1. Introduction

This Privacy Policy explains how Memochat ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our web application at memochat.app ("the Service"). We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

By using the Service, you acknowledge that you have read and understood this Privacy Policy.

2. Data We Collect

2.1 Account Data

When you sign in via Google OAuth, we receive and store the following information from your Google account:

  • Full name
  • Email address
  • Profile picture URL

This data is used to create and manage your Memochat account. We do not access your Google password or any other Google account data.

2.2 Conversation Content

When you paste a ChatGPT shared conversation link, we retrieve the publicly available transcript from that URL. This content is processed by our AI pipeline to generate your study materials (flashcards, quizzes, and notes). The generated materials are stored in our database and associated with your user account.

We do not access your ChatGPT account or any private conversations. We only process content from publicly shared links that you explicitly provide.

2.3 Generated Study Materials

All flashcards, quizzes, and notes generated from your conversations are stored in our database. This includes the content of the cards, questions, answers, note text, and associated metadata (titles, emoji labels, creation dates).

2.4 Subscription and Payment Data

When you subscribe to a paid plan or purchase a Booster Pack, payment is processed by Stripe. We store the following in our database:

  • Your Stripe customer ID
  • Your Stripe subscription ID
  • Your plan type (free or pro)
  • Generation usage counts and reset dates
  • Booster credit balance

We do not store your credit card number, bank account details, or other sensitive payment information. All payment processing is handled directly by Stripe. Please refer to Stripe's Privacy Policy for details on how they handle your payment data.

2.5 User Preferences

We store your language preference (English, Spanish, or Italian) to provide a localized experience.

2.6 Notion Integration Data

If you choose to connect your Notion workspace for exporting study notes, we store the Notion OAuth access token, workspace ID, and workspace name. This connection is entirely optional and can be disconnected at any time from your account settings.

2.7 Analytics Data

We use Datafast, a privacy-focused analytics service, to track conversion events (e.g., completed purchases). Datafast may assign a visitor ID for this purpose. We do not use cookies for tracking, and no personally identifiable analytics data is stored on our servers.

3. How We Use Your Data

We use the data we collect for the following purposes:

  • Providing the Service: To process your conversation links, generate study materials, and deliver them to you.
  • Account management: To create, authenticate, and maintain your user account.
  • Subscription management: To manage your plan, track usage limits, and process payments.
  • Export functionality: To send your study notes to Notion or generate PDF files when you request it.
  • Localization: To display the Service in your preferred language.
  • Service improvement: To understand usage patterns and improve the Service (using aggregated, non-identifying data).

We do not use your data for advertising, profiling, or selling to third parties.

4. Legal Basis for Processing (GDPR)

Under the GDPR, we process your personal data based on the following legal grounds:

  • Contractual necessity (Art. 6(1)(b)): Processing your account and conversation data is necessary to provide the Service you requested.
  • Legitimate interest (Art. 6(1)(f)): Aggregated analytics to improve the Service.
  • Consent (Art. 6(1)(a)): Optional integrations such as the Notion connection, which you can revoke at any time.

5. Data Sharing and Third-Party Processors

We share your data with the following third-party service providers, solely for the purposes described above:

  • Supabase (database hosting and authentication) – Your account data, study materials, and preferences are stored in Supabase. See the Supabase Privacy Policy.
  • Google (OAuth authentication) – We use Google Sign-In to authenticate you. Only your name, email, and profile picture are shared. See the Google Privacy Policy.
  • OpenAI (AI content generation) – The conversation transcript you submit is sent to OpenAI's API for processing. See the OpenAI Privacy Policy.
  • Stripe (payment processing) – Your payment information is handled exclusively by Stripe. See the Stripe Privacy Policy.
  • Notion (optional export) – If you connect your Notion workspace, your study notes are sent to Notion when you initiate an export. See the Notion Privacy Policy.
  • Datafast (analytics) – Minimal conversion tracking data. See the Datafast Privacy Policy.

We do not sell, rent, or trade your personal data to any third party.

6. Data Retention

Your account data and generated study materials are retained for as long as you maintain an active account. If you delete your account, we will delete your personal data and study materials within 30 days, except where retention is required by law.

Payment records may be retained for a longer period to comply with financial and tax regulations.

7. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • All data is transmitted over HTTPS (TLS encryption).
  • Database access is controlled via Row Level Security (RLS) policies, ensuring that users can only access their own data.
  • Authentication is handled through industry-standard OAuth 2.0 protocols.
  • Sensitive API keys and secrets are stored as environment variables and never exposed to the client.

While we take reasonable precautions, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

8. Your Rights

Under the GDPR and applicable data protection laws, you have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data ("right to be forgotten").
  • Portability: Request a machine-readable copy of your data.
  • Restriction: Request that we limit the processing of your data.
  • Objection: Object to processing based on legitimate interest.
  • Withdraw consent: Where processing is based on consent (e.g., Notion integration), you may withdraw it at any time.

To exercise any of these rights, please contact us at the email address provided below.

9. Cookies

Memochat uses only essential cookies required for authentication and session management (set by Supabase Auth). We do not use advertising cookies, tracking cookies, or third-party marketing cookies.

10. Children's Privacy

Memochat is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe that a child under 16 has provided us with personal data, please contact us and we will take steps to delete such information.

11. International Data Transfers

Your data may be processed and stored on servers located outside your country of residence, including in the United States (e.g., by Supabase, OpenAI, and Stripe). Where data is transferred outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this page periodically.

13. Contact

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at:

Email: support@memochat.app