Privacy Policy
Last updated: 24 March 2026 · Effective date: 24 March 2026 · Version 1.0
Your privacy is the foundation of everything we build at ReMemo. This policy explains — in plain language and in full legal detail — exactly what data we collect, how it is processed, where it is stored, and what rights you hold under applicable law.
Table of Contents
- Who We Are
- Scope of This Policy
- Important Notice — Wellness Tool, Not a Medical Device
- Data Architecture: On-Device First
- What Data We Collect and How
- Legal Bases for Processing (GDPR Article 6 & 9)
- On-Device AI Mode (Apple Intelligence)
- Online AI Chat Mode — Third-Party AI Providers
- Data Retention
- Data Security
- International Data Transfers
- Your Rights Under GDPR
- Children's Privacy
- Cookies and Analytics
- Third-Party Links
- Changes to This Policy
- How to Contact Us
- Supervisory Authority
1. Who We Are
ReMemo ("ReMemo", "we", "us", or "our") is a software product developed and operated from Dublin, Ireland. For the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Data Protection Acts 1988–2018 (Ireland), ReMemo acts as the data controller in respect of personal data processed through our mobile application and this website.
2. Scope of This Policy
This Privacy Policy applies to:
- The ReMemo mobile application available on Apple iOS and iPadOS ("the App").
- The ReMemo marketing website located at rememo.app and all subdomains ("the Site").
- Any email communications you initiate with us, including waitlist sign-ups.
- Any care-home or institutional licence agreements entered into with ReMemo.
This policy does not apply to third-party services, websites, or applications that may be linked from within our App or Site. We encourage you to review the privacy notices of any third-party services you use.
3. Important Notice — Wellness Tool, Not a Medical Device
ReMemo is a wellness and memory-support tool. It is not a medical device, and it is not intended to diagnose, treat, cure, or prevent Alzheimer's Disease, dementia, or any other medical condition.
ReMemo has been designed in accordance with EU Medical Device Regulation (EU MDR) 2017/745, Rule 11 classification criteria. As a software application whose intended purpose is to provide cognitive support, memory prompts, and lifestyle assistance — rather than to drive clinical decisions or provide diagnostic outputs — ReMemo falls outside the definition of a medical device under EU MDR 2017/745 and is correspondingly exempt from the conformity assessment procedures applicable to such devices.
We nonetheless apply the principles of privacy-by-design, data-minimisation, and security-by-default as required under GDPR, and follow best-practice standards consistent with ISO/IEC 27001 and ISO 29101 in our product design and data-handling processes. Nothing in this policy or in the App constitutes medical advice. Users should always consult qualified healthcare professionals for any medical concerns.
4. Data Architecture: On-Device First
ReMemo is architected around a strict on-device data model. This is not a marketing claim — it is a fundamental technical and legal design principle that underpins every feature of the App.
What stays on your device — always
- All memory entries and personal notes
- Voice recordings and voice-pattern models
- Photos and media attached to memories
- Family member profiles and relationship maps
- Daily routines, reminders, and schedules
- Longitudinal cognitive interaction logs
- Conversation history with the AI companion
What may leave your device — only with your consent
- Message text sent during Online AI Chat sessions
- Waitlist email address (website only)
- Anonymised, aggregated crash/diagnostic data (if opted in)
The default mode of the App uses Apple Intelligence — on-device machine learning inference that never transmits your data to external servers. All AI processing occurs locally on your iPhone or iPad using Apple's on-device neural engine. ReMemo does not have access to, and does not receive, any output from Apple Intelligence beyond what is displayed on your own screen.
5. What Data We Collect and How
The following table sets out all categories of personal data processed in connection with ReMemo, together with the source, purpose, and applicable legal basis.
| Category | Examples | Source | Stored |
|---|---|---|---|
| Identity data | Name, date of birth, photo | User input | On-device only |
| Voice data | Voice recordings, speaker model | Microphone | On-device only |
| Memory entries | Personal stories, photos, notes | User input | On-device only |
| Interaction logs | Session timestamps, feature usage | App telemetry | On-device only |
| Online chat messages | Text sent to third-party AI (opt-in only) | User input | Transmitted to AI provider; not stored by ReMemo |
| Waitlist email | Email address, role | Website form | Encrypted Postgres database (Vercel/Neon) |
| Crash reports | Stack traces, device model, OS version | Opt-in diagnostics | Anonymised; no PII |
* We do not collect, infer, or process any special category data (Article 9 GDPR) — including health data — unless it is explicitly entered by the user into their own memory journal on their own device, in which case it never leaves that device.
6. Legal Bases for Processing (GDPR Article 6 & 9)
Under GDPR, every processing activity must rest on a valid legal basis. The following table maps each processing activity to its applicable legal basis under Article 6(1) GDPR (and, where relevant, Article 9(2) GDPR for special-category data).
Performance of a contract (Art. 6(1)(b))
Providing the core App functionality; enabling the on-device memory companion; processing waitlist registrations to notify users of App availability.
Legitimate interests (Art. 6(1)(f))
Anonymised crash reporting and aggregate App analytics to improve stability and user experience, where such processing does not override the fundamental rights and freedoms of data subjects. We conduct legitimate-interest assessments (LIAs) for all such activities.
Consent (Art. 6(1)(a) and Art. 9(2)(a))
Online AI Chat mode — the user explicitly enables this feature and is informed that their message text will be transmitted to a third-party AI provider before any data leaves the device. Consent is freely given, specific, informed, and unambiguous. It can be withdrawn at any time by toggling off Online AI Chat mode in the App settings.
Compliance with legal obligation (Art. 6(1)(c))
Retaining transaction records and communications as required by applicable Irish and EU law (e.g., tax, consumer protection).
7. On-Device AI Mode (Apple Intelligence)
The default AI mode in ReMemo uses Apple Intelligence, Apple Inc.'s suite of on-device machine learning models available on compatible iPhone and iPad devices running iOS 18 and later. When you use this mode:
- No data leaves your device. All inference is performed entirely on your local device hardware using Apple's Neural Engine. ReMemo does not transmit any of your personal data, memory entries, voice data, or conversation history to any server — including our own.
- ReMemo has no visibility into your data. Because all processing is local, we have no technical ability to access, copy, or use any of the information you enter into the App when using On-Device AI mode.
- Apple's privacy practices apply. The on-device AI functionality is governed by Apple Inc.'s own privacy policy and the terms of your Apple ID agreement. ReMemo is not responsible for Apple's processing of any data that Apple may collect through its operating system or services.
- No profiling, no advertising. We do not use your data in this mode — or in any mode — for profiling, advertising, behavioural tracking, or any purpose unrelated to directly providing you with the memory companion service.
8. Online AI Chat Mode — Third-Party AI Providers
Online AI Chat mode is entirely optional and opt-in. It is disabled by default. You must explicitly activate it in App settings before any data is transmitted externally.
When you choose to enable Online AI Chat mode, the text of the messages you send in a chat session may be transmitted to a third-party AI service provider ("AI Provider") in order to generate responses. The following conditions apply:
What is transmitted
Only the text content of the individual message(s) you send during an online chat session is transmitted to the AI Provider. Your stored memories, voice data, photos, family profiles, and all other App data remain on your device and are never transmitted to the AI Provider.
What we do not do with this data
- We do not store the content of your online chat messages on our servers.
- We do not use your chat messages to train AI models.
- We do not sell, rent, share, or disclose your chat content to any party other than the AI Provider, and solely for the purpose of generating the response you requested.
- We do not link your chat messages to any other personal data held about you.
AI Provider obligations
We contract with AI Providers under Data Processing Agreements ("DPAs") that comply with GDPR Article 28. AI Providers are instructed to process your message data solely to provide the requested AI response and not for any other purpose, including model training, advertising, or profiling. Relevant AI Providers' own privacy policies apply to their handling of data transmitted to them.
Sensitive information warning
We strongly recommend that you do not include sensitive personal information — such as full names, medical details, financial information, or any information concerning a third party — in messages sent via Online AI Chat mode. If you are assisting a person with dementia who cannot fully appreciate the implications of data sharing, please exercise appropriate care and use On-Device AI mode wherever possible.
Withdrawing consent
You may withdraw your consent to use Online AI Chat mode at any time by disabling the feature in App Settings → AI Mode → On-Device. Withdrawal of consent does not affect the lawfulness of any processing that occurred prior to withdrawal.
9. Data Retention
We apply the principle of storage limitation under GDPR Article 5(1)(e) — personal data is kept for no longer than is necessary for the purposes for which it is processed.
| Data category | Retention period | Deletion mechanism |
|---|---|---|
| All on-device App data | Until you delete the App | Delete App from device; or clear App data in Settings |
| Waitlist email address | Until App launch + 90 days, or until deletion requested | Email privacy@rememo.app with subject "Delete my data" |
| Online AI Chat messages | Not stored by ReMemo; AI Provider retention subject to their policy | Contact AI Provider directly; or do not use this feature |
| Anonymised crash reports | 12 months rolling | Automatically purged; opt out in App Settings |
| Legal/contractual records | 7 years (Irish Statute of Limitations) | Archived; access restricted |
10. Data Security
We implement appropriate technical and organisational measures ("TOMs") to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, in accordance with GDPR Article 32.
On-device encryption
All App data is stored within the iOS app sandbox and protected by iOS Data Protection (AES-256) tied to your device passcode. Files are classified at the 'Protected Until First User Authentication' level or higher.
Transport Layer Security
All network communications from the App (including Online AI Chat mode) use TLS 1.3 or higher with certificate pinning to prevent man-in-the-middle attacks.
Database security (waitlist)
Waitlist email addresses are stored in an encrypted PostgreSQL database hosted on infrastructure meeting SOC 2 Type II standards. Access is restricted by role-based controls and audited.
No passwords stored
We do not maintain user account passwords. Authentication is handled entirely through Apple's Sign-in with Apple or device-level biometric authentication.
Minimal data collection
Privacy-by-design means we do not collect data we do not need. The smallest possible dataset is processed to deliver each feature.
Security testing
We conduct regular code reviews and, prior to major releases, commission independent security assessments of the App and any backend infrastructure.
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33, and will notify affected data subjects without undue delay where required under Article 34.
11. International Data Transfers
ReMemo is based in Ireland, which is a member state of the European Union. Most data processing is entirely on-device and therefore involves no international transfer at all.
Where data is transferred outside the European Economic Area ("EEA") — for example, when Online AI Chat messages are sent to AI Providers whose infrastructure is located in the United States or other non-EEA jurisdictions — we ensure that such transfers are protected by one or more of the following safeguards:
- An adequacy decision by the European Commission under GDPR Article 45 (e.g., where the recipient country has been deemed to offer equivalent protection).
- Standard Contractual Clauses ("SCCs") approved by the European Commission under GDPR Article 46(2)(c), supplemented by a Transfer Impact Assessment ("TIA") where required.
- Binding Corporate Rules or other approved transfer mechanisms where applicable.
You may request a copy of the relevant transfer safeguards by contacting us at privacy@rememo.app.
12. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights in respect of personal data we process about you. These rights apply to the extent provided for under applicable law and may be subject to exemptions in certain circumstances.
Right of access (Art. 15)
You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data together with supplementary information about the processing.
Right to rectification (Art. 16)
You have the right to have inaccurate personal data corrected, and incomplete data completed, without undue delay.
Right to erasure / 'right to be forgotten' (Art. 17)
You have the right to request the deletion of personal data we hold about you where one of the specified grounds applies (e.g., the data is no longer necessary, you withdraw consent, you object and there are no overriding legitimate grounds).
Right to restriction of processing (Art. 18)
You have the right to request that we restrict our processing of your personal data in certain circumstances, such as while we verify the accuracy of data you have contested.
Right to data portability (Art. 20)
Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your data in a structured, commonly used, machine-readable format, and to transmit it to another controller.
Right to object (Art. 21)
You have the right to object at any time to processing of your personal data based on our legitimate interests or the performance of a task in the public interest. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Rights related to automated decision-making and profiling (Art. 22)
ReMemo does not subject any data subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects. This right is therefore not engaged in our current processing activities.
Right to withdraw consent (Art. 7(3))
Where processing is based on your consent (e.g., Online AI Chat mode), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
How to exercise your rights
To exercise any of the above rights, please contact our data protection contact at privacy@rememo.app with the subject line "GDPR Data Request". We will respond within one calendar month of receipt of your request (extendable by a further two months where necessary, with notice). We may need to verify your identity before processing your request. There is no charge for submitting a request.
13. Children's Privacy
ReMemo is designed for use by adults, including older adults and their family caregivers. The App is not directed to children under the age of 16 (or the applicable digital age of consent in the relevant EU Member State).
We do not knowingly collect personal data from individuals under 16. If you believe a child under 16 has provided us with personal data (for example, by submitting their email address to our waitlist without parental consent), please contact us immediately at privacy@rememo.app and we will take steps to delete such data promptly.
14. Cookies and Analytics
Mobile App: The ReMemo App does not use cookies.
Website: Our marketing website (rememo.app) uses minimal, privacy-respecting analytics provided by Vercel Analytics. Vercel Analytics is designed to be privacy-friendly and does not use cookies or fingerprinting techniques to track individual users. It collects aggregated, anonymised information about page visits and referral sources for the purpose of understanding how our Site is used and improving its content.
We do not use Google Analytics, Facebook Pixel, advertising cookies, or any third-party tracking technology on our Site. If this changes in the future, we will update this policy and, where required by law, obtain your consent before placing non-essential cookies on your device.
15. Third-Party Links
Our App and Site may contain links to third-party websites, applications, or services (for example, links to research papers or to Apple's website). We are not responsible for the privacy practices of third parties. We encourage you to read the privacy policies of any third-party services you access through links from our App or Site. This policy applies only to information collected by ReMemo.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other legitimate business reasons. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Display a prominent notice within the App or on the Site for a period of at least 30 days following the change.
- Where required by law or where the change materially affects your rights, seek your fresh consent before the new version takes effect.
Your continued use of the App or Site after the effective date of a revised policy constitutes your acceptance of the updated terms, subject to any consent requirements noted above. We encourage you to review this policy periodically.
17. How to Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal data, please contact us:
Email: privacy@rememo.app
General enquiries: hello@rememo.app
Postal address: ReMemo, Dublin, Ireland
We aim to respond to all privacy-related enquiries within 5 business days.
18. Supervisory Authority
If you are located in the EEA and believe we have not addressed your concerns satisfactorily, you have the right to lodge a complaint with your local data protection supervisory authority. As ReMemo is established in Ireland, our lead supervisory authority under the GDPR one-stop-shop mechanism is:
Data Protection Commission (DPC) — Ireland
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Website: www.dataprotection.ie
Phone: +353 (0)1 765 0100 · Lo Call: 1800 437 737
You may also lodge a complaint with the supervisory authority in your country of residence or place of work within the EU/EEA.
Privacy is built in, not bolted on.
At ReMemo, we chose an on-device-first architecture precisely because we believe intimate memories — especially those of people living with dementia — deserve the highest level of protection. Your data is yours. It stays on your device. That's a promise, not just a policy.
© 2026 ReMemo. All rights reserved. This Privacy Policy was last reviewed by our legal team on 24 March 2026.