Memeri Privacy Policy

Effective date: 15 June 2026
Who we are: Memeri Ltd (company number 17051682), 20 Wenlock Road, London, England, N1 7GU ("Memeri", "we", "us")
Contact: privacy@memeri.ai · Security: security@memeri.ai

Memeri (memeri.ai) is a persistent AI workspace for software development. You connect your own AI coding agents (such as Claude Code, ChatGPT, or Codex) to Memeri, and Memeri stores your project memory — workflows, jobs, decisions, conversation context, and activity telemetry — so your agents can pick up where they left off.

This policy explains what we collect, why, where it goes, and what your rights are. We've tried to write it the way we'd want to read it: specific, honest, and without padding. Memeri is in private beta. Self-serve export and account deletion are now built (Settings → Data & Privacy); where other data-management details are still maturing, we say so plainly.


The short version


1. Who this policy covers

This policy covers:

For the personal data of account holders and visitors, we act as the data controller. For personal data contained inside the project content you and your agents store with us (including data about third parties), our role is more nuanced: we act as a processor/service-provider for user-supplied content, and as controller for account and telemetry data.

Memeri is intended for users aged 18 or older and is not directed at children.


2. What we collect

Plain-language summary: account details, request logs, detailed telemetry about what your AI agents do, and — the big one — the project content and AI conversations you and your agents store with us.

2.1 Account and identity data

2.2 Network, device, and usage data

2.3 AI-agent activity telemetry

Because Memeri's core job is showing you what your agents are doing, we record detailed telemetry about agent activity:

2.4 Project content and "memory" (the most sensitive category)

This is everything you and your agents deliberately put into Memeri, and it can contain anything — code, architecture, business plans, names, credentials you shouldn't have pasted:

2.5 Data from linked git repositories

If you link a repository, we poll it (currently public repos, via the GitHub API) and ingest branch and commit metadata — including commit author names and email addresses, which may belong to people who have never used Memeri. See Section 5.

2.6 Terminal and local-machine data

Your agents execute commands on your own machine via the Memeri local console. Terminal command history is held in server memory during a session but is not persisted to our database unless an agent explicitly posts output into a work log or artifact. Console transcripts, scrollback, and workspace layouts live in ~/.memeri-console/ on your machine, not on our servers. Setup also installs a small session hook into your local Claude settings so conversations can be linked to jobs — we're disclosing this because it modifies a config file on your machine.

2.7 What we do NOT collect


3. How we use your data (and our lawful bases)

Plain-language summary: we use your data to run the product, keep it secure, and email you about your account. We don't sell it, we don't advertise with it, and we don't use it to train AI models.

Purpose | Data | Lawful basis (GDPR/UK GDPR)
Providing the workspace: storing and serving your projects, memory, conversations, telemetry to you and your agents | Sections 2.3–2.6 | Contract (Art. 6(1)(b))
Account creation, login, email verification | Section 2.1 | Contract
Transactional email (verification, account notices) | Email, name | Contract
Security, abuse prevention, debugging, service operation | Section 2.2, server logs | Legitimate interests (Art. 6(1)(f)) — keeping the service secure and working
Showing repo activity for projects you link | Section 2.5 | Legitimate interests — you asked us to surface your repo's activity; see Section 5 for third-party authors
Beta feedback handling | Section 2.2 feedback | Legitimate interests / consent (contact_ok flag)
Legal compliance, responding to lawful requests | As required | Legal obligation (Art. 6(1)(c))

Things we do not do:


4. Your AI agents and their providers (read this section)

Plain-language summary: you bring your own AI. Whatever your agent sees, its provider sees — under that provider's terms, not ours.

Memeri is a workspace around AI agents you supply. You authenticate to Anthropic, OpenAI, or another provider directly; we never own that relationship, resell model output, or sit between you and the vendor's billing.

This has a privacy consequence you should understand clearly:

Separately: your agents execute real commands on your machine with your privileges. Memeri hosts the surface, not the compute. What an agent reads from your disk can end up in Memeri (via work logs, conversation sync) and at your provider (via the agent's context).


5. Data about other people (third parties)

Plain-language summary: if you link a repo or talk about people to your agent, data about those people ends up in Memeri. Make sure you're allowed to put it there.

Two ways data about people other than you enters Memeri:

  1. Linked repositories. We ingest commit author names and email addresses from repos you link — including contributors who have never used Memeri. We use this only to show you your project's commit activity. If you are a commit author whose data appears in someone's Memeri project and you want it removed, contact privacy@memeri.ai.
  2. Your content. Conversations, notes, and code you store may mention or include other people's data. You are responsible for having a lawful basis to put third-party personal data into Memeri. Where we store such data on your behalf, we act on your instructions.

6. Who we share data with (sub-processors and recipients)

Plain-language summary: a hosting provider sees everything (that's how hosting works), an email provider sees your email address, GitHub is involved if you link a repo, and one CDN currently sees your IP on terminal pages. No data brokers, no ad networks.

6.1 Service providers

Provider | What they process | Why
Railway (hosting: app servers, database, cache, WebSocket relay) | Effectively all server-side data described in Section 2, plus server logs (IPs, user-agents, request URLs) and tunnel traffic in transit | They host Memeri.
Resend (transactional email) (launching with email verification; key pending) | Your email address, display name, verification links | Sending account emails
GitHub | Repo identifiers we poll on your behalf; inbound webhook payloads | Repo activity for projects you link
jsDelivr (CDN) | Your IP address, user-agent, and referring page — but only when you load Terminal/Console pages, which fetch one terminal-rendering library at runtime | Currently the only third-party call our web client makes. We plan to bundle this library ourselves and remove this disclosure.
Hugging Face Hub | No user data — our server downloads an embedding model file once (server IP only) | Local embedding model

6.2 Planned (not yet active)

We currently have no analytics, error-tracking, or advertising vendors. If we ever add one, we will update this policy first.

6.3 No platform-side AI providers

Memeri does not send your content to large-language-model providers on our own account. All AI work runs on your own connected agents under your own provider accounts (see Section 4). We do not use platform API keys to send your chat text, project context, or workflow prompts to OpenAI, Anthropic, or any other LLM provider, and accordingly we do not list any such provider as a Memeri sub-processor.

6.4 The connection tunnel

When your agents talk to your machine through Memeri, traffic passes through a WebSocket relay hosted on our infrastructure. This relay forwards file contents, terminal commands and output, and git diffs between your machine and your agents. This traffic is encrypted in transit (TLS) but is not end-to-end encrypted — it transits our servers in a form our infrastructure could technically observe. Additionally, certain file operations fall back to our server's filesystem when no tunnel to your machine exists; file operations are not guaranteed to be local-only.

6.5 Other disclosures

We may disclose data if required by law or legal process, to protect the rights, safety, or property of Memeri or others, or as part of a merger, acquisition, or asset sale (in which case this policy continues to apply and we'll notify you).


7. Browser storage (the "cookie" section)

Plain-language summary: zero cookies, zero trackers. We use localStorage for your login token and preferences.

We set no cookies and run no tracking or analytics scripts. We use browser storage as follows:

Honesty notes: (1) logging out clears your auth tokens but currently does not clear drafts, cached feeds, or gateway settings — on a shared computer, use a private window or clear site data manually; (2) if you connected a REST-based agent via a gateway API key, that key sits in localStorage in plain text. Both are on our hardening roadmap.

Under the EU ePrivacy rules, this storage is either strictly necessary (login) or functionality you asked for (preferences, drafts), so no consent banner is required. We will reassess this the moment we add payments or any analytics.


8. Data retention

Plain-language summary: while your account exists, most data is kept until you delete it — we don't yet run fixed retention schedules for most categories. You can erase your account yourself (Settings → Data & Privacy): a true erasure that completes after a 30-day grace period.

We are a private beta and are still building out automated, category-by-category retention schedules. The current reality:

As we ship data-lifecycle tooling, we will publish concrete retention periods here. Until then, the honest statement is: assume indefinite retention unless you ask us to delete.


9. Your rights (GDPR / UK GDPR and generally)

Plain-language summary: you have real legal rights, and we'll honor them — but today most of them are fulfilled manually by a human, not a button. Email privacy@memeri.ai.

If you're in the EU/UK (and as our default for everyone), you have the right to access, correct, export, delete, and restrict or object to processing of your personal data, and to withdraw consent where consent is the basis. You also have the right to complain to your supervisory authority.

How this works in practice today:

We will verify requests (normally by matching your account email) and will not discriminate against you for exercising any right.


10. International transfers

Our infrastructure is hosted on Railway. If you are in the EU, UK, or elsewhere outside that region, your data is transferred to and processed there.


11. California (CCPA/CPRA)

For California residents: we collect the categories described in Section 2 (identifiers, internet/network activity, and user-provided content), for the purposes in Section 3. We do not sell personal information and we do not share it for cross-context behavioral advertising, and we have not done so in the preceding 12 months. We use no third-party advertising or analytics, so there is nothing for a "Do Not Sell Or Share" link to switch off; for the same reason, opt-out preference signals such as Global Privacy Control have no selling/sharing to opt out of (we set no cookies for such signals to govern). The rights to know, delete, correct, and non-discrimination apply, via privacy@memeri.ai, on the same manual process described in Section 9.


12. Security

Plain-language summary: real measures exist, real gaps exist, and we're a beta — don't store anything in Memeri whose leak you couldn't tolerate.

Measures in place: passwords hashed with bcrypt and never logged or returned; email-verification tokens stored hashed with short expiry; parameterized SQL throughout; HMAC-verified webhooks with timing-safe comparison; TLS in transit; provenance logging on agent actions; secret-pattern redaction in telemetry (with the coverage limits described honestly in Section 2.3 — redaction is not exhaustive); a verified backup-restore drill; and a 2026 security audit after which all 17 identified authentication issues were fixed and verified in production.

We are deliberately not going to promise "bank-grade security." Memeri is a private beta and we maintain a known-issues backlog (including credential-handling hardening noted in Sections 2.1 and 7). No system is perfectly secure, and we make no absolute guarantee. Practical advice we actually mean: don't paste production secrets into agent conversations, and treat your connection token like a password.

If we learn of a personal-data breach, we will assess it and notify affected users and regulators as required by applicable law (including GDPR's 72-hour authority-notification rule where it applies), without undue delay.

Found a vulnerability? Please tell us: security@memeri.ai. We commit to responding and to not pursuing good-faith researchers.


13. Changes to this policy

We'll update this policy as the product evolves — notably before launching payments, adding any analytics or error-tracking vendor, adding any platform-side AI provider, or changing hosting. Material changes will be announced by email or in-app notice with the new effective date. Continued use after the effective date means the updated policy applies.


14. Contact

Last updated: 18 June 2026