Privacy Policy
Last updated: April 12, 2026
1. Who we are
Memora ("we," "us," "our") operates the Memora web application (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use the Service. By using the Service, you consent to the practices described in this Privacy Policy and our Terms of Service.
2. Information we collect
Account information. When you register, we collect your name and email address. If you use password-based login, we store a securely hashed version of your password (we never store plaintext passwords). If you sign in via Google OAuth, we receive your Google profile name, verified email address, and Google account identifier.
Content you provide. Text you paste into the quiz generator (notes, transcripts, summaries) is transmitted to a third-party AI model provider (currently OpenAI) solely to generate quiz questions. The generated quiz, your answers, scores, and session data are stored in our database to provide your quiz history and dashboard.
Usage and log data. We automatically collect standard server logs, which may include IP address, browser type and version, operating system, referring URL, pages visited, timestamps, and request metadata. We also collect quiz-related analytics (scores, streaks, completion times, question counts) to operate and improve the Service.
Contact requests. If you use our contact form, we store the name, email address, and message you submit.
Payment information. If you subscribe to a paid plan, payment is processed by Stripe. We do not store full credit card numbers, CVV codes, or bank account details. We may receive and store limited billing information such as subscription status, customer identifiers, tax status, billing address, and transaction identifiers.
3. Legal basis for processing (EEA/UK users)
If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data under the following legal bases:
- Contract performance: processing necessary to provide the Service you signed up for (account creation, quiz generation, progress tracking).
- Legitimate interests: processing for security, abuse prevention, rate limiting, analytics to improve the Service, and communication regarding your account. Our legitimate interests do not override your fundamental rights and freedoms.
- Consent: where required, such as when you voluntarily submit a contact-form inquiry. You may withdraw consent at any time.
- Legal obligation: processing necessary to comply with applicable laws (e.g., tax record-keeping for paid subscriptions).
4. How we use your information
- To provide, operate, maintain, and improve the Service.
- To generate quizzes from the text you provide.
- To display your scores, progress, leaderboard rankings, and dashboard.
- To process payments and manage subscriptions.
- To send transactional communications (account verification, password resets, billing receipts, service notifications).
- To respond to contact-form inquiries and support requests.
- To detect, prevent, and address fraud, abuse, security incidents, and technical issues.
- To enforce our Terms of Service.
- To comply with applicable legal obligations.
We do not use your personal information for automated profiling that produces legal or similarly significant effects. Quiz difficulty or content ordering within the Service is based on general algorithms, not on profiling of individual users.
5. Third-party services and data sharing
We share personal data with third-party service providers only as necessary to operate the Service:
- OpenAI: your submitted text is transmitted to OpenAI's API to generate quiz questions. OpenAI processes this data under its usage policies and API data usage policy. As of this writing, OpenAI does not use API inputs/outputs for training.
- Vercel: application hosting and serverless compute (United States).
- Neon: managed PostgreSQL database (United States).
- Upstash: Redis-based rate limiting (may include US and EU regions).
- Google: if you use Google sign-in, your authentication is facilitated through Google OAuth.
- Stripe: payment processing, subscription billing, tax calculation, invoices, and fraud prevention for paid plans.
We do not sell, rent, or share your personal information with third parties for their advertising or marketing purposes.
We may also disclose your information if required to do so by law, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
6. International data transfers
Your personal data may be transferred to and processed in countries other than your country of residence, including the United States, where our hosting providers and third-party services operate. These countries may have data protection laws that differ from the laws of your jurisdiction.
Where required by applicable law (such as the GDPR), we rely on appropriate safeguards for international transfers, including the European Commission's Standard Contractual Clauses (SCCs), adequacy decisions, or the data importer's binding commitments. By using the Service, you consent to the transfer of your data to the United States and other countries as described herein.
7. Data retention
We retain your account data and quiz history for as long as your account is active or as needed to provide the Service. If you request deletion of your account, we will delete or anonymize your personal data within 30 days, except where we are required by law to retain it (e.g., billing records for tax purposes, which may be retained for up to 7 years).
Contact-form submissions are retained for up to 2 years to allow us to follow up on inquiries, after which they are deleted.
Server logs containing IP addresses are retained for up to 90 days for security and debugging purposes.
8. Security
We implement industry-standard technical and organizational measures to protect your personal data, including: encrypted connections (TLS/HTTPS), bcrypt-hashed passwords, HTTP-only secure session cookies, database access controls, environment-variable-based secrets management, and IP-based rate limiting.
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee its absolute security and shall not be liable for any unauthorized access, disclosure, or loss that occurs despite our reasonable security measures.
9. Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay and, where required by applicable law (including GDPR Article 33), notify the relevant supervisory authority within 72 hours of becoming aware of the breach. Notification will include the nature of the breach, the categories of data affected, and the measures taken or proposed to address it.
10. Cookies
We use a small number of essential cookies strictly necessary for the Service to function:
- Session cookie (memorize.session): authenticates your login session (HTTP-only, secure, SameSite=Lax, 30-day expiry).
- OAuth state/PKCE cookies: short-lived (5 minutes), used only during the Google sign-in redirect flow, then automatically deleted.
We do not use tracking cookies, advertising cookies, analytics cookies, or any third-party cookies. Because we use only strictly necessary cookies, consent banners are not required under the ePrivacy Directive.
11. Your rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate or incomplete personal data.
- Erasure ("right to be forgotten"): request deletion of your personal data, subject to legal retention requirements.
- Restriction: request that we limit the processing of your personal data under certain circumstances.
- Data portability: request a machine-readable copy of the personal data you provided to us.
- Objection: object to processing based on our legitimate interests.
- Withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
How to exercise your rights: Contact us via our contact form or by email at support@memora.win. We will respond to your request within 30 days (or within the time period required by applicable law). We may request verification of your identity before processing your request.
Right to lodge a complaint: If you are in the EEA or UK, you have the right to lodge a complaint with your local data protection supervisory authority.
12. California residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you additional rights:
- Right to know: you may request the categories and specific pieces of personal information we have collected about you.
- Right to delete: you may request deletion of your personal information, subject to certain exceptions.
- Right to opt out of sale/sharing: we do not sell or share your personal information as defined under the CCPA/CPRA.
- Non-discrimination: we will not discriminate against you for exercising your rights.
To exercise your CCPA rights, contact us via the contact form or by email at support@memora.win.
13. Children
The Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately so we can take steps to remove that information and terminate the child's account.
14. Automated decision-making
The Service uses AI models to generate quiz content based on the text you provide. This is a content-generation feature, not an automated decision-making process that produces legal or similarly significant effects on you. Quiz scores, streaks, and leaderboard rankings are calculated by deterministic algorithms based on your quiz answers and do not involve profiling.
15. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting a prominent notice on the Service and updating the "Last updated" date above. For material changes that affect how we use data you have already provided, we will make reasonable efforts to notify you via the email address associated with your account at least 14 days before the changes take effect. Your continued use of the Service after the revised Privacy Policy becomes effective constitutes your acceptance of the updated policy.
16. Contact
If you have questions or concerns about this Privacy Policy or our data practices, please reach out via our contact form or email support@memora.win.