Gnosis Memory

Privacy Policy

How we collect, use, and protect your data — written in plain language.

Effective date: February 28, 2026

1. Who We Are

[Entity Name, LLC] is an Alabama limited liability company (formation pending). We operate Gnosis Memory, a remote cloud MCP (Model Context Protocol) memory server that gives AI assistants persistent, encrypted memory across sessions and platforms.

Our Role Under Data Protection Law

Gnosis Memory operates as a data processor for the memory content you store through your AI assistants. You are the data controller: you determine what memories are stored, searched, and deleted. Your AI assistant delivers those instructions to us via the MCP protocol.

We are the data controller for a limited set of operational data that we process for our own purposes: account management (your Google OAuth profile), technical logs (IP addresses, request timestamps, error codes), and service security (rate limiting, abuse detection). Our Terms of Service include Data Processing Agreement provisions governing how we process your memory data on your behalf.

2. Data We Collect

Account Data

When you sign in with Google OAuth, we receive your email address, display name, and profile picture. This is collected at the moment of sign-in and is used to identify your account.

Memory Content

The text content you submit through AI assistants. We encrypt all memory content at rest using per-user encryption keys derived from your authentication credentials. We cannot decrypt this content. See Our Encryption Model below for details.

Vector Embeddings

When you store a memory, we generate a mathematical representation (a vector embedding) of its content. These embeddings enable semantic search, letting your AI assistant find relevant memories by meaning rather than keywords.

What embeddings can and cannot reveal:

  • Lossy and non-reversible. Embeddings do not contain the exact text of your memories and cannot be decoded back into the original words. They may, however, reveal general subject matter. We treat them as sensitive data.
  • Stored unencrypted. Similarity search requires mathematical operations on raw vectors. Encrypting them would make search impossible.

Metadata

Each memory includes metadata fields: topics (stored as SHA-256 hashes), memory type, scope, timestamps, and expiry settings. We pseudonymize topics by hashing them. The hashes do not contain the topic text, but could reveal subject matter if an attacker knows the topic and computes the matching hash. We treat topic hashes as sensitive data.

Usage Data

We collect API call counts, timestamps, and which endpoints you access. We use this data for rate limiting, service health monitoring, and understanding aggregate usage patterns.

Technical Data

Our infrastructure automatically collects IP addresses, user-agent strings, and TLS version information when you connect. We use this data for security and debugging.

3. How We Use Your Data

  • Service provision — Storing your memories, retrieving them via semantic search, and delivering them to your AI assistants. This is the primary purpose of everything we collect.
  • Security and abuse prevention — Detecting unusual access patterns, enforcing rate limits, and preventing misuse of the service.
  • Debugging — When something breaks, error logs help us find and fix the problem. These logs contain technical data, not memory content (which we cannot read).
  • Service improvement — We analyze aggregate usage patterns (how many memories are created per day, which endpoints are most used, average response times) to improve the service. Aggregate analysis is performed on operational data only (API call counts, endpoint usage, response times). We do not perform analytics on memory content, metadata, or embeddings — those are processed solely on your instructions as described in our Data Processing Agreement.

We do not use your memory content, embeddings, or any personal data to train AI models. The embedding model is pre-trained and is not fine-tuned on user data.

4. Legal Basis for Processing

If you are in the European Union, European Economic Area, or the United Kingdom, the following applies under the General Data Protection Regulation (GDPR):

Memory Data (Gnosis as Processor)

We process your memory content, vector embeddings, and associated metadata on your instructions, delivered via your AI assistant through the MCP protocol. As the data controller, you determine the lawful basis for this processing. We process this data solely to fulfill those instructions: storing, searching, retrieving, and deleting memories as requested.

Operational Data (Gnosis as Controller)

For the limited operational data we process for our own purposes, we rely on the following legal bases:

  • Contract performance (Article 6(1)(b)) — Processing your account data (Google OAuth profile) is necessary to authenticate you and provide service access.
  • Legitimate interests (Article 6(1)(f)) — Processing technical and usage data for security, abuse prevention, and service reliability.
    • Purpose: Maintaining a secure, reliable, and functional service by detecting abuse, enforcing rate limits, and diagnosing errors.
    • Necessity: This processing is necessary because security monitoring and error diagnostics cannot function without technical data (IP addresses, request metadata, error codes). There is no less intrusive way to achieve these goals.
    • Balancing: This does not override your rights because we process the minimum data necessary, retain IP addresses for only 7 days and request logs for only 30 days, and do not use this data for profiling, marketing, or any purpose unrelated to service operations.

5. Our Encryption Model

This section explains exactly what we can and cannot see.

What this means in practice

We derive encryption keys from your OAuth credentials at the start of each session. These keys are ephemeral: they exist only in memory during an active session and are never stored at rest. We do not hold these keys and cannot decrypt your content. This is an architectural constraint, not a policy promise.

We do not log search queries, memory content, or user-generated text beyond what is encrypted in the database. Operational logging is limited to request counts, timestamps, endpoint paths, and error codes.

Vector embeddings cannot be encrypted. Similarity search requires mathematical operations on raw vectors; encrypting them would make search impossible. As described in Section 2, embeddings are lossy and non-reversible but may reveal general subject matter.

We cannot read your memories. We can see that memories exist (count, timestamps, metadata) and perform operations on their embeddings, but we cannot access the text you wrote.

Early Access transparency

During Early Access, our engineering team retains programmatic access to memory data for service operations: database migrations, schema updates, and data integrity verification. We use this access solely for service continuity, never to read or extract user content. We will remove this access as we approach general availability.

For a detailed explanation of the encryption architecture, key derivation, and threat model, see our Security page.

6. Sub-Processors

We use the following third-party services to operate Gnosis Memory. Each receives only the data it needs.

| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Google | OAuth authentication | Email, name, profile picture | United States |
| Cloudflare | CDN, DNS, Workers (API edge) | IP addresses, request metadata, API request/response payloads (in transit, not stored by Cloudflare) | Global (edge network) |
| CrunchyBridge | PostgreSQL database hosting | Encrypted memories, embeddings, account data | United States |
| RunPod | GPU infrastructure hosting | All application data resides on RunPod-hosted infrastructure during runtime. Embedding generation occurs locally within the pod, not via external API. | United States |

7. International Data Transfers

All data processing occurs in the United States. If you are in the EU, EEA, or UK, we transfer your data to the US when you use the service.

Where required, we enter into Standard Contractual Clauses (SCCs) approved by the European Commission with our sub-processors to provide appropriate safeguards for international transfers. For transfers from the United Kingdom, we use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs, as approved by the Information Commissioner's Office (ICO). The encryption model described above provides a supplementary technical measure — even in the event of a government data request, your memory content cannot be decrypted by us or any third party.

8. Data Retention

We retain data for the minimum period necessary for each purpose. Deletion is automated and not subject to manual override.

| Data type | Retention | Notes |
|---|---|---|
| Account data | While account is active | |
| Memory content | Until you delete it or close your account | You control deletion through your AI assistant at any time |
| Connection metadata (IP, user-agent) | 7 days | Then permanently deleted |
| Request logs (endpoints, timestamps, status) | 30 days | Contains account identifier, never memory content |
| Security events (failed auth, rate limits) | 30 days | May extend to 90 days during active security investigation |
| Aggregate system metrics | Indefinite | Contains no personally identifiable information |
| Billing records | 7 years (when paid tiers launch) | Required by tax law |
| Law enforcement request records | Permanent | Date, scope, and our response only |
| Deletion audit records | Permanent | Proof of deletion (date, scope), not the deleted content |
| User correspondence | 3 years | Emails to support/legal addresses |

When you close your account, all associated data (account information, encrypted memories, embeddings, metadata) is permanently removed from production systems within 30 days. Deleted data may persist in encrypted database backups for up to 90 days until those backups are naturally replaced. Backup data is not accessed or processed for any purpose. If a backup is ever restored, previously completed deletions are re-applied.

We comply with valid legal process for data currently in our possession but do not extend retention periods in anticipation of future requests.

9. Your Rights

GDPR Rights (EU/EEA/UK)

If you are in the European Union, European Economic Area, or United Kingdom, you have the following rights under the GDPR:

  • Access (Article 15) — You can request a copy of all personal data we hold about you.
  • Rectification (Article 16) — You can ask us to correct inaccurate data.
  • Erasure (Article 17) — You can request deletion of your personal data.
  • Restriction (Article 18) — In certain circumstances, you can require us to limit how we use your data.
  • Portability (Article 20) — We will provide your data in structured, machine-readable JSON.
  • Objection (Article 21) — You can object to processing based on legitimate interests.
  • Automated decisions (Article 22) — Not applicable. We do not make automated decisions with legal or similarly significant effects.

To exercise any of these rights, contact us at the email address below. We will respond within 30 days. For complex or voluminous requests, this period may be extended by up to 60 additional days, in which case we will notify you within the initial 30-day period.

CCPA Rights (California)

We do not sell your personal information. We have never sold personal information and have no plans to do so. California residents have the right to know, delete, and correct their personal data under the California Consumer Privacy Act, and we honor these requests regardless of residency.

10. Cookies and Tracking

We use session cookies for authentication only. These cookies are strictly necessary for the service to function — they keep you signed in.

We do not use:

  • Tracking cookies
  • Advertising cookies
  • Analytics cookies
  • Third-party cookies

Because we use only strictly necessary cookies, no consent banner is required under the ePrivacy Directive.

11. Children's Privacy

Gnosis Memory is not directed at children under 13 years of age. We do not knowingly collect personal data from children under 13. If we discover that we have inadvertently collected data from a child under 13, we will delete the account and all associated data promptly.

If you believe a child under 13 has created an account, contact us immediately.

12. Data Breach Notification

For operational data (where we are the controller): In the event of a personal data breach affecting operational data (account information, technical logs) that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (GDPR Article 33) and notify you without undue delay if the breach poses high risk (GDPR Article 34).

For memory data (where we are the processor): In the event of a personal data breach affecting memory data we process on your behalf, we will notify you (as the data controller) without undue delay and within 72 hours of becoming aware of the breach, providing sufficient information for you to fulfill any notification obligations you may have under applicable law.

For US residents, we comply with applicable state breach notification laws including the Alabama Data Breach Notification Act (notification as expeditiously as possible, no later than 45 days). The 72-hour timeline above applies specifically to GDPR-covered individuals and to our obligations as a data processor; US state law timelines apply separately.

Because we encrypt memory content with per-user keys, a database breach would not expose readable memory content. A breach could, however, expose account data, metadata, and embeddings.

13. Changes to This Policy

We may update this policy from time to time. When we make material changes — changes that affect your rights or how we handle your data — we will notify you by email before the changes take effect.

The updated policy will be posted on this page with a new effective date. Continued use of the service after the notice period constitutes acceptance of the updated policy.

Non-material changes (typo fixes, clarifications that don't change meaning) may be made without notice.

14. Contact and Complaints

For privacy-related questions, data requests, or to exercise your rights:

  • Email: privacy@gnosismemory.com
  • Physical address: Pending entity formation. Will be updated here once [Entity Name, LLC] is formally registered.

We have not appointed a Data Protection Officer as we do not currently meet the thresholds requiring one under GDPR Article 37. Direct privacy inquiries to privacy@gnosismemory.com.

If you are in the European Union and believe we have not adequately addressed your privacy concern, you have the right to lodge a complaint with your local Data Protection Supervisory Authority. If you are in the United Kingdom, you may lodge a complaint with the Information Commissioner's Office (ICO).
