MemlinAI Privacy Policy Last Updated: June 3, 2026 Effective Date: June 3, 2026 Beta Notice. This is a beta version of the Service, available within the United States only to individuals and organizations eighteen years of age or older. The Service is not directed to, and Memlin does not knowingly collect data from, individuals residing within the European Economic Area, the United Kingdom, or other international jurisdictions. Features, data practices, and terms may change materially before general availability. We will notify registered beta users of material changes before they take effect. The beta Service may collect expanded system diagnostic and instrumentation data which may exceed what the production Service will collect; this data consists of operational metadata and does not include the content of your inputs or stored Memories. This Privacy Policy describes how MemlinAI, Inc., a Delaware corporation (“Memlin”, “we,” “us,” or “our”), collects, uses, discloses, retains, and otherwise processes Personal Data in connection with the websites, applications, APIs, SDKs, CLIs, MCP server environment, editor adapters, documentation, and related features that Memlin operates at https://Memlin.ai and its subdomains (collectively, the “Service”). This Privacy Policy complies with the disclosure requirements of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (the “CCPA/CPRA”), and other applicable U.S. data protection laws. Capitalized terms used in this Privacy Policy that are not otherwise defined here have the meanings given in the Memlin Terms of Service. 1. HOW THIS POLICY IS ORGANIZED; WHO IT APPLIES TO This Privacy Policy describes Memlin’s role as a data controller or data processor with respect to three categories of individuals: • Customers and Authorized Users. Individuals who register for or use the Service, operate or configure a Workspace, or otherwise use the Service. • End Users of Customer Applications. Individuals whose Personal Data is submitted to the Service by a Customer in the course of operating a Customer Application. With respect to End User Personal Data, Memlin acts as a “processor” or “service provider” on behalf of the Customer, who acts as the “controller” or “business.” The Customer’s own privacy policy governs the collection and use of End User Personal Data; this Privacy Policy describes Memlin’s processing as the Customer’s processor. • Website Visitors. Individuals who access the public marketing pages of Memlin.ai without creating an account. 2. SCOPE AND CORE DEFINITIONS 2.1 Personal Data As used in this Privacy Policy, “Personal Data” and “Personal Information” are used interchangeably and have the meaning given to those terms under applicable data privacy law, including the CCPA/CPRA and other applicable U.S. privacy statutes. Data that is excluded or exempted from the definition of personal data or personal information under the law applicable to the relevant processing activity is not Personal Data for purposes of that activity. Personal Data does not include “Usage Data” or “Aggregated Data”, as those terms are defined in the Terms of Service, provided that such data has been de-identified or aggregated such that it does not identify, and cannot reasonably be used to identify, any natural person. 3. PERSONAL DATA WE COLLECT 3.1 Information You Provide We collect the following categories of Personal Data when you provide it in the course of using the Service: • Account and Profile Information. Names, email addresses, usernames, and related information collected by our identity provider during registration or sign-in, as well as any profile photograph, job title, or company affiliation you choose to provide. • Customer Data Submitted to the Service. Text, code, and other content submitted to the Service by or on behalf of Customer. This content may include Personal Data about you, other Authorized Users, or End Users. Where Customer Data includes audio recordings or voice transcripts, Memlin processes such content as text and does not extract, analyze, or retain voiceprints, speech patterns, facial recognition data, or other biometric identifiers from those inputs. You are responsible for the Personal Data you include in Customer Data and for any required notices and consents from the individuals to whom that information relates. • Workspace Invitations. When you invite a team member or guest to join a Workspace by entering their email address, you represent that you have the right to share that individual’s contact information with us for the purpose of granting access and delivering the invitation. • Communications and Support Requests. Information you share when contacting our support team, reporting issues, or submitting feedback. 3.2 Information We Collect Automatically When you use the Service or visit our websites, we and our service providers automatically collect: • Device and Connection Information. IP address, device identifiers, operating system, browser type and version, language preference, and general geographic information derived from IP address. • Usage Information. Pages viewed, features used, API request volumes, error rates, session duration, performance metrics, and audit-log records associated with retrieval and write operations, and workspace interaction metrics including agent error rates, task completion patterns, and manual corrections (collected as part of Workspace Insights). • Client Software Diagnostics. When you install and run our CLI, SDKs, editor adapters, or IDE plugins, the Service automatically collects diagnostic metadata, including software version, command execution metrics, tool-call latency, and error codes. This data is processed to maintain platform security and support service quality. Our client software does not read, collect, or transmit your application source code, file contents, or credentials. • Cookies and Tracking Technologies. Our public marketing pages use cookies, clear gifs, and analytics pixels to measure traffic and campaign performance. Authenticated application sessions use separate functional cookies that are not used for marketing purposes. You may manage cookie preferences through your browser settings. See Section 8.4 for additional information. 3.3 Data Ingested from Connected Sources When you authorize the Service to connect to a third-party repository, communication platform, or data service (a “Connected Source,” such as GitHub, Notion, or Slack), we receive data from that source in accordance with the authorization scopes you grant. This may include repository metadata, file and document contents, message contents, and account identifiers. All data ingested from a Connected Source is Customer Data and is subject to the same protections described in this Privacy Policy. You are responsible for ensuring that you have all rights and consents necessary to authorize the Service to access and ingest data from each Connected Source, including any consents required from individuals whose communications are contained in that source. 3.4 Data Captured by the Scribes Memlin offers automated background capture tools called the “Scribes.” When enabled by the Workspace Owner, the Scribes automatically capture content from Authorized User agent sessions and code commits, extract candidate Memories using our models and systems, and queue them for activation in accordance with the activation threshold configured for the Workspace. The Workspace Owner controls whether the Scribes are enabled, the activation threshold applied to candidate items, and any custom credential-redaction patterns. The Scribes apply automated patterns to detect and suppress common credential formats before any candidate item is stored; they do not, by default, remove other personally identifiable information from captured content. Customers are responsible for notifying Authorized Users before enabling the Scribes and for obtaining any required consents under applicable recording and electronic communications laws. 3.5 Information from Third Parties We may receive Personal Data about you from the following sources: • Identity provider. Authentication data, including name and email address, from our identity and authentication provider when you sign in using a social or business account. • Connected Sources. Data retrieved from third-party services you have authorized, as described in Section 3.3. • Business partners and referrers. Contact information and company affiliation shared in connection with referrals, joint marketing, or business introductions. • Publicly available sources. Company information from public registers and publicly available statements, where relevant to our business relationship with you. 3.6 Bring Your Own Key (BYOK) Configurations When you use a BYOK Configuration, API calls are routed through your account with the relevant external model provider and are subject to that provider’s terms and privacy practices. Our standard data collection and processing practices described in this Privacy Policy apply to BYOK Configurations in the same manner as other Service configurations. You are solely responsible for compliance with the model provider’s terms and privacy policy. 4. HOW WE USE PERSONAL DATA We use Personal Data for the following purposes: • Providing and Operating the Service. Authenticating sign-in, provisioning Workspaces, generating and serving Memories, responding to retrieval and search requests, processing billing, and responding to support inquiries. • Security and Abuse Prevention. Detecting and preventing fraud, abuse, security incidents, and violations of the Terms of Service. • Analytics and Product Improvement. Using aggregated, de-identified data derived from the Service to understand usage patterns, evaluate and improve the Service, and develop new features. • Performance Evaluation. Using aggregated, de-identified data to evaluate Service performance, including through internal benchmarking, to measure and communicate product quality. • Workspace Insights. Generating Workspace Insights from Usage Data within your Workspace to suggest new Memories or context optimizations. Workspace Insights are derived solely from your own Usage Data, are not shared with other customers, and are not used to train any AI model. You may disable Workspace Insights at any time through Workspace Settings; see Section 8.2. • Communications. Sending service-related announcements, security alerts, billing notices, and other transactional communications. We may also send marketing emails; you may opt out at any time using the unsubscribe link in those emails or by contacting us at privacy@memlin.ai. Opting out of marketing communications will not affect transactional or service-related notices. • Other Purposes. We may use Personal Data for other purposes disclosed to you at the time of collection or with your consent. We maintain a strict separation between data collected through our public marketing pages and data processed within authenticated application sessions. Contact information submitted through public lead forms, waitlists, or newsletter fields is used for marketing and product communications only and is not commingled with Customer Data processed within Workspaces. 5. DATA USE SUMMARY The table below summarizes how we use each category of data and available opt-out choices. Data Category Processing Purposes Opt-Out / Control Available Account & Identity Information Providing the Service; communications; security No opt-out (required for Service) Customer Data / Inputs Providing the Service; generating Memories; audit logs No opt-out (required for Service) Memories Storing and serving persistent context; retrieval; audit Delete via Workspace or API Connected Source Data Ingesting context per Customer authorization; generating Memories Revoke Connected Source authorization at any time Scribes Capture Data Generating candidate Memories from sessions and commits Disable Scribes in Workspace settings at any time Usage Data Operating and improving the Service; billing No opt-out (required for Service) Workspace Interaction Metrics Generating Workspace Insights; identifying context optimizations. Disable via Workspace Settings (Section 8.2). Aggregated Data Product improvement; benchmarking No opt-out (required for Service) Billing & Transaction Data Payment processing; tax and legal compliance No opt-out (required for Service) Marketing Contact Data Promotional communications; traffic attribution Unsubscribe link or privacy@memlin.ai Client Diagnostic Telemetry Platform security; service quality No opt-out (required for Service) 6. HOW WE SHARE PERSONAL DATA We share Personal Data with the following categories of recipients. We do not sell Personal Data for monetary consideration. To the extent any sharing described below may constitute a “sale” or “sharing” under the CCPA/CPRA, you may exercise the rights described in Section 8. • Service Providers and Sub-processors. We share Personal Data with service providers that perform data processing operations on our behalf, subject to contractual obligations of confidentiality and use limitations consistent with this policy. These categories include: cloud infrastructure providers; database providers; AI model providers; identity and authentication providers; payment processors; and email service providers. • Connected Sources. When you authorize the Service to connect to a Connected Source, we share information with that source as necessary to authenticate and retrieve data on your behalf. • Other Customers. We do not share Customer Data of one Workspace with another Customer’s Workspace. Memories generated for one Workspace are isolated from those of other Workspaces by logical access controls. To the extent we offer a Memlin Library feature allowing a Workspace Owner to publish a Memory or skill to other Workspaces they administer, only the publishing Workspace Owner may initiate such sharing. • Professional Advisors. We may share Personal Data with legal counsel, accountants, auditors, and insurers in connection with the services they provide to us. • Legal Requirements. We may disclose Personal Data when required to do so by applicable law, court order, or legal process, or when we determine in good faith that disclosure is necessary to comply with a legal obligation, protect the rights, property, or safety of Memlin or others, enforce our agreements, or address fraud or security incidents. • Corporate Transactions. In connection with any actual or prospective merger, acquisition, financing, reorganization, or sale of assets, we may share or transfer Personal Data to the counterparty, successor, or acquirer. • With Your Consent. We may share Personal Data with third parties when you direct us to do so or with your consent. California Shine the Light (Cal. Civ. Code § 1798.83): Memlin does not disclose Personal Data to third parties for their own direct marketing purposes. California residents may request information about any such disclosures by contacting us at privacy@memlin.ai. 7. DATA RETENTION We retain Personal Data for as long as necessary to fulfill the purposes for which it was collected, including to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Specifically: • Account and identity information is retained for the duration of your account and for a period of three years thereafter, to enable account reactivation, comply with legal obligations, and resolve disputes. • Customer Data and Inputs are retained until account termination, at which point they are deleted in accordance with Memlin's deletion procedures within thirty days following termination. No data retrieval access is provided post-termination; Customers are responsible for exporting any required data prior to closing their account. Following account termination, we may delete or de-identify (in accordance with applicable de-identification standards) Customer Data and Inputs from active production systems within thirty days. Personal Data held in backup storage systems during this period will be rendered inaccessible and securely deleted in accordance with our standard backup retention schedule. • Memories are retained for the duration of the active Workspace. Active Workspaces are subject to automated memory optimization (including compression, re-ranking, and removal of stale or low-relevance Memories) to maintain context quality and performance, as further described in the Terms of Service. Customers may delete Memories at any time through Workspace Settings. • Audit-log records are retained for a period consistent with Memlin’s standard services practices as may be communicated to you through the Service. • Billing and transactional records are retained for the period required by applicable tax and accounting laws. • Aggregated Data is retained indefinitely. 8. YOUR RIGHTS 8.1 Rights Under United States Privacy Laws If you are a resident of California or another U.S. state with an enacted and effective comprehensive data privacy law, you have the following rights regarding your Personal Data, subject to applicable exceptions and verification requirements: • the right to know what Personal Data we have collected, the sources of collection, the purposes for which we use it, and the categories of third parties with whom we share it; • the right to access a copy of the Personal Data we have collected about you; • the right to correct inaccurate Personal Data; • the right to request deletion of Personal Data, subject to applicable exceptions; • the right to opt out of any “sale” or “sharing” of Personal Data as defined under applicable law. We do not sell Personal Data for monetary consideration. To the extent any sharing described in Section 6 constitutes a sale or sharing under applicable law, you may opt out through Workspace Settings or by contacting us at privacy@memlin.ai; • the right to limit the use and disclosure of sensitive Personal Data. Under the CCPA/CPRA, “sensitive personal information” includes Social Security numbers, financial account credentials, precise geolocation, contents of private communications, and health information, among other categories. Memlin does not use sensitive personal information for purposes beyond those permitted without limitation under the CCPA/CPRA; and • the right not to be discriminated against for exercising these rights. You may exercise these rights through your Workspace Settings or by contacting us at privacy@memlin.ai. We will verify your request through reasonable means and respond within the time periods required by law. If we deny your request in whole or in part, you may appeal that decision by sending a written appeal to privacy@memlin.ai within sixty days of receiving our response. Your appeal should identify the request at issue and explain the basis for your objection. We will respond to your appeal within forty-five days of receipt, or such longer period as permitted by applicable law, and will inform you in writing of the action taken and the reasons for our decision. If you remain dissatisfied after our appeal determination, you may submit a complaint to the Attorney General of your state. 8.2 Opt-Out from Workspace Insights. You may disable Workspace Insights at any time through Workspace Settings. If disabled, your workspace interaction metrics will not be analyzed for recommendation purposes and Workspace Insights will not be generated for your Workspace. Disabling Workspace Insights does not affect Memlin’s right to collect and use Usage Data for other purposes described in this Privacy Policy. 8.3 Opt-Out from Marketing Communications You may opt out of marketing communications using the unsubscribe link in any marketing email we send or by contacting us at privacy@memlin.ai. We may continue to send transactional and service-related communications. 8.4 Cookies and Tracking Technologies We use the following categories of cookies and tracking technologies on our public pages: (a) essential cookies, required for the website to function; (b) functional cookies, which remember your preferences; and (c) analytics and marketing cookies, which measure traffic and campaign performance. Authenticated application sessions use only essential and functional cookies; marketing cookies are not active within the authenticated Service environment. You may manage cookie preferences through your browser settings or through any cookie preference center we make available. Disabling non-essential cookies will not affect your ability to use the Service. We recognize Global Privacy Control (“GPC”) browser signals as a valid opt-out of the sharing of Personal Data for targeted advertising purposes with respect to our public pages. GPC signals do not apply to the authenticated application environment, where Memlin acts as a service provider and does not engage in targeted advertising or the sale or sharing of Personal Data for cross-context behavioral advertising. We do not respond to “Do Not Track” signals. 8.5 Authorized Agents California residents may use an authorized agent to submit rights requests on their behalf. We will require the authorized agent to provide proof of authorization and may require you to verify your identity directly with us. 9. CHILDREN AND SENSITIVE DATA 9.1 Children. We do not knowingly collect Personal Data from individuals under the age of eighteen. If we learn that we have collected Personal Data from an individual under 18, we will delete that information promptly. If you believe we may have collected Personal Data from a minor, please contact us at privacy@memlin.ai and we will take steps to delete the information. 9.2 Sensitive Categories and Consumer Health Data The Service is not designed or intended to collect, process, or infer consumer health data as defined under state health privacy statutes, including the Washington My Health My Data Act. Customers and Authorized Users are prohibited from using the Service to collect or process data relating to medical conditions, treatment protocols, or health status. If Memlin identifies consumer health data in Customer Data, Memlin may delete such data without notice and without liability to Customer. 10. DATA PROCESSING 10.1 Data Processing Addendum A Data Processing Addendum (“DPA”) is available to enterprise customers. The terms governing its execution and incorporation are set forth in the Terms of Service, available at https://memlin.ai/terms. To request a DPA, please contact us at privacy@memlin.ai. 10.2 Data Location Memlin is headquartered in the United States. All Personal Data collected through the Service is processed in the United States. 11. SECURITY We maintain administrative, technical, and physical safeguards designed to protect Personal Data from unauthorized access, use, alteration, and disclosure. These safeguards include logical access controls, encryption in transit and at rest, automated credential detection and redaction patterns applied during data ingestion, access controls based on need to know, and routine security review of our systems and sub-processors. No system is perfectly secure, and we cannot guarantee the security of Personal Data. In the event of a security incident affecting your Personal Data, we will notify you as required by applicable law. 12. THIRD-PARTY LINKS AND SERVICES The Service and our marketing materials may contain links to third-party websites and services not operated by Memlin. We are not responsible for the privacy practices of those third parties, and this Privacy Policy does not apply to them. We encourage you to review the privacy policies of any third-party services you use. 13. CHANGES TO THIS PRIVACY POLICY We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The most current version will be posted at https://Memlin.ai/privacy with an updated “Last Updated” date. If we make material changes, we will provide additional notice as required by applicable law, which may include direct notification to registered users. Your continued use of the Service after any non-material update constitutes your acceptance of the updated policy. 14. CONTACT US If you have questions about this Privacy Policy or our privacy practices, please contact us: Email: privacy@memlin.ai Attn: Legal / Privacy Vcorp Services LLC (Registered Agent for MemlinAI, Inc.) 108 W. 13th Street, Suite 100 Wilmington, DE 19801 — End of Privacy Policy —
Legal
Privacy Policy
Effective June 3, 2026. Version 2026-06-03. This page is the full canonical beta document used by onboarding acceptance.