GDPR compliance, not as an afterthought
Memra is built in the EU, for the EU. Every design decision puts data privacy first.
EU data residency
All data is stored in EU data centers in Germany. Single-region EU deployment -- your memories, metadata, embeddings, and cache never leave the European Union. No US replication, no multi-region complexity.
Complete data erasure
When you delete a tenant or request account erasure, Memra executes a 6-step deletion cascade:
- Memory content files -- Deleted from content storage, including all versions
- Metadata index -- All index rows removed for the target scope
- Embedding vectors -- Deleted from vector storage
- PII tokens -- Purged from the encrypted vault (AES-256-GCM)
- Cache entries -- Cleared using tenant-scoped keys (
embed:{account}:{tenant}:*) - Audit log entry -- Deletion logged to
gdpr_audit_logwith timestamp and scope
Data portability
Export all your data in one API call. Memories, metadata, and project configuration -- everything you need to migrate. The GET /v1/export endpoint returns a structured JSON export of your complete account, fulfilling GDPR Article 20 (Right to Data Portability).
Sub-processors
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| OpenAI | Embedding generation | Memory content (masked if Privacy Shield enabled) | US (API only, no storage) |
| Stripe | Billing and payments | Email, payment method, subscription data | US (PCI DSS compliant) |
| Resend | Transactional email | Email address, notification content | EU region |
| Sentry | Error monitoring | Error traces (memory content scrubbed) | EU ingest |
| Simple Analytics | Privacy-friendly website analytics | Page views only (no personal data, no cookies, no IPs) | EU |
| EU Infrastructure Provider | Infrastructure | All data (encrypted at rest) | Falkenstein, Germany |
Website analytics & cookies
This website does not use cookies for tracking and does not require a consent popup.
We use Simple Analytics for privacy-friendly website analytics. Simple Analytics collects no personal data, sets no cookies, does not fingerprint visitors, and stores no IP addresses. It is fully GDPR, PECR, and CCPA compliant without requiring consent.
The only external resource loaded on public pages is Alpine.js via the jsDelivr CDN, which is a functional necessity for the website to operate. This falls under legitimate interest (GDPR Article 6(1)(f)) as no alternative exists for delivering required frontend functionality. jsDelivr does not set cookies or track users.
Session cookies are only set when you log in to your dashboard -- never on public marketing pages.
Privacy by design
Memory IDs are UUIDs -- not user-identifiable. Tenant IDs are user-chosen strings that you control. Memra stores no PII unless the customer explicitly puts it in memory content.
For customers who need additional protection, the Privacy Shield feature provides automatic PII detection and deterministic masking. Emails, phone numbers, and IDs are replaced with consistent pseudonyms before storage -- Your embedding provider never sees raw PII.
