Privacy Policy

Information You Provide

• Account information: email address (required for authentication and account recovery), display name (optional), and authentication information managed through Supabase Auth using PKCE and/or magic link flows.
• Professional content: raw note text you enter; draft extracted artifacts generated from your notes; confirmed artifacts you choose to save; resume drafts and evidence-linked claims you generate; and related records you create within the Service.

Information Collected Automatically

• Technical and usage data: timestamps, device and browser type, app version, operating system, approximate location derived from IP address, and performance and error logs. We design our telemetry so that raw user-authored note text is not included in analytics or logging.

Billing Information

If you purchase a paid plan, payments are processed by Stripe. We do not store full payment card numbers.

• Provide, operate, and secure the Service (including authentication, extraction workflows, and resume generation).
• Communicate with you about the Service (transactional emails such as login links and security notices).
• Process payments and manage subscriptions.
• Maintain, debug, and improve the Service (using data-minimization practices).

Where required by applicable law, we rely on the following legal bases to process personal data:

• Contract: to provide the Service you request, including authentication, processing your notes, generating drafts, and storing your confirmed artifacts.
• Legitimate interests: to secure, maintain, and improve the Service; prevent fraud and abuse; and debug and fix errors, using data-minimization practices.
• Consent: for any optional features where we ask you directly, and where required for non-essential cookies.
• Compliance with law: to meet legal obligations and respond to valid legal requests.

Memoa uses AI to help extract structured career artifacts (such as outcomes, metrics, skills, and evidence) from text you provide.

• What we send: When you request extraction, relevant portions of your note text are sent to the OpenAI API to generate a draft extraction result.
• Training: We do not permit our AI vendors to use your content to train their models. For OpenAI’s API platform, inputs and outputs are not used for training by default unless an account owner opts in, and we do not opt in.
• Human review: AI output is presented as a draft. Nothing becomes a confirmed artifact unless you explicitly review and confirm it.
• Isolation: Extraction requests are processed per request and are not designed to include cross-user context from Memoa.
• Fallback mode: In limited cases, Memoa may offer a heuristic-only, non-API fallback that processes text within Memoa systems without sending it to an external AI API.
• No automated decisions: Memoa does not make employment or hiring decisions for you. You control what you publish and share.

We share information with service providers who help us operate the Service:

• Supabase: Database hosting, authentication, and storage.
• Vercel: Application hosting and edge function execution.
• OpenAI: AI extraction processing (we do not opt in to training).
• Stripe: Payment processing for paid tiers. We do not store credit card numbers.
• Postmark: Transactional email delivery (account verification, security alerts, receipts).

For a complete list of service providers, see our Subprocessor List.

We may also disclose information if required by law or valid legal process. Where legally permitted, we will notify you.

• Account data and professional content: We retain your account information and professional content for as long as you maintain an account, unless you delete items earlier.
• Deletion timeline: If you delete your account (or request deletion), we delete or de-identify personal data from our active systems within 30 days, except where we must retain certain information to comply with law or resolve disputes.
• Backups: Encrypted backups are retained for up to 30 days and then overwritten or deleted on a rolling basis.
• Service logs: Security and operational logs (excluding raw note content by design) are retained for a limited period consistent with our operational needs (generally no more than 24 months) and then deleted or aggregated.
• Aggregated metrics: We may retain aggregated and de-identified metrics that cannot reasonably be used to identify you.

Depending on where you live, you may have rights to access, correct, delete, or export your data, and to object to or restrict certain processing. To exercise any of these rights, contact privacy@memoa.app or use the in-app account controls. We respond within 30 days where feasible and as required by law.

California residents may have rights to know, access, correct, delete, and obtain information about our collection and disclosure of personal information, and to opt out of the sale or sharing of personal information (as those terms are defined under California law).

Memoa does not sell or share personal information for cross-context behavioral advertising. We disclose personal information to service providers solely to operate the Service.

You (or an authorized agent) may submit requests by emailing privacy@memoa.app or through in-app account controls. If we need to verify your identity, we will request information sufficient to confirm you are the account owner.

Memoa is operated from the United States. If you access the Service from outside the U.S., your information may be processed in the U.S. and other jurisdictions where our service providers operate. Where required, we rely on appropriate safeguards such as contractual protections offered through our providers' data processing terms.

We use administrative, technical, and organizational safeguards designed to protect personal information (such as encryption in transit, access controls, and database row-level security). However, no security measure is perfect, and we cannot guarantee absolute security.

We use necessary cookies for authentication and security, and localStorage for preferences. We do not use third-party tracking cookies or advertising pixels. For details, see our Cookie Policy.

Memoa is designed for professional documentation. We recommend that you do not include sensitive personal information (such as Social Security numbers, medical information, or client-confidential data) in your notes unless you have the authority and intention to do so. Memoa does not request or require sensitive personal data to operate the Service.

The Service is not intended for children under 16, and we do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

If we make material changes, we will notify you by email at least 14 days before changes take effect. The “Last updated” date at the top of this page indicates the most recent revision.

For privacy-related inquiries, data requests, or concerns:

• Email: privacy@memoa.app
• Memoa LLC, United States