UltraMemory Privacy Policy
Effective Date: June 22, 2026
This Privacy Policy explains how UltraMemory, operated by LogicLabsAI LLC, a Georgia, USA limited liability company ("UltraMemory", "we", "us", or "our"), collects, uses, shares, and protects personal information in connection with the Ultra-Memory service (styled "UltraMemory"), a standalone, multi-tenant, billable agent-memory service for Hermes Agent users and any MCP (Model Context Protocol) client. The Service stores, recalls, consolidates, and gates AI "memories" on behalf of customers, and is exposed via a REST API and an MCP Streamable-HTTP endpoint.
This Policy applies to:
- our marketing website at https://ultramemory.us;
- our customer application at https://app.ultramemory.us;
- our API at https://api.ultramemory.us; and
- our MCP endpoint at the path /mcp (Streamable HTTP, HTTPS only).
1. The Two Roles UltraMemory Plays (Controller vs. Processor)
UltraMemory plays two distinct legal roles depending on the data in question, and this distinction determines who is responsible for individuals' data-protection rights. Please read this section first, because it frames the entire Policy.
1.1 Memory Content — we are a PROCESSOR; the customer is the CONTROLLER. "Memory Content" means the facts, observations, and related data that a customer stores, recalls, consolidates, and gates through the Service. For Memory Content, UltraMemory acts as a processor (a "service provider" / "contractor" under U.S. state privacy laws) that processes data solely on the customer's behalf and on the customer's documented instructions. The customer is the controller (or, where the customer is itself a processor for a further party, the relevant controller's processor). The customer decides what personal data, if any, is placed into Memory Content. Our processing of Memory Content is governed by our Data Processing Addendum (DPA), not by the controller-side terms of this Policy.
1.2 Account, billing, and security/audit data — we are an independent CONTROLLER. For the data we collect to create and administer customer accounts, to bill for the Service, to secure the Service, and to keep our audit trail, UltraMemory acts as an independent controller. This Policy primarily describes that controller-side processing.
1.3 Where to direct requests about Memory Content. Because the customer is the controller of Memory Content, requests from individual end users or data subjects concerning Memory Content (for example, access, correction, or deletion of a fact stored about a person) should be directed to the customer that stored that data, not to UltraMemory. If we receive such a request directly, we will, where we are able to identify the relevant customer, promptly refer the request to that customer and, unless legally required to act otherwise, will not respond substantively except on the customer's instructions. We will assist our customers in responding to these requests as set out in the DPA.
2. Categories of Personal Information We Process, and Their Sources
We are precise about what we do and do not collect. The categories below reflect the data the Service actually handles. The sources are: (a) directly from the customer or its authorized users (for example, when an account is created or data is submitted through the API/MCP); (b) automatically from operation of the Service (for example, a request correlation identifier); and (c) from our sub-processors (for example, the identity provider that brokers sign-in, or the payment processor).
| # | Category | Description | Role | Typical source |
|---|---|---|---|---|
| 2.1 | Memory Content | Customer-supplied facts/observations, with fields including entity, attribute, value, rationale, source, confidence, scope, and bitemporal validity timestamps. This is the most sensitive category and may contain personal data about the customer's own data subjects — the customer decides what to store. | We are processor; customer is controller | Customer / authorized users (via API/MCP) |
| 2.2 | Vector embeddings | Numeric vectors derived from Memory Content (Voyage voyage-3.5, 1024-dimensional) used for semantic search; stored in the primary database. Treated as derived from, and on the same footing as, the Memory Content they represent. | We are processor | Derived from Memory Content |
| 2.3 | Playbook entries & calibration/metamemory | Learned trigger/strategy records and confidence-gate parameters and feedback events. Tenant-scoped operational data. | We are processor | Generated from customer use |
| 2.4 | Account & authentication identity | Email address, external identity subject identifier, authentication provider, administrator flag, and login timestamps. | We are controller | Customer / authorized users; identity provider |
| 2.5 | API keys | Stored only as keyed HMAC-SHA256 hashes; the raw key is never stored. Authentication is bearer-token based. | We are controller | Generated by the Service |
| 2.6 | Tenant / subscription metadata | Tenant identifier, plan tier, status, Stripe customer/subscription identifiers, subscription status, and period end. | We are controller | Customer; payment processor |
| 2.7 | Billing events | External event identifiers used for idempotency. No card data. | We are controller | Payment processor |
| 2.8 | Audit logs | Append-only and immutable, enforced at the database layer; record only actor, action, object IDs, counts, gate decisions, and a per-request correlation identifier, never Memory Content values. | We are controller | Generated by the Service |
| 2.9 | Request metadata | A request correlation identifier used to trace and support requests. | We are controller | Generated by the Service |
2.10 What we do NOT collect. We do not collect precise geolocation, device fingerprints, advertising identifiers, biometric data, or payment card numbers, and we do not sell or share personal data for cross-context behavioural advertising. Client IP addresses and User-Agent strings are NOT logged or stored by the application. Where our optional error-monitoring sub-processor is enabled, it is configured with PII disabled and does not receive request bodies, Memory Content, authentication headers, or cookies (see Sections 4 and 8).
2.11 Payment card data. Card and payment-method data are handled solely by our payment processor (Stripe) and are never stored by UltraMemory. We receive only billing-related metadata such as subscription status and external identifiers.
2.12 Sensitive personal information. For the data we process as a controller (Sections 2.4–2.9), we do not intentionally collect "sensitive personal information" as defined under the CPRA and comparable U.S. state laws (for example, government identifiers, precise geolocation, racial or ethnic origin, religious beliefs, health, sex life or sexual orientation, biometric data for unique identification, or the contents of mail/email/messages not directed to us). Account credentials are limited to email address and a federated identity subject; we use them only to authenticate and provide the Service and never to infer characteristics about you. Memory Content may contain categories that are sensitive or special-category data, but that determination and any associated legal basis rest with the customer-controller under the DPA (see Section 1).
2.13 Categories disclosed for a business purpose. In the preceding 12 months we have disclosed the controller-side categories above to our service providers/sub-processors for a business purpose only (as listed in Section 4) — for example, account identity to the identity provider, and tenant/billing metadata to the payment processor. We have not sold or shared any category of personal information (see Section 10).
3. Purposes of Processing and Legal Bases (GDPR Article 6)
For the controller-side personal information we process, the table below maps each purpose to its legal basis under Article 6 of the EU/UK GDPR. (Our processing of Memory Content is performed on the customer-controller's instructions under the DPA; the customer is responsible for establishing the legal basis for that processing.)
| # | Purpose | Data used | GDPR Art. 6 legal basis |
|---|---|---|---|
| 3.1 | Create and administer accounts; authenticate users; provide access to the API/MCP and customer app | Account & authentication identity (2.4); API keys (2.5); tenant metadata (2.6) | Art. 6(1)(b) — performance of a contract |
| 3.2 | Process subscriptions, payments, and renewals | Tenant/subscription metadata (2.6); billing events (2.7) | Art. 6(1)(b) — contract; and Art. 6(1)(c) — legal obligation (tax/accounting) |
| 3.3 | Secure the Service, prevent fraud and abuse, enforce rate limits, and maintain the integrity and availability of a multi-tenant system | Request metadata (2.9); account identity (2.4); audit logs (2.8) | Art. 6(1)(f) — legitimate interests (securing our systems and our customers' data) |
| 3.4 | Maintain a tamper-evident audit trail of administrative and security-relevant actions | Audit logs (2.8) | Art. 6(1)(f) — legitimate interests; and Art. 6(1)(c) — legal obligation, where applicable |
| 3.5 | Provide support and operational communications about the Service | Account identity (2.4); request metadata (2.9) | Art. 6(1)(b) — contract; and Art. 6(1)(f) — legitimate interests |
| 3.6 | Comply with law, respond to lawful requests, and establish, exercise, or defend legal claims | As relevant to the matter | Art. 6(1)(c) — legal obligation; and Art. 6(1)(f) — legitimate interests |
Where we rely on legitimate interests (Art. 6(1)(f)), we have balanced those interests against the rights and freedoms of the individuals concerned. You may object to such processing as described in Section 9.
4. How We Share Personal Information (Sub-Processors and Recipients)
We do not sell personal information, and we do not share it for cross-context behavioural advertising (see Section 10). We disclose personal information only to the categories of recipients below, each bound by appropriate contractual obligations, and as required by law.
4.1 Sub-processors. We engage the sub-processors listed on our Sub-processors page (incorporated by reference; see the "Sub-processors" link on https://ultramemory.us). The current categories are:
- Cloud infrastructure (Amazon Web Services, Inc.) — compute, primary database (PostgreSQL with pgvector), cache, object storage, load balancing and web application firewall, key management, secrets management, audit logging, monitoring, notifications, content delivery, certificates, and networking. AWS hosts all customer data at rest, in the United States (region us-east-1). Status: live.
- Text embedding generation (Voyage AI) — to compute the vector embeddings used for semantic recall, Memory Content text is transmitted to Voyage. Voyage is, besides AWS, the only sub-processor that receives Memory Content. Location: United States. Status: live.
- Authentication / identity management (Supabase, Inc.) — manages customer/operator email and external identity subject, and brokers Google sign-in. Does not receive Memory Content. Location: United States. Status: live.
- Sign-in identity provider (Google LLC) — OAuth 2.0 sign-in (email and basic profile), brokered via Supabase. Location: United States. Status: live.
- Payment processing and subscription billing (Stripe, Inc.) — billing contact and subscription status; card and payment data are handled solely by Stripe and never stored by UltraMemory. Location: United States / EU. Status: activating (currently a no-op billing seam being switched to live Stripe).
- Application error monitoring (Sentry — Functional Software, Inc.) — configured to send no request bodies, no Memory Content, and no PII (authentication headers and cookies are scrubbed). Location: United States. Status: optional / enabled only when configured.
- Authoritative DNS (Cloudflare, Inc.) — DNS for ultramemory.us only; not in the data path. Location: global anycast. Status: live.
- Source-code hosting and CI/CD (GitHub, Inc., a Microsoft company) — does not process customer personal data or Memory Content; listed for transparency as an operational vendor and not a processor of customer personal data. Location: United States. Status: live.
4.2 Sub-processor changes. We will give at least 30 days' prior notice of any new or replacement sub-processor, and a customer-controller may object on reasonable data-protection grounds as described in the DPA. We impose data-protection obligations on our sub-processors that are no less protective than those that apply to us, and we remain responsible for their performance.
4.3 Legal disclosures and corporate transactions. We may disclose personal information where required to comply with applicable law, legal process, or enforceable governmental request, or to protect our rights, users, or the security of the Service. If we are involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction, subject to the protections of this Policy.
4.4 No advertising or data brokers. We do not disclose personal information to advertising networks, data brokers, or analytics providers for cross-context behavioural advertising. The recipients above receive personal information only as service providers/processors acting on our documented instructions for the business purposes described.
5. International Data Transfers
Our primary processing takes place in the United States (AWS us-east-1). If you access the Service from the European Economic Area (EEA), the United Kingdom, or Switzerland, your personal information may be transferred to, and processed in, countries that may not provide the same level of data-protection law as your home jurisdiction. The recipients of any such transfer are the sub-processors identified in Section 4 (primarily Amazon Web Services and Voyage AI, which are located in the United States).
Where such transfers occur, we rely on appropriate safeguards, including, as applicable, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, each incorporated by reference where applicable. These safeguards are supplemented by technical measures including encryption in transit and at rest (see Section 8). You may request a copy of the relevant transfer safeguards by contacting us at the address in Section 15.
6. Data Retention
We retain personal information only for as long as necessary for the purposes described in this Policy, and then delete or anonymise it.
- 6.1 Memory Content (and derived embeddings). Retention is controlled by the customer-controller under the DPA. By default, on termination of a customer's subscription the customer may export its Memory Content, and UltraMemory deletes Memory Content within 30 days of termination, except for (a) copies required to be retained by law, and (b) copies in tamper-evident audit logs or backups, which cycle out on their normal schedule. Deletion is an operator-fulfilled process performed within the stated timeframe; we do not currently offer fully self-service programmatic per-record erasure tooling.
- 6.2 Account, tenant, and billing data. Retained for the life of the account, plus any further period required for tax, accounting, audit, or other legal obligations.
- 6.3 Audit logs. Append-only and immutable at the database layer; retained for security and accountability and cycled out per our standard schedule. Audit logs never contain Memory Content values.
- 6.4 Backups. Operated via AWS RDS point-in-time recovery (approximately 7 days). Data in backups is overwritten or aged out on the normal backup cycle.
7. Personal-Data Breach Notification
If we become aware of a personal-data breach affecting personal information we process as a controller, we will notify affected individuals and/or the competent supervisory authority where required by, and within the timeframes set by, applicable law (under the GDPR, a controller notifies the supervisory authority without undue delay and, where feasible, within 72 hours). Where we process Memory Content as a processor, we will notify the affected customer-controller without undue delay and in any event within 72 hours of becoming aware, as set out in the DPA, so that the controller can meet its own notification obligations.
8. How We Protect Your Data (Security)
We maintain technical and organisational measures designed to protect personal information appropriate to the risk. The measures below are accurate descriptions of measures currently in place. We do not hold, and do not claim, any security certification or attestation (for example, we do not hold SOC 2, ISO 27001, PCI-DSS, or HIPAA certification). The Service currently runs in a single availability zone (no multi-availability-zone failover); resilience relies on automated instance recovery and point-in-time recovery (see Section 6.4) rather than on any uptime or high-availability guarantee.
- 8.1 Encryption in transit. TLS 1.2 or higher everywhere; database connections require TLS (sslmode=require); cache transit encryption is enabled.
- 8.2 Encryption at rest. AWS KMS customer-managed keys with automatic rotation; a separate, dedicated key encrypts the audit-log trail, separating data access from audit integrity.
- 8.3 Tenant isolation. A single API-key-to-tenant resolution chokepoint, plus PostgreSQL Row-Level Security (FORCE RLS) on every tenant-scoped table; the application connects via a least-privilege, non-owner database role.
- 8.4 Access control. No SSH (administration is via AWS Systems Manager Session Manager only); no public IP addresses on compute or data tiers; private subnets with least-privilege security groups; human access via single sign-on with temporary credentials; workload access via IAM roles; zero static long-lived cloud keys; CI/CD authenticates via keyless OIDC.
- 8.5 Secrets management. All secrets are fetched from AWS Secrets Manager at runtime; nothing is kept in source code, container images, or .env files; the database master password is on automatic rotation; API keys are stored only as keyed HMAC-SHA256 hashes (the raw key is never stored).
- 8.6 Auditing and detection. Multi-region AWS CloudTrail with log-file validation (tamper-evident) writing to a versioned, access-restricted, encrypted bucket; seven CIS-aligned detective alarms (root-account use, unauthorized API calls, console sign-in without MFA, console authentication failures, trail tampering, IAM policy changes, and KMS key disable/delete) raise real-time alerts; the application audit log is append-only and immutable at the database layer.
- 8.7 Application hardening. Strict schema validation on every endpoint; per-API-key rate limiting; idempotent writes (content-hash deduplication); append-only database migrations; the MCP interface is served over Streamable HTTP with Origin validation (to defend against DNS-rebinding) and over HTTPS only. MCP currently authenticates via bearer tokens; OAuth 2.1 / PKCE is planned but not yet live.
- 8.8 Data minimisation in logs. Memory Content is never written to logs; error monitoring scrubs authentication headers and cookies and transmits no request bodies and no PII; client IP addresses and User-Agent strings are not logged by the application.
No method of transmission or storage is 100% secure, and we cannot guarantee absolute security; however, we work to protect personal information and to maintain and improve these measures over time.
9. Your Privacy Rights and How to Exercise Them
The rights available to you depend on where you live and on whether the data concerned is held by us as a controller or as a processor. For Memory Content, please direct your request to the relevant customer (the controller); see Section 1.3. For data we hold as a controller, the following applies.
9.1 Rights under the GDPR / UK GDPR. Subject to conditions and exemptions, you have the right to: access your personal data; rectify inaccurate data; erase data ("right to be forgotten"); restrict processing; data portability; object to processing based on legitimate interests; and withdraw consent at any time where processing is based on consent (without affecting the lawfulness of prior processing). You also have the right to lodge a complaint with a supervisory authority in your country of residence, place of work, or place of the alleged infringement.
9.2 Rights under the CCPA/CPRA and other U.S. state laws. Subject to conditions and exemptions, you have the right to: know/access the categories and specific pieces of personal information we collect, the sources, the business or commercial purposes, and the categories of third parties to whom we disclose it; delete personal information; correct inaccurate personal information; opt out of the sale or sharing of personal information (note: we do not sell or share — see Section 10); limit the use and disclosure of sensitive personal information (note: we do not collect sensitive personal information for our own controller purposes — see Section 2.12); and non-discrimination for exercising your rights. Where applicable, comparable rights under other U.S. state privacy laws (including the right to appeal a decision on your request) are honoured.
9.3 How to exercise your rights. You may submit a request by emailing privacy@ultramemory.us, or through your account in the customer app at https://app.ultramemory.us. To protect your privacy, we will take reasonable steps to verify your identity before acting, generally by confirming control of the account email. You may use an authorized agent to submit a request on your behalf, subject to verification of the agent's authority. We will respond within the timeframes required by applicable law. We will not discriminate against you for exercising any of these rights.
10. We Do Not Sell or Share Your Personal Information, and We Do Not Train AI Models on Your Memory Content
10.1 No sale or sharing. We do not "sell" your personal information and we do not "share" it for cross-context behavioural advertising, as those terms are defined under the CCPA/CPRA and other applicable U.S. state privacy laws. We do not receive money or other valuable consideration in exchange for personal information, and we do not have actual knowledge of selling or sharing the personal information of consumers under 16 years of age.
10.2 No model training on Memory Content. We do not use your Memory Content (including the embeddings and any consolidated memories derived from it) to train, retrain, or fine-tune any artificial-intelligence or machine-learning model — neither our own models nor any third party's. Memory Content text is transmitted to our embedding sub-processor (Voyage AI) only to compute the vectors used for your own semantic recall, and not for any model-training purpose.
11. Cookies and Similar Technologies
The customer application at https://app.ultramemory.us uses strictly-necessary authentication and session cookies only, which are required to log you in and keep you securely signed in. We do not use advertising cookies, cross-site tracking cookies, or third-party tracking technologies. Because the authentication cookies are strictly necessary to deliver a service you have requested, they do not require consent under applicable law; you can block or delete cookies through your browser settings, but doing so may prevent you from signing in or using the Service.
12. Children's Privacy
The Service is intended for business users and is not directed to children. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under that age in contravention of applicable law, we will take reasonable steps to delete it. If you believe a child has provided us personal information, please contact us at privacy@ultramemory.us.
13. Automated Decision-Making and Profiling
The Service includes a "metamemory gate" and related consolidation logic. These operate on the customer's own data to decide whether, and with what confidence, to surface or store a memory; they assist the customer's own application and do not make decisions that produce legal effects concerning, or similarly significantly affect, individuals within the meaning of Article 22 of the GDPR. We do not use these mechanisms to make solely-automated decisions about individuals on our own account.
14. Changes to This Policy
We may update this Policy from time to time. When we make material changes, we will update the "Effective Date" above and, where appropriate, provide additional notice (for example, by email or through the customer app). We encourage you to review this Policy periodically. Your continued use of the Service after a change becomes effective constitutes acceptance of the updated Policy, to the extent permitted by law.
15. Contact Us and Representatives
If you have questions about this Policy or our privacy practices, or wish to exercise your rights, please contact us:
- Privacy enquiries and rights requests: privacy@ultramemory.us
- Legal: legal@ultramemory.us
- Security: security@ultramemory.us
- Data protection officer (if appointed): dpo@ultramemory.us
- Postal address: 5229 Leecroft Drive, Sugar Hill, GA 30518
EU / UK representative. If we are required to appoint a representative in the European Union and/or the United Kingdom under Article 27 of the EU/UK GDPR (because we offer the Service to, or monitor, individuals in those territories without an establishment there), the representative's details will be provided here.
Governing law. This Policy and any dispute relating to it are governed by the laws of the State of Georgia, USA, without prejudice to any mandatory data-protection rights you have under the law of your place of residence.
This Privacy Policy addresses UltraMemory's controller-side processing. UltraMemory's processing of customer Memory Content as a processor is governed by the Data Processing Addendum (DPA) between UltraMemory and the customer-controller, which prevails over this Policy with respect to that processing.