Privacy Policy

Last updated: April 2026

What we collect

Memset collects the minimum data necessary to provide the service:

  • Account information: Email address, display name, and hashed password (or OAuth provider ID).
  • Memories: Content you explicitly store via /remember, the CLI, API, or dashboard. We do not access your AI conversations unless you choose to save them or enable optional features like Ghost Memory (which processes conversation context locally in your browser to find relevant memories).
  • Usage metadata: Memory counts, tier, last active timestamp. No behavioral tracking or analytics.

How we use your data

  • To store and retrieve your memories when you request them.
  • To generate vector embeddings (via OpenAI) for semantic search. Only your memory content is sent; never your email, password, or account details.
  • To manage your subscription and billing (via Stripe).

AI processing

Several features use OpenAI's API to process your data. In every case, only the minimum necessary content is sent. Your email, password, and account details are never included. Under OpenAI's API data usage policy, API inputs and outputs are not used to train their models.

  • Semantic search — Memory content is sent to OpenAI's embedding model (text-embedding-3-small) to enable meaning-based search.
  • Contradiction detection — When you store or update a memory, nearby memories are compared using a language model (gpt-4o-mini) to flag contradictions.
  • Synthesis & insights — Memory content is sent to a language model (gpt-4o-mini) to generate thematic clusters and summaries.
  • Learning recommendations — A summary of your memory topics (not full content) is sent to a language model (gpt-4o-mini) to suggest learning paths.
  • Career analysis — Career-related memory content is sent to a language model (gpt-4o-mini) to generate skill graphs and career insights.
  • Voice memos — When you upload an audio file, it is sent to OpenAI's speech-to-text model (Whisper) for transcription. The audio is processed transiently and is not stored by OpenAI.
  • Photo OCR & image analysis — When you upload an image, it is sent to OpenAI's vision model (GPT-4o) for text extraction or visual Q&A. The image is processed transiently and is not stored by OpenAI.

What we never do

  • We never train AI models on your data.
  • We never sell, share, or monetize your data.
  • We never read your memories unless you request support.
  • We never use third-party analytics or ad trackers.

Browser extension

The Memset browser extension communicates only with our API. It does not read, log, or transmit your browsing history or any data from sites other than supported AI platforms.

  • /remember & /recall — Activated only when you type a command. Captures content you explicitly choose to save.
  • Ghost Memory — An opt-in feature that injects relevant memories as context into your AI conversations. You can disable it at any time from the extension popup.
  • Style Memory — When enabled, the extension observes high-level patterns in your messages (e.g. detail level, tone) to build a communication style profile. No message content is stored or transmitted — only aggregate style signals.

Data storage & security

Your data is stored in a PostgreSQL database hosted on Railway (US region). Passwords are hashed with bcrypt. API keys are hashed and only the prefix is stored. All API communication uses HTTPS/TLS. Database access is restricted to the application service only.

Your rights (GDPR / CCPA)

  • Export: Download all your data at any time via Settings or CLI (memset export).
  • Delete: Permanently delete your account and all data from Settings.
  • Portability: Export as JSON or Markdown — take your brain anywhere.

Third-party services

  • OpenAI: For embeddings, language model analysis, speech-to-text, and vision processing as described in the AI Processing section above. API data is not used to train OpenAI models.
  • Stripe: For payment processing. We never see your full card number.
  • Railway: Infrastructure hosting (PostgreSQL, Redis, API).
  • Google / Microsoft: If you connect a calendar or use OAuth login, we access event data or profile information via their APIs using tokens you authorize. OAuth tokens are encrypted at rest.
  • Slack / Microsoft Teams: If you connect a Slack or Teams workspace, messages sent to the bot are processed through our API to store and recall memories. Workspace and user link data is stored to route commands.
  • WorkOS: If your organization uses enterprise SSO (SAML/OIDC), authentication flows are handled through WorkOS as our identity provider.
  • Email delivery: Transactional emails (account verification, digests) are sent through our email service provider. Only your email address and the message content are shared.

Contact

For privacy questions or data requests (access, deletion, export), email [email protected].