II, ISO 27001 and GDPR compliant

6. Duration of Storage

The criterion for the duration of storage of personal data is the respective statutory retention period. After the period expires, the corresponding data is routinely deleted, provided it is no longer required for contract fulfillment.

Storage and deletion periods:

  • Content data (recordings, transcripts, memories): As long as the user account exists; immediate deletion upon user request
  • Account data: Deletion within 30 days after deletion request
  • Technical log data: Maximum 90 days
  • Product analysis data (PostHog): Maximum 12 months
  • Backups: Maximum 30 days retention period
  • AI processing cache (Google/Azure): Automatic deletion after maximum 30 days

Special regulations for organizational customers: Individual automatic deletion periods can be agreed within the framework of a data processing agreement (DPA).

We inform you that the provision of personal data is partly required by law (e.g., tax regulations) or may also result from contractual regulations (e.g., information about the contracting party). Sometimes it may be necessary for a contract to be concluded that a data subject provides us with personal data, which must subsequently be processed by us. The non-provision of personal data would mean that the contract with the data subject could not be concluded.

8. Service Providers

We employ third-party companies and individuals to support our app (“Service Providers”), to provide services on our behalf, to perform service-related services or to assist us in analyzing how our app is used.

These third parties have access to your personal data only to perform these tasks on our behalf and are obligated not to use or disclose it for other purposes.

9. Use of Cloud Services and Data Processing

We use selected cloud services to make our data processing efficient and secure. All service providers are GDPR compliant and act as processors in accordance with Art. 28 GDPR.

9.1. Supabase (Backend & Database)

Server location: Frankfurt, Germany
Purpose: Storage of all content data, account data and authentication
Compliance: SOC 2 Type II certified, GDPR compliant
Note: Supabase is headquartered in the USA. Access from the USA may occur in limited cases (support, maintenance). This is secured by Standard Contractual Clauses (SCCs).

9.2. Microsoft Azure

Server location: Sweden, EU
Purpose: Speech transcription (Azure Speech) and AI analysis (Azure OpenAI)
Compliance: ISO 27001, SOC 1/2/3, GDPR compliant
Guarantee: No use of your data for model training; deletion after max. 30 days

9.3. Google Cloud

Server locations:

  • Frankfurt, Germany (file conversion)
  • Belgium, EU (Google Gemini AI analysis)

Compliance: ISO 27001, SOC 1/2/3, GDPR compliant
Guarantee: No use of your data for model training; deletion after max. 30 days

9.4. PostHog (Product Analysis)

Server location: Frankfurt, Germany (EU hosting)
Purpose: Anonymized usage analysis to improve the app
Compliance: SOC 2 Type II, GDPR compliant
Special feature: Can be completely deactivated for organizational customers

9.5. Firebase Services

Firebase (Google Ireland Limited) is used for the following functions:

  • Firebase Analytics: for analyzing user behavior
  • Firebase Cloud Messaging: for sending push notifications
  • Firebase Realtime Database: for storing and synchronizing data
  • Firebase Storage: for backing up and storing media
  • Firebase Crashlytics: for detecting and analyzing app errors

All Firebase services are GDPR compliant and data processing takes place within the EU.

10. Transparency Notice on International Data Transfers

Although your data is physically stored and processed in the EU, we would like to inform you transparently about possible international aspects:

  • US service providers: Some of our processors (Supabase, PostHog) are headquartered in the USA
  • Protective measures: All data transfers are secured by EU Standard Contractual Clauses (SCCs) and additional technical measures
  • Residual risk: Theoretical access by US authorities (e.g., via CLOUD Act) cannot be completely ruled out legally
  • Your control: You can request the deletion of your data at any time

11. Use of Google Analytics

Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the collected data to monitor and analyze the use of our app. This data is shared with other Google services. Google may use the collected data to contextualize and personalize ads in its own advertising network.

For more information about Google’s privacy practices, please visit the Google Privacy & Terms website: Google Privacy & Terms

We also recommend that you review Google’s privacy policy to protect your data: Google Analytics Safeguarding Your Data.

12. Existence of Automated Decision-Making

As a responsible company, we do not use automated decision-making or profiling.

13. Rights of the Data Subject

You have the right:

  • to information about the personal data concerning you stored by us (Article 15 GDPR),
  • to correction of incorrect data (Article 16 GDPR),
  • to deletion (Article 17 GDPR),
  • to restriction of processing (Article 18 GDPR),
  • to data portability (Article 20 GDPR),
  • to object to processing (Article 21 GDPR),
  • to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal (Article 7 paragraph 3 GDPR),
  • to lodge a complaint with a supervisory authority (Article 77 GDPR).

Withdrawal of consent:

You can withdraw your consent to the processing of your personal data at any time. The withdrawal can be made in writing or by email to the contact details given above. Your data will be deleted immediately after withdrawal, unless there are legal retention obligations.

14. Special Notes for Organizational Customers

For corporate and organizational customers, we offer tailored data protection solutions:

  • Individual data processing agreements (DPA) in accordance with Art. 28 GDPR
  • Automatic deletion periods according to your compliance requirements
  • Deactivation of analytics services (e.g., PostHog) on request
  • Customized data processing procedures according to your specifications

Contact us at [email protected] for more information.

15. Changes to the Privacy Policy

We reserve the right to update this privacy policy as needed. We will inform you of significant changes through a notice in the app.

Status: December 15, 2024