Privacy Policy
Last updated: May 27, 2026
WorkingMemory ("we", "our", "us"), operated by Dualis Logic, LLC (d/b/a WorkingMemory), is a personal knowledge management service available as a web app, installable PWA, native iOS and Android apps, and (for legacy users) WhatsApp. This policy describes the personal data we collect, how we use it, and the rights you have over it.
1. Data We Collect
- Account identifiers — your email address (used for magic-link login); for legacy users, your phone number
- Content you send — voice notes, text messages, and uploaded documents
- Derived data — transcriptions of your voice notes, structured items ("cognitive nodes") classified from your input, and vector embeddings used for semantic retrieval
- Reminders and preferences — scheduling info, timezone, language
- Payment information — handled by Stripe; we receive subscription status and limited card metadata, never full card numbers
- Push notification credentials — Web Push endpoint and keys (web), APNs or FCM tokens (mobile)
- Device and usage data — IP address, browser and OS, app build version, and aggregate analytics on the marketing site
- Cookies and similar technologies — see Section 8
2. How We Use Your Data
- Transcribe voice notes into text
- Classify and organize your input into structured items
- Provide semantic search across your knowledge base
- Deliver reminders via web push, mobile push, or message
- Process subscription payments
- Maintain service security, prevent abuse, and debug errors
- Measure aggregate traffic on our marketing site (workingmemory.ai) to improve it
We do not use your content to train AI models, and our LLM providers operate under enterprise terms that prohibit training on customer data.
3. Third-Party Processors
We rely on the following categories of providers. A complete current list is available on request:
- Cloud infrastructure — Cloudflare (Workers, D1 database, R2 storage, Email Routing, Workers AI); data encrypted at rest
- Large language models — Google Vertex AI (Gemini), Cloudflare Workers AI
- Speech-to-text — Groq
- Error and crash reporting — Sentry; payloads are scrubbed of message content
- Payment processing — Stripe
- Web analytics — Google Analytics 4, on our marketing site only (not the application)
- Messaging delivery — WhatsApp Business API, for legacy users only
4. Legal Basis (UK / EU GDPR)
We process personal data on the following bases:
- Contract — to provide the service you subscribed to
- Legitimate interests — fraud prevention, debugging, aggregate analytics
- Consent — push notifications, marketing-site analytics cookies (where required)
- Legal obligation — tax records, responding to lawful requests
5. Data Retention
- Defrag plan — raw voice recordings are deleted after 30 days. Transcriptions and structured items are retained while your account is active.
- Archive plan — raw recordings retained while your account is active.
- Soft-deleted items — recoverable for 12 months, then permanently removed.
- After cancellation — all data retained for 90 days, then permanently deleted.
- Backups — production backups are kept for up to 30 days.
- Server logs — kept for 30 days for security and debugging.
6. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access — request a copy of your data
- Rectification — correct inaccurate data
- Erasure — request deletion of your account and data (see our Data Deletion page)
- Portability — receive a structured export of your data
- Object — object to processing based on legitimate interests
- Withdraw consent — disable push notifications, opt out of analytics
California residents have analogous rights under the CCPA / CPRA, including the right to know, delete, correct, and limit use of personal information. We do not sell personal information.
To exercise any right, email support@workingmemory.ai. We respond within 30 days.
7. International Transfers
We are based in the United States. If you access the service from outside the US, your data will be transferred to and processed in the US and in other jurisdictions where our processors operate. Where required by applicable law, we rely on Standard Contractual Clauses or equivalent safeguards.
8. Cookies and Tracking
- The application (app.workingmemory.ai) uses a strictly necessary first-party cookie for authentication (HttpOnly refresh token). It is not used for tracking.
- The marketing site (workingmemory.ai) uses Google Analytics 4, which sets _ga and _ga_* cookies for aggregate traffic analysis. You can opt out via the Google Analytics Opt-out Browser Add-on. Where legally required, we will display a consent banner.
- We do not use third-party advertising or cross-site tracking cookies.
9. Data Security
Data is encrypted in transit (TLS) and at rest (Cloudflare D1 and R2). Authentication uses short-lived access tokens with refresh-token rotation; native mobile clients store tokens in the operating system's secure store (Keychain on iOS, EncryptedSharedPreferences on Android). Production access is limited to a small number of authorized personnel under multi-factor authentication.
10. Children's Privacy
WorkingMemory is not intended for users under 16. We do not knowingly collect data from children. If we learn we have, we will delete it.
11. Changes to This Policy
We may update this policy. Material changes will be announced via in-app notification or email at least 14 days before they take effect. The "Last updated" date above always reflects the current revision.
12. Contact
Email: support@workingmemory.ai
Controller: Dualis Logic, LLC (d/b/a WorkingMemory), United States.