DRAFT — REQUIRES LAWYER REVIEW BEFORE LAUNCH
Working draft. Not legally binding. Lawyer review required before publication.
Mnem — Privacy Policy
Last updated: (set on lawyer review) Effective date: (set on publication)
This Privacy Policy explains what data Mnem (operated at https://mnem.live, the "Service") collects, where it is stored, who it is shared with, how long it is retained, and what rights you have over it.
1. Data we collect
| Category | Examples | Source |
|---|---|---|
| Account data | Email address, password hash (managed by Supabase Auth, never stored as plaintext) | You provide it at signup |
| Application data | Tracked creator list, vault contents, in-app activity timestamps | Created as you use the Service |
| Recording metadata | Creator handle, recording duration, start/end timestamps, R2 storage key, Cloudflare Stream ID | Generated by the recorder |
| Audit data | IP address, user agent, timestamps of legally significant actions (first-run acknowledgment, payment events) | Captured at the time of the action |
| Payment data | Provider customer ID, payment fingerprints, subscription state | Provided by Stripe / Paddle; full card data is never stored on Mnem's systems |
| Support correspondence | Emails you send to support@mnem.live and our replies | You initiate it |
We do not collect:
- Browsing history outside of Mnem.
- Cross-site advertising identifiers.
- Biometric data.
- Government-issued IDs (unless required for a specific compliance matter, in which case we ask you directly).
2. Where data is stored
| Storage | Data | Region |
|---|---|---|
| Supabase | Account data, application data, recording metadata, audit data | United States |
| Cloudflare R2 | Recording files (MP4) | Cloudflare's distributed network; primary residency United States |
| Cloudflare Stream | Transcoded HLS segments for playback | Cloudflare's distributed network |
| Stripe | Payment processing data | United States; subject to Stripe's privacy policy |
| Paddle | Payment processing data (when active) | Subject to Paddle's privacy policy |
| Sentry | Error logs, performance traces (PII filtered before transmission) | United States |
3. Data retention
- Account-tied application data (tracked creators, vault metadata): deleted 30 days after account deletion.
- Recording files in R2: deleted as part of the 30-day post-cancellation grace window per the Terms of Service.
- Payment audit logs: retained for 7 years for tax, compliance, and dispute defense purposes. This is not configurable.
- Banned email hashes and payment fingerprints: retained indefinitely. Necessary to enforce chargeback and fraud bans across time.
- DMCA strike records: active strikes retained for 90 days from issuance; resolved or expired strikes archived for an additional 1 year for repeat-infringer determination.
- Support correspondence: retained for 2 years.
4. Third parties we share data with
We share data with the following service providers, only as needed to operate the Service. Each is independently responsible for its own privacy practices.
- Supabase — authentication and database. https://supabase.com/privacy
- Cloudflare (R2 + Stream) — content storage and playback. https://www.cloudflare.com/privacypolicy/
- Stripe — primary payment processing. https://stripe.com/privacy
- Paddle — backup payment processing. https://www.paddle.com/legal/privacy
- Sentry — error monitoring (PII filtered). https://sentry.io/privacy/
- Email delivery provider (to be selected in Phase 4) — transactional email only.
We do not sell your data. We do not share it with advertising networks. We do not allow third-party trackers in the application.
5. Cookies
Mnem uses only essential cookies required to keep you signed in (Supabase Auth SSR cookies). No advertising cookies. No analytics cookies in v1. If we add analytics later, we will update this policy and obtain consent where required by law.
6. Your rights
Depending on where you live, you may have one or more of the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate data.
- Deletion — request deletion of your account and associated data (subject to the retention exceptions above for legal compliance).
- Portability — request a machine-readable export of your data.
- Objection / restriction — object to or limit certain processing.
- Opt-out of sale (CCPA) — Mnem does not sell data; this right is preserved for the record.
To exercise any of these rights, email privacy@mnem.live from the email on file. We respond within 30 days.
7. Children's privacy
Mnem is not directed to children under 18 and we do not knowingly collect data from anyone under 18. See ToS Section 2 for age requirements. If you believe a child has provided data to us, email privacy@mnem.live and we will delete it.
8. Security
We follow industry-standard practices: TLS in transit, encrypted-at-rest storage at all providers, least-privilege internal access, multi-tenant data isolation enforced by row-level security (RLS), and no plaintext passwords. No system is perfectly secure; if a breach occurs that affects you, we will notify you within the timeframes required by applicable law.
9. International users
The Service is operated from the United States. If you access it from elsewhere, your data is transferred to and stored in the United States. By using the Service, you consent to this transfer.
10. Changes to this policy
We may update this policy. Material changes will be communicated via email to active subscribers at least 30 days before taking effect.
11. Contact
Privacy questions or rights requests: privacy@mnem.live