Memmo Privacy Policy — Beta

Effective Date: February 16, 2026

Beta Notice: Memmo is currently in private beta, available by invitation only. This Privacy Policy reflects the current state of the app and the data we actually collect today. As the Service evolves, this policy will be updated to reflect new features and data practices.

Introduction

Memmo, LLC (“Memmo,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use the Memmo mobile application and related services (collectively, the “Service”).

By using the Service, you agree to the collection and use of information as described in this Privacy Policy.

1. Information We Collect

1.1 Information You Provide

Account Information:

• Name
• Email address
• Password (encrypted, stored by Auth0 — we never see your password)
• Profile photo (optional)

Content:

• Photos and videos you upload
• Text entries and captions

Family and Contact Information:

• Child names and birth dates (for child archives)
• Transfer age settings
• Email addresses of people you invite as co-curators, space members, or recipients

1.2 Information Collected Automatically

Device Information:

• Device type and operating system
• App version

Usage Information:

• Features you use and actions you take within the app
• Error logs and crash reports

Media Metadata (EXIF):

When you upload photos or videos, we capture all standard EXIF metadata embedded in the file. This includes but is not limited to:

• Date and time the photo/video was taken
• Image/video dimensions and orientation
• GPS location (latitude and longitude) — if present in the file
• Camera make, model, and settings

We store the raw EXIF data as-is from your files. This metadata enables features like timeline ordering and may enable future features (e.g., location-based memories, auto-suggested dates).

2. How We Use Your Information

We use your information to:

• Provide the Service — store and display your content, enable sharing with your designated recipients
• Process your uploads — optimize images, transcode video, generate thumbnails
• Enable sharing — deliver content to the people you choose to share with
• Send notifications — push notifications for new deliveries and app updates
• Improve the Service — understand how features are used, identify and fix bugs
• Provide support — help you when something goes wrong

We do not:

• Sell your data to third parties
• Display advertising
• Train AI models on your content
• Build marketing profiles from your usage

3. How We Share Your Information

3.1 With Your Designated Recipients

When you share a Memory with someone, they receive:

• The content (photos, videos, text)
• Your name and profile photo
• The sharing chain (who shared with whom)

When you co-curate an archive, other curators can see:

• Content saved to that archive
• Who added each item

3.2 With Service Providers

We share information with third-party service providers who help us operate the Service:

These providers are contractually obligated to protect your information and use it only for the purposes we specify.

3.3 For Legal Reasons

We may disclose your information if required by law, including:

• To comply with a subpoena, court order, or legal process
• To respond to lawful requests from government authorities
• To protect our rights, property, or safety
• To investigate violations of our Terms of Service

3.4 Business Transfers

If Memmo is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or use of your information.

4. Data Storage and Security

4.1 Where We Store Your Data

Your data is stored in the United States using Amazon Web Services (AWS) infrastructure:

• Database: AWS RDS (PostgreSQL) with encryption at rest
• Media files: AWS S3 with encryption at rest (customer-managed encryption keys) and versioning enabled
• Backups: AWS Backup with daily snapshots (7-day retention) and weekly snapshots (12-week retention)

4.2 Security Measures

We implement industry-standard security measures:

• Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS
• Encryption at rest: All stored data and media are encrypted — media files use customer-managed encryption keys (AWS KMS) with automatic annual key rotation
• Access controls: Role-based database access with principle of least privilege
• Secure authentication: JWT tokens with short expiration, secure token storage on device
• Signed URLs: Media files are accessed via time-limited, cryptographically signed URLs — not publicly accessible
• Infrastructure monitoring: CloudWatch alarms for system health, CloudTrail for audit logging

4.3 Your Security Responsibilities

You are responsible for:

• Keeping your login credentials confidential
• Using a strong, unique password
• Logging out on shared devices

5. Data Retention

5.1 Active Accounts

We retain your data for as long as your account is active and as needed to provide the Service.

5.2 Deleted Content

• Trash: Deleted items are recoverable for 14 days, then permanently deleted
• Moments: Expire automatically after 14 days

5.3 Closed Accounts

When you request account closure, a 30-day cancellation period begins during which you can reverse your decision. After the cancellation period expires, your account data and unshared content will be removed from our active systems. It may take up to an additional 90 days for data to be fully purged from backups. In total, permanent deletion may take up to 120 days from the date of your request.

Content you previously shared with others remains in their accounts — once shared, a Memory belongs to the recipient as well.

5.4 Beta Data

During the beta period, we may need to reset or migrate data as part of development. We will make all reasonable efforts to avoid resetting or losing your data, and we will notify you in advance if a reset becomes necessary.

6. Children’s Privacy

6.1 Child Archives

Parents and guardians can create archives for their children. These archives contain content about the child, curated by adults. The child is the subject, not the user.

6.2 Children Under 13

• Children under 13 are not permitted to create Memmo accounts
• We do not knowingly collect personal information from children under 13
• All content in a child’s archive is uploaded and managed by parents or authorized curators

6.3 COPPA Compliance

If you believe a child under 13 has created an account, please contact us immediately at privacy@memmo.io. We will investigate the report and take appropriate action, which may include restricting or deleting the account and associated data.

7. Your Rights and Choices

7.1 Access

You can view all your data within the app at any time.

7.2 Correction

You can update your account information and edit your content at any time within the app.

7.3 Deletion

You can:

• Delete individual items (they move to Trash for 14 days, then are permanently deleted)
• Close your account entirely by contacting support@memmo.io

Note: Deleting content from your account does not affect copies shared with others.

7.4 Notifications

You can manage notification preferences in the app settings. Some communications (like security alerts) cannot be opted out of.

8. Changes to This Privacy Policy

We may update this Privacy Policy from time to time as the Service evolves. We will notify you of material changes by:

• Posting the updated Privacy Policy on the Service
• Sending you a notification through the app or email

The “Last Updated” date at the top indicates when the policy was last revised.

9. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us:

Privacy Inquiries: privacy@memmo.io

General Support: support@memmo.io

This Privacy Policy is effective as of February 16, 2026.