Reflect Memory

Privacy Policy

Last updated: April 2026

1. Overview

Reflect Memory Inc. ("we," "our," or "us") is a privacy-first AI memory system. We store only what you explicitly choose to save. You control what gets stored, who can access it, and when it gets deleted. We do not sell, rent, or trade your data.

2. What We Collect

We collect and store the following:

  • Account information: Email address (for magic link sign-in). We do not collect passwords.
  • Memory content: The title, content, tags, and metadata of memories you create. This is user-authored data you explicitly write or approve.
  • Technical data: IP address and request logs for security, rate limiting, and operational debugging. Logs are retained for a limited period and do not include memory content.

Version history: When you edit a memory, previous versions are retained so you can review changes. Version history is tied to your account and follows the same access and deletion rules as the memory itself.

We do not collect: browsing history, location data, or any information from your AI conversations that you do not explicitly choose to save to Reflect Memory.

3. How We Use Your Data

  • Provide the Reflect Memory service to you
  • Enable AI integrations (ChatGPT, Claude, Cursor, etc.) to read and write memories at your request
  • Respond to support inquiries
  • Enforce security, prevent abuse, and comply with legal obligations

We do not use your memory content for training AI models, targeted advertising, or any purpose other than delivering the service you signed up for.

4. Team Sharing

If you belong to a team workspace, you may choose to share individual memories with your team. Shared memories become visible to other authenticated members of that team. You control which memories are shared; nothing is shared automatically. Team administrators can manage membership but cannot modify your personal memories.

5. Data Storage and Security

Storage: Memory data is stored in an isolated SQLite database with per-user scoping. Your data is never mixed with other users' data. Automated backups are written to secure, encrypted storage.

Transmission: All data transmitted between your devices, our API, and connected AI tools uses HTTPS/TLS encryption.

Access control: All access requires authentication via API keys, OAuth tokens, or SSO. When you connect an AI tool (ChatGPT, Claude, Cursor, etc.), you explicitly consent through an OAuth authorization flow that grants a per-user token scoped to your account. We use timing-safe comparison and industry-standard practices for credential validation.

Audit logging: We maintain structured security audit logs (authentication events, access patterns, rate-limit triggers) for abuse prevention and compliance. Audit logs do not contain memory content and are pruned according to a configurable retention period (default 90 days).

6. Your Rights

You have the right to:

  • Access: View all memories and account data via the dashboard or API
  • Delete: Remove individual memories or your entire account and all associated data at any time. Deleted memories are soft-deleted and purged within 30 days
  • Export: Retrieve your data via the API in standard formats
  • Correct: Edit or update your memories and account information
  • Object and restrict: Contact us to object to processing or request restrictions

To exercise these rights, use the dashboard or contact us at privacy@reflectmemory.com.

7. Third-Party Services

We use the following third parties:

  • Hosting (Railway): Server infrastructure for the API and database
  • Backups (Cloudflare R2): Encrypted database backups
  • AI models (OpenAI, Anthropic, etc.): Used only when you invoke the query feature to generate summaries from your memories. Memory content is sent only to the model provider you choose, and only for that request

Each provider has its own privacy policy. We do not share your data with advertisers or data brokers.

8. GDPR and International Compliance

For users in the European Economic Area and United Kingdom, we process your data on the following bases: (1) contract performance (providing the service you requested), (2) legitimate interests (security, abuse prevention), and (3) consent where required. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

We support data subject access requests, deletion requests, and portability. We do not engage in automated decision-making or profiling. You have the right to lodge a complaint with your supervisory authority.

9. Data Retention

Memories are retained until you delete them. Trashed memories are purged within 30 days. Security and operational logs are retained for a limited period necessary for debugging and compliance. Backups are retained according to our backup retention policy.

10. Enterprise and Self-Hosted Deployments

For enterprise customers using our self-hosted or isolated-hosted deployment options, all memory data, authentication credentials, and database files remain entirely within the customer's own infrastructure. No data leaves the customer's network unless they explicitly configure external model providers. Self-hosted deployments are governed by the customer's own data policies in addition to this policy.

11. Children

Reflect Memory is not intended for users under 16. We do not knowingly collect data from children. If you believe we have collected data from a child, contact us and we will delete it promptly.

12. Changes

We may update this policy from time to time. Material changes will be posted on this page with an updated "Last updated" date. Continued use of the service after changes constitutes acceptance.

13. Contact

For privacy-related questions or requests, contact:

privacy@reflectmemory.com
