MemothMemoth

Privacy Policy

Effective date: March 28, 2026
Last updated: April 3, 2026

1. Overview

Memoth (“we”, “our”, “us”) is an AI-powered voice notes application operated by Artlink Live Ltd., a company registered in Israel. This Privacy Policy explains how we collect, use, store, and protect your information when you use Memoth on any platform — iPhone, iPad, Mac, Apple Watch, WhatsApp, or our website (memoth.com).

By using Memoth, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the service.

2. Information We Collect

2.1 Account Information

  • Name, email address, and profile photo (provided during sign-up via Apple, Google, or email through our authentication provider, Clerk)
  • Authentication tokens and session data (managed by Clerk)
  • IP address and device identifiers collected during authentication
  • Phone number (only if you voluntarily link WhatsApp for the voice bot feature)

2.2 Audio Recordings

  • Audio is recorded and stored locally on your device
  • When you use cloud processing (available on Pro and Pro Plus plans), audio is temporarily uploaded to our servers via Amazon S3 for the sole purpose of transcription
  • Audio files are permanently deleted from our servers immediately after transcription is complete — typically within minutes. An automated cleanup job runs hourly to ensure no files persist beyond one hour.
  • WhatsApp voice messages sent to the Memoth bot are processed in real-time and are not stored on our servers after processing

2.3 Transcripts, Summaries, and AI-Generated Content

  • All transcripts, summaries, action items, categories, and speaker identifications are generated by AI and stored locally on your device using an on-device database
  • If you enable iCloud Sync, this data syncs across your Apple devices via Apple's iCloud infrastructure — we do not have access to your iCloud data
  • We do not retain your transcripts, summaries, or notes on our servers beyond the temporary processing window required to deliver results to your device

2.4 Usage and Billing Data

  • Monthly audio processing duration (in seconds) for subscription limit enforcement
  • API usage logs recording which features you use, timestamps, and processing duration — never the content of your recordings or transcripts
  • Subscription tier and purchase history (managed by RevenueCat and Apple)

2.5 Device and Technical Data

  • Device type, operating system version, and app version for compatibility and diagnostics
  • IP address and approximate location (country/region level) for security and abuse prevention

2.6 Analytics

  • We use PostHog for product analytics to understand how Memoth is used and to improve the product
  • Analytics events may include identifiers such as your account ID, device type, app version, and feature usage. We do not send recording content, transcript text, summaries, action items, or personal notes to PostHog
  • On iPhone and iPad, we also enable session replay for product diagnostics. Text inputs are masked before capture. Session replay is used only to understand app behavior and diagnose issues, not for advertising or cross-app tracking
  • Analytics data is collected under legitimate interest for product improvement. You may object to analytics processing by contacting us at privacy@memoth.com

3. How We Process Your Data

3.1 Purposes of Processing

  • To provide the service: Audio transcription, AI-powered analysis (summaries, action items, categories, speaker identification), and cross-device sync
  • To enforce usage limits: Tracking monthly audio processing duration against your subscription tier
  • To manage your account: Authentication, subscription management, and customer support
  • To improve the product: Product analytics help us understand usage patterns, diagnose bugs, and improve performance
  • To ensure security: Fraud prevention, abuse detection, and maintaining service integrity

3.2 Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or another jurisdiction that requires a legal basis for processing, we rely on:

  • Contract performance (Article 6(1)(b) GDPR) — Processing necessary to provide the transcription, AI analysis, and sync features you signed up for
  • Legitimate interest (Article 6(1)(f) GDPR) — Analytics, diagnostics, fraud prevention, and service improvement, where our interests do not override your rights
  • Consent (Article 6(1)(a) GDPR) — Where required, such as linking your WhatsApp account or opting into cloud AI processing

3.3 Processing Paths

Memoth offers two processing paths:

  • On-device processing: Audio is transcribed locally using Apple's Speech Recognition framework. Your audio never leaves your device. AI features are limited in this mode.
  • Cloud processing (Pro/Pro Plus): Audio is securely uploaded to our servers, transcribed by AssemblyAI, and analyzed by AI providers (Anthropic Claude, OpenAI, or Google Gemini via the Vercel AI Gateway). Results are streamed back to your device, and audio is deleted from our servers immediately after processing.

4. AI Processing and Transparency

Memoth uses artificial intelligence to generate transcripts, summaries, action items, categories, and speaker identifications. We believe in full transparency about how your data interacts with AI systems.

4.1 No Training on Your Data

We do not use your recordings, transcripts, summaries, or any content to train AI models. We contractually require all third-party AI providers to refrain from using your data for model training. Specifically:

  • AssemblyAI — We have opted out of their model improvement program. Your audio is not used for training.
  • Anthropic (Claude) — API data is never used for model training per their commercial terms.
  • OpenAI — API data is not used for model training by default per their business terms.
  • Google (Gemini) — We use only the paid API tier, which prohibits Google from using your data for model training.

4.2 AI-Generated Content Disclaimer

AI-generated content (transcripts, summaries, action items, categories) may contain errors, omissions, or inaccuracies. These outputs are AI-assisted approximations and should not be treated as verbatim records or relied upon without independent verification. We are not responsible for decisions made based on AI-generated content.

4.3 EU AI Act Transparency

In compliance with the EU AI Act, we disclose that Memoth uses automated AI systems for speech-to-text transcription and natural language analysis. Content generated by these systems is produced by AI, not by humans. You should always verify important information from AI-generated outputs before acting on it.

5. Third-Party Services

Memoth relies on the following third-party services to provide its features. Each service processes only the minimum data necessary for its function. We maintain Data Processing Agreements (DPAs) with each provider.

5.1 Transcription

  • AssemblyAI — Speech-to-text transcription with speaker identification. Audio is transmitted securely (TLS 1.3) and encrypted at rest (AES-256). We have opted out of their model training program. Transcription results are deleted from AssemblyAI immediately after we retrieve them. EU processing (Dublin) is available for European users. AssemblyAI Privacy Policy

5.2 AI Analysis

Transcript text (not audio) is sent to one of the following AI providers via the Vercel AI Gateway for generating summaries, action items, and categories:

  • Anthropic (Claude) — Does not use API data for model training. Retains data for 7 days, then deletes. Anthropic Commercial Terms
  • OpenAI — Does not use API data for model training by default. Retains data for up to 30 days for abuse monitoring. OpenAI Business Terms
  • Google (Gemini) — Paid API tier only; does not use data for model training. Retains data for a limited period for security monitoring. Gemini API Terms

5.3 Authentication

  • Clerk — Manages user accounts, sign-in (via Apple, Google, or email), and session tokens. Clerk stores data in the European Union (Germany, with backup in Ireland). Clerk acts as a data processor on our behalf. Clerk Privacy Policy

5.4 Subscription Management

  • RevenueCat — Manages in-app subscriptions and purchase validation. Collects device type, OS, purchase history, and app user IDs. Data stored on AWS in the United States, protected by Standard Contractual Clauses. SOC 2 Type II certified. RevenueCat Privacy Policy

5.5 Infrastructure

  • Amazon Web Services (S3) — Temporary audio file storage during cloud processing only. Files are uploaded via pre-signed URLs with short expiration and deleted immediately after transcription.
  • Vercel — Application hosting, serverless functions, and AI Gateway routing. Processes API requests but does not store user content. Vercel Privacy Policy
  • Neon — PostgreSQL database hosting for user accounts, usage logs, and pipeline job tracking. Does not store recordings, transcripts, or summaries. Neon Privacy Policy

5.6 Analytics

  • PostHog — Product analytics. Collects usage events, device type, app version, and account-linked identifiers needed to understand product behavior across sessions. On iPhone and iPad, session replay is also enabled for product diagnostics. Text inputs are masked before capture. PostHog does not receive recording content, transcripts, summaries, action items, or personal notes. You may object to analytics by contacting us at privacy@memoth.com. PostHog Privacy Policy

5.7 Device Sync

  • Apple iCloud — Cross-device sync is managed entirely by Apple via iCloud/CloudKit. We do not have access to your iCloud data. Apple's own privacy policy governs this data. Apple Privacy Policy

6. International Data Transfers

Artlink Live Ltd. is based in Israel. Depending on your location and the services you use, your data may be transferred to and processed in different jurisdictions:

  • Israel ↔ EU/EEA: Israel has been granted an adequacy decision by the European Commission (reaffirmed 2024), meaning data flows freely between the EU/EEA and Israel without additional safeguards.
  • United States: Several of our sub-processors (AssemblyAI, OpenAI, RevenueCat, AWS, Vercel, Neon) are based in the United States. These transfers are protected by the EU-US Data Privacy Framework and/or Standard Contractual Clauses (SCCs).
  • European Union: Clerk stores authentication data in Germany (backup in Ireland). AssemblyAI offers EU processing (Dublin) for European users.

We ensure that all international data transfers are accompanied by appropriate safeguards as required by applicable data protection laws.

7. Data Retention

Data TypeRetention Period
Audio files on our serversDeleted immediately after transcription (minutes). Hourly cleanup job ensures no file persists beyond 1 hour.
AssemblyAI transcription resultsDeleted from AssemblyAI immediately after retrieval.
Pipeline job records (our database)Deleted within 1 hour of job completion via automated cron.
AI provider data (Anthropic/OpenAI/Google)Retained by providers for 7–30 days for security monitoring, then deleted. Not used for training.
Usage logs (processing duration, timestamps)Retained while your account is active and for the current billing period. Contains no content.
Account data (name, email)Retained while your account is active. Deleted upon account deletion request.
Local data (on your device)Under your control. Remains on your device until you delete it.
iCloud synced dataManaged by Apple. Deletion in the app propagates via iCloud.

8. Data Security

  • All data in transit is encrypted via TLS 1.2 or higher (TLS 1.3 preferred)
  • Audio files at rest are encrypted with AES-256 by our sub-processors
  • Audio uploads use pre-signed S3 URLs with short expiration times, limiting access windows
  • Authentication uses industry-standard JWT tokens with short expiration periods
  • Our backend runs on Vercel's serverless infrastructure with automatic security updates and isolation
  • Database access is restricted to authenticated API routes with JWT verification and subscription validation
  • We conduct regular security reviews and follow industry best practices for application security

9. Your Rights Under GDPR (EU/EEA/UK)

If you are located in the European Economic Area, the United Kingdom, or a jurisdiction with similar protections, you have the following rights:

  • Right of Access — Request a copy of the personal data we hold about you
  • Right to Rectification — Request correction of inaccurate personal data
  • Right to Erasure — Request deletion of your personal data (“right to be forgotten”)
  • Right to Data Portability — Receive your data in a structured, machine-readable format. You can export recordings and transcripts directly from the app.
  • Right to Restrict Processing — Request that we limit how we use your data
  • Right to Object — Object to processing based on legitimate interest, including analytics
  • Right to Withdraw Consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
  • Right to Lodge a Complaint — You may file a complaint with your local data protection supervisory authority
  • Automated Decision-Making — Memoth uses AI to generate transcripts and summaries. These are assistive tools, not automated decisions with legal or similarly significant effects. You may request human review of any output.

To exercise any of these rights, contact us at privacy@memoth.com. We will respond within 30 days.

10. Your Rights Under CCPA/CPRA (California)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with the following rights:

  • Right to Know — Request disclosure of the categories and specific pieces of personal information we have collected about you
  • Right to Delete — Request deletion of your personal information
  • Right to Correct — Request correction of inaccurate personal information
  • Right to Opt-Out of Sale or Sharing — We do not sell or share your personal information for cross-context behavioral advertising. There is nothing to opt out of.
  • Right to Non-Discrimination — We will not discriminate against you for exercising any of your privacy rights

Categories of Personal Information Collected

  • Identifiers (name, email, phone number, IP address)
  • Commercial information (subscription tier, purchase history)
  • Internet/electronic activity (usage logs, analytics events)
  • Audio/visual data (voice recordings processed temporarily)
  • Inferences (AI-generated summaries, categories, action items)

Automated Decision-Making Technology (ADMT)

Memoth uses automated AI processing to generate transcripts, summaries, action items, and categories from your voice recordings. This processing is integral to the service and does not produce decisions with legal or similarly significant effects. You may contact us to learn more about this processing.

11. Your Rights Under Israeli Privacy Protection Law

Under Israel's Privacy Protection Law (as amended by Amendment 13, effective August 2025), you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Object to the processing of your data

Contact us at privacy@memoth.com to exercise these rights.

12. We Do Not Sell Your Data

Memoth does not sell, rent, trade, or otherwise disclose your personal data to third parties for monetary or other valuable consideration.

  • Your recordings and transcripts are stored locally on your device and synced via Apple iCloud — we do not have access to your iCloud data
  • We do not serve advertisements and have no advertising partners
  • We do not share your data with data brokers or data aggregators
  • Third-party services receive only the minimum data necessary to perform their specific function (transcription, AI analysis, authentication, subscription management)

13. WhatsApp Bot

The Memoth WhatsApp bot (available on Pro plans) allows you to send voice messages for transcription and AI analysis:

  • You must explicitly opt in and link your phone number in the Memoth app before using the bot
  • Your phone number is stored solely to link your WhatsApp messages to your Memoth account
  • Voice messages you send to the bot are processed in real-time and are not stored on our servers after processing completes
  • The bot is a task-oriented transcription service — it processes voice messages only and does not read, access, or store your other WhatsApp messages or conversations
  • Transcription results are sent back to your WhatsApp chat and saved to your Memoth account
  • WhatsApp usage counts toward your monthly transcription limit
  • You can unlink your WhatsApp account at any time from the Memoth app settings, which will delete your phone number from our systems
  • WhatsApp's own Privacy Policy and Terms of Service also apply to your use of their platform

14. Children's Privacy

Memoth is not intended for use by children. You must be at least 13 years old to use Memoth (or 16 years old in jurisdictions where GDPR requires parental consent for minors under 16).

We do not knowingly collect personal information from children under these age thresholds. If we learn that we have collected data from a child below the applicable age, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at privacy@memoth.com.

15. Cookies and Tracking Technologies

On our website (memoth.com), we use:

  • Essential cookies — Required for authentication and session management. These cannot be disabled.
  • Analytics (PostHog) — Usage events and technical diagnostics to improve our website. You may opt out via your browser settings or by contacting us.

We do not use third-party advertising cookies, tracking pixels, or cross-site tracking technologies.

16. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms:

  • We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR
  • We will notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms
  • We maintain an incident response process and will take immediate steps to contain and remediate any breach
  • Notification will include: the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make changes:

  • For material changes, we will provide at least 30 days' advance notice via the app and/or email before the changes take effect
  • The “Last updated” date at the top of this page will be revised
  • Continued use of Memoth after the effective date of changes constitutes acceptance of the updated policy
  • If you do not agree with the changes, you may delete your account before the changes take effect

18. Data Protection Officer

We have designated a Data Protection Officer (DPO) responsible for overseeing our data protection practices and compliance. You may contact our DPO for any data protection inquiries:

dpo@memoth.com
Artlink Live Ltd.
Israel

19. Contact Us

For general privacy questions or to exercise your rights, contact us:

Email: privacy@memoth.com
Data Protection Officer: dpo@memoth.com

Artlink Live Ltd.
Israel