Privacy Policy

Last updated: 2026-05-28

Effective date: 2026-05-28

1. Introduction

Welcome to the privacy policy of Premex AB ("we", "us", or "our"). We operate the website located at https://memoria.premex.se and are committed to protecting your personal data.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you interact with our services. Please read it carefully.

Our principal place of business is located at: Jerikovägen 12, 141 32 Huddinge

Company registration number: 559253-4134

2. Data Controller

Premex AB is the data controller responsible for your personal data.

Data Protection Officer

We have appointed a Data Protection Officer (DPO) who can be contacted regarding any data protection matters:

3. Information We Collect

Personal Data

We may collect the following categories of personal data that you voluntarily provide to us:

  • Full name

  • Email address

  • Photos or avatars

Usage Data

We automatically collect certain information when you visit, use, or navigate our services:

  • IP address

  • Browser type and version

  • Operating system

  • Referring URLs

  • Pages visited and time spent

  • Date and time of access

  • Error logs and crash reports

Device Information

We collect information about the device you use to access our services, including:

  • Device type and model
  • Operating system and version
  • Unique device identifiers
  • Browser type and version
  • Screen resolution and colour depth
  • Language preferences

Cookies and Tracking Technologies

We use cookies and similar tracking technologies (pixels, web beacons, and local storage) to collect and store information about your interactions with our services.

Obligation to Provide Data

Providing certain personal data is necessary in order to use our services and enter into a contract with us. If you do not provide this data, you will not be able to create an account, store memories, generate or query the knowledge graph, or use the Memoria API and MCP server.

4. Legal Basis for Processing

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal bases:

  • Consent — you have given us clear consent to process your personal data for a specific purpose

  • Contract — processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract

  • Legal obligation — processing is necessary for compliance with a legal obligation to which we are subject

  • Legitimate interests — processing is necessary for our legitimate interests or those of a third party, provided your rights do not override those interests

Purpose-to-legal-basis mapping:

  • Service provision, account management, and authentication — Contract performance (GDPR Art. 6(1)(b))

  • Billing, invoicing, and statutory accounting records — Legal obligation (Art. 6(1)(c), Swedish Bokföringslagen)

  • Service analytics, abuse prevention, platform security, and product improvement — Legitimate interests (Art. 6(1)(f))

  • Marketing communications and optional product update emails — Consent (Art. 6(1)(a)), which you may withdraw at any time

Where we rely on consent as a legal basis, you have the right to withdraw your consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.

5. How We Use Your Data

We use the information we collect for the following purposes:

  • To provide, operate, and maintain our services

  • To improve and personalise user experience

  • To communicate with users, including responding to inquiries

  • To process transactions and manage billing

  • To monitor and analyse usage trends and service performance

  • To detect, prevent, and address fraud or security issues

  • To comply with legal obligations and enforce our terms

  • To provide customer support

  • To manage user accounts and authentication

6. Data Sharing and Third Parties

We may share your personal data with the following categories of third parties:

  • Cloud hosting and infrastructure providers

  • Email and communication service providers

  • Payment processors

  • Security and fraud prevention services

  • Legal and compliance advisors

  • Government authorities (when required by law)

We require all third parties to respect the security of your personal data and to treat it in accordance with applicable law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your data for specified purposes and in accordance with our instructions.

6.3 Payment Processors

We use third-party payment processors to handle payment transactions securely. Your payment information is transmitted directly to the payment processor and is not stored on our servers. The payment processors we use include:

  • Stripe

6.4 Social Login Providers

If you choose to register or log in using a social media or single sign-on account, we receive certain personal data from the social login provider as a third-party source. In accordance with GDPR Article 14(2)(f), we identify each provider we use as a source of personal data and disclose the categories of data we receive.

The social login providers we use are:

  • Google

Categories of personal data we receive from these providers:

  • Full name

  • Email address

  • Profile picture

  • Unique provider user ID

  • Verified email status

The specific data received depends on the provider you use and the permissions you grant during the authorisation flow. You can review and revoke our access at any time through the security or connected-apps settings of your social login account.

7. International Data Transfers

We primarily process and store your data within the country or region where our services are operated. If we need to transfer your data internationally in the future, we will update this policy and ensure appropriate safeguards are in place.

8. Data Retention

We retain your personal data for as long as is necessary to fulfil the purposes for which it was collected, unless a longer retention period is required or permitted by law.

Default retention period: As long as necessary for the stated purpose

We apply the following specific retention periods for different categories of data:

  • Account data: retained for the duration of the account plus 30 days after deletion

  • Transaction records: retained for 7 years for tax and legal compliance

  • Log files: retained for 90 days

  • Backup data: retained for 6 months

Detailed retention schedule:

  • Memory data (entities, edges, episodes, playbooks) — retained for the duration of the active brain plus 30 days after explicit deletion of the brain or account via the dashboard or API

  • Account profile data — duration of the account plus 30 days after deletion

  • Authentication and OAuth session records — 30 days after expiry

  • Billing and statutory accounting records — 7 years (Swedish Bokföringslagen 7 kap. 2 §)

  • Server access and security logs — 90 days

  • Encrypted backups — 6 months on a rolling basis

When the retention period expires, we will securely delete or anonymise your personal data in accordance with our data disposal procedures.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS/SSL)

  • Encryption of data at rest

  • Access controls and role-based permissions

  • Regular security audits and vulnerability assessments

  • Multi-factor authentication for staff access

  • Regular data backups with encryption

  • Data processing agreements with all sub-processors

  • Incident response and data breach notification procedures

  • Pseudonymisation and anonymisation where appropriate

While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee the absolute security of your data.

Data Breach Notification

In accordance with the General Data Protection Regulation (GDPR):

  • Supervisory Authority Notification: In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR.
  • Individual Notification: Where a data breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, as required by Article 34 of the GDPR. This notification will describe the nature of the breach, the likely consequences, and the measures taken or proposed to address it.
  • Record Keeping: We maintain records of all personal data breaches, including those not requiring notification, as part of our accountability obligations under the GDPR.

In the event of a breach requiring notification, we will notify: the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at https://www.imy.se

10. Your Rights

10.1 Rights Under the GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the GDPR:

  • Right of Access — You can request a copy of the personal data we hold about you.
  • Right to Rectification — You can request that we correct any inaccurate or incomplete personal data.
  • Right to Erasure — You can request that we delete your personal data (the "right to be forgotten"), subject to certain legal exceptions.
  • Right to Restrict Processing — You can request that we limit the processing of your personal data in certain circumstances.
  • Right to Data Portability — You can request a machine-readable copy of the personal data you have provided to us.
  • Right to Object — You can object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent — Where we process data based on your consent, you can withdraw that consent at any time.
  • Right Not to Be Subject to Automated Decision-Making — You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you.

To exercise any of these rights, please contact us at privacy@premex.se. We will respond to your request within one month.

If you believe that we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority: the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at https://www.imy.se

Swedish Data Protection Law

In addition to the GDPR, we comply with the Swedish Act with Supplementary Provisions to the EU General Data Protection Regulation (Lag 2018:218) and the Swedish Electronic Communications Act (LEK 2022:482), which implements the ePrivacy Directive. The supervisory authority for data protection in Sweden is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY). You may contact IMY at https://www.imy.se if you have concerns about our processing of your personal data.

11. Children's Privacy

Our services are not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If we discover that we have inadvertently collected personal data from a child under 16, we will promptly delete that information. If you believe that we may have collected data from a child, please contact us at privacy@premex.se.

12. Do Not Track Signals

We honour Do Not Track (DNT) signals sent by your browser. When we detect a DNT signal, we disable tracking, analytics, and advertising cookies for your browsing session.

13. Automated Decision-Making

We do not use solely automated decision-making, including profiling, that would have a legal or similarly significant effect on you.

15. Third-Party Links

Our services may contain links to third-party websites and services that are not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party websites or services. We encourage you to review the privacy policy of every site you visit.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

We will notify you by email, by posting a prominent notice on our website, and by updating the "Last updated" date at the top of this page.

The "Last updated" date at the top of this policy indicates when it was last revised. We encourage you to review this policy periodically. If material changes affect the legal basis on which we process your data, we will seek renewed consent where required.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Data Protection Officer: dpo@premex.se

Supervisory Authority: If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority: the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at https://www.imy.se