Privacy Policy

Version 1.0 — Last updated: 7 April 2026

1. Who we are

Memrease is a family memory companion service that helps families share stories and spark gentle daily conversations with elderly relatives. Memrease is operated by Jon Dean ("we", "us", "our") as a sole trader registered in England.

We are the data controller for the personal data processed through this service. You can contact us about any privacy matter at privacy@memrease.app.

2. What data we collect

Curators (family members who create and manage memories):

  • Email address and authentication credentials
  • Display name and family name you provide during onboarding
  • Memory stories (free-text narratives about family events)
  • Photos, audio recordings, and documents you upload
  • Dates, places, and other contextual details you attach to memories
  • Consent records (which permissions you granted and when)

Recipients (the person receiving daily memory prompts, typically an elderly relative):

  • Display name (provided by the curator on their behalf)
  • A hashed PIN used to access the service (we never store the PIN itself)
  • Conversation messages — both their typed or spoken replies and the AI-generated responses
  • Usage timestamps (when prompts were viewed and replied to)

Technical data collected automatically:

  • IP address hash (stored with consent records only, not tracked elsewhere)
  • API usage logs (token counts and estimated costs for AI processing — no personal content is stored in these logs)

3. Special category data

Memory stories may contain information about health conditions, religious beliefs, or other special category data as defined under UK GDPR Article 9. We process this data only with your explicit consent (which you provide during onboarding) and solely for the purpose of generating personalised conversation prompts. We do not use special category data for any other purpose.

4. How and why we use your data

  • Providing the service — storing your memories, generating daily prompts, and facilitating conversations with recipients.
    Legal basis: performance of a contract (UK GDPR Art. 6(1)(b)).
  • AI processing — sending memory stories and conversation messages to Anthropic's Claude AI to generate personalised prompts and responses.
    Legal basis: explicit consent (Art. 6(1)(a)), obtained during onboarding. You can withdraw consent at any time (see Section 8).
  • Security — PIN hashing, session token management, and access logging to protect your account and data.
    Legal basis: legitimate interest (Art. 6(1)(f)) in maintaining the security of the service.
  • Service improvement — aggregated, non-identifiable usage statistics (e.g. total conversations per day) to understand how the service is used.
    Legal basis: legitimate interest (Art. 6(1)(f)). You can object to this processing (see Section 8).

We do not sell your data, share it with advertisers, or use it for profiling or marketing purposes.

5. Who we share your data with

We use the following third-party processors to operate the service:

  • Supabase Inc. — database hosting, file storage, and server-side functions. Your data is stored in the EU (Ireland, eu-west-1). Supabase acts as a data processor under a standard Data Processing Agreement.
  • Anthropic PBC (United States) — AI processing of memory stories and conversations using the Claude API. Anthropic does not retain API input or output data beyond the duration of each request and does not use it to train models. See Anthropic's privacy policy.
  • Vercel Inc. (United States) — web application hosting and content delivery. Vercel processes requests and may temporarily log IP addresses for security purposes.

We do not share your data with any other third parties.

6. International data transfers

Your stored data (memories, messages, photos) is held in the EU (Ireland). When you use the service, memory stories and conversation messages are sent to Anthropic and Vercel in the United States for AI processing and web delivery. These transfers are protected by Standard Contractual Clauses (SCCs) as approved by the UK Information Commissioner. You can request a copy of these safeguards by emailing us.

7. How long we keep your data

  • Account and family data — retained for as long as your account is active. If you delete your account, all data is removed within 30 days.
  • Memories and media — retained until you delete them or delete your account.
  • Conversations and messages — retained for as long as the associated memory exists. Conversations are not shared outside your family.
  • API usage logs — retained for 12 months for billing and service monitoring, then automatically deleted. These logs contain no personal content.
  • Consent records — retained for 6 years after consent is withdrawn or the account is deleted, as required for legal compliance.

8. Your rights

Under UK GDPR you have the following rights. To exercise any of them, email privacy@memrease.app and we will respond within one month.

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct any inaccurate data.
  • Erasure — ask us to delete your data. You can also delete memories and your account directly from the Settings page.
  • Restrict processing — ask us to temporarily stop processing your data while we resolve a concern.
  • Data portability — receive your data in a structured, machine-readable format.
  • Object — object to processing based on our legitimate interests.
  • Withdraw consent — you can withdraw consent for AI processing at any time via the Settings page or by emailing us. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

9. Automated decision-making

Memrease uses AI to generate conversation prompts and responses based on memory stories. This processing is automated but does not produce decisions with legal or similarly significant effects. The AI does not make decisions about eligibility, access, or any other matter that affects your rights. All AI-generated content is conversational in nature.

10. Cookies and local storage

Memrease uses browser local storage (not cookies) to maintain your sign-in session. Recipients use browser session storage for their temporary session token, which is cleared when the browser tab is closed. We do not use tracking cookies, third-party analytics, or any advertising technologies.

11. Children

Memrease is designed for adults. Curator accounts require you to be at least 18 years old. If you believe a child under 18 has provided personal data through the service, please contact us and we will delete it promptly.

12. How we protect your data

All data is encrypted in transit (TLS 1.2+) and at rest. Recipient PINs are hashed with bcrypt before storage. Session tokens are cryptographically signed. Access to the database is restricted to authenticated users and server-side functions operating under the principle of least privilege.

13. Complaints

If you are unhappy with how we handle your personal data, please contact us first at privacy@memrease.app so we can try to resolve the issue. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk/make-a-complaint

14. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email or through a notice in the service before the changes take effect. The version number and date at the top of this page will always reflect the current version.

← Back to Memrease