Privacy Policy
Effective date: 4 March 2026
1. Data Controller
Neomem ("we", "our", or "us") is the data controller for the personal data processed through our platform at neomem.co and related services (the "Service").
Contact: privacy@neomem.co
If you are located in the European Economic Area (EEA) and we do not have an establishment in the EEA, our EU representative can be contacted at the same address. We will appoint a formal EU representative as required under Article 27 of the GDPR as our EU user base grows.
2. Categories of Personal Data We Collect
Account data
Name, email address, and hashed password. If you sign in via Google OAuth, we receive your name, email address, and profile picture from Google.
Organisation data
Organisation name, your role (owner, admin, or member), and team membership.
User-generated content
Sources you upload, wiki pages, skills, project notes, and chat messages. This content may contain personal data about you or third parties.
Derived data
Vector embeddings generated from your documents, text extracts created during document processing, and AI-generated responses. These are derived from your content and treated as personal data.
Technical data
IP address, browser type and version, device information, pages visited, and interaction patterns. Collected via server logs and essential cookies.
3. Purposes and Legal Basis for Processing
Under Article 6 of the GDPR, we process your data on the following legal bases:
| Purpose | Data involved | Legal basis |
|---|---|---|
| Account creation and authentication | Account data | Contractual necessity (Art. 6(1)(b)) |
| Storing and organising your documents | User-generated content | Contractual necessity (Art. 6(1)(b)) |
| Generating vector embeddings for semantic search | Document text sent to AI providers | Contractual necessity (Art. 6(1)(b)) |
| AI chat responses grounded in your knowledge base | Queries and document excerpts sent to AI providers | Contractual necessity (Art. 6(1)(b)) |
| Service-related communications | Email address | Contractual necessity (Art. 6(1)(b)) |
| Security, fraud prevention, and abuse detection | Technical data, account data | Legitimate interest (Art. 6(1)(f)) |
| Aggregated usage analytics for service improvement | Technical data (anonymised) | Legitimate interest (Art. 6(1)(f)) |
Where we rely on legitimate interest, we have conducted a balancing test and determined that your rights and freedoms are not overridden by our interests. You may object to processing based on legitimate interest at any time (see Section 9).
Providing your account data is a contractual requirement — if you do not provide your name and email, we cannot create an account for you. Uploading content is voluntary but necessary to use the core features of the Service.
4. How We Process Your Documents
Neomem uses Retrieval Augmented Generation (RAG) to power AI-assisted knowledge retrieval. Here is what happens to your data:
- Upload and storage: Your document is uploaded to secure cloud storage (encrypted at rest). The original file is stored in an organisation-scoped path.
- Text extraction: Text is extracted from the document on our processing infrastructure and stored in our database.
- Embedding: The text is split into chunks and sent to a third-party AI provider to generate vector embeddings for semantic search. The provider processes this data under their API terms, which state that API inputs and outputs are not used to train their models.
- AI chat: When you ask a question, semantically relevant chunks are retrieved and sent (along with your query) to a large language model to generate a response grounded in your content. Our AI providers do not retain your data after processing the request.
We do not use your documents, embeddings, or conversations to train any AI model. Your content is used solely to provide the Service to you.
5. Data Isolation and Multi-Tenancy
Every piece of data — sources, embeddings, wiki pages, skills, and chat sessions — is scoped to your organisation at the database level. All database queries include organisation-level filtering. There is no mechanism for cross-organisation data access.
Within an organisation, access is further controlled by project-level permissions (private, team, or organisation-wide) and user roles (owner, admin, member).
6. Data Recipients and Processors
We share your personal data with the following categories of third-party processors, each of which processes only the minimum data necessary:
| Category | Data shared | Purpose |
|---|---|---|
| Cloud storage provider | Uploaded documents | Encrypted file storage |
| Database hosting providers | Account data, content, metadata, embeddings | Application and search databases |
| AI embedding provider | Document text chunks | Vector embedding generation |
| AI inference provider | User queries, relevant document excerpts | Language model responses for chat |
| Application hosting provider | Technical data (requests, logs) | Service delivery |
| Authentication provider (Google OAuth) | OAuth tokens (during sign-in flow only) | Social authentication |
A full list of named sub-processors is available on request by emailing privacy@neomem.co.
We do not sell, rent, or trade your personal data to any third party. We do not share your data with advertising platforms, data brokers, or information resellers.
7. International Data Transfers
Your data may be transferred to and processed in the United States and other countries outside the European Economic Area (EEA). We ensure appropriate safeguards are in place for each transfer:
- For processors certified under the EU-US Data Privacy Framework, transfers are made under the European Commission's adequacy decision.
- For other processors, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, included in our data processing agreements.
You may request a copy of the safeguards we use for international transfers by contacting privacy@neomem.co.
8. Data Retention
| Data category | Retention period |
|---|---|
| Account data | While account is active + 30 days after deletion request |
| Uploaded documents | Until deleted by user or account closure |
| Derived data (embeddings, text chunks) | Deleted when the source document is deleted |
| Wiki pages and skills | Until deleted by user or account closure |
| Chat session history | Until deleted by user or account closure |
| Server and application logs | 30 days |
| Encrypted backups | Rotated every 90 days |
When you delete a document, we delete the original file, the extracted text, the vector embeddings, and any associated metadata. When you delete your account, all personal data is removed within 30 days. Encrypted backups containing deleted data are rotated within 90 days.
9. Your Rights
Under the GDPR and applicable data protection laws, you have the right to:
- Access (Art. 15) — Request a copy of the personal data we hold about you.
- Rectification (Art. 16) — Correct inaccurate or incomplete personal data.
- Erasure (Art. 17) — Request deletion of your personal data, including documents, embeddings, and derived data.
- Restriction (Art. 18) — Request that we restrict the processing of your personal data in certain circumstances.
- Portability (Art. 20) — Receive your data in a structured, commonly used, machine-readable format. You can export your sources, wiki pages, skills, and project data from within the application.
- Object (Art. 21) — Object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
- Withdraw consent — Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Lodge a complaint — You have the right to lodge a complaint with your local data protection supervisory authority.
To exercise any of these rights, contact privacy@neomem.co. We will respond within one month. Complex or numerous requests may take up to three months, and we will inform you of any extension.
10. Automated Decision-Making
Neomem uses AI to retrieve and rank content from your knowledge base and to generate responses to your queries. This processing assists you in finding and using your own information — it does not make automated decisions that produce legal effects or similarly significant effects on you. All AI outputs are informational and require your review before acting upon them.
11. Cookies and Similar Technologies
We use strictly necessary cookies only. These cookies are essential for the Service to function and cannot be switched off. They include a session cookie for authentication and a CSRF protection token.
We do not use analytics cookies, advertising cookies, or third-party tracking cookies. Because we only use strictly necessary cookies, no cookie consent banner is required under the ePrivacy Directive. If we introduce non-essential cookies in the future, we will implement a consent mechanism before setting them.
12. Google API Services User Data
When you sign in with Google, we access your name, email address, and profile picture. This data is used solely to create and maintain your Neomem account and display your profile within the application. It is stored in our database and retained for the duration of your account.
We do not share your Google user data with any third party except as described in Section 6 (data processors necessary to operate the Service). We do not use Google user data for advertising, creditworthiness assessments, or any purpose beyond providing the Service.
Neomem's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
13. Security
We implement the following security measures:
- TLS encryption for all data in transit
- Encryption at rest for stored documents
- Cryptographic password hashing
- Multi-tenant data isolation at the database query level
- Role-based access control within organisations
- Session-based authentication with CSRF protection
No method of transmission or storage is 100% secure. If we become aware of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify affected individuals without undue delay, as required by Articles 33 and 34 of the GDPR.
14. Children
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16, we will delete it promptly.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting the updated policy on this page with a new effective date. If we change how we use Google user data, we will notify you and obtain your consent before applying the new use. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
16. Contact
For questions about this Privacy Policy, to exercise your data rights, or to raise a concern about our data practices, contact us at privacy@neomem.co.