Privacy Notice
How XMemo, provided by Yonro Co., Ltd., handles user-owned memory content, account metadata, OAuth-scoped agent access, telemetry, and support diagnostics across the hosted service.
- Yonro Co., Ltd. is the controller for hosted XMemo account data and the contracting service provider for public users, unless an enterprise agreement states otherwise.
- Memory data stays scoped to the authenticated account, team, or tenant boundary.
- Token hashes, API keys, invite hashes, session secrets, and provider credentials are excluded from exports and support bundles.
- We do not sell personal data or share it for cross-context behavioral advertising.
- Auto-redaction metadata records only safe counts and status, not raw PII or deterministic content hashes.
- ChatGPT and MCP integrations use scoped authorization; public pages and app listings never ask users to paste raw bearer tokens.
Data we process
XMemo processes the information needed to store, search, recall, update, and govern user-owned memories for authenticated users and connected agents.
- Memory content provided by users or their authorized agents, including preferences, project context, decisions, reminders, and action items.
- Memory-plane records are isolated by owner, bucket, scope, team, and tenant metadata.
- Control-plane records include users, sessions, SSO providers, group mappings, tenant roles, and scoped token metadata.
- Operational telemetry is limited to safe request categories, status, latency, rate-limit signals, and redacted support diagnostics.
Purposes and legal bases
We process personal data to provide the service, secure accounts, support users, comply with law, and improve reliability. For GDPR and UK GDPR users, the legal bases are contract performance, legitimate interests, consent where required, and legal obligations.
- Contract performance covers account creation, authentication, memory storage, recall, export, deletion, support, billing, and connected-agent workflows requested by the user or customer.
- Legitimate interests cover security monitoring, abuse prevention, rate limiting, fraud detection, debugging, reliability telemetry, product safety, and service improvement, balanced against user privacy.
- Consent covers optional cookies or marketing communications if introduced; consent can be withdrawn without affecting necessary service cookies.
- Legal obligations cover tax, accounting, consumer-protection, security, dispute, and regulatory records that we are required to keep.
OAuth and agent access
The ChatGPT and MCP app surfaces use scoped authorization so clients can request only the memory permissions needed for the user's task.
- Read tools use scoped memory-read access for search, recall, explain, and listing behavior.
- Write or destructive tools require write-capable scopes and are annotated so clients can present the right level of caution.
- OAuth authorization codes, bearer tokens, cookies, provider secrets, and raw API keys are not shown in public pages, listing copy, screenshots, or tool responses.
Google Sign-In and Google user data
When a user chooses "Continue with Google," XMemo uses Google OAuth for account sign-in and requests only the `openid`, `email`, and `profile` scopes.
- Data accessed: Google account subject identifier, email address, email verification status, display name or profile name, and profile fields returned by Google Sign-In such as a profile picture URL when Google provides it.
- How we use it: to authenticate the user, create or find the user's XMemo account, link the Google identity to that account, keep the account email/display name current, issue an XMemo session, apply local MFA checks where configured, and record security/audit events for the sign-in.
- How we store it: XMemo stores the Google subject identifier, email address, email verification status, provider name, identity link metadata, account display name, session metadata, and related audit records. Ordinary Google social sign-in does not store Google access tokens or refresh tokens after the sign-in exchange is complete.
- How we share it: we do not sell Google user data, use it for advertising, provide it to data brokers or information resellers, or use it to train generalized AI or ML models. We share it only with subprocessors needed to operate, secure, audit, and support XMemo, or when required by law.
- Retention and deletion: Google identity data is retained while the account or linked identity remains active and is deleted or deactivated through the account deletion, identity unlinking, or privacy request workflows described in this notice, subject to limited backup, security, audit, dispute, and legal-retention needs.
- Protection: Google user data is protected with the same account, transport, storage, access-control, audit, and secret-handling controls described in this notice and the Trust Center.
Data we do not expose
Customer-facing exports, support diagnostics, tool responses, and public pages must not expose secrets, debug payloads, or raw infrastructure configuration.
- No API key values, token hashes, invite hashes, session secrets, provider client secrets, database URLs, or support-bundle secrets.
- No raw memory content is included in public pages or unauthenticated discovery surfaces.
- No unrelated PII, internal account IDs, trace IDs, request IDs, raw logs, or local file paths should be returned in ChatGPT-facing tool responses.
- E2E-encrypted REST writes are rejected while server-side auto-redaction is enabled because ciphertext cannot be inspected safely.
Access, export, deletion, redaction, and privacy rights
Authenticated users can manage memory records from the XMemo Console and request access, correction, export, deletion, restriction, objection, portability, or redaction workflows for their account or workspace.
- Self-service export requests return a pending operator-review contract and record the user's intent in audit events.
- Individual memory deletion and audited forget/redaction workflows preserve the required operational trail.
- Requests can be sent to privacy@xmemo.dev. We may need to verify account ownership before acting on a request.
- Users in the EEA, UK, Japan, California, and similar jurisdictions may have additional statutory rights, including the right to complain to a supervisory authority where available.
- Yonro is established in Japan; for data-protection matters, contact privacy@xmemo.dev. Where a representative is legally required for EU or UK users, we will appoint one and publish its contact here.
Retention and deletion
We keep personal data only as long as needed for the service, security, legal, accounting, dispute, backup, and audit purposes, unless a customer-specific agreement or law requires a different period.
- Active memory content is retained while the account, workspace, or tenant remains active, until deleted by the user, admin, or authorized workflow.
- Security, audit, billing, and support records are retained for the period reasonably needed to protect the service, prove actions, resolve disputes, and meet legal obligations.
- Backups and deletion logs may persist for a limited technical period after deletion, but are protected and not used for ordinary service access.
- Where retention is customer-managed, customer administrators are responsible for configuring and communicating workspace retention rules.
International transfers and subprocessors
XMemo is operated by a Japanese company and may use infrastructure or subprocessors in Japan, the United States, the EEA, or other regions depending on deployment and customer configuration.
- For EEA and UK users, transfers to Japan rely on the adequacy decisions for Japan where applicable; transfers to other regions rely on standard contractual clauses or other equivalent safeguards.
- For users in Japan, where personal data is provided to or stored by subprocessors located outside Japan, we handle such cross-border provision in accordance with the Act on the Protection of Personal Information (APPI), including by informing you of the destination countries and the relevant data-protection context, or by obtaining your consent where required.
- As part of our security control measures we maintain awareness of the external environment (the data-protection regimes of the countries where data is stored) and supervise the subprocessors that handle personal data on our behalf.
- Subprocessors are listed on the Subprocessors page and may include payment, identity, hosting, database, observability, release, and support providers.
- Third-party services process data under their own terms and privacy commitments where users or customers connect them directly.
Children, security, and incidents
XMemo is not intended for children or for users below the age required to form a binding account contract in their jurisdiction. We use commercially reasonable security measures, but no online service can guarantee perfect security or zero data loss.
- If we learn that a child used the hosted service without required consent, we may delete the account or request guardian authorization.
- We investigate security incidents and notify affected users, customers, and authorities as required by applicable law.
- XMemo does not make legal or similarly significant automated decisions about users without human involvement.
Controller: Yonro Co., Ltd. (corporate number 3420001017436), Shinagawa-cho 1-4, Hirosaki, Aomori, Japan. Privacy contact: privacy@xmemo.dev. Aligned with docs/ENTERPRISE_SECURITY_PRIVACY.md, the /me governance contract, and DSAR operations runbooks.