Skip to content
Mnemoverse

Privacy Policy

Last updated: July 3, 2026

This Privacy Policy explains how Mnemoverse, operated by Eduard Izgorodin ("Mnemoverse", "we", "us", or "our"), collects, uses, discloses, retains, and lets you control personal data when you use our websites, account console, Memory API, SDKs, Model Context Protocol ("MCP") servers, and the Mnemoverse Memory app for ChatGPT (together, the "Services").

This policy applies to data Mnemoverse receives. OpenAI separately controls data it processes in ChatGPT under its own terms and privacy policy. The ChatGPT app does not request or retrieve your full chat history. Mnemoverse receives only the specific tool arguments that ChatGPT sends to perform a request and the authentication and technical data described below.

1. Data We Collect

Account and authentication data

  • Name, email address, profile image, account and organization identifiers, and authentication-provider details when you create or sign in to an account.
  • OAuth client identifier, granted scopes, a pseudonymous user subject identifier, session records, and authorization consent records.
  • OAuth access and refresh tokens and Mnemoverse API keys required to authenticate requests. Secret token values are not returned in tool outputs or written to application logs.

Memory and ChatGPT app data

The app processes only data needed for the tool the user invokes. Its current public tool inputs and outputs are:

  • memory_read: receives a natural-language search query and, optionally, a maximum result count and user-defined domain. It returns matching saved memory text, the user-defined domain, and a memory ID needed for follow-up actions.
  • memory_write: receives the text the user explicitly asks to remember and, optionally, a user-defined domain. It returns whether the memory was stored and its memory ID. The app also records limited provenance: the authenticated user identifier and client environment that performed the write.
  • memory_stats: receives no user content. It returns only the number of saved memories and the names of user-defined domains.
  • memory_feedback: receives memory IDs and an explicit helpful or unhelpful rating. It returns only the number of memories whose rating was recorded.
  • Single-memory resource: receives a memory ID and returns only that memory's ID, saved text, and user-defined domain.

To rank and manage memories, Mnemoverse internally derives embeddings, concepts, similarity and relevance measures, importance and feedback signals, and associations between memories. These derived values are not returned by the public ChatGPT app tools.

Search queries are used to retrieve memories and are not saved as new memories unless the user separately invokes memory_write. Memory content may contain personal data the user chooses to provide. The Services do not need, and users should not submit, passwords, API keys, payment-card data, MFA codes, government identifiers, protected health information, or other highly sensitive data as memory content or search queries.

Technical, security, and usage data

  • IP address, approximate country derived from IP, user agent, browser and device type, requested route, host, timestamps, and rate-limit information.
  • Random request or trace IDs, operation class, response status, duration, authentication success or rejection category, and client environment such as ChatGPT, Claude, Cursor, or API.
  • Website page views and performance data collected through Cloudflare Web Analytics. The marketing site does not use this data to build advertising profiles.

Mnemoverse application logs do not intentionally contain memory text, search text, raw tool responses, OAuth token claims, access tokens, API keys, or raw upstream error bodies. Infrastructure providers may generate their own security and network logs.

Billing and support data

  • Subscription plan, billing status, transaction identifiers, and limited payment metadata. Stripe processes full payment-card details; Mnemoverse does not store full card numbers or card security codes.
  • Messages, email address, attachments, and other information you send when requesting support, exercising privacy rights, or contacting us.

2. How We Use Data

  • Authenticate users, maintain sessions, and enforce permissions.
  • Store, search, return, organize, rate, and delete memories at the user's direction.
  • Return the minimum tool result needed to answer the user's request in ChatGPT or another connected client.
  • Secure the Services, prevent abuse, isolate user data, investigate failures, and maintain reliability.
  • Provide support, billing, service notices, and legal compliance.
  • Measure aggregate website and service performance and improve the Services.

We do not sell personal data, use memory content for advertising, or use private memory content to train public or general-purpose AI models.

3. Legal Bases

Where the GDPR, UK GDPR, or similar law applies, we process account, memory, authentication, and billing data as necessary to provide the Services you request and perform our contract with you. We process limited security, reliability, and aggregate usage data for our legitimate interests in operating and protecting the Services. We rely on consent where required for optional analytics or communications, and on legal obligations where law requires processing or retention.

4. Who Receives Data

We disclose data only as needed to the following recipient categories:

  • Connected client platforms, including OpenAI: receive the minimized tool result so it can be shown to the authenticated user. OpenAI determines how it processes ChatGPT conversations and app results under its own policies.
  • Hosting, network, database, and security providers:including Cloudflare and Railway, which deliver and protect the Services and host application workloads and data stores.
  • Monitoring providers: Axiom and Sentry may process minimized operational and error telemetry when those services are enabled.
  • Authentication providers: Google, GitHub, and our authentication software process sign-in and authorization data when you choose those methods.
  • Billing and email providers: Stripe processes payments, and Resend processes service and support email.
  • Professional advisers and authorities: where reasonably necessary for legal advice, compliance, fraud prevention, protection of rights, or a valid legal request.
  • Business transfers: a buyer, investor, or successor may receive relevant data subject to confidentiality and applicable law in a merger, financing, reorganization, or sale.

We do not permit service providers to use memory data for their own advertising.

5. Retention

  • Saved memories, domains, derived ranking data, and memory IDs: retained until the user deletes the memory or domain, or requests account deletion. Deleted active data is removed promptly; encrypted backups may retain residual copies for up to 90 days.
  • Search queries and transient tool arguments: used for the request and not stored as new memories. If captured in short-lived security or failure telemetry, retained for no more than 30 days.
  • Operational and security logs: retained for up to 30 days, except a specific security incident may require relevant records to be isolated and kept for up to 12 months.
  • OAuth authorization codes: up to 10 minutes; access tokens: up to 1 hour; sessions and refresh tokens: up to 30 days. Revoked credentials may be retained as hashes or revocation records for up to 30 days to prevent reuse.
  • Account and consent records: retained while the account is active and deleted or anonymized within 30 days after an approved account-deletion request, subject to backups and legal obligations.
  • Support communications: retained for up to 24 months after the request is closed.
  • Billing and transaction records: retained for up to 7 years where required for tax, accounting, fraud-prevention, or legal obligations.
  • Aggregate website analytics: retained for up to 13 months. Aggregated data that no longer identifies a user may be kept longer.

6. Your Controls and Rights

  • Control app access: disconnect Mnemoverse in ChatGPT at any time. Disconnecting stops new app access but does not by itself delete memories already stored with Mnemoverse.
  • Delete memory: use available Mnemoverse API or MCP deletion controls, delete a domain where supported, or contact us.
  • Credentials: revoke Mnemoverse API keys from the console and revoke connected-app access from the relevant account or client settings.
  • Access, export, correction, or deletion: request a copy of your data, correct account data, object to or restrict certain processing, withdraw consent, or request account deletion by emailing us. Withdrawal does not affect processing already performed.
  • Complaint: where applicable, complain to your local data-protection authority.

Send privacy requests to support@mnemoverse.com. We may need to verify that the requester controls the relevant account.

7. Security and International Transfers

We use encryption in transit, access controls, tenant isolation, short-lived OAuth credentials, rate limits, secret redaction, and monitoring designed to protect data. No system is completely secure. Our providers may process data in countries other than yours. Where required, we use contractual and other lawful transfer safeguards.

8. Children

The Services are not directed to children under 13, and we do not knowingly collect personal data from children under 13. Users aged 13 to 17 should use the Services only with any consent required by local law and should not store sensitive personal information.

9. Changes to This Policy

We may update this policy as the Services or law changes. We will post the updated policy here, change the "Last updated" date, and provide additional notice when required.

10. Contact

Mnemoverse is operated by Eduard Izgorodin. For privacy questions or requests or product support, email support@mnemoverse.com.