Privacy Policy
Last updated: April 23, 2026
1. General Information and Definitions
This Privacy Policy describes how Memsolus ("we", "our", or "Platform") collects, uses, stores, shares, and protects your personal data, in compliance with the Brazilian General Data Protection Law (Law No. 13,709/2018 — LGPD). For the purposes of this policy: "Personal Data" means any information related to an identified or identifiable natural person; "Data Subject" is the natural person to whom the personal data relates; "Processing" means any operation performed on personal data; "Controller" is Memsolus, responsible for decisions regarding the processing of personal data; "Workspace" is the isolated environment within the Platform where your data and settings are stored.
2. Data Collected
We collect the following categories of data: (a) Registration data provided by you: name, email address, and password; (b) Social authentication data: when using login via Google, GitHub, or Discord, we receive your name, email, and public identifier from the provider — we do not receive or store your provider password; (c) Usage data collected automatically: IP address, browser user-agent, access time, and session identifier, recorded with each authentication and API operation; (d) Billing data: processed directly by Stripe, Inc. — we do not store credit card numbers on our servers; (e) Memory content: texts, metadata, and information you voluntarily store on the Platform through the API, SDK, MCP Server, or dashboard; (f) Audit data: automatic records of operations performed on the account, including source IP and action type, for security and compliance purposes.
3. Legal Basis for Processing (LGPD Art. 7)
Each data processing activity performed by Memsolus has a specific legal basis: (a) Contractual performance (Art. 7, V): memory processing, authentication, account management, billing, and provision of the contracted service; (b) Legitimate interest of the controller (Art. 7, IX): audit logging, fraud detection, abuse prevention, platform security, and service improvement, always respecting your fundamental rights and freedoms; (c) Legal obligation compliance (Art. 7, II): maintenance of tax records and data required by applicable legislation; (d) Consent (Art. 7, I): use of analytical cookies and sending marketing communications, revocable at any time.
4. Use of Information
We use your data exclusively to: provide, operate, and maintain the Platform; process your memories with artificial intelligence models for embedding generation, categorization, and semantic search; authenticate your access and manage sessions; process billing and manage your subscription; record audit trails for security and compliance; send operational notifications about the service; and comply with legal obligations. We do not use the content of your memories to train proprietary or third-party artificial intelligence models.
5. Processing by Artificial Intelligence Providers
To provide semantic search, categorization, and natural language processing functionalities, stored content may be sent to third-party artificial intelligence providers selected and managed exclusively by Memsolus. The Platform uses multiple AI providers with redundancy to ensure service availability and quality. This processing is performed exclusively for the execution of the contracted service. AI providers act as data processors under Memsolus's instructions and are contractually obligated not to retain, use, or train models with your data. The selection and management of providers is Memsolus's sole responsibility, and provider access credentials are stored with bank-grade encryption.
6. Security and Data Protection
Security is a fundamental pillar of Memsolus. Our architecture was designed with security from the ground up (security by design), following industry best practices, OWASP recommendations, and LGPD requirements. We implement multiple layers of protection: sensitive data at rest is protected with bank-grade authenticated encryption, with unique keys derived per record; data in transit is protected by the TLS protocol on all connections; user passwords are processed with state-of-the-art secure hashing algorithms with multiple layers of protection, making brute-force attacks impractical; tokens and access credentials are hashed before storage — the original value is never persisted. Our infrastructure runs on cloud providers with geographic redundancy, using isolated containers, private networks, and automated encrypted backups. Each request passes through a fixed-order security validation chain — rate limiting, workspace isolation, quota verification, and feature verification — before reaching business logic.
7. Authentication, Access, and Data Isolation
We support multiple authentication methods with defense in depth: access tokens with rotating refresh; two-factor authentication via authenticator apps (TOTP) and email codes, with protected recovery codes; social login via Google, GitHub, and Discord with request forgery protection; and API Keys with granular permissions organized by resource. Sensitive account management endpoints are protected by authenticated session-only access — API keys cannot access account data, change passwords, or manage 2FA. Each account supports multiple simultaneous sessions, individually manageable with selective or bulk revocation. Each workspace operates with complete isolation by design. Memories, settings, API keys, webhooks, and member data are segregated by workspace across all application layers. A global guard validates ownership or membership before allowing any operation, preventing IDOR (Insecure Direct Object Reference) attacks. The guard supports 4 access levels: Owner, Admin, Member, and Viewer. Isolation is verified on each request — there is no cross-workspace access on any endpoint.
8. Auditing, Monitoring, and Abuse Protection
We automatically log a comprehensive set of events covering all relevant operations: authentication, account management, 2FA, API keys, workspace and member operations, data operations, webhook configuration, billing, and exports. The audit trail includes differentiated visibility levels for compliance and diagnostics. Critical security actions generate automatic alerts for immediate investigation. The Platform implements multiple layers of abuse protection: request limiting by IP and by account; plan limit verification before each operation; plan-enabled feature verification; denial-of-service attack protection at the infrastructure layer; and account enumeration protection mechanisms in authentication operations.
9. Incident Response and Responsible Disclosure
We maintain a structured security incident response process. In the event of a confirmed breach that may pose relevant risk to data subjects, we will notify affected users and the National Data Protection Authority (ANPD) within a reasonable timeframe, as required by LGPD (Art. 48). We perform root cause analysis and implement preventive fixes for each incident. If you discover a vulnerability, we ask that you report it responsibly via the email provided at the end of this policy. Do not take actions that could compromise other users' data. We investigate all reports with maximum priority and confidentiality.
10. Data Sharing
We do not sell, rent, or trade your personal data. Sharing occurs exclusively in the following cases: (a) Stripe, Inc. — payment processing and subscription management, as a data processor; (b) AI Providers — as described in Section 5, under contractual instruction and only for service execution; (c) Cloud infrastructure providers — hosting and storage, with encryption at rest and in transit; (d) Legal obligation compliance — when required by competent authority, through court order or valid administrative procedure; (e) Workspace members — when inviting members to your workspace, they will have access to shared data in that environment, according to assigned permissions (Owner, Admin, Member, or Viewer). Each workspace operates with complete isolation — data from one workspace is inaccessible to another.
11. Cookies and Tracking Technologies
We use essential cookies for authentication, session management, and Platform operation — these are strictly necessary and do not require consent. Analytical cookies, when used, are activated only with your prior consent and serve exclusively to improve the user experience. You can manage your cookie preferences at any time through your browser settings. Disabling essential cookies may prevent the Platform from functioning properly.
12. Your Rights as a Data Subject (LGPD Art. 18)
Under the LGPD, you have the right to: (I) confirmation of the existence of data processing; (II) access to your personal data; (III) correction of incomplete, inaccurate, or outdated data; (IV) anonymization, blocking, or deletion of unnecessary data or data processed in non-compliance; (V) data portability — export in JSON format through the Platform's export functionality, available in account settings, with a link valid for 48 hours; (VI) deletion of personal data processed based on consent; (VII) information about entities with which your data has been shared; (VIII) information about the possibility of not providing consent and its consequences; (IX) revocation of consent at any time. To exercise your rights, access your account settings or contact our Data Protection Officer.
13. Data Retention and Deletion
We retain your data while your account is active and as necessary to provide the service. You can configure your own retention policy in workspace settings, defining periods for automatic archiving and deletion of inactive memories. Automatic deletion is executed daily according to configured periods. When you request account deletion, your personal data, sessions, and access tokens are invalidated immediately. Remaining data is removed according to the applicable retention period. Audit data is maintained for the legally required period for compliance purposes and may be anonymized after that period.
14. Shared Workspaces
When creating or participating in a shared workspace, be aware that: the workspace owner can invite members with different access levels (Owner, Admin, Member, Viewer); authorized members will have access to workspace memories and settings according to their permissions; quota consumption (requests, memories, tokens) by members is counted against the workspace owner's account; when leaving or being removed from a workspace, you lose access to the data contained therein, but the owner retains the data already stored.
15. Minors
Memsolus is not intended for users under 18 years of age. We do not intentionally collect personal data from children or adolescents. If we become aware that we have collected data from a minor without verifiable consent from their legal guardian, we will promptly delete such information, in accordance with Art. 14 of the LGPD.
16. International Data Transfer
Your data may be transferred and processed on servers located outside of Brazil, including by the AI and infrastructure providers mentioned in this policy. These transfers are carried out based on Art. 33 of the LGPD, through contractual clauses that ensure an adequate level of personal data protection, and are subject to the technical safeguards described in Section 6.
17. Data Protection Officer (DPO)
Under Art. 41 of the LGPD, Memsolus has appointed a Data Protection Officer responsible for accepting complaints and communications from data subjects, receiving communications from the National Data Protection Authority (ANPD), and guiding employees on data protection practices. To contact the DPO, use the email indicated at the end of this policy.
18. Changes to This Policy
This policy may be updated periodically to reflect changes in our data processing practices or legal requirements. Substantial changes will be communicated by email or Platform notification with a minimum of 15 days' advance notice. Continued use of the service after changes take effect constitutes acceptance of the updated policy. Previous versions of this policy may be requested from the Data Protection Officer.
Data Protection Officer (DPO)
To exercise your rights as a data subject, clarify questions about data processing, or file a complaint, contact our Data Protection Officer.
support@memsolus.com