Privacy Policy

Version 2.0 · Last updated: May 23, 2026

Introduction

Adam Duchemann, operating as memrly ("we," "our," "us"), provides a private photo and video sharing mobile application ("memrly" or the "Service"). We believe your memories belong to you and the people you share them with. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and your rights regarding your data.

By creating a memrly account, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

1. Data We Collect

1.1 Account Information

When you create an account, we collect:

Your name and profile picture
Email address (used for authentication and account communications)
Authentication credentials via Google Sign-In or Apple Sign-In

All users must create an account to access memrly. There is no anonymous or guest access.

1.2 Photos and Videos

When you upload content to albums, we store:

Your photos and videos in their original or processed quality
Thumbnails generated from your media
Captions you add to your content
Media metadata (dimensions, file size, duration for videos)

1.3 Activity Data

To provide the Service, we collect:

Likes and comments on photos and videos
Album membership and invitation records
Notification preferences you configure

1.4 Device Information

For push notification delivery, we store:

Your device push notification token
Device platform (iOSAndroid)

1.5 Payment Information

Subscription and purchase payments are processed entirely by Apple (App Store)Google (Play Store) and RevenueCat (our subscription management provider). We do not collect, store, or have access to your credit card numbers, bank account details, or other payment instruments. We receive only:

Subscription tier and status (active, expired, cancelled)
Purchase receipts for entitlement verification
Transaction identifiers for support purposes

1.6 Product Analytics

To understand how memrly is used and to improve it, we rely on two complementary streams of usage data:

Server-side metrics — aggregated, anonymized data computed on our own infrastructure (Supabase), such as upload rates and retention trends. This is not linked to identifiable information and is never shared.
PostHog — a third-party product-analytics service, hosted in the European Union, that records interaction events (for example page views, button taps, and conversion steps) against a pseudonymous identifier. We never send your photos, videos, names, email addresses, or message content to PostHog.

On our website, PostHog loads only after you accept our analytics banner; if you decline, no analytics cookies are stored and no events are sent. You can change your choice at any time by clearing your browser's site data for memrly. The memrly mobile app uses the same event-based product analytics, without cookies.

We do not use analytics to build advertising profiles, and we never sell, rent, or trade your data.

2. How We Use Your Data

We use your personal data exclusively for the following purposes:

Providing the Service: storing and delivering your photos and videos to authorized album members
Account management: authentication, account recovery, and subscription management
Communications: sending push notifications about album activity (configurable in settings), payment reminders, and important service updates
Content moderation: detecting and removing prohibited content to maintain platform safety (see Section 3)
Service improvement: analyzing anonymized, aggregated usage patterns to improve app features and performance
Engagement and retention: limited automated analysis of your account activity (such as how often you use the Service, which features you use, and your subscription status) to identify users who may benefit from a reminder, a tip, or a discount, and to send relevant in-app or email messages. This activity constitutes profiling within the meaning of Article 4(4) GDPR. Its lawful basis is our legitimate interest under Article 6(1)(f) GDPR in retaining users and improving the Service. You can object to this processing at any time, free of charge, by contacting support@memrly.com. We do not make any decisions with legal or similarly significant effects based on this profiling.
Legal compliance: responding to legal requests and enforcing our Terms of Service

We never use your photos to train AI or machine learning models
We never sell your data to third parties
We never show you ads
We never engage in behavioural advertising

3. Content Moderation and AI Scanning

To maintain a safe platform and comply with legal obligations, uploaded photos and videos may be automatically scanned using artificial intelligence and machine learning technologies. This scanning is designed to detect prohibited content, including but not limited to:

Child sexual abuse material (CSAM)
Graphic violence
Other content that violates our Acceptable Use Policy

Content flagged by automated systems is reviewed by a human moderator before any action is taken against your account. If prohibited content is confirmed, we may remove the content, suspend or terminate your account, and report the matter to relevant authorities, including the National Center for Missing & Exploited Children (NCMEC) and law enforcement, as required by law.

4. Permissions We Request

Permission	Purpose
Camera	To take photos and videos directly in the app
Photo Library	To upload existing photos and save images to your device
Microphone	To record audio when capturing videos
Contacts	To help you invite friends to albums. We do not store or upload your contacts to our servers.
Notifications	To alert you about new photos, comments, and album activity. Fully customizable in settings.

All permissions are optional. The app functions without granting any permission, though some features require specific permissions to operate.

5. Third-Party Services

We use the following third-party services to operate memrly. Each service processes only the minimum data required for its function:

Service	Purpose	Data Shared	Location
Supabase	Database and authentication	Account data, album data, activity records	European Union
Cloudflare R2	Media file storage	Photos, videos, thumbnails	Global (distributed CDN)
Google Sign-In	Authentication	Email, name, profile picture	United States
Apple Sign-In	Authentication	Email, name	United States
RevenueCat	Subscription management	Anonymous user ID, purchase receipts	United States
Expo	Push notification delivery	Device push token, platform	United States
PostHog	Product analytics	Pseudonymous usage events (no photos, names, or message content)	European Union

We do not share your photos, videos, or personal data with any of these services beyond what is strictly necessary for their function. We do not sell, rent, or trade your personal data to any third party.

6. Data Storage and International Transfers

Your data is stored in the following locations:

Database (account information, album data, activity records): Supabase servers in the European Union
Media files (photos, videos, thumbnails): Cloudflare R2 distributed storage network (global)

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, transfers of personal data to third-party services outside the EEA are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent safeguards as required by applicable law.

7. Data Security

We protect your data with:

Encrypted connections (HTTPS/TLS) for all data in transit
Encryption at rest for stored data
Row-level security policies ensuring you can only access data you are authorized to see
Secure token storage on your device (iOS KeychainAndroid Keystore)
Private albums accessible only to invited members
Regular security assessments of our infrastructure

No method of electronic storage or transmission is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

8. Data Retention

8.1 Active Accounts

Your data is retained for as long as your account is active and you maintain a valid subscription (if applicable).

8.2 Subscription Cancellation, Expiry, or Payment Failure

If your paid subscription is cancelled, expires, or your subscription payment fails and the App StoreGoogle Play cannot collect after their retry attempts, your subscription becomes inactive and your account moves to the free starting state. Your existing content is then placed in a freeze period during which it is preserved but you cannot use the paid features of your former tier. The freeze period depends on the tier you were on:

Personal — 365 days
Organizer — 180 days
Creator — 90 days

If you renew or upgrade before the end of the freeze period, your full content is restored. If you do not renew, at the end of the freeze period plus a 24-hour grace window we reduce the content stored on your account to the limits of the free starting state, deleting the oldest items above that limit.

8.3 Voluntary Account Deletion

If you choose to delete your account through the app's settings, deletion is processed immediately: your account information, profile and personal data are permanently and irreversibly deleted from our systems and from the third-party services listed in Section 5, in line with their respective deletion policies. We recommend exporting any content you wish to keep before initiating deletion.

8.4 Albums on Account Deletion

When you delete your account, all albums you own are also deleted. Album members receive a 30-day notice to download any content they contributed before deletion occurs.

9. Your Rights

9.1 All Users

Regardless of your location, you can:

Access your data — view all your photos, comments, and profile information in the app
Delete your content — remove any photo, comment, or album you own at any time
Delete your account — permanently remove your account and all associated data (see Section 8.3)
Control notifications — customize or disable all notification types in settings
Revoke permissions — disable camera, contacts, or other permissions in your device settings at any time

9.2 European Economic Area, United Kingdom, and Switzerland (GDPR)

If you are located in the EEA, UK, or Switzerland, you have the following additional rights under the General Data Protection Regulation (GDPR):

Right of access — request a copy of all personal data we hold about you
Right to rectification — request correction of inaccurate personal data
Right to erasure ("right to be forgotten") — request deletion of your personal data
Right to data portability — receive your data in a structured, commonly used, machine-readable format
Right to restrict processing — request that we limit how we use your data
Right to object — object to processing of your data for specific purposes
Right to withdraw consent — withdraw consent at any time where processing is based on consent
Right to lodge a complaint — file a complaint with your local data protection supervisory authority

To exercise any of these rights, contact us at support@memrly.com. We will respond within 30 days.

Lawful basis for processing:

Processing activity	Data categories	Lawful basis (Art. 6 GDPR)	Retention
Account creation and authentication	Name, email, profile picture, sign-in token	Performance of contract — Art. 6(1)(b)	Lifetime of account + 30 days
Hosting and delivery of user media	Photos, videos, thumbnails, captions, metadata	Performance of contract — Art. 6(1)(b)	Per Section 8 of this Policy
Detection of unlawful content (CSAM, violence)	Uploaded media (transient processing)	Legal obligation — Art. 6(1)(c) and legitimate interest — Art. 6(1)(f)	Hashes retained per regulator guidance
Push notifications	Device push token, platform	Consent — Art. 6(1)(a) — revocable in settings	Until revoked or account deleted
Subscription billing and entitlement	Receipts, transaction IDs, subscription tier	Performance of contract — Art. 6(1)(b) and legal obligation — Art. 6(1)(c)	Tax-retention period (typically 7–10 years)
Anonymised usage analytics	Aggregated, non-identifying counters	Out of scope of GDPR if truly anonymised	Indefinite (aggregate)
Trust and safety enforcement	Reports, moderation decisions, ban records	Legitimate interest — Art. 6(1)(f) and legal obligation — Art. 6(1)(c)	As long as needed to enforce ban-evasion rules
Engagement and retention messaging	Account activity, feature usage signals, subscription status	Legitimate interest — Art. 6(1)(f); right to object under Art. 21	Until account deleted or objection raised

9.3 California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with the following rights:

Right to know — request disclosure of the categories and specific pieces of personal information we collect
Right to delete — request deletion of your personal information
Right to opt-out of sale — we do not sell your personal information to third parties. As we do not sell data, there is no need to opt out.
Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights

To exercise these rights, contact us at support@memrly.com. We will verify your identity and respond within 45 days.

10. Data Breach Notification

In the event of a data breach that affects your personal data, we will notify affected users and relevant authorities in accordance with applicable law in each jurisdiction.

For GDPR users: we will notify the relevant supervisory authority within 72 hours and affected users without undue delay when required. For US users: we will notify affected residents in accordance with applicable state data breach notification laws.

11. Children's Privacy

memrly is intended for users aged 13 and above. If you are below the digital-consent age in your country of residence, you may use the Service only with verifiable consent from your parent or guardian. The applicable digital-consent age varies between European Union Member States: 13 in some States (for example Portugal), 15 in France, 16 in others (for example Germany). If you believe a user below the applicable age has created an account, please contact support@memrly.com and we will promptly delete the account and all associated data.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

Update the "Last Updated" date at the top of this policy
Notify you through the app or by email at least 30 days before the changes take effect
Provide a summary of what has changed

Your continued use of the Service after the effective date of the updated policy constitutes acceptance of the changes.

13. Contact Us

If you have questions about this Privacy Policy, your data, or wish to exercise any of your rights, contact us at:

Email: support@memrly.com

For GDPR-related inquiries, you may also contact your local data protection supervisory authority (e.g., CNIL in France, CNPD in Portugal).

14. Data-Protection Contact

memrly is operated from the European Union and therefore is not required to appoint an EU representative under Article 27 GDPR. memrly is not currently required to appoint a Data Protection Officer under Article 37 GDPR. If you have any questions, requests or complaints regarding personal data, please contact support@memrly.com. We will reply within 30 days, extendable to 90 days for complex requests, with notice to you.

This Privacy Policy is governed by the laws of Portugal. For users in the European Union, the provisions of the GDPR apply. For users in California, the provisions of the CCPA apply. For users in other jurisdictions, applicable local data protection laws apply in addition to this policy.

Revision History

v2.0 — May 23, 2026: Added PostHog analytics disclosure (§1.6, §5).
v1.0 — May 9, 2026: Initial published version.