Privacy Policy

Effective date: May 21, 2026

Memo Labs, Inc. ("Memo," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at heymemo.ai or use the Memo platform and related services (collectively, the "Service"). By using the Service, you agree to the collection and use of information in accordance with this policy.

1. Who We Are

Memo Labs, Inc. is a Delaware corporation providing an AI-powered e-commerce optimization platform. For the purposes of applicable data protection laws, Memo acts as both a Controller (for data we collect directly from our website visitors and account holders) and a Processor (for data we process on behalf of our customers through platform integrations). Our Data Protection Agreement governs processing activities where we act as a Processor.

2. Information We Collect

2.1 Information You Provide Directly

  • Account information: Name, email address, company name, job title, and password when you register for a Memo account.
  • Contact and support: Messages, feedback, and information you submit through our contact form, support channels, or email communications.
  • Billing information: Payment details processed through our third-party payment processors (we do not store full credit card numbers).
  • Integration credentials: OAuth tokens, API keys, and connection configurations you authorize to connect third-party platforms (Shopify, Meta Ads, Google Ads, etc.) to Memo.

2.2 Information Collected Automatically

  • Usage data: IP address, browser type and version, operating system, referring URLs, pages visited, time spent on pages, and other diagnostic data.
  • Device information: Device type, screen resolution, language settings, and other device identifiers.
  • Performance data: Service response times, error rates, and API usage patterns for operational monitoring.

2.3 Information From Connected Platforms

When you connect third-party platforms to Memo via OAuth or API integration, we access and process data as authorized by you. This may include:

  • Shopify: Store configuration, product catalog, order data, customer information, and analytics.
  • Meta Ads: Campaign structure, performance metrics, audience data, and ad creative.
  • Google Ads: Campaign data, keyword performance, impression share, and conversion metrics.
  • Google Analytics: Traffic sources, user behavior, conversion events, and audience segments.
  • Other integrations: Data from any additional platform you choose to connect (e.g., Klaviyo, Gorgias, Triple Whale).

The specific categories of data accessed depend entirely on which integrations you choose to connect and the permissions you grant. You can review and revoke these permissions at any time through your account settings.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service delivery: To provide, operate, maintain, and improve the Memo platform and its features.
  • AI-driven optimization: To analyze your e-commerce data, generate insights, make recommendations, and autonomously optimize your paid media, CRO, SEO, and retention strategies.
  • Personalization: To tailor the Service to your specific brand, products, and customer base.
  • Communication: To send transactional emails, product updates, security alerts, and administrative messages. You cannot opt out of transactional communications, but you may opt out of promotional emails at any time.
  • Customer support: To respond to inquiries, troubleshoot issues, and provide technical assistance.
  • Analytics and improvement: To monitor usage patterns, diagnose technical problems, measure Service performance, and inform product development decisions.
  • Security: To detect, prevent, and address fraud, abuse, and security incidents.
  • Legal compliance: To comply with applicable laws, regulations, legal processes, and enforceable governmental requests.

4. Legal Bases for Processing (EEA/UK Users)

If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data under the following legal bases:

  • Contractual necessity: Processing is necessary to perform our contract with you (e.g., providing the Service you signed up for).
  • Legitimate interests: Processing is necessary for our legitimate interests (e.g., improving our Service, ensuring security, and preventing fraud), provided those interests are not overridden by your data protection rights.
  • Consent: Where you have given explicit consent for a specific processing purpose (e.g., marketing communications). You may withdraw consent at any time.
  • Legal obligation: Processing is necessary to comply with a legal obligation (e.g., responding to lawful requests from public authorities).

5. Data Sharing and Disclosure

We do not sell your personal data. We may share your information in the following circumstances:

5.1 Service Providers and Sub-processors

We engage trusted third-party companies and individuals to facilitate our Service, provide infrastructure, perform Service-related functions, or assist us in analyzing how our Service is used. These third parties have access to your personal data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose. Our current Sub-processors are listed in our Data Protection Agreement.

5.2 Connected Platforms You Authorize

At your direction, Memo interacts with third-party platforms you connect (Shopify, Meta, Google, etc.). Data flows between Memo and these platforms as necessary to deliver the Service. We do not share your data with these platforms beyond what is required for the integration to function, and we only act on the permissions you explicitly grant.

5.3 Legal and Compliance

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency), to protect and defend the rights or property of Memo, to prevent or investigate possible wrongdoing in connection with the Service, to protect the personal safety of users or the public, or to protect against legal liability.

5.4 Business Transfers

If Memo is involved in a merger, acquisition, or asset sale, your personal data may be transferred. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.

6. Data Retention

We retain your personal data only for as long as is necessary for the purposes set out in this Privacy Policy:

  • Account data: Retained while your account is active and for up to 90 days after account deletion, unless a longer retention period is required by law.
  • Platform integration data: Retained for the duration of your subscription and deleted within 90 days of termination, in accordance with our DPA.
  • Usage analytics: Aggregated and anonymized usage data may be retained indefinitely for product improvement purposes.
  • Backup data: Encrypted backups are retained for up to 90 days in accordance with our backup rotation policy.

You may request deletion of your data at any time by contacting us at [email protected]. We will respond to deletion requests within 30 days.

7. Your Privacy Rights

7.1 GDPR Rights (EEA and UK Users)

If you are located in the EEA or UK, you have the following rights under the GDPR:

  • Right of access: You may request a copy of the personal data we hold about you.
  • Right to rectification: You may request that we correct inaccurate or incomplete personal data.
  • Right to erasure ("right to be forgotten"): You may request that we delete your personal data, subject to certain exceptions.
  • Right to restriction: You may request that we restrict the processing of your personal data in certain circumstances.
  • Right to data portability: You may request a copy of your personal data in a structured, machine-readable format.
  • Right to object: You may object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time.

7.2 CCPA/CPRA Rights (California Residents)

If you are a California resident, you have the following rights under the CCPA/CPRA:

  • Right to know: You may request disclosure of the categories and specific pieces of personal data we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
  • Right to delete: You may request deletion of personal data we have collected from you, subject to certain exceptions.
  • Right to correct: You may request correction of inaccurate personal data.
  • Right to opt out of sale/sharing: We do not sell personal data and have not done so in the preceding 12 months. We do not share personal data for cross-context behavioral advertising.
  • Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.

7.3 Exercising Your Rights

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within the timeframes required by applicable law (typically 30 days for GDPR, 45 days for CCPA). We may need to verify your identity before processing your request. If you have an unresolved privacy concern, you have the right to lodge a complaint with your local data protection supervisory authority.

8. International Data Transfers

Memo is based in the United States, and your personal data is primarily processed and stored in the United States and the European Union (Germany and Finland, via Hetzner infrastructure). When we transfer personal data from the EEA, UK, or Switzerland to countries not recognized as providing adequate protection, we implement appropriate safeguards as required by law, including EU Standard Contractual Clauses. Details are available in our Data Protection Agreement.

9. Security

We implement and maintain industry-standard technical and organizational measures to protect your personal data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls with least-privilege principles
  • Multi-factor authentication for administrative access
  • Regular security reviews and patch management
  • Network segmentation and firewall protection

A detailed description of our security measures is available in our Data Protection Agreement. No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.

10. Cookies and Tracking Technologies

We use the following categories of cookies and tracking technologies:

  • Essential cookies: Required for the website and Service to function. These cannot be disabled.
  • Analytics cookies: We use Plausible Analytics (self-hosted, privacy-first) and Google Analytics to understand how visitors interact with our website. Plausible does not use cookies or collect personal data. Google Analytics uses cookies to track usage patterns.
  • Functional cookies: Used to remember your preferences and provide enhanced functionality.

You can control cookie settings through your browser preferences. Most browsers allow you to refuse or delete cookies. Note that disabling cookies may affect the functionality of certain parts of the Service.

11. Children's Privacy

Our Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without verification of parental consent, we will take steps to delete that information promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) or through an in-product notice at least 30 days before the change becomes effective. The "Effective date" at the top of this policy indicates when it was last revised. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: