Overview And Scope
This Privacy Policy explains how Dememo collects, uses, discloses, stores, and otherwise processes personal data in connection with the Dememo website, web application, MCP server, APIs, AI-assisted workflows, connected integrations, billing flows, and support operations.
This policy applies when you create or use a Dememo account, join a workspace, upload or create content, connect external accounts, use Dememo through ChatGPT, Codex, or another MCP-compatible client, or otherwise interact with us about the service.
If another organization invites you into a Dememo workspace, some processing may also be directed by that workspace's administrators or managers. This policy still describes Dememo's own processing of the personal data involved.
Who We Are And How To Contact Us
Dememo is responsible for the processing described in this Privacy Policy.
For privacy questions, access requests, correction requests, deletion requests, or other privacy inquiries, contact privacy@dememo.ai. We may need to verify your identity and authority before acting on a request, especially where a request could affect workspace data, other users, or legally retained business records.
Workspaces, Organizational Accounts, And Administrator Controls
If you use Dememo through a workspace created, managed, or paid for by an employer, client, agency, or other organization, that organization may control or administer the workspace and the content associated with it.
Workspace owners, administrators, and other authorized managers may be able to add or remove members, change roles, view shared workspace content, manage connected accounts or publishing settings at the workspace level, and request deletion or retention actions affecting workspace data.
Where appropriate, Dememo may need to work with the relevant workspace administrator to respond to privacy or access requests that relate to organizational workspace data. Your organization may also have its own policies governing your use of Dememo.
Personal Data We Collect
The categories of personal data we process depend on how you use Dememo. They generally include the following:
- Account, identity, and contact data, such as your email address, display name, user identifier, workspace role, invited-member status, and related account metadata managed through Supabase Auth and associated profile tables.
- Authentication and session data, such as magic-link sign-in events, session state, OAuth client identifiers, granted scopes, and technical session metadata needed to authenticate users, maintain sessions, and secure access to the service.
- Workspace, collaboration, and content data, such as workspace names, brands, projects, files, uploads, guidelines, prompts, generated outputs, comments, edit history, approvals, scheduling records, and other content you create, upload, or store in Dememo.
- Connected-account and social publishing data, such as linked platform, account handle, display name, avatar URL, profile URL, page or organization selection data, connection status, reconnect flags, publish status, webhook payloads, and related metadata for accounts you choose to connect.
- Billing and transaction data, such as plan, seat count, billing interval, subscription status, Stripe customer and subscription identifiers, invoice and event metadata, credit usage records, billing errors, and accounting or tax records. Payment card details are processed by Stripe and are not stored by Dememo.
- Operational, observability, and security data, such as timestamps, request identifiers, workspace identifiers, project identifiers, conversation identifiers, tool arguments and results, error details, raw invocation logs, compaction payloads, runtime error payloads, audit records, and security events used to operate, debug, monitor, improve, and protect the service.
- Device, browser, network, and usage data, such as IP address, browser or device metadata, timezone and coarse location signals when made available by the client or browser, and product usage events needed to render the service, enforce security, localize scheduling, and troubleshoot issues.
- Browser-stored data, such as locally stored current workspace selection, draft email input, transient UI state, temporary thinking snapshots, and last-opened conversation identifiers stored in localStorage or sessionStorage on your device.
- Communications data, such as support emails, privacy requests, and, if enabled, transactional notification emails relating to social publishing failures or reconnect requirements.
Sources Of Personal Data
- Directly from you, when you sign up, log in, upload files, create or edit workspace content, send prompts, contact support, submit privacy requests, or connect accounts.
- From other authorized users in your workspace, such as when they invite you, assign work to you, share content with you, or identify you in workspace records.
- From the browsers, devices, and MCP-compatible clients you use to access Dememo, including ChatGPT, Codex, or other clients that send App Requests to Dememo and receive App Responses back.
- From payment, authentication, model, workflow, notification, and infrastructure providers that support the service.
- From external services or URLs you ask Dememo to access, ingest, transform, or publish to on your behalf.
- From connected social platforms and Zernio when you authorize account linking, publishing, validation, or account-status refresh actions.
How We Use Personal Data
- To authenticate users, maintain sessions, and control access to workspaces, brands, projects, and MCP tools.
- To create, store, organize, process, and return workspace content, files, prompts, outputs, comments, scheduling records, and other records needed to complete your requests.
- To run AI-assisted features, including generation, naming, summarization, ingestion, search, scheduling, transformation, collaboration, and related workflow execution.
- To operate the Dememo MCP server and connected app flows, including receiving App Requests, executing requested tools, and returning App Responses to compatible clients.
- To connect and manage third-party accounts you explicitly link, including social-account connection, page or organization selection, publishing, scheduling, validation, health checks, reconnect flows, and status refresh actions.
- To operate billing, subscription, seat management, checkout, invoicing, crediting, usage metering, and accounting workflows.
- To send service-related communications, such as magic links, security notices, account or billing updates, workspace notices, support replies, and, if enabled, operational email notifications.
- To maintain logs, detect fraud or abuse, investigate incidents, troubleshoot errors, measure performance, improve prompts and workflows, and maintain observability for AI-assisted and MCP-assisted features.
- To enforce our terms, protect users, satisfy legal obligations, respond to lawful requests, and establish, exercise, or defend legal claims.
Legal Bases For Processing
Where applicable law requires a legal basis for processing, Dememo generally relies on the following bases, depending on the context:
- Contract or steps taken at your request, where processing is necessary to create an account, provide the service, operate a workspace, execute a requested tool call, or perform another action you asked us to take.
- Legitimate interests, where processing is reasonably necessary to secure the service, prevent abuse, maintain logs, debug failures, improve prompts and workflows, manage connected integrations, and operate Dememo responsibly.
- Consent, where required by law or where a feature depends on a permission-based integration or a consent-based processing step.
- Legal obligation, where processing is required to comply with applicable law, accounting obligations, tax obligations, lawful requests, or other regulatory duties.
- Establishment, exercise, or defense of legal claims, where records must be retained or reviewed for dispute handling, investigations, or enforcement.
How AI Processing And MCP Processing Work
When you use AI-assisted features, Dememo may send prompts, file excerpts, metadata, and relevant workspace context to model providers or routing providers needed to complete the feature you requested. Depending on the feature, Dememo may also persist raw invocation logs, compaction payloads, tool-call logs, error records, and usage records as described in this policy.
When you use Dememo through ChatGPT, Codex, or another MCP-compatible client, Dememo may receive App Requests from that client and may return App Responses containing the data necessary to fulfill your request. Those clients may separately process prompts, conversation content, App Requests, and App Responses under their own terms and privacy practices. Dememo does not control that separate processing.
We aim to minimize responses and avoid returning secrets or unnecessary diagnostics through Dememo tools. We do not intentionally return passwords, API keys, MFA codes, or similar credentials through app features.
Browser Storage, Cookies, And Similar Technologies
Dememo uses browser-based storage and provider-managed session technologies to keep you signed in, remember workspace context, and preserve temporary UI state.
- Supabase session persistence used to maintain authenticated sessions in the browser.
- localStorage entries used for convenience and continuity, such as current workspace selection and certain last-opened conversation references.
- sessionStorage entries used for short-lived UI state, such as draft email input and temporary chat or thinking snapshots.
- We do not currently use the web app as an advertising-cookie platform and do not currently sell personal data or share it for cross-context behavioral advertising.
- You can clear browser storage through your browser settings, but doing so may sign you out or remove convenience features and temporary UI state.
Connected Accounts, Social Publishing, And Public Posting
If you connect a third-party account, Dememo may receive and store the account and connection data needed to complete the connection and operate the linked feature.
Dememo processes transient connection tokens only as needed to complete the connection flow. We do not intentionally keep upstream temporary access tokens or refresh tokens in our application database after the handoff step.
If you ask Dememo to publish or schedule content to a connected social platform, the content, media, timestamps, platform selections, and related metadata may be shared with Zernio and the relevant platform. Once published, that content may become visible to the audience of the destination platform and may also remain subject to that platform's own retention and visibility rules.
Who We Share Personal Data With
We share personal data only where needed to operate the service, complete your instructions, comply with law, protect the service, or carry out a corporate transaction. Categories of recipients include the following:
- Workspace members, approvers, administrators, and other authorized users in your workspace, to the extent your use of Dememo is collaborative or the relevant content is shared within that workspace.
- Infrastructure, authentication, database, file-storage, API, and realtime service providers used to operate Dememo, including Supabase.
- AI and model-routing providers used to process prompts, files, metadata, and outputs for requested features, including OpenRouter and any downstream model providers selected through OpenRouter.
- Billing and payment providers, including Stripe, for subscriptions, customer records, hosted checkout, billing portal access, invoicing, and payment operations.
- Social connection and publishing providers, including Zernio and the underlying social platforms you choose to connect or publish to.
- Document conversion providers, including CloudConvert, when you upload Office documents that we convert to PDF for knowledge-ingest workflows.
- Workflow orchestration providers, including Trigger.dev, for background jobs, retries, scheduled tasks, validation tasks, and operational workflow execution.
- Transactional communication providers, such as Resend if enabled for a given workflow, to deliver operational email notifications.
- OpenAI or another compatible client when you intentionally use Dememo through that client and request a Dememo tool action.
- Professional advisers, auditors, insurers, acquirers, successor entities, courts, regulators, or law enforcement where disclosure is reasonably necessary for compliance, protection, or transaction purposes.
International Data Transfers
Dememo and its service providers may process personal data in countries other than the country where you are located, including the United States and other countries where our providers operate.
Where applicable law requires transfer safeguards, we rely on appropriate contractual, technical, and organizational measures designed to protect personal data in connection with those transfers.
Data Retention
We retain different categories of personal data for different periods, depending on operational need, legal obligations, security requirements, and the nature of the feature involved.
- Raw model invocation logs, raw runtime payloads, compaction payloads, and associated log blobs are retained for up to 30 days for observability, debugging, service improvement, abuse prevention, and security.
- Security and audit logs, including MCP tool call logs and related operational audit records, are retained for up to 12 months.
- Billing, subscription, credit, accounting, and tax-related records are retained for as long as required by applicable accounting and tax law.
- Workspace content, collaboration records, files, prompts, generated outputs, and related workspace data are retained until you delete them or the workspace is deleted, unless we need to retain them longer for backups, legal obligations, dispute resolution, incident investigation, or the establishment, exercise, or defense of legal claims.
- Account, profile, and workspace-membership records are generally retained while your account and relevant workspaces remain active and thereafter as reasonably necessary for account administration, compliance, and dispute handling.
- Connected-account and social-publishing records are retained while the connection or publishing history is needed to operate the feature, maintain records, enforce terms, resolve disputes, or satisfy legal or security obligations.
- Browser-stored data remains on your device until cleared by you, overwritten, or removed by the browser or application flow.
- Deletion requests are currently handled manually through privacy@dememo.ai. Dememo does not currently offer a self-serve account deletion or workspace deletion flow in the web app.
- Deleted data may persist for a limited period in backups, disaster recovery copies, cache layers, or residual logs before those copies are overwritten or expire in the ordinary course.
Security
- We use authentication controls, scoped workspace permissions, row-level access controls, authenticated API calls, and provider-managed infrastructure protections to protect data.
- We use logging, monitoring, and operational controls intended to detect misuse, failures, and security issues.
- We attempt to minimize secrets in tool responses and sanitize certain error details before returning them through public-facing app surfaces.
- No system is perfectly secure. You should avoid uploading payment card data, medical data, government identifiers, passwords, API keys, or other highly sensitive credentials unless we have clearly stated that a specific supported feature requires that data.
Your Rights And Choices
Depending on your location and the applicable law, you may have rights to request access to personal data, request correction, request deletion, request portability, object to certain processing, request restriction of processing, withdraw consent where consent is the basis, appeal a denial of a rights request, and lodge a complaint with a supervisory authority.
- You can sign out of Dememo and manage your active session through the product.
- You can disconnect linked social accounts from the Dememo interface.
- You can delete or remove many workspace items directly in the product, depending on the feature.
- If you use Dememo through ChatGPT or another client, you can also disconnect the app or revoke its authorization from that client.
- Access, correction, deletion, objection, restriction, portability, and account or workspace privacy requests are currently handled manually by contacting privacy@dememo.ai.
- We may deny or narrow a request where permitted by law, including where we need to protect other users, preserve legally required records, complete security investigations, or retain accounting records.
- We will not discriminate against you for exercising privacy rights granted by applicable law.
Additional U.S. State Privacy Disclosures
If U.S. state privacy laws apply to you, this section supplements the rest of this Privacy Policy.
Depending on how you use Dememo, in the preceding 12 months we may have collected the categories of personal data described in Personal Data We Collect, from the sources described in Sources Of Personal Data, for the purposes described in How We Use Personal Data, and disclosed those categories to the recipient categories described in Who We Share Personal Data With.
- Dememo does not currently sell personal data for money and does not currently share personal data for cross-context behavioral advertising as those concepts are used in certain U.S. state privacy laws.
- Dememo does not currently use or disclose sensitive personal information for the purpose of inferring characteristics about consumers beyond what is reasonably necessary to provide the service, secure the service, or comply with law.
- You may have rights, depending on your state, to know, access, correct, delete, obtain a portable copy of certain data, opt out of certain targeted advertising or profiling practices, appeal a denied request, and use an authorized agent where permitted by law.
- To exercise a request, appeal a decision, or submit a request through an authorized agent, contact privacy@dememo.ai. We may require verification of identity, authority, and the scope of the request before taking action.
Sensitive Data, Restricted Data, And Children's Data
Dememo is not designed to collect PCI data, PHI, government-issued identifiers, passwords, API keys, MFA or OTP codes, or other comparable secrets as part of ordinary app use.
Do not upload restricted or special-category data unless it is strictly necessary for a supported feature and we have clearly disclosed that need in advance.
Dememo is not intended for children under 13, and you must not use Dememo to send us personal information about children under the applicable age of digital consent where doing so would violate applicable law or platform policy.
Automated Processing
Dememo uses automated systems and AI-assisted processing to generate, summarize, transform, classify, schedule, validate, and route content and actions you request.
Dememo does not currently use fully automated decision-making that produces legal or similarly significant effects about you without meaningful human involvement.
Third-Party Services And Links
Dememo may link to or rely on third-party services, websites, clients, and platforms. Their privacy practices are governed by their own terms and notices, not this Privacy Policy.
If you instruct Dememo to fetch, ingest, transform, or publish content involving a third party, that third party may receive the network, file, content, or account data necessary to complete the action.
Business Transfers And Legal Disclosures
We may disclose or transfer personal data in connection with an actual or proposed merger, acquisition, financing, restructuring, asset sale, bankruptcy, or similar corporate event, subject to appropriate confidentiality and legal protections where applicable.
We may also disclose personal data where reasonably necessary to comply with law, respond to lawful process, protect users, investigate fraud or abuse, enforce our terms, or establish, exercise, or defend legal claims.
Changes To This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will update the effective date on this page and may provide additional notice where appropriate.
Your continued use of Dememo after an updated Privacy Policy takes effect means the updated policy will apply to your future use of the service.
Contact
Questions, deletion requests, access requests, and privacy inquiries can be sent to privacy@dememo.ai.