MemoryCode

Privacy Policy

Effective Date: 08 April 2026

Version 1.4

1. Data Controller

The data controller for the purposes of the GDPR and equivalent data protection laws is:

The Service is operated by YI STUDIO, an independent creative and technology studio based in Denmark (EU). For all privacy-related enquiries, contact us at privacy@memorycode.ai.

2. Our Core Privacy Commitment

MemoryCode is built on a Local-First architecture. All memory content you author is stored exclusively in your browser's localStorage on your own device and is never transmitted to our servers.

• Profile content (name, nickname, roles, life events, skills, cognitive chip configurations, and any other authored fields) remains on your device at all times.

• MCP configuration files are generated locally in your browser and placed on your machine by you. We do not write MCP configuration files through our servers on your behalf.

• When you use the Export / Backup feature, the data is packaged as a JSON file and downloaded directly by your browser or shared via your operating system's native share sheet. This transfer does not route through our servers.

• We do not sell, share with advertisers, or use your memory content for model training under any circumstances.

3. Data We Collect and Process

3.1 Data You Author (Local Only)

The following data exists solely on your device and is not processed by us:

Because this data never leaves your device, we are not a data controller for this content. You retain full ownership and control. Note that this data may contain sensitive personal information (such as health, financial, or relationship details). We encourage strong device-level security to protect your browser's local storage.

3.2 Functional Cookie

We set one functional cookie:

This cookie is strictly necessary for consistent Service navigation and is exempt from consent requirements under the ePrivacy Directive. It does not track your behaviour, identify you personally, or persist any memory content.

3.3 Anonymous Usage Analytics (Vercel Web Analytics)

We use Vercel Web Analytics to understand aggregate usage of the Service, configured for functional measurement only without intrusive tracking or behavioural profiling.

• No cookies are set by the analytics system.

• No cross-site tracking - your activity on MemoryCode is not correlated with activity on any other website.

• No persistent personal identifiers are collected or stored.

• Your IP address is used solely to derive an anonymous, daily-rotating hash for unique-visitor counting; the raw IP address is not retained.

Data collected includes: page URL and referring URL; approximate geographic location (country / region / city, derived from IP); device information (operating system, browser, device category); and timestamp. Used solely for aggregate statistics; not shared with advertisers or used for model training.

Legal basis: Legitimate Interest (GDPR Art. 6(1)(f)). Processing is limited to aggregated, anonymised data without persistent identifiers.

Vercel, Inc. processes this data as a data processor on our behalf. See: https://vercel.com/legal/privacy-policy

3.4 Server-Side API Calls (MCP Connectivity Testing)

In the current version, the only server-side API call related to MCP functionality is a connectivity test:

In the current version, no memory configuration content is transmitted via API under any circumstances. MCP configuration files are generated in your browser and placed on your local machine by you, following the step-by-step guidance provided in the MCP Connect panel.

We have configured server-side functions to run in the European region (Vercel fra1, Frankfurt) where operationally feasible. Static assets and cached pages may still be served via Vercel's global edge network; that path does not execute our dynamic API route code.

3.5 Hosting Platform Access Logs (Vercel Infrastructure)

Vercel's hosting infrastructure automatically generates access logs for every HTTP request to memorycode.ai, including: IP address, HTTP method, requested URL path, response status code, User-Agent string, and timestamp. These are processed by Vercel, Inc. for hosting and security services. We access them in aggregate or sampled form for security monitoring and performance diagnostics.

4. Legal Basis for Processing (GDPR)

We do not process special categories of personal data (GDPR Article 9) on our servers. Although users may enter sensitive personal information into local memory fields, this data remains on-device and is never transmitted to us. You are solely responsible for the content you choose to store locally.

5. Third-Party Services

We do not sell your data to any third party. We do not share your data with advertising networks or data brokers beyond what is described in Section 3.3.

6. MCP Integration and Agent Tool Access

6.1 Current MCP Integration: Local-First, Manual Import

In the current version of the Service, the MCP (Model Context Protocol) integration is fully local-first. No memory or configuration data is transmitted to our servers as part of the MCP workflow.

• The MCP Connect panel generates a standardised configuration JSON for your chosen AI client (Claude Desktop, Cursor, Windsurf, or compatible clients) directly in your browser.

• Step-by-step guidance is provided to help you paste this configuration into your AI client. The placement is performed by you, not by us.

• The MemoryCode MCP Server runs as a local process on your machine. It reads your local memorycode-mcp.json file and makes your memory configuration available to AI tools within your local environment. No data is transmitted to our servers during a session.

• Your memory configuration file (memorycode-mcp.json) does not leave your machine unless you deliberately share it. Once placed on your machine, the subsequent use of this file by AI tools is governed by your operating environment and the privacy policies of those AI tools, not by this Policy.

Technical Metadata in Exported Configuration Files:

Your exported MCP configuration file (memorycode-mcp.json) contains a small set of technical metadata fields embedded for product compatibility and support purposes:

These fields contain only technical product information. They do not encode personal identifiers, device fingerprints, IP addresses, user input, or any information that identifies you as an individual. They are stored solely in your local configuration file and are never transmitted to our servers under normal operation. YI STUDIO does not receive or process these fields unless you choose to share your configuration file directly with us (e.g., when requesting technical support).

Purpose limitation: These metadata fields are used exclusively for product version tracking, configuration compatibility verification, and support diagnostics. They are not used for advertising, behavioural profiling, or cross-site tracking.

6.2 How the MCP Server Starts (npx)

The MemoryCode MCP Server is distributed as an npm package and is launched automatically by your AI client. The typical flow is:

• You paste the MemoryCode MCP configuration (containing command: "npx" and the relevant arguments) into your AI client's MCP settings.

• You restart the AI client.

• The AI client reads the configuration and automatically executes npx in a local process on your machine, which downloads the MemoryCode MCP Server package from the npm public registry and starts it.

• You do not need to open a terminal or run any commands manually under normal circumstances. Manual terminal use is only required for troubleshooting (e.g., verifying npm availability in restricted network environments).

This process causes your device to connect to the npm public registry to download the server package. Your memory configuration file is read locally by the server process and is not transmitted to our servers or to the npm registry.

6.3 Local MCP Server Session Behaviour

Once running, the MemoryCode MCP Server reads your local memorycode-mcp.json file and makes your memory configuration available to AI tools within your local environment. No data is transmitted to our servers during a session.

6.4 Agent Read Tools - get_user_profile() and get_expertise()

A future version of the MemoryCode MCP Server will introduce two optional read-only tools: get_user_profile() (returns a summary of basic identity fields) and get_expertise(domain?) (returns configured skills and expertise depth).

These tools are: read-only (cannot modify local memory files); invoked locally (executed by the AI client on your machine - no data is sent to our servers); and limited to basic identity and skill data already configured in MemoryCode.

When these tools are available, we will display a clear in-application disclosure: "When you enable the MemoryCode MCP Server in an AI client, that client may query your identity and skills information during sessions to improve response quality."

6.5 Future Agent Write Capabilities

We may in a future version introduce optional features that allow AI agents, upon explicit user authorisation, to write or update content in your local MemoryCode configuration. Any such feature will: require a clear, affirmative in-application consent action; be disclosed in an updated version of this Policy prior to release; maintain a local audit log of agent-initiated write operations; and clearly distinguish between user-authored and AI-generated content.

7. Data Retention

8. localStorage - Important User Notice and Limitation of Liability

Because your memory content is stored in your browser's localStorage, you should be aware of the following risks:

• Browser data clearing: Clearing your browser's cookies and site data will permanently delete your MemoryCode profiles and memory content from that device.

• Safari / iOS Intelligent Tracking Prevention (ITP): Apple's ITP mechanism may automatically clear localStorage for websites not visited for 7 consecutive days. Your data may be deleted by the browser without warning and without any action on our part.

• Device failure or replacement: Data stored in localStorage is not backed up to any cloud service. If your device fails, is lost, or is reset, your data will be lost.

• Recommendation: Use the Backup feature (Settings -> Backup) to export your data as a JSON file and store it securely.

9. Your Rights

9.1 Rights Under GDPR (EEA, UK, Switzerland)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights in relation to personal data we process about you (i.e., technical and analytical data described in Sections 3.2 to 3.5):

To exercise these rights, contact us at privacy@memorycode.ai. We will respond within 30 days. Note: because your memory content is stored exclusively on your device and is not accessible to us, we cannot retrieve, modify, or delete it on your behalf. Technical metadata embedded in your local MCP config file is also under your control and can be removed by deleting or regenerating the config file.

9.2 California Residents - CCPA / CPRA

• We do not "sell" or "share" your personal information as defined under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

• Your memory content stays strictly on your device and is not subject to sale or disclosure to third parties for cross-contextual behavioural advertising.

• The limited technical data we process (analytics, access logs) is used solely for service operation and improvement.

To exercise any California privacy rights, contact us at privacy@memorycode.ai.

10. Data Security

• All data in transit between your browser and our servers is encrypted using HTTPS / TLS.

• Server-side API endpoints are stateless and do not persist memory content to remote databases.

• Access to hosting infrastructure and analytics dashboards is restricted to the operator.

• Your locally stored memory data is protected by your device's own security controls.

No method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

11. Children's Privacy

The Service is not directed at children under the age of 13 (as defined under COPPA) or under the age of 16 in EU jurisdictions where GDPR Article 8 applies. We do not knowingly collect personal data from children below these thresholds. If you are under 16, obtain your parent or legal guardian's permission before using the Service.

If you become aware that a child has provided us with personal data without parental consent, please contact us at privacy@memorycode.ai.

12. International Data Transfers

The Service is hosted by Vercel, Inc., a US-based company. Your usage data (analytics and access logs) may be transferred to and processed in the United States. Vercel participates in the EU-U.S. Data Privacy Framework and implements Standard Contractual Clauses (SCCs) to legitimise transfers from the EEA.

Our dynamic API routes are configured to execute in the European region (Vercel fra1, Frankfurt). Vercel Web Analytics and infrastructure access logs are processed by Vercel according to their data retention and transfer policies; the applicable Vercel privacy documentation should be consulted for current specifics.

Package distribution via npm may involve connections to Fastly CDN nodes used for global delivery, which may be located outside the EEA. This involves only standard network metadata and is governed by npm's privacy policy. Memory content authored by you is not subject to international transfer as it is never transmitted to our servers.

13. Expected Future Features and Data Handling

The following provisions describe features that are planned but not yet implemented. They apply only if and when these features are actively developed, released, and enabled by you. No data flows described in this section are currently active.

13.1 One-Click MCP Configuration

We plan to introduce a one-click MCP configuration capability in a future version. When released, this Policy will be updated prior to launch to disclose: the environment in which the write operation takes place (local only, or involving a server-side intermediary); the scope of memory content accessed; and confirmation that configuration data will not be used for advertising, profiling, or model training.

13.2 Payment Processing

If paid subscription plans are introduced, payment information will be collected and processed by a third-party payment processor. We will never handle raw payment card data. The processor's own privacy policy will be presented at the point of purchase.

13.3 AI-Assisted Features

Optional AI-powered features (such as Smart Extract) may in a future version transmit user-provided documents to a third-party AI API. Such features will only activate upon your explicit confirmation and after clear disclosure.

13.4 Agent Write Capabilities

As described in Section 6.5, any feature enabling AI agents to write to your local memory configuration will require explicit in-application consent, be accompanied by a Policy update, and maintain a local audit log.

13.5 Multi-Device Sync

Any synchronisation feature involving transmission of your memory data across devices will be preceded by a clear disclosure and Policy update prior to launch.

14. Changes to This Policy

We may update this Privacy Policy from time to time. The current version and effective date are always displayed at the top of this document and at memorycode.ai/privacy.

For material changes that meaningfully affect your rights or introduce new categories of data processing, we will provide notice via a prominent in-application banner at least 14 days prior to the changes taking effect where practicable. Your continued use of the Service after a policy update constitutes your acceptance of the revised Policy.

15. Contact

To lodge a complaint with our lead supervisory authority:

• Datatilsynet (Denmark): www.datatilsynet.dk | +45 33 19 32 00

• You may also contact the data protection authority in your country of residence.

MemoryCode Privacy Policy - v1.4 - Effective 08 April 2026