Privacy Policy
Engram (theengramapp.com) · Operated by Arun Kumar Rathinam
Effective date: June 7, 2026 · Last updated: June 7, 2026
1. Introduction
Engram ("we", "us", "our") is a memory and context layer that sits on top of AI providers. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and your rights over it.
By using Engram, you agree to the practices described in this policy.
2. Who We Are
Engram is operated by Arun Kumar Rathinam, an individual based in Pune, Maharashtra, India. For privacy-related queries, contact us at:
Email: privacy@theengramapp.com
3. What Data We Collect
3.1 Account Data
- Email address — used for authentication and account management
- Encrypted password — managed by Supabase Auth, never stored in plain text
3.2 Conversation Data
- Messages you send and receive during chat sessions
- Conversation titles and metadata (timestamps, AI provider used)
- All message content is encrypted at rest using AES-256-CBC encryption
3.3 AI Provider API Keys
- API keys you provide for Claude, OpenAI, or Gemini
- Stored encrypted at rest using AES-256-CBC encryption
- Decrypted only at the moment of use, never logged or exposed
3.4 Profile Data
- Your timezone — detected automatically on signup and used to provide accurate time context to the AI
- Last seen timestamp — used to calculate time since your last session
3.5 Memory Data
- Facts and preferences extracted from your conversations
- Stored with Mem0 (see Section 6 — Third Party Services)
- Organised by AI provider — your Claude memories are separate from your GPT-4 and Gemini memories
4. How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Providing the chat service | Contract performance |
| Injecting memory and time context into AI responses | Contract performance |
| Improving response continuity across sessions | Contract performance |
| Sending password reset emails | Contract performance |
| Complying with legal obligations | Legal obligation |
We do not use your data for advertising. We do not sell your data to third parties. Ever.
5. Data Retention
| Data type | Retention period |
|---|---|
| Messages and conversations | 60 days from creation |
| Account and profile data | Until account deletion |
| API keys | Until deleted by you or account deletion |
| Memory data (Mem0) | Until deleted by you or account deletion |
After 60 days, messages are automatically deleted from our database. Memories extracted from those conversations remain in Mem0 until you delete them manually or delete your account.
6. Third Party Services
Engram uses the following third-party services to operate. Each receives some of your data:
6.1 Supabase (Database and Authentication)
- What they receive: Your email, encrypted passwords, encrypted messages, encrypted API keys, profile data
- Purpose: Database storage and user authentication
- Location: EU region
- DPA: Supabase maintains a Data Processing Addendum available at supabase.com/legal
- Privacy policy: supabase.com/privacy
6.2 Mem0 / Embedchain Inc. (Memory Layer)
- What they receive: Your conversation messages in plaintext — specifically, your messages are decrypted and sent to Mem0 for memory extraction
- Purpose: Extracting and storing meaningful facts about you to provide continuity across sessions
- Important: Mem0 receives your conversation content in plaintext. This is necessary for the core memory feature to work. If you do not want your conversations processed by Mem0, use the Private Conversation toggle available on each conversation.
- Location: United States
- DPA: Mem0 maintains a Data Processing Addendum available at mem0.ai
- Privacy policy: mem0.ai/privacy-policy
6.3 Vercel (Hosting)
- What they receive: Request metadata, server logs
- Purpose: Hosting and serving the application
- Location: Global CDN
- Privacy policy: vercel.com/legal/privacy-policy
6.4 AI Providers (Claude, OpenAI, Gemini)
- What they receive: Your messages and system context (including AI-generated memory summaries) at the time of each request
- Important: You connect your own API key directly. You have a direct relationship with your chosen AI provider under their terms of service. Engram is not responsible for how AI providers process your data.
- Anthropic privacy policy
- OpenAI privacy policy
- Google privacy policy
6.5 Cloudflare (DNS)
- What they receive: Request metadata
- Purpose: DNS resolution and DDoS protection
- Privacy policy: cloudflare.com/privacypolicy
7. Your Rights
Regardless of where you are located, you have the following rights:
7.1 Right to Access
You can view all memories Engram has stored about you at any time via Settings → Memory.
7.2 Right to Rectification
You can delete individual memories that are incorrect via Settings → Memory.
7.3 Right to Erasure (Right to be Forgotten)
You can delete your entire account and all associated data via Settings → Delete Account. This permanently deletes:
- Your profile and account
- All conversations and messages
- All stored API keys
- All memories from Mem0 across all providers
7.4 Right to Data Portability
You can export individual conversations using the export feature. Contact us at privacy@theengramapp.com for a full data export.
7.5 Right to Restrict Processing
You can mark any conversation as Private to prevent it from being used for memory extraction. Private conversations are not sent to Mem0.
7.6 Right to Object
You can contact us at privacy@theengramapp.com to object to any processing of your data.
EU/UK Users — GDPR Rights
If you are located in the EU or UK, you have additional rights under GDPR including the right to lodge a complaint with your local supervisory authority.
Indian Users — DPDP Act Rights
If you are located in India, you have rights under the Digital Personal Data Protection Act 2023 including the right to access, correct, and erase your personal data.
8. Data Security
We take data security seriously:
- All messages and API keys are encrypted at rest using AES-256-CBC
- All data in transit is encrypted using HTTPS/TLS
- API keys are decrypted only at the moment of use, never logged
- We use Row Level Security in our database — you can only access your own data
- We do not store passwords in plain text
9. Private Conversations
Engram provides a Private Conversation toggle on each conversation. When enabled:
- That conversation is excluded from memory extraction
- Its content is never sent to Mem0
- It is still stored encrypted in our database for your own reference
Use this for sensitive conversations you do not want used to build your memory profile.
10. Children's Privacy
Engram is not intended for users under the age of 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us at privacy@theengramapp.com and we will delete it promptly.
11. International Data Transfers
Your data may be transferred to and processed in countries outside your own, including the United States and the EU. Where required by law, we rely on Standard Contractual Clauses and Data Processing Agreements with our processors to ensure your data is protected.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the effective date at the top of this page. Continued use of Engram after changes constitutes acceptance of the updated policy.
13. Contact Us
For any privacy-related questions, requests, or complaints:
Email: privacy@theengramapp.com
Operator: Arun Kumar Rathinam, Pune, Maharashtra, India
We aim to respond to all privacy requests within 30 days.
This Privacy Policy was last updated on June 7, 2026.