Memorra← Back to home

Privacy Policy

Effective date: June 16, 2025

Last updated: June 16, 2025

1. Introduction

Memorra ("we", "our", or "us") operates the Memorra platform at memorra.app (the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and store it, who we share it with, and what rights you have over it.

By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy and consent to the data practices described herein. If you do not agree, do not use the Service.

This policy applies to all users of the Service regardless of location. Where applicable law imposes additional obligations (e.g. GDPR, CCPA), those obligations are addressed in dedicated sections below.

2. Data We Collect and Why

2.1 Account Data

When you register we collect your email address, full name (optional), and a hashed password. This is required to identify you, authenticate your sessions, and communicate with you about your account. Legal basis: contract performance and legitimate interest.

2.2 Event and Planning Data

Everything you enter into the Service — event names, dates, venues, guest lists (names, email addresses, phone numbers, dietary preferences, RSVP statuses, notes), seating arrangements, budget categories and line items, vendor names and contact details, checklists, schedules, and any other planning content — is stored on our behalf by Supabase, Inc. (hosted on AWS infrastructure). This data is necessary to provide the core functionality of the Service. Legal basis: contract performance.

2.3 Guest Personal Data (Third-Party Data)

When you add guests to your events you are providing us with personal data belonging to third parties. You represent and warrant that you have a lawful basis to provide this data (e.g. you are organising an event those individuals are attending and they expect to receive communications from you). We process guest data solely to carry out the features you request — sending invitations, tracking RSVPs, generating seating arrangements — and for no other purpose. We do not contact your guests for our own marketing or any purpose unrelated to your use of the Service.

2.4 AI Conversation Data

When you use AI-powered features, your text inputs and contextual event data (guest counts, budget summaries, vendor names, event details, etc.) are transmitted to Anthropic, PBC for processing via their Claude API. We store your conversation history in our database to maintain continuity across sessions. Anthropic may retain API inputs and outputs for safety monitoring, abuse prevention, and model improvement purposes under their own Privacy Policy. We have no control over Anthropic's data practices beyond our API agreement with them.

2.5 Payment and Billing Data

Subscription payments are processed entirely by Stripe, Inc. We never receive, see, or store your full payment card number, CVV, or bank account details. We store only your Stripe customer ID and subscription status (tier, renewal date, cancellation status) to manage your account access. Stripe's own Privacy Policy governs how they handle payment data. Stripe may retain billing records as required by financial regulations regardless of account deletion.

2.6 Email and Messaging Data

Outbound emails (invitations, RSVP confirmations, vendor communications) are sent via Resend, Inc. We store a log of sent messages including recipient addresses, timestamps, and delivery statuses. Resend may process message metadata per their own privacy policy. We do not store the full body of emails indefinitely after delivery except where needed for your communications history within the Service.

2.7 Usage and Technical Data

We may automatically collect technical data when you use the Service, including: IP address, browser type and version, operating system, referring URLs, pages visited within the Service, timestamps of actions, and error logs. This data is used to operate, secure, and improve the Service. We do not sell this data or use it for advertising profiling.

2.8 Cookies and Local Storage

We use authentication session cookies that are strictly necessary for you to log in and use the Service. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. You can configure your browser to refuse cookies but doing so will prevent you from logging in. We may use browser local storage for UI preferences (e.g. theme selection); this data stays on your device and is not transmitted to our servers.

3. How We Use Your Data

We use collected data to:

  • Create and manage your account and authenticate your sessions
  • Provide, operate, and maintain all features of the Service
  • Process subscription payments and manage billing via Stripe
  • Send transactional emails (invitation cards, RSVP links, vendor messages) via Resend
  • Power AI features by transmitting relevant context to Anthropic's API
  • Send service-related communications (security alerts, billing notifications, product updates directly related to the Service)
  • Diagnose technical issues, monitor uptime, and improve Service performance
  • Detect and prevent fraud, abuse, and violations of our Terms of Service
  • Comply with legal obligations

We do not sell your personal data. We do not use your data for advertising or share it with advertisers. We do not use your event or guest data to train AI models.

4. Data Storage and Security

Your data is stored in Supabase-hosted databases running on Amazon Web Services (AWS) infrastructure, located primarily in the United States. We implement the following security measures:

  • Encryption in transit: All connections to the Service use TLS (HTTPS). Data transmitted to third-party APIs is encrypted in transit.
  • Encryption at rest: Supabase encrypts data at rest on AWS infrastructure.
  • Row-level security: Database access policies ensure each user can only access their own data. No user can access another user's data.
  • Authentication: Passwords are hashed using industry-standard algorithms and never stored in plaintext. We use Supabase Auth for secure session management.
  • Access controls: Access to production systems is restricted to authorised personnel only.

Despite these measures, no system is completely secure. We cannot guarantee the absolute security of your data, and you use the Service at your own risk. In the event of a data breach that is likely to result in risk to your rights, we will notify affected users as required by applicable law.

If you discover a security vulnerability, please report it responsibly to support@memorra.app.

5. Data Sharing and Third-Party Processors

We share data with the following categories of third parties only as necessary to provide the Service. These parties act as data processors on our behalf and are contractually required to protect your data:

  • Supabase, Inc. — database hosting, authentication, and file storage (AWS-hosted, USA)
  • Anthropic, PBC — AI processing for AI assistant and AI-powered features (USA). Note: Anthropic processes your AI inputs under their own privacy policy and may retain them per their safety obligations.
  • Stripe, Inc. — payment processing and subscription management (USA)
  • Resend, Inc. — transactional email delivery (USA)
  • Vercel, Inc. — cloud hosting and serverless infrastructure for the Service (USA)

We may disclose your data without notice if we believe disclosure is necessary to: (a) comply with applicable law, regulation, or valid legal process; (b) protect the rights, property, or safety of Memorra, our users, or the public; (c) detect or prevent fraud or abuse.

In the event of a merger, acquisition, or sale of all or substantially all of our assets, your data may be transferred to the successor entity. We will provide reasonable notice before your data becomes subject to a materially different privacy policy.

6. International Data Transfers

Our infrastructure and third-party processors are primarily located in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States, which may have different data protection laws than your country of residence.

By using the Service, you consent to this transfer. Where required by applicable law (e.g. GDPR), we rely on appropriate safeguards such as Standard Contractual Clauses for international transfers to the extent they apply through our processor agreements.

7. Data Retention

We retain your account data and event/planning data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal, regulatory, or legitimate business purposes (e.g. fraud prevention records, billing dispute resolution).

Stripe retains billing and transaction records as required by financial regulations, independent of account deletion. Anthropic retains API inputs and outputs per their own policy. These retentions are outside our control.

We may retain anonymised or aggregated data derived from your use of the Service indefinitely for analytical and product improvement purposes.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data (subject to legal retention obligations)
  • Portability: Request an export of your data in a machine-readable format
  • Restriction: Request that we restrict processing of your data in certain circumstances
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: Where processing is based on consent, withdraw it at any time (without affecting prior processing)

To exercise any right, email support@memorra.app with your request. We will respond within 30 days. We may need to verify your identity before processing your request. Some requests may be limited where we have a legal obligation to retain data or where fulfilling the request would adversely affect other users.

We do not discriminate against users who exercise their privacy rights.

9. California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you additional rights:

  • The right to know what personal information we collect, use, disclose, and sell
  • The right to delete personal information (with exceptions)
  • The right to opt out of the sale or sharing of personal information
  • The right to correct inaccurate personal information
  • The right to limit use of sensitive personal information

We do not sell or share your personal information for cross-context behavioural advertising. We do not have actual knowledge of selling or sharing personal information of consumers under 16 years of age.

To submit a CCPA request, email support@memorra.app. You may designate an authorised agent to make a request on your behalf; we will require verification of the agent's authority.

10. EEA / UK Residents (GDPR)

If you are located in the European Economic Area or United Kingdom, the General Data Protection Regulation (GDPR) or UK GDPR applies to our processing of your personal data. Our legal bases for processing are:

  • Contract performance — processing necessary to provide the Service you signed up for
  • Legitimate interests — security monitoring, fraud prevention, service improvement (balanced against your rights)
  • Legal obligation — where we must retain data to comply with applicable law
  • Consent — for any processing not covered by the above, where we have obtained your explicit consent

As noted in Section 6, data is transferred to the United States. We rely on appropriate transfer mechanisms to the extent required. You have the right to lodge a complaint with your local data protection authority if you believe we have not handled your data lawfully.

Memorra is the data controller for your account data. For guest data you add to the Service, you act as the data controller and Memorra acts as your data processor.

11. Children's Privacy

The Service is not directed to children under 18 years of age. We do not knowingly collect personal data from anyone under 18. If you become aware that a minor has provided us with personal data, please contact us at support@memorra.app and we will take steps to delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the effective date at the top of this page and, where appropriate, by email or in-app notification. Your continued use of the Service after the revised policy takes effect constitutes your acceptance of the changes. We encourage you to review this page periodically.

13. Contact

For any privacy questions, data requests, or concerns, contact us at support@memorra.app. We will respond within 30 days.