Memoniq
Privacy Policy
How Memoniq collects, uses, protects, exports and deletes account, study, AI and payment data.
Last updated: May 7, 2026
1. Controller and contact
The data controller is Roberto Coscia, Italy, website memoniq.app.
For privacy, security, access, export or deletion requests: infomemoniq@gmail.com.
This notice describes Memoniq, a Next.js/Supabase web app that creates AI study materials from files, web sources, audio, video, images and text provided by users.
2. Data we process
| Category | Examples |
|---|---|
| Account | Email, Supabase user ID, language, optional display name/avatar, plan, trial/subscription status. |
| Study materials | Notebooks, categories, uploaded files, extracted text, OCR, extracted images, selected YouTube/website/Google Drive sources. |
| AI content | Summaries, flashcards, quizzes, mind maps, podcasts, lesson mode, oral exams, chats, enhancements, generated images and metadata. |
| Progress | Study state, spaced repetition, mastery, quiz/flashcard answers, display preferences and local settings. |
| BYOK keys | API keys entered by the user for AI/image/TTS providers. They are stored encrypted in the database and may also be cached in browser localStorage. |
| Optional integrations | Google Drive Picker, YouTube/OAuth configuration and video upload, local providers such as LM Studio/Ollama/Piper/Kokoro. |
| Technical and security | Session cookies, app logs, rate limiting, error events, IP/security metadata processed by hosting and security systems, terms/privacy consent. |
3. Purposes and legal bases
- Contract: account creation, notebook storage, source processing, AI generation, exports, sharing and plan management.
- Consent or user choice: sending content to selected AI providers, using BYOK keys, importing from Google Drive, connecting YouTube, using microphone or TTS.
- Legitimate interests: security, abuse prevention, rate limiting, debugging, reliability improvements and support.
- Legal obligations: accounting, payments, authority requests, disputes and privacy rights.
4. Recipients and providers
Memoniq uses technical processors and user-selected providers. Content is sent only when needed for the requested feature.
| Provider or category | Role | Data processed |
|---|---|---|
| Supabase | Auth and database | Account, profile, notebooks, materials, encrypted keys, sessions. |
| Cloudflare R2 / Supabase Storage | File storage | Uploaded files, images, temporary exports and material assets. |
| Vercel | Hosting and technical analytics | Requests, technical logs, aggregated performance/visit data. |
| Stripe | Payments and subscriptions | Payment data handled by Stripe; Memoniq receives status, plan and billing identifiers. |
| AI/BYOK providers | Generation, chat, vision, TTS, transcription | Text, images, prompts, audio or metadata needed for the request, depending on the selected provider. |
| Google Drive / YouTube | Optional import/export | Selected files only, required OAuth tokens, YouTube configuration and metadata. |
| Image and web providers | Search and source verification | Search queries, URLs and short extracts when the user enables the feature. |
Some providers may process data outside the EEA. Users should also review the privacy policy and terms of the provider they choose, especially in BYOK mode.
5. AI, BYOK and local models
- BYOK keys are encrypted server-side with AES-256-GCM and used by the runtime only to execute requests authorized by the user.
- Keys are not shown to admins, are not printed in logs and are not included in plaintext data exports to reduce leakage risk.
- The localStorage cache makes the app smoother, but it stays in the browser: use protected devices and sign out on shared devices.
- With LM Studio/Ollama or local TTS configured by the user, processing can stay on the device. Cloud features send only the data needed to the selected provider.
- Edge TTS and other browser services may connect directly from the browser to the external provider.
7. Retention and deletion
- Accounts, notebooks, sources and materials remain until the account is active or the user deletes them.
- Shared links remain active until revoked or until the related account/material is deleted.
- Payment data is retained by Stripe under its obligations; Memoniq stores only plan and accounting information needed for the service.
- Feedback and technical logs may be kept for security, support and improvement; if you delete your account, feedback is anonymized where possible.
- Caches, backups and infrastructure logs may require a technical deletion period.
8. Security measures
- Supabase authentication, Row Level Security and server-side ownership checks.
- Encrypted BYOK keys, TLS/HTTPS, HSTS, CSP, X-Content-Type-Options, Referrer-Policy and Permissions-Policy.
- Rate limits, plan limits, origin checks on sensitive routes, input validation, file size limits and SSRF protection for external URLs.
- Service role access is limited to server code and used only after auth/ownership verification.
- Data exports avoid plaintext API secrets and localStorage is isolated between accounts in the same browser.
No system is 100% secure. If a security incident occurs, we will handle notification and communication under applicable law.
9. Your rights
Under the GDPR you may request access, rectification, deletion, restriction, portability, objection and withdrawal of consent where applicable. You can export or delete your account from Account settings.
You may also contact us by email. You have the right to lodge a complaint with the competent supervisory authority.
Non-EU users
Where local law applies, we recognize equivalent rights where required. For California users: we do not sell or share personal information for cross-context behavioral advertising; you may request access and deletion. The service is not directed to children under 13.
10. Children, sensitive data and responsibility
Memoniq is designed for university students and not for children under 13. Do not upload health data, biometric data, ID documents, children's data or highly sensitive materials unless strictly necessary and authorized.
Users are responsible for having rights to uploaded materials and for verifying AI-generated content accuracy.
11. Updates
We may update this notice when features, providers or legal requirements change. The date above shows the latest revision.
For material changes, we will notify registered users with reasonable notice when technically possible.