Privacy Policy
How MnemoShare handles your information
Last Updated: March 1, 2026 | Effective Date: March 1, 2026
MnemoShare LLC ("MnemoShare", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website (mnemoshare.com), purchase our software, or use our services, including our cloud-hosted (SaaS) and self-hosted deployment models.
Key Point: MnemoShare is available as both a cloud-hosted (SaaS) service and self-hosted software. In both models, Customer Data is encrypted at rest using AES-256-GCM with per-organization encryption keys. For self-hosted deployments, your data resides entirely on your infrastructure. For SaaS deployments, your data is stored in isolated, encrypted storage that we manage on your behalf — but we do not intentionally access or decrypt your data.
1. Information We Collect
1.1 Information You Provide
When you purchase a license, subscribe to our SaaS service, or create an account, we collect:
- Account Information: Name, email address, company name, job title
- Billing Information: Payment method details (processed by our payment providers PayPal and Square), billing address
- Communications: Support tickets, feedback, and correspondence with our team
1.2 Information Collected Automatically
When you visit our website or use our services:
- Device Information: Browser type, operating system, device type
- Usage Data: Pages visited, time spent, referring URLs
- Log Data: IP address, access times, error logs
- Cookies: Session identifiers, preferences (see Cookie Policy below)
1.3 License Validation Data
When MnemoShare software validates your license, it transmits:
- License Key (encrypted)
- Deployment ID (unique identifier for the installation)
- Software version number
- Server hostname (optional, for your reference only)
1.4 SaaS Infrastructure Data
For SaaS customers, we additionally collect and process data necessary to operate and maintain your cloud-hosted instance:
- Instance Metadata: Subdomain, tenant identifier, subscription tier, provisioned resources
- Operational Logs: Application health metrics, error logs, resource utilization (CPU, memory, storage), and uptime data
- Authentication Events: Login timestamps, session counts, and authentication method used (for security monitoring and anomaly detection)
We do NOT routinely collect or inspect file contents, the substance of data stored within your instance databases, or decrypted Customer Data. See Section 5 for details on our SaaS data handling practices.
2. How We Use Your Information
We use collected information to:
- Provide Services: Issue and validate license keys, provision and maintain SaaS instances, provide software updates, deliver support
- Process Payments: Complete transactions, send invoices, manage subscriptions
- Operate Infrastructure: Monitor system health, perform maintenance, ensure availability and security of SaaS instances
- Communicate: Send service updates, security alerts, and (with consent) marketing materials
- Improve Products: Analyze usage patterns to enhance features and performance
- Legal Compliance: Meet regulatory requirements, prevent fraud, enforce our terms
3. Information Sharing
We do not sell your personal information. We may share information with:
3.1 Service Providers
- Payment Processors: PayPal and Square process payments on our behalf
- Email Services: SendGrid delivers transactional and marketing emails
- Analytics: Google Analytics helps us understand website usage
- Cloud Infrastructure: DigitalOcean and Amazon Web Services host our website, SaaS instances, and related infrastructure
- Object Storage: DigitalOcean Spaces provides encrypted object storage for SaaS customer files
3.2 Legal Requirements
We may disclose information if required by law, court order, or government request, or to protect our rights, property, or safety.
3.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
4. Data Security
We implement appropriate technical and organizational measures to protect your information:
- TLS encryption for all data in transit
- AES-256-GCM encryption for Customer Data at rest
- Per-organization isolation with dedicated encryption keys and storage
- Access controls and authentication requirements
- Regular security assessments
- Employee security training
However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
5. SaaS Customer Data Handling
Important: This section applies to customers using our cloud-hosted (SaaS) service. For self-hosted customers, your data resides entirely on your own infrastructure and MnemoShare does not have access to it.
5.1 Data Encryption and Isolation
All Customer Data stored within your SaaS instance is encrypted at rest using AES-256-GCM with per-organization encryption keys. Files are stored in isolated, per-customer S3-compatible storage buckets. Database records are similarly isolated per tenant. This encryption architecture means that even with infrastructure-level access, Customer Data cannot be read without the corresponding decryption keys and deliberate action to decrypt.
5.2 No Intentional Access to Customer Data
MnemoShare does not intentionally access, view, or decrypt Customer Data. We will never deliberately open, read, download, or decrypt files that you or your users have uploaded to your MnemoShare instance. We do not monitor the content of your transfers, review your audit logs for non-security purposes, or inspect your organizational data.
5.3 Maintenance and Incidental Exposure
In the course of operating, maintaining, troubleshooting, and securing the SaaS infrastructure, our personnel may encounter limited metadata or system-level information, such as:
- File names and paths visible in storage bucket listings or application logs
- Database record metadata such as collection names, document counts, or index structures visible during database maintenance
- User account information such as usernames, email addresses, or organization names stored in the application database
- System logs that may reference file operations, transfer activity, or error details
Any such incidental exposure is limited to what is necessary for the maintenance task at hand. Personnel who encounter Customer Data incidentally are bound by confidentiality obligations and are prohibited from using or disclosing such information for any purpose other than performing the authorized maintenance activity.
5.4 When We May Access Infrastructure
MnemoShare may access Customer infrastructure components (not decrypted data) for the following limited purposes:
- Applying security patches, software updates, and infrastructure upgrades
- Investigating and resolving technical issues, outages, or performance degradation
- Responding to Customer-initiated support requests
- Monitoring for and responding to security threats or incidents
- Ensuring compliance with our Acceptable Use Policy
- Complying with valid legal process (e.g., court orders, subpoenas)
5.5 Data Portability and Deletion
SaaS customers may export their data at any time through the MnemoShare application interface. Upon subscription termination, Customer Data is retained for thirty (30) days to allow for export, after which it is permanently deleted from our systems, including all encrypted files, database records, and backups.
6. Data Retention
We retain information for as long as necessary to:
- Provide our services and fulfill the purposes described in this policy
- Comply with legal obligations (e.g., tax records for 7 years)
- Resolve disputes and enforce agreements
License validation records are retained for the duration of your subscription plus 2 years. SaaS Customer Data is retained for 30 days following subscription termination (see Section 5.5). You may request deletion of your personal data (see Your Rights below).
7. Cookies and Tracking
Our website uses cookies and similar technologies. When you first visit our site, you will be asked to choose which categories of cookies you consent to. You can change your preferences at any time using the cookie settings link in our site footer.
7.1 Essential Cookies
These cookies are strictly necessary for the website to function. They cannot be disabled.
| Cookie Name | Purpose | Duration |
|---|---|---|
| authjs.session-token | Maintains your authenticated session after sign-in | 30 minutes |
| authjs.csrf-token | Protects authentication requests from cross-site request forgery | Session |
| authjs.callback-url | Remembers the page you were on before signing in | Session |
| csrf_token | Protects API requests from cross-site request forgery attacks | 24 hours |
| cookie_consent | Stores your cookie consent preferences | 1 year |
7.2 Analytics Cookies
These cookies help us understand how visitors interact with our website, allowing us to improve the user experience. They are only set if you consent to analytics cookies.
| Cookie Name | Provider | Purpose | Duration |
|---|---|---|---|
| _ga | Google Analytics | Distinguishes unique users | 2 years |
| _ga_* | Google Analytics | Maintains session state | 2 years |
| _gid | Google Analytics | Distinguishes users for a 24-hour period | 24 hours |
We configure Google Analytics with IP anonymization enabled. Analytics data is used in aggregate form and is not linked to your personal identity.
7.3 Marketing Cookies
These cookies are used to measure the effectiveness of our advertising campaigns. They are only set if you consent to marketing cookies.
| Cookie Name | Provider | Purpose | Duration |
|---|---|---|---|
| _fbp | Meta (Facebook) | Tracks visits across websites for ad targeting | 90 days |
| _fbc | Meta (Facebook) | Stores click identifier from Facebook ad links | 90 days |
7.4 Managing Your Cookie Preferences
You can manage your cookie preferences at any time by clicking the "Cookie Settings" link in our website footer. You can also control cookies through your browser settings. Note that disabling essential cookies may affect site functionality.
If your browser sends a Do Not Track (DNT) signal, we will respect it and disable all non-essential cookies automatically.
When you revoke consent for analytics or marketing cookies, we actively delete those cookies from your browser. Previously collected data that has been anonymized and aggregated cannot be individually removed.
8. Your Rights (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):
8.1 Legal Basis for Processing
We process your personal data based on the following legal grounds:
- Contract Performance (Art. 6(1)(b)): Processing necessary to fulfill our service agreement with you — including license validation, SaaS instance provisioning, account management, and support.
- Legitimate Interest (Art. 6(1)(f)): Website analytics, security monitoring, infrastructure maintenance, and product improvement, where our interest does not override your data protection rights.
- Consent (Art. 6(1)(a)): Analytics and marketing cookies, marketing emails, and optional behavioral tracking. You can withdraw consent at any time.
- Legal Obligation (Art. 6(1)(c)): Tax records, fraud prevention, and compliance with applicable laws.
8.2 Your Data Subject Rights
- Right of Access (Art. 15): Request a copy of the personal data we hold about you, including information about how it is processed.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to Erasure (Art. 17): Request deletion of your personal data when it is no longer needed for the purpose it was collected, or when you withdraw consent.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format (JSON or CSV) and transmit it to another controller.
- Right to Object (Art. 21): Object to processing based on legitimate interests, including profiling and direct marketing.
- Right to Restriction (Art. 18): Request restriction of processing while we verify accuracy or assess an objection.
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent for analytics/marketing cookies and marketing emails at any time without affecting prior processing.
To exercise these rights, contact us at info@mnemoshare.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.
8.3 Data Protection Officer
For GDPR-related inquiries, contact our privacy team at privacy@mnemoshare.com.
9. International Transfers
Your information may be transferred to and processed in the United States, where our servers are located. For transfers from the EEA/UK to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as appropriate safeguards under GDPR Article 46(2)(c). Our sub-processors (PayPal, Square, SendGrid, Google, DigitalOcean) maintain their own SCCs or equivalent safeguards. You may request a copy of the applicable safeguards by contacting us.
10. HIPAA and Healthcare Data
Important: MnemoShare software is designed for HIPAA compliance. For SaaS customers, we act as a Business Associate and will execute a Business Associate Agreement (BAA) that defines our obligations regarding Protected Health Information (PHI). For self-hosted customers, PHI is stored on your infrastructure and we are not a Business Associate by default, but we will execute a BAA upon request for our support services.
10.1 Self-Hosted Deployments
MnemoShare does not access, process, or store PHI for self-hosted deployments. File encryption, access controls, and audit logging are performed entirely within your self-hosted deployment.
10.2 SaaS Deployments
For SaaS deployments where Customer Data may include PHI, MnemoShare implements administrative, physical, and technical safeguards as required under HIPAA. All PHI is encrypted at rest (AES-256-GCM) and in transit (TLS). Our personnel do not intentionally access or decrypt PHI. Any incidental exposure during infrastructure maintenance is governed by our BAA and internal data handling policies. SaaS customers handling PHI must have an executed BAA in place.
11. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
11.1 Your CCPA Rights
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, completing transactions).
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell your personal information and do not share it for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information: We only use sensitive personal information (payment details) for processing your transactions — no secondary purposes.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.
11.2 Categories of Personal Information
In the preceding 12 months, we may have collected the following categories:
| Category | Examples | Sold? |
|---|---|---|
| Identifiers | Name, email, IP address | No |
| Commercial information | Purchase history, license records, subscription details | No |
| Internet activity | Pages visited, referral URLs (with consent) | No |
| Professional information | Company name, job title | No |
11.3 How to Exercise Your Rights
Submit a verifiable consumer request by emailing privacy@mnemoshare.com or calling us. We will verify your identity before processing. You may designate an authorized agent to make a request on your behalf. We will respond within 45 days (extendable by an additional 45 days if necessary).
12. Children's Privacy
Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last Updated" date. Your continued use of our services after such changes constitutes acceptance of the updated policy.
14. Contact Us
For questions about this Privacy Policy or our privacy practices, please contact: