This Privacy Policy describes how Memia (hereinafter “Memia”, “we”) collects and processes your personal data when you use the Memia website and web application (hereinafter the “Service”).
Memia undertakes to process your personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable French data protection law.
1. Data controller
The data controller is Memia (publisher of the Service). Full identification details (legal name, address, company registration where applicable) are provided in the legal notice of the website.
Contact: for any question relating to data protection, you can contact us via the website contact page.
2. Personal data processed
Depending on your use of the Service, we may process the following categories of data:
- Account identification data: email address, account identifier, information necessary to create and manage your account.
- Content data: content you enter/import into the Service (e.g., notes, text, flashcards, titles, questions/answers), as well as content generated from your requests.
- Usage data: information relating to your use of the Service (e.g., pages visited, actions performed, technical logs), to the extent necessary for operation, security, and improvement of the Service.
- Technical data: IP address, browser and device information, technical identifiers, diagnostic data.
- Payment data: Memia does not collect or store your full bank card details. Payments are processed by Stripe. Memia may process billing-related information (e.g., payment status, transaction identifiers, subscription plan) in order to provide the Service.
- Support data: information you provide when you contact support (message, category, possible attachments, communication history).
3. Purposes and legal bases
We process your personal data for the following purposes:
- Provision of the Service and performance of the contract: account creation, access to features, credit management, performance of subscribed plans.
Legal basis: performance of a contract (Article 6(1)(b) GDPR).
- Payments, invoicing, and subscription management: transaction management, fraud prevention, payment tracking, dispute management.
Legal basis: performance of a contract (Article 6(1)(b)) and legal obligation (Article 6(1)(c)) as applicable.
- Security, abuse prevention, and operational maintenance: account security, detection of abnormal activity, logging.
Legal basis: legitimate interest (Article 6(1)(f)), and legal obligation where applicable.
- Service improvement: technical analysis, bug fixes, usability improvements.
Legal basis: legitimate interest (Article 6(1)(f)) and/or consent (Article 6(1)(a)) where required.
- Support and communication: responding to your requests and assistance.
Legal basis: performance of a contract (Article 6(1)(b)) or legitimate interest (Article 6(1)(f)).
- Usage analysis and product improvement (aggregated/anonymized data where possible): statistical analysis of the use of the Service (e.g., performance, UX, journeys), improvement of features and Service quality, including improving recommendation algorithms and AI-assisted features.
Legal basis: legitimate interest (Article 6(1)(f)), to the extent such processing is necessary to improve the Service and implemented with data minimization measures (aggregation/anonymization where possible).
- Audience measurement via third-party tools (if enabled): collection of audience metrics (traffic statistics, page performance) through an analytics tool. Depending on configuration and applicable law, these trackers may require your consent.
Legal basis: consent (Article 6(1)(a)) where required for trackers and, where applicable, legitimate interest when exempt audience measurement applies (to be confirmed depending on configuration).
- Personalization / recommendations and optimization (if enabled): personalize certain aspects of the Service (e.g., onboarding optimization, content/deck recommendations, understanding needs) based on usage data, ideally aggregated/anonymized where possible. If non-essential trackers are required, they will be subject to your consent.
Legal basis: legitimate interest (Article 6(1)(f)) when such processing does not rely on trackers requiring consent, and/or consent (Article 6(1)(a)) when non-exempt trackers are used.
3.1. Contact form
When you use the contact form available at /contact, we process the information necessary to receive your request, respond to it, and ensure follow-up.
Data collected
Depending on the fields you complete, we may collect:
- Identity and contact details: first name, last name, email address.
- Request content: subject, message.
- Category: support, bug, suggestion, other.
- Follow-up information: ticket identifier, status, and communication history related to your request.
Purposes
This data is used to:
- process your request (support, assistance, complaint, question);
- ensure follow-up through our internal request management interface (ticketing system);
- improve support quality and Service reliability (analysis of reported issues, without targeted advertising).
Legal basis
- Legitimate interest: providing effective customer support and continuity of the Service.
- Pre-contractual measures / performance of the contract: where your request concerns access to the Service, account creation, an order, or performance of a subscription.
Processing via a ticketing system
Requests submitted via the contact form are not automatically sent by email: they are stored in our database in order to be processed and tracked through a ticketing interface (ticket creation, message recording, and communication history).
Retention period
Information related to the contact form is kept for the time necessary to process your request, then archived for a limited period to ensure follow-up and continuity of support (for example, in case a case file is reopened). Unless otherwise required by law, we aim for a maximum retention of 3 years from the last exchange related to the ticket.
4. Processors and recipients
Your data may be processed by service providers acting as processors, only on behalf of Memia and to the extent necessary to provide the Service, including:
- Hosting and infrastructure: hosting provider / infrastructure platform for the Service.
- Database and authentication: Supabase.
- Payments: Stripe (payment processing).
- AI provider: technical provider enabling content generation from your requests and content.
Memia does not sell your personal data and does not resell data to third parties.
5. Transfers outside the European Union
Depending on the location of our service providers, certain data may be transferred outside the European Union. When this happens, Memia implements appropriate safeguards (e.g., standard contractual clauses) and, where necessary, additional measures to ensure an adequate level of protection.
6. Retention periods
Retention periods vary depending on the data and purposes. For guidance:
- Account data: kept for the duration of your account, then deleted or anonymized depending on legal and operational constraints.
- Content data: kept as long as you keep it in your account (subject to technical backups and legal obligations).
- Billing data: kept for the period required by accounting and tax obligations.
- Technical logs: kept for a limited period necessary for security, abuse prevention, and diagnostics.
7. Your rights
In accordance with the GDPR, you have the following rights:
- Right of access to your data;
- Right to rectification;
- Right to erasure (“right to be forgotten”);
- Right to restriction of processing;
- Right to object (in particular where processing is based on legitimate interest);
- Right to data portability where applicable;
- Right to withdraw your consent at any time where processing is based on it.
You may exercise these rights via the contact page. To protect your account, proof of identity may be requested in case of reasonable doubt.
If, after contacting us, you believe that your rights are not respected, you may lodge a complaint with the CNIL (French data protection authority).
8. Security
Memia implements reasonable technical and organizational measures to protect your data (access controls, encryption where relevant, logging, backups, data minimization). As no measure can provide absolute security, a residual risk remains.
9. Cookies and trackers
The Service may use cookies and similar technologies ("cookies/trackers"). Some are strictly necessary for the operation of the Service; others may be used for audience measurement, personalization or optimization depending on the Service configuration and, where applicable, subject to your consent.
9.1. Strictly necessary cookies
These cookies/trackers are essential for the Service to work (e.g., session maintenance, authentication, security, fraud prevention, load balancing, saving your essential choices). They cannot be disabled through our systems when they are necessary to provide the Service. Legal basis: legitimate interest and/or performance of a contract (Article 6(1)(f) and/or 6(1)(b) GDPR).
9.2. Audience measurement / analytics (optional)
Depending on the Service configuration, Memia may use an audience measurement tool to understand traffic, detect issues and improve performance. Where these trackers are not exempt, they are used only after obtaining your consent.
- Potential tools (to be confirmed depending on deployment): [Analytics tool name], [Analytics tool name], etc.
- You can accept/refuse these trackers via the cookie manager (see 9.4).
9.3. Personalization / optimization (optional)
Memia may analyze usage data to improve the Service and personalize certain features (e.g., onboarding optimization, content/deck recommendations, improving journeys, and optionally informing you about updates/offers if enabled).
Where possible, these analyses are performed on aggregated and/or anonymized data. If non-essential cookies/trackers are required for these purposes, they will be set/read only with your consent. Memia does not use advertising/targeting cookies without your agreement.
9.4. Managing cookies
You can choose at any time to accept, refuse or configure optional cookies/trackers. You can also withdraw your consent at any time, without retroactive effect, by revisiting your choices.
If a cookie manager is available on the website, it allows you to change your preferences. Otherwise, this section acts as an entry point while we deploy such a manager.
9.5. Retention periods
Retention periods for cookies/trackers vary depending on their type and purpose (strictly necessary, audience measurement, personalization). They may be consulted in the cookie manager when available. We avoid keeping optional trackers longer than necessary for the stated purposes.
10. Changes
Memia may amend this Policy to reflect legal, technical, or operational developments. The update date will appear in the header. In the event of a material change, we may inform you by an appropriate means.
11. Contact
For any question relating to this Policy or to your personal data, contact us via the Contact page.