Privacy Policy

Effective February 27, 2026

What We Collect

• API key hash — a SHA-256 hash of your key, used for authentication. We never store the plaintext.
• Workspace metadata — item counts, memory counts, timestamps for rate limiting and usage tracking.
• Usage metrics — request counts per workspace, used for rate limiting and tier enforcement.

What We Don't Collect

No email addresses. No names. No IP logging beyond transient rate-limit checks. No tracking cookies. No analytics scripts. No fingerprinting. We don't know who you are — and that's the point.

Your Data Is Encrypted

All memories, items, and working memory content are encrypted with per-workspace AES-256 keys derived from your API key. The encryption happens before storage. We cannot read your content — not as a policy choice, but as a technical constraint. We don't have your key.

Billing Data

If you subscribe to Pro, Stripe handles all payment processing. Your card details go directly to Stripe — we never see them. We store only your Stripe customer ID and subscription status to manage your tier.

Third Parties

• Stripe — payment processing for Pro subscriptions
• Cloudflare — hosting, CDN, and DDoS protection

We don't sell your data. We don't share it with advertisers. We don't have data worth selling — it's encrypted and we can't read it.

Data Retention

Your data persists as long as your account is active. Revoking your API key is equivalent to account deletion — without the key, the encrypted data is unrecoverable. We may periodically clean up orphaned encrypted data that can no longer be accessed.

Your Rights

• Export — use the API to retrieve all your memories, items, and working memory at any time.
• Delete — revoke your API key. Your encrypted data becomes permanently inaccessible.

Children

Memento Protocol is not designed for or directed at anyone under 13. We don't knowingly collect data from children.

Changes

We may update this policy. Changes will be posted on this page with an updated effective date. Continued use of the API after changes constitutes acceptance.

Contact

Questions about your data? Send a message.