Privacy Policy

Last updated: 29 July 2025

We welcome you to MemoChat, our website at www.memochat.net and/or our iOS and Android Mobile application (collectively our "Platform"). In the below Privacy Policy, we inform you about the scope of the processing of your Personal Data. MemoChat proceeds with all data processing procedures (e.g., collection, processing, and transmission) in accordance with Estonia's Personal Data Protection Act and the EU's General Data Protection Regulation ("GDPR").

Responsible for data processing

Responsible for data processing in accordance with the provisions of Estonian law and GDPR is:

AnimaTech OÜ
Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145, Estonia
Web: www.memochat.net
E-Mail: info@memochat.net

The Supervisory Authority

The competent data protection authority in Estonia is:

Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate)
Tatari 39, 10134 Tallinn, Estonia
Web: https://www.aki.ee

General information on data processing

In the course of our business and platform operations, we process data, and this data is generally transferred to our Amazon Web Services (AWS) server and we also use AWS for the provision of our website.

All Personal Data that we obtain from you via the platform will only be processed for the purposes described in more detail below. This is done within the framework of the respective legal regulations mentioned or only with your consent. In particular, Estonian law and GDPR specify when data processing is permitted. MemoChat collects Personal Data if:

• You have given your consent,
• The data is necessary for the fulfillment of a contract / pre-contractual measures,
• The data is necessary for the fulfillment of a legal obligation, or
• The data is necessary to protect the legitimate interests of our company, provided that your interests are not overridden.

MemoChat processes and stores your Personal Data only for the period of time required to achieve the respective processing purpose or for as long as a legal retention period (in particular Estonian commercial and tax law) exists. Once the purpose has been achieved or the retention period has expired, the corresponding data is routinely deleted.

Processing of Automatically Collected Data

a) Collection of access data and log files

We also collect data on every access to our website. The access data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider.

Log file information is stored for security reasons (e.g., for the clarification of abuse or fraud) for a maximum of 7 days and then deleted. Data whose further storage is necessary for evidentiary purposes is exempt from deletion until the respective incident is finally clarified. The legal basis for the data processing is our legitimate interest in providing an appealing website.

b) Use of cookies

To improve the services provided on the website, we use cookies that collect information about your usage behavior. Cookies are files that your web browser stores on your hard drive when you visit a website. Cookies may, under certain circumstances, personally identify you either directly (for example, with an e-mail address) or indirectly (for example, with a unique identification code of a cookie, an IP address or the identification code of a device). The data stored may include the pages you visit, the date and time of your visit, and other tracking information. For more information, please refer to our Cookie Policy.

c) Downloading the APP

The APP can be downloaded from the "Google Playstore" a service offered by Google Inc, 1600 Amphitheatre Parkway Mountain View, CA 94043, US, if you are resident outside the EU and Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland if you are a resident within the EU, or the Apple App service "App Store" a service of Apple Inc., 1 Infinite Loop, Cupertino, CA 95014, US, if you are resident outside the EU and Apple Distribution International Ltd, Hollyhill Industrial Estate, Hollyhill Ln, Knocknaheeney, Cork, Ireland, if you are a resident within the EU, to install our APP. Downloading it may require prior registration with the respective App store and/or installation of the respective App store software.

d) Installing the APP

As far as we are aware, Google collects and processes the following data: License check, network access, network connection, WLAN connections, and location information. However, it cannot be ruled out that Google also transmits the information to a server in a third country. We cannot influence which Personal Data Google processes with your registration and the provision of downloads in the respective App store and App store software. The responsible party in this respect is solely Google as the operator of the Google Play Store.

As far as we are aware, Apple collects and processes the following data: device identifiers, IP addresses, location information, it cannot be excluded that Apple also transmits the information to a server in a third country. This could in particular be Apple Inc. One Apple Park Way, Cupertino, California, USA, 95014. We cannot influence which Personal Data Apple processes with your registration and the provision of downloads in the respective app store and app store software. The responsible party in this respect is solely Apple as the operator of the Apple App Store.

e) Device information

Google and Apple may collect information from and about the device(s) you use to access the APP, including hardware and software information such as IP address, device ID and type, device-specific and APP settings and properties, APP crashes, advertising IDs (AAID), information about your wireless and mobile network connection such as your service provider and signal strength; information about device sensors such as accelerometer, gyroscope, and compass.

f) Purchases

When you make In-app purchases, we (Google and Apple on our behalf) may collect the following data from you to process the purchase:

• Android or Apple user ID
• Email address
• Payment confirmation from the payment data collected by Apple or Google
• Device IP and device serial number to link the purchase history to the device

g) Firebase

We use the Google Firebase developer platform and related features and services provided by Google LLC and Google Ireland Limited for push notifications and analytics. Google Firebase is a platform for developers of apps for mobile devices. The Google Firebase developer platform offers a variety of features. A list of these features can be found at: https://firebase.google.com/terms/. Firebase's key security and privacy information can be found here: https://firebase.google.com/support/privacy

Firebase logs are retained for 90 days and include anonymized device identifiers, Firebase tokens, and user engagement data (e.g., message read and delivery status).

Data processing when you use our services

a) Contacting us

If you contact us, we process the following data from you for the purpose of processing and handling your request: first name, last name, e-mail address, and, if applicable, other information if you have provided it, and your message. The legal basis for the data processing is our obligation to fulfill the contract and/or to fulfill our pre-contractual obligations (Art. 6 para. 1 lit. b GDPR) and/or our overriding legitimate interest in processing your request (Art. 6 para. 1 lit. f GDPR).

b) Profile and account

If you create a user account, you will receive a unique ID from us and you are required to provide a username, nickname, and public ID. You may optionally add a profile photo. This allows us to identify you as a user and gives you the opportunity to manage your account, use our services and manage your purchases. Within your profile you are able to delete your account at any time. Your data will be processed on the basis of contractual necessity (Art. 6 para. 1 lit. b GDPR) and your consent (Art. 6 para. 1 lit. a GDPR).

c) When using our services

We process the data of our registered users in order to be able to provide our contractual services as well as to ensure the security of our services and to be able to develop it further. The required information is identified as such in the context of the information required for the provision of services and billing.

Of course, in the course of operating the Services, we also process your chats with other users and the content you transmit.

Our Security Model:

• Text Messages: Encrypted using AES-256-CBC with salt on our servers (server-side encryption). Messages are encrypted when stored and decrypted when retrieved by users.
• Files and Audio Messages: Encrypted on your device before upload using unique per-chat encryption keys. We cannot decrypt these files as the encryption occurs client-side before reaching our servers.
• Data in Transit: All communications are secured using HTTPS/TLS encryption.

Some of the Personal Data you provide may be considered "special" or "sensitive". This includes Personal Data concerning for example your health, racial or ethnic origins, sexual orientation, and religious beliefs. By choosing to provide this data, you consent to our processing of that data.

You have choices about the Personal Data you upload and share. You don't have to provide Personal Data; however, Personal Data helps you to get more from our Services. It's your choice whether to include special category data and to make that special category data public. Please do not upload or add data that you would not want to be available.

The legal basis for the processing of your personal and special category data is the establishment and implementation of the user contract for the use of the service as well as your consent. We store the data until you delete your user account. Insofar as legal retention periods are to be observed, storage also takes place beyond the time of deletion of a user account.

You may withdraw your consent and request us to stop using and/or disclosing your personal and special category data by submitting your request to us in writing to info@memochat.net.

Duration of data storage

We only store Personal Data for as long as it is necessary for the purposes for which it is processed or for as long as any consent you have given us has been revoked by you. Insofar as statutory retention obligations must be observed, the storage period for certain data may be up to 10 years, irrespective of the processing purposes.

Specific retention periods:

• Account Data: Retained until you delete your account, at which point personal data is anonymized
• Message Data: Retained based on user settings, with options for 24-hour deletion, 1-week deletion, 1-month deletion, or longer retention for active accounts. All message data is deleted upon account deletion
• Log and Usage Data: Retained for up to 12 months to aid performance and troubleshoot issues
• Push Notification Tokens: Expire with the session or upon logout

Obligation to provide Personal Data

You are not obliged to provide us with Personal Data. However, depending on the individual case as described above, the provision of certain Personal Data may be necessary for the provision of the services. If you do not provide us with this Personal Data, we may not be able to provide the requested service.

Do Not Sell

We do not sell data to third parties.

Authorizations and Access

We may request permission to store your APP data including your Internet Connection and Network, Camera, Audio, Video, Photos and Gallery of your device. The legal basis for data processing is our legitimate interest and the provision of contractual or pre-contractual measures. You can deny access on your device via the Settings/Notifications/ options of your device; however, this means that our APP may not function as intended.

Push messages

When you use the app, you will receive so-called push messages from us, even if you are not currently using the App. These are messages that we send you as part of the performance of the contract. You can adjust or stop receiving push messages at any time via the device settings of your device.

Transfer of Personal Data

We will not disclose or otherwise distribute your Personal Data to third parties unless this:

• Is necessary for the performance of our services,
• You have consented to the disclosure, or
• The disclosure of data is permitted by relevant legal provisions.

However, we are entitled to outsource the processing of your Personal Data in whole or in part to external service providers acting as processors within the framework of Estonian law and GDPR.

Our main third-party partners include:

• Firebase (Google LLC) for notifications and user engagement analytics
• Amazon Web Services (AWS) for secure server hosting
• Synervoz SDK for enhanced communication features

These providers may process data outside the EU. We implement appropriate safeguards, including Standard Contractual Clauses (SCCs), to ensure GDPR compliance.

The service providers commissioned by us however will process your data exclusively in accordance with our instructions and we remain in accordance with Estonian law and the GDPR responsible for the protection of your data.

We may also disclose Personal Data to third parties if we are legally obliged to do so e.g., by court order or if this is necessary to support criminal or legal investigations or other legal investigations or proceedings at home or abroad or to fulfill our legitimate interests.

Automated decision-making

Automated decision-making including profiling pursuant to Art. 22 (1) and (4) GDPR does not take place at MemoChat.

Your data subject rights

Every data subject has:

• The right to information according to Art. 15 GDPR,
• The right to rectification according to Art. 16 GDPR,
• The right to deletion according to Art. 17 GDPR,
• The right to restriction of processing pursuant to Art. 18 GDPR, and
• The right to data portability under Art. 20 GDPR.

Further, you can revoke consent, in principle with effect for the future.

Furthermore, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). We would, however, appreciate the chance to deal with your concerns before you approach a data protection supervisory authority.

Finally, you also have a right to object according to Art. 21 GDPR. This applies, on grounds relating to data processing on the basis of my legitimate interest and also to profiling.

If you object, we will no longer process your Personal Data unless we can demonstrate compelling legitimate reasons for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

Please contact us at any time with questions and suggestions regarding data protection and to enforce your rights as a data subject.

Security

State-of-the-art internet technologies are used to ensure the security of your data. We employ robust measures to protect your data:

Hybrid Encryption Model:

• Text Messages: Server-side encryption (SSE) using AES-256-CBC with salt. Each message is encrypted differently using unique salt values.
• Files and Audio Messages: Client-side encryption with per-chat keys before S3 upload. We cannot decrypt these files as encryption occurs on your device.
• Data in Transit: HTTPS/TLS encryption for all communications.
• Data Fragmentation: S3 file encryption and segmentation for enhanced data security.

For secure storage of your data, the systems are protected by firewalls that prevent unauthorized access from outside. In addition, technical and organizational security measures are used to protect the Personal Data you have provided against accidental or intentional manipulation, loss, destruction, or access by unauthorized persons.

Updating your information

If you believe that the information we hold about you is inaccurate or that we are no longer entitled to use it and want to request its rectification, deletion, or object to its processing, please do so within your account or by contacting us using info@memochat.net.

Withdraw your consent

You may withdraw your consent and request us to stop using and/or disclosing your Personal Data for any or all purposes by submitting your request to us using info@memochat.net.

Please note that your withdrawal of consent will not prevent us from exercising our legal rights (including any remedies) or undertaking any steps as we may be entitled to at law.

Changes and updates

We kindly ask you to regularly inform yourself about the content of our Privacy Policy. We will amend our Privacy Policy as soon as changes to the information processing activities we carry out make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g., consent) or other individual notification.

Concerns and Contact

If you have any concerns about a possible compromise of your privacy or misuse of your personal information on our part, or any other questions or comments, you can contact us using info@memochat.net.