Privacy Policy

Last updated: April 20, 2026

The short version

Your memories are yours. We store them so the Service works, process them with AI so they’re searchable, and never sell them or use them to train anyone’s models. Sub-processors are listed below. You can export or delete everything at any time.

Who we are

memax (“memax”, “we”, “us”) is operated by MemaxLabs, Inc. This policy explains what data we handle when you use memax.app, the memax CLI, the memax SDK, and our hosted MCP server.

What we collect

Account information

When you sign in with GitHub or Google, we receive your email, name, avatar URL, and the provider’s stable user ID. If you link both providers, we keep both identities tied to one account. We do not receive your password.

Your content

Anything you push to memax: notes, transcripts, code snippets, files, and metadata you attach (titles, topics, source tags). This includes content captured by AI agents you connect (Claude Code, Codex, Cursor, ChatGPT, and similar) when you authorize them to write to memax on your behalf.

File attachments

Original files you attach to a memory (PDFs, images, documents) are uploaded directly from your browser to our object storage using short-lived signed URLs. We store the file, its filename, and content type.

Hub and team data

If you create or join a hub, we store the hub name, your role (owner, admin, member), and any invites you send. Memories you explicitly publish to a hub are visible to other hub members according to their role.

API keys and agent grants

When you generate an API key, we store a one-way hash of the key along with a short prefix for identification, the scopes you chose, and the time it was last used. We never store the raw key. When an AI agent connects via OAuth, we record the agent and the grant so you can revoke it later.

Usage and operational logs

We log API requests (including IP address and user agent) for reliability, debugging, abuse prevention, and rate limiting, and we log which memories were retrieved for a query so we can improve relevance. We do not record keystrokes, mouse movements, or browsing activity outside memax.

Product analytics (optional)

When enabled in our deployment, we use PostHog to record high-level events (page views, feature usage, errors) tied to your account ID. We do not send the contents of your memories, queries, or files to the analytics pipeline.

Waitlist and pre-launch signups

If you join the waitlist before getting an invite, we collect your email and the optional context you provide (use case, role, tools you use). We use this to prioritize invites and to send you status updates about your spot in line.

How we use your data

  • To run the Service: store, index, search, and serve your memories back to you and to agents you authorize.
  • To organize, summarize, and answer questions over your content using the AI sub-processors listed below.
  • To meter usage against the limits of your plan and to bill you (when paid plans are active).
  • To send transactional email (sign-in confirmations, hub invites, security notices, account changes). These are required; you cannot opt out of them while your account is active.
  • To send occasional product updates and tips to the email on your account. You can opt out at any time using the unsubscribe link in any such email or from your account settings.
  • To detect and prevent abuse, fraud, and security incidents.
  • To comply with legal obligations and to enforce our Terms.

Sub-processors

We share data with the providers below only as needed to operate the Service. None of them are permitted to use your content to train their own models.

  • Anthropic (United States) — Claude models for classification, summarization, query rewriting, and answer synthesis. Receives the memory text or query needed for each operation. Anthropic does not train on API inputs or outputs.
  • Voyage AI (United States) — Embeddings used to power semantic search. Receives memory text and queries. Voyage does not train on API inputs.
  • Resend (United States) — Transactional and product email delivery. Receives recipient email, subject, and message body.
  • Cloudflare R2 (global) — Object storage for memory file attachments. Stores the files at rest.
  • Neon (United States) — Managed database hosting. Stores accounts, memories, and operational records.
  • Upstash (United States) — Managed cache for short-lived results, rate-limit counters, and usage metering.
  • Fly.io (United States) — Hosting for the API server and background worker.
  • Vercel (United States) — Hosting for the memax.app web application and docs.memax.app developer hub.
  • PostHog (United States, optional) — Product analytics for high-level usage events. Disabled in deployments where the integration is not configured.
  • GitHub, Google (United States) — OAuth identity providers. We exchange tokens with them only when you sign in or link an account.

We’ll update this list before adding a new sub-processor that handles personal data or memory content.

How we don’t use your data

  • We don’t sell your data.
  • We don’t use your content to train AI models — ours or anyone else’s.
  • We don’t show ads.
  • We don’t share your data with anyone outside the sub-processors above, except when we’re legally required to (and we’ll push back on overbroad requests).
  • We don’t read your content for any purpose other than running the Service. Engineers may access account data on a need-to-know basis to debug a specific issue.

Access boundaries

Memories are private by default and invisible to other users unless you explicitly publish them to a hub. Within a hub, content is visible only to other hub members at the role you chose. We enforce account isolation at the data layer, not just in application code.

Security

All traffic is served over HTTPS. Data at rest is encrypted by our infrastructure providers. API keys are stored as one-way hashes, and sign-in sessions use short-lived access tokens.

No system is perfectly secure. If you believe you’ve found a vulnerability, email security@memaxlabs.com and we’ll respond within two business days.

Where your data lives

Our primary infrastructure is hosted in the United States. Some sub-processors (notably Cloudflare R2) operate globally and may cache or serve data from other regions. If you’re in the EEA, the UK, or Switzerland, your data may be transferred to the United States; we rely on the providers’ standard contractual clauses for those transfers.

How long we keep things

  • Memories, files, and account data: until you delete them or close your account.
  • Deleted agent configs: retained in a tombstoned state for 30 days so you can restore them, then permanently removed.
  • Operational logs and short-lived caches: kept only as long as needed to operate the Service.
  • Closed accounts: content is removed from active systems within 30 days of confirmation. Backups roll off on their normal cycle (up to 30 additional days).

Your rights

  • Access: View any memory through the app, CLI, or API.
  • Export: Download your memories as plain text or markdown via the CLI or API. There is no proprietary lock-in.
  • Correct: Edit any memory or your profile from the app.
  • Delete: Remove individual memories at any time, or request full account deletion (see Contact below).
  • Object & restrict: If you’re in the EEA, the UK, Switzerland, California, or another jurisdiction with applicable privacy law, you can ask us to restrict or stop processing your data, withdraw consent, or lodge a complaint with your local data protection authority.
  • No sale, no “sharing”: We do not sell personal information and do not share it for cross-context behavioral advertising under the CCPA/CPRA.

Cookies and local storage

We don’t set tracking cookies. The web app uses your browser’s localStorage to keep your sign-in token, the currently active hub, and your interface preferences (locale, recent navigation). When PostHog is enabled, it stores its own anonymous distinct ID in localStorage. Sign-out clears the memax keys.

Children

memax is not directed to children under 13 (or under 16 in the EEA), and we do not knowingly collect data from them. If you believe a child has created an account, email us and we’ll delete it.

Changes

We may update this policy. If we make a change that materially reduces your rights or expands how we use your data, we’ll tell you in the app or by email before it takes effect. The “last updated” date above always reflects the current version.

Contact

Privacy questions, data export requests, or account deletion requests: privacy@memaxlabs.com. General questions: team@memaxlabs.com. We aim to respond within five business days and to complete verified deletion requests within 30 days.