Skip to content
← Back to MemDown

Privacy Policy

Last updated: February 2, 2026

1. Information We Collect

For Registered Users:

  • Account Information: Email address, display name (optional), password (hashed)
  • Content: Lists, list items, tags, categories you create
  • Usage Data: IP addresses (stored for 90 days for security), account activity timestamps
  • Contact Messages: If you contact us, we store your name, email, and message

For Non-Registered Users:

  • Local Storage Only: Your lists are stored locally in your browser (IndexedDB). We do not have access to this data.
  • Preferences: Display preferences stored in browser localStorage

2. How We Use Your Information

  • Provide and improve the service
  • Authenticate your account
  • Send essential emails (password resets, email verification)
  • Respond to support requests
  • Detect and prevent fraud/abuse

3. Data Storage & Security

  • Encryption: All passwords are hashed using BCrypt
  • HTTPS: All data transmission is encrypted
  • IP Retention: IP addresses automatically deleted after 90 days
  • Log Retention: Server logs retained for 30 days then automatically deleted

4. Cookies

We use strictly necessary cookies only:

  • refreshToken: HttpOnly cookie for authentication (essential for login functionality)

We do NOT use tracking, analytics, or advertising cookies.

5. Your Rights (GDPR Compliance)

You have the right to:

  • Access: Download all your data via /api/auth/export-data
  • Deletion: Delete your account and all data via Settings → Account Deletion
  • Portability: Export your data in JSON format
  • Correction: Update your profile information anytime

6. Marketing Communications

We do NOT currently send marketing emails. If we introduce marketing in the future:

  • We will email you first to request opt-in consent
  • You can opt-out anytime
  • Essential account emails (security, password resets) cannot be disabled

7. Third-Party Services

  • SendGrid: Email delivery (password resets, verifications)
  • No Analytics: We do not use Google Analytics, Facebook Pixel, or similar tracking

8. Log Sanitization

Our logs may contain technical information for debugging, but we:

  • Do NOT log your list content or personal data
  • Do NOT log email addresses (user IDs only)
  • Do NOT log passwords or authentication tokens
  • Automatically delete logs after 30 days

9. Children's Privacy

MemDown is not intended for users under 13. We do not knowingly collect data from children.

10. Changes to Privacy Policy

We may update this policy. Changes will be posted with a new "Last updated" date.

11. Contact Us

Questions about privacy? Contact us via the in-app contact form or email support@memdown.com