Privacy Policy
Effective Date: 5 April 2026 · Last Updated: 5 April 2026
1. Introduction & Who We Are
Parametric Memory Limited (“Parametric Memory,” “we,” “us,” or “our”) operates the parametric-memory.dev website and the Parametric Memory SaaS platform (the “Service”). We take your privacy seriously and are committed to transparent practices around how we collect, use, and protect your data.
- Legal Entity: Parametric Memory Limited, New Zealand
- Data Controller: Parametric Memory Limited
- Main Purpose: We provide an AI-augmented memory platform that stores conversation history as “memory atoms” using a Markov-Merkle data structure, allowing AI assistants (like Claude) to retain and retrieve context across conversations.
- Website: parametric-memory.dev
- Jurisdiction: Governed by New Zealand law, with compliance for GDPR (EU/UK users), CCPA/CPRA (California users), and the Australian Privacy Principles (Australian users).
Contact: privacy@parametric-memory.dev
2. What Data We Collect
2.1 Account Information
When you create an account, we collect your email address, account creation date, account type (free or paid subscription), and authentication tokens and session identifiers.
2.2 Memory Atoms & Conversation History
The core of our Service is storing your AI conversation history as “memory atoms.” This includes raw conversation text (your prompts and AI responses), metadata (timestamp, conversation ID, model used), processed atoms (semantic tags, embeddings, Markov-chain relationships), and historical versions for audit purposes.
Important: Memory atoms are stored on a private, customer-specific DigitalOcean droplet (your “substrate”). You retain full ownership. We do not use your memory atoms to train models or improve our Service beyond operational necessity.
2.3 Usage & Analytics Data
We collect basic server-side analytics from access logs: API request metadata, error logs, and request timing. We do not use any third-party analytics services or tracking scripts. No client-side analytics cookies are set.
2.4 Payment Information
When you subscribe to a paid plan, we collect your billing email, Stripe customer ID, payment method information (card last 4 digits and expiry only), subscription dates, and invoices. We do not store full credit card numbers. Stripe handles all payment processing and PCI compliance.
2.5 Technical & Infrastructure Data
To operate your substrate and monitor Service health: droplet ID, IP address, resource usage, container logs, API key (stored as SHA-256 hash in our database — the raw key is shown once at creation only), and health check responses.
3. How We Use Your Data
We use your data only for the following purposes, each with a lawful basis under GDPR Article 6:
| Purpose | Lawful Basis | Retention |
|---|---|---|
| Provide the Service | Contractual necessity (Art. 6(1)(b)) | Account duration + 30 days |
| Authenticate you | Contractual necessity (Art. 6(1)(b)) | Account duration + 7 days |
| Process payments | Contractual necessity (Art. 6(1)(b)) | 7 years (tax/audit) |
| Send transactional emails | Contractual necessity (Art. 6(1)(b)) | Until account deletion |
| Improve the Service | Legitimate interest (Art. 6(1)(f)) | 14 days (server logs) |
| Detect fraud & abuse | Legitimate interest (Art. 6(1)(f)) | 30 days |
| Comply with law | Legal obligation (Art. 6(1)(c)) | As required by law |
We will never sell your data to third parties, use your memory atoms to train AI models without explicit consent, or use your email for marketing without consent.
4. Data Retention & Deletion
4.1 Active Account Data
- Account information: Retained for the duration of your account
- Memory atoms: Retained while your account is active
- Server logs: Access and error logs retained for 14 days for operational debugging
4.2 After Account Deletion
- Email and authentication records deleted immediately
- Memory atoms deleted from your substrate within 24 hours
- Backups retained for 30 days as a safety measure, then permanently deleted
- Anonymized analytics may be retained indefinitely
- Stripe retains billing records for 7 years for tax compliance
5. Who We Share Your Data With
We use the following sub-processors to operate the Service, each with a Data Processing Agreement in place:
5.1 Stripe, Inc. — Payment Processing
Processes payments, stores billing records, issues invoices. Data: billing email, Stripe customer ID, payment method info. Location: United States. Stripe Privacy Policy
5.2 DigitalOcean, LLC — Infrastructure & Hosting
Hosts your memory substrate, provides DNS, SSL, and uptime monitoring. Data: droplet configuration, API keys (hashed), logs, IP address. Location: United States. DigitalOcean Privacy Policy
5.3 Resend, Inc. — Email Delivery
Sends transactional emails (account confirmations, billing receipts). Data: email address and email content. Location: United States. Resend Privacy Policy
We do not sell, rent, or share your personal data with third parties except when required by law, to prevent fraud, or with your explicit written consent.
6. International Data Transfers
For GDPR users (EU/UK): New Zealand holds an adequacy decision from the European Commission, meaning transfers to Parametric Memory (NZ entity) are lawful under GDPR Article 45 without additional safeguards. For transfers to US-based sub-processors (DigitalOcean, Stripe, Resend), we rely on Standard Contractual Clauses (SCCs) under GDPR Article 46.
For Australian users: Data transfers comply with the Australian Privacy Principles (APPs).
For California users: Sub-processors are engaged as CCPA “Service Providers” and are prohibited from using your data for any purpose other than providing the Service.
7. Your Rights
7.1 All Users
- Right to access your personal data (free of charge, within 30 days)
- Right to correct inaccurate data
- Right to delete your data (we comply within 30 days except where legally required)
- Right to data portability (request your data in JSON format)
- Right to withdraw consent
- Right to lodge a complaint with your local privacy regulator
7.2 GDPR Rights (EU/UK Users)
Additional rights under GDPR: right to restrict processing (Art. 18), right to object (Art. 21), right regarding automated decision-making (Art. 22 — memory atoms are not used for automated decisions affecting your legal rights), and right not to be discriminated against for exercising your rights.
To exercise GDPR rights: email privacy@parametric-memory.dev with “GDPR Data Request.” Response within 30 days.
7.3 California Rights (CCPA/CPRA)
California residents have the right to know, delete, correct, opt-out of data sales (we do not sell personal data), and non-discrimination. Submit requests to privacy@parametric-memory.dev with “California Privacy Request.” Response within 45 days.
7.4 Australian Rights (Privacy Act 1988)
Right to access and correct personal information, and to complain to the Office of the Australian Information Commissioner (OAIC). Response within 30 days.
7.5 New Zealand Rights (Privacy Act 2020)
Rights to access and correct your information under Information Privacy Principles 6–9, and to complain to the NZ Privacy Commissioner. Response within 20 days.
8. Cookies & Tracking
We only use essential cookies required for the Service to function. We do not use any analytics, advertising, or tracking cookies.
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
mmpm_session | Authenticate your session after magic link login. httpOnly, secure, sameSite=lax. | Essential | 30 days |
mmpm_redirect | Store post-login redirect destination. Cleared immediately after use. | Essential | 15 minutes |
Both cookies are essential for the Service to function and cannot be disabled. Because we set no analytics or tracking cookies, no cookie consent banner is required.
9. Data Security
All data in transit uses TLS 1.3 encryption. Memory atoms at rest are encrypted with AES-256. API key hashes use SHA-256 with salt. Your substrate is logically isolated — no cross-tenant data sharing is architecturally possible.
The Markov-Merkle data structure provides cryptographic verification: each atom's position in the tree is mathematically verified, making tampering detectable. In the event of a data breach, we will notify affected users within 72 hours and report to relevant regulators.
10. AI-Specific Disclosures
Memory atoms are processed using semantic analysis (embeddings, NLP) and Markov chaining (probabilistic linking for future retrieval). Memory retrieval is probabilistic, not deterministic — outputs may be inaccurate, inferred, or incomplete. You should verify critical memory outputs independently.
Your data is not used to train Claude or any third-party AI model. When you connect via MCP and retrieve a memory atom, that atom is sent to Anthropic's servers only during the live MCP call and is subject to Anthropic's Privacy Policy.
11. Children & Minors
The Service is not intended for users under 18 years old. We do not knowingly collect personal data from children. If we become aware of an underage account, we will delete it and all associated data within 30 days. Contact privacy@parametric-memory.dev if you believe a child has created an account.
12. Data Breach Notification
In the event of a breach, we will notify affected users directly via email within 72 hours (or as required by local law), notify relevant regulators (NZ Privacy Commissioner, EU/UK DPA, relevant US state authorities), and provide details of what data was affected, how the breach occurred, and what steps we are taking to remediate.
13. Changes to This Policy
We will email you at least 30 days before any material change. Material changes require your affirmative consent (e.g., new data uses requiring opt-in under GDPR). Continued use after notice constitutes acceptance of non-material changes.
14. How to Contact Us
For privacy requests: privacy@parametric-memory.dev — we respond within 30 days and will verify your identity before disclosing personal data.
You can also lodge a complaint with your local regulator:
- New Zealand: Office of the Privacy Commissioner
- EU/UK: Your local Data Protection Authority (e.g., ICO in the UK, CNIL in France)
- California: California Attorney General
- Australia: Office of the Australian Information Commissioner (OAIC)
15. Summary of Rights by Location
| Location | Governing Law | Response Time | Regulator |
|---|---|---|---|
| New Zealand | Privacy Act 2020 | 20 days | NZ Privacy Commissioner |
| EU / UK | GDPR / UK GDPR | 30 days | Local DPA / ICO |
| California | CCPA / CPRA | 45 days | California CPPA |
| Australia | Privacy Act 1988 | 30 days | OAIC |
Parametric Memory Limited · New Zealand · privacy@parametric-memory.dev