Memoniq
Privacy Policy
How Memoniq collects, uses, protects, exports and deletes account, study, AI and payment data.
Last updated: May 7, 2026
1. Controller and contact
The data controller is Roberto Coscia, Italy, website memoniq.app.
For privacy, security, access, export or deletion requests: infomemoniq@gmail.com.
This notice describes Memoniq, a Next.js/Supabase web app that creates AI study materials from files, web sources, audio, video, images and text provided by users.
2. Data we process
| Category | Examples |
|---|---|
| Account | Email, Supabase user ID, language, optional display name/avatar, plan, trial/subscription status. |
| Study materials | Notebooks, categories, uploaded files, extracted text, OCR, extracted images, selected YouTube/website/Google Drive sources. |
| AI content | Summaries, flashcards, quizzes, mind maps, podcasts, lesson mode, oral exams, chats, enhancements, generated images and metadata. |
| Progress | Study state, spaced repetition, mastery, quiz/flashcard answers, display preferences and local settings. |
| Optional provider keys | Personal API keys entered by the user for supported AI/image/TTS/search providers. They are stored encrypted in the database and may also be cached in browser localStorage. |
| Managed AI keys | Provider keys owned by Memoniq for default AI/image features. They are server-side environment secrets and are never sent to the browser. |
| Optional integrations | Google Drive Picker, YouTube source import/transcript features, local providers such as LM Studio/Ollama/Piper/Kokoro. |
| Technical and security | Session cookies, app logs, rate limiting, error events, IP/security metadata processed by hosting and security systems, terms/privacy consent. |
3. Purposes and legal bases
- Contract: account creation, notebook storage, source processing, AI generation, exports, sharing and plan management.
- Consent or user choice: sending content to AI providers for requested features, using optional personal provider keys, importing from Google Drive, connecting YouTube, using microphone or TTS.
- Legitimate interests: security, abuse prevention, rate limiting, debugging, reliability improvements and support.
- Legal obligations: accounting, payments, authority requests, disputes and privacy rights.
4. Recipients and providers
Memoniq uses technical processors, managed AI providers and user-selected providers. Content is sent only when needed for the requested feature.
| Provider or category | Role | Data processed |
|---|---|---|
| Supabase | Auth and database | Account, profile, notebooks, materials, encrypted keys, sessions. |
| Cloudflare R2 / Supabase Storage | File storage | Uploaded files, images, temporary exports and material assets. |
| Vercel | Hosting and technical analytics | Requests, technical logs, aggregated performance/visit data. |
| Stripe | Payments and subscriptions | Payment data handled by Stripe; Memoniq receives status, plan and billing identifiers. |
| Managed AI and optional providers | Generation, chat, vision, TTS, transcription | Text, images, prompts, audio or metadata needed for the request, depending on the active provider and plan. |
| Google Drive / YouTube source import | Optional source import | Selected files, video URLs, transcripts and source metadata needed to create study materials. |
| Image and web providers | Search and source verification | Search queries, URLs and short extracts when the user enables the feature. |
Some providers may process data outside the EEA. Users should also review the privacy policy and terms of any optional provider they configure.
5. Managed AI, optional provider keys and local models
- Managed AI keys are stored only as server environment secrets. They are not exposed through APIs, UI state, localStorage or data exports.
- Managed AI usage is protected by authentication, ownership checks, rate limits, plan limits and usage counters.
- Optional provider keys are encrypted server-side with AES-256-GCM and used by the runtime only to execute requests authorized by the user.
- Keys are not shown to admins, are not printed in logs and are not included in plaintext data exports to reduce leakage risk.
- The localStorage cache makes the app smoother, but it stays in the browser: use protected devices and sign out on shared devices.
- With LM Studio/Ollama or local TTS configured by the user, processing can stay on the device. Cloud features send only the data needed to the selected provider.
- Edge TTS and other browser services may connect directly from the browser to the external provider.
7. Retention and deletion
- Accounts, notebooks, sources and materials remain for as long as the account is active or until the user deletes them.
- Shared links remain active until revoked or until the related account/material is deleted.
- Payment data is retained by Stripe under its obligations; Memoniq stores only plan and accounting information needed for the service.
- Feedback and technical logs may be kept for security, support and improvement; if you delete your account, feedback is anonymized where possible.
- Caches, backups and infrastructure logs may require a technical deletion period.
8. Security measures
- Supabase authentication, Row Level Security and server-side ownership checks.
- Encrypted optional provider keys, TLS/HTTPS, HSTS, CSP, X-Content-Type-Options, Referrer-Policy and Permissions-Policy.
- Rate limits, plan limits, origin checks on sensitive routes, input validation, file size limits and SSRF protection for external URLs.
- Service role access is limited to server code and used only after auth/ownership verification.
- Data exports avoid plaintext API secrets, and localStorage is isolated between accounts in the same browser.
No system is 100% secure. If a security incident occurs, we will handle notification and communication under applicable law.
9. Your rights
Under the GDPR you may request access, rectification, deletion, restriction, portability, objection and withdrawal of consent where applicable. You can export or delete your account from Account settings.
You may also contact us by email. You have the right to lodge a complaint with the competent supervisory authority.
Non-EU users
Where local law applies, we recognize equivalent rights where required. For California users: we do not sell or share personal information for cross-context behavioral advertising; you may request access and deletion. The service is not directed to children under 13.
10. Children, sensitive data and responsibility
Memoniq is designed for university students and not for children under 13. Do not upload health data, biometric data, ID documents, children's data or highly sensitive materials unless strictly necessary and authorized.
Users are responsible for having rights to uploaded materials and for verifying AI-generated content accuracy.
11. Updates
We may update this notice when features, providers or legal requirements change. The date above shows the latest revision.
For material changes, we will notify registered users with reasonable notice when technically possible.