memrybeta
Join waitlist
Effective 22 May 2026 · v1.0

Privacy Policy
Datenschutzerklärung

This policy explains what personal data memry collects, why we collect it, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR / DSGVO) and the Austrian Data Protection Act.

Contents

  1. Data controller
  2. Scope of this policy
  3. Data we collect
  4. Purposes & legal bases
  5. Source data on behalf of customers
  6. Cookies & tracking
  7. Recipients & subprocessors
  8. International transfers
  9. Retention
  10. Security
  11. Your rights
  12. Complaints
  13. Changes to this policy
  14. Contact the DPO

1. Data controller

The controller responsible for processing your personal data under Art. 4 (7) GDPR is:

memry GmbH
[Street address], [Postcode] Vienna, Austria
Email: privacy@memry.ai
Commercial register: FN [number], Handelsgericht Wien

You can reach our Data Protection Officer at dpo@memry.ai.

2. Scope of this policy

This policy applies to:

  • visitors to memry.ai and any subdomain;
  • users of the memry product (web app, Slack bot, CLI, MCP server);
  • people who contact us via email, phone, or social channels.

It does not cover personal data we process on behalf of our business customers (for example, content indexed from their Slack, Notion, or Google Drive). For that processing memry acts as a processor on the customer's instructions. The customer is the controller, and their own privacy policy applies.

3. Categories of data we collect

3.1 Data you provide directly

  • Account data: name, work email, organisation, role;
  • Communication data: support messages, sales enquiries, feedback;
  • Billing data: company name, billing address, VAT ID, payment method tokens (we do not store full card numbers — see Stripe under recipients).

3.2 Data we collect automatically

  • Usage data: pages visited, features used, click events (only after consent for analytics);
  • Device data: browser type, OS, timezone, viewport;
  • Log data: IP address, timestamps, request paths, status codes.

3.3 Data from third parties

  • When you sign in with Google or Microsoft SSO, we receive your name, email, and profile picture.
  • If a colleague invites you to a workspace, we receive your email address from them.

4. Purposes & legal bases

PurposeData categoriesLegal basis (GDPR)
Operate the website & serviceAccount, log, deviceArt. 6 (1)(b) contract
Authenticate & secure accountsAccount, log, IPArt. 6 (1)(b) contract; Art. 6 (1)(f) legitimate interest
Billing & accountingBilling, accountArt. 6 (1)(b) contract; Art. 6 (1)(c) legal obligation (UGB / BAO)
Customer supportCommunication, accountArt. 6 (1)(b); Art. 6 (1)(f)
Product analyticsUsage, device (pseudonymous)Art. 6 (1)(a) consent
Marketing emails (existing customers)Account, emailArt. 6 (1)(f) legitimate interest, § 107 (3) TKG
Marketing emails (prospects)EmailArt. 6 (1)(a) consent
Fraud, abuse, securityLog, IP, usageArt. 6 (1)(f) legitimate interest
Legal claims & complianceAll relevantArt. 6 (1)(c); Art. 6 (1)(f)

Where we rely on consent (Art. 6 (1)(a)), you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.

5. Customer source data — memry as processor

When a customer connects a source (Slack, Notion, Google Drive, GitHub, Linear, Zoom, etc.) the data flowing through those connectors may contain personal data of the customer's employees, contractors, or third parties.

For that data:

  • memry processes it strictly on the customer's documented instructions under a Data Processing Agreement (DPA);
  • memry does not use it to train models other than the customer's own private indices;
  • memry does not sell, share, or otherwise disclose it;
  • access is permissioned and audit-logged;
  • retention follows the customer's configuration and is deleted on contract end + 30 days.

If you are an end-user of a memry customer and want to exercise data subject rights, please contact your employer's privacy team first — they are the controller.

6. Cookies & similar technologies

We use a minimal set of cookies. Details are in our Cookie Policy. In summary:

  • Strictly necessary (no consent required): session cookie, CSRF token, theme preference, cookie-consent record.
  • Analytics (consent required): Plausible Analytics — EU-hosted, cookie-less by default, no cross-site tracking.

We do not use Google Analytics, Meta Pixel, or other ad-tech trackers on memry.ai.

7. Recipients & subprocessors

We use a short list of vetted subprocessors to operate memry. Each is bound by a written contract under Art. 28 GDPR.

SubprocessorPurposeLocation
Hetzner Online GmbHHosting, storageGermany (EU)
Scaleway SASObject storage, backupsFrance (EU)
Stripe Payments Europe LtdBilling & paymentsIreland (EU); US (under SCCs)
Postmark (ActiveCampaign)Transactional emailUS (under SCCs)
Plausible Insights OÜPrivacy-friendly analyticsEstonia (EU)
Anthropic PBCOptional LLM inference (customer-opt-in)US / EU (under DPA + SCCs)

A current list is available at dpo@memry.ai. We notify customers in advance of any addition or change.

8. International data transfers

Our default infrastructure is in the EU. Where data is transferred to processors outside the EEA, we rely on:

  • EU Standard Contractual Clauses (Decision 2021/914), and
  • where applicable, the EU-US Data Privacy Framework certification of the recipient, and
  • supplementary technical measures (encryption in transit and at rest, pseudonymisation where feasible).

9. Retention

DataRetention period
Account & profileLifetime of account + 30 days after deletion
Billing records7 years (BAO § 132)
Server access logs14 days
Audit logs (customer-visible)90 days (Team) / 12 months (Scale)
Support tickets3 years
Analytics events12 months, aggregated
Marketing consent records3 years after withdrawal

10. Security

We protect data using:

  • TLS 1.3 in transit; AES-256 at rest;
  • least-privilege role-based access; mandatory 2FA for all staff;
  • encrypted backups with a 90-day rolling window;
  • annual third-party penetration testing;
  • SOC 2 Type II audit in progress (expected Q4 2026);
  • a documented incident-response plan; controller notification within 72 hours of a confirmed breach (Art. 33 GDPR).

11. Your rights as a data subject

Under GDPR you have the right to:

  • Access (Art. 15) — request a copy of the data we hold about you;
  • Rectification (Art. 16) — correct inaccurate data;
  • Erasure (Art. 17) — request deletion where no legal basis to keep it;
  • Restriction (Art. 18) — limit processing while a dispute is resolved;
  • Data portability (Art. 20) — receive your data in a machine-readable format;
  • Object (Art. 21) — particularly against direct marketing and processing based on legitimate interest;
  • Withdraw consent at any time, where processing is based on consent;
  • Not be subject to automated decisions (Art. 22) that produce legal or similarly significant effects on you. memry does not make such decisions about visitors or end-users.

To exercise any right, email privacy@memry.ai. We respond within 30 days; we may extend by two months for complex cases and will tell you if so.

12. Right to lodge a complaint

You can lodge a complaint with a supervisory authority — in Austria, the Datenschutzbehörde:

Österreichische Datenschutzbehörde
Barichgasse 40–42, 1030 Vienna
dsb.gv.at · dsb@dsb.gv.at

You may also lodge a complaint with the authority of your habitual residence or place of work.

13. Changes to this policy

We may update this policy from time to time. Material changes are announced at least 14 days in advance via email to account holders and a banner on memry.ai. The "Effective" date at the top reflects the current version. Earlier versions are archived and available on request.

14. Contact

For any privacy question, including subject-rights requests:

memry GmbH — Privacy
Email: privacy@memry.ai
DPO: dpo@memry.ai

This policy was last reviewed on 22 May 2026. Plain-language English version. Where translations are published, the English version prevails in case of conflict.