Privacy Policy
Last updated: 27 April 2026
1. Data controller
In accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR), the following details are provided about the data controller:
- Trading name: Memorly
- Email: support@memorly.io
2. Data we collect
We process the following categories of personal data:
- Account data: email address for authentication.
- User-uploaded content: photographs, titles, and messages provided by the user to generate the video. These images may contain personal data (faces, identifiable locations) of the user or third parties.
- Payment data: card or payment details are processed directly by Stripe; we do not store full card details. We retain the payment identifier, amount, and date.
- Technical data: IP address, session identifiers, browser type, and service usage logs.
3. Purposes and legal basis
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Create and manage the user account | Performance of contract (Art. 6.1.b) |
| Process photos, generate video, and deliver the service | Performance of contract (Art. 6.1.b) |
| Collect payment for the service | Performance of contract (Art. 6.1.b) |
| Comply with tax and accounting obligations | Legal obligation (Art. 6.1.c) |
| Handle queries and support | Performance of contract / legitimate interest (Art. 6.1.b/f) |
| Prevent fraud and abuse | Legitimate interest (Art. 6.1.f) |
| Send marketing communications (if applicable) | Consent (Art. 6.1.a) |
4. Retention periods
- Account and orders: for as long as the user keeps the account active.
- Uploaded photos: deleted or anonymised within a maximum of 30 days after video delivery, unless an earlier deletion request is made.
- Generated videos:retained in the user's storage for a minimum of 90 days to allow download.
- Billing data: 6 years, in accordance with applicable accounting and tax law.
- Technical logs: up to 12 months for security purposes.
5. Recipients and processors
To provide the service, we share data with the following sub-processors, with whom the required data processing agreements under Article 28 GDPR have been signed:
- Supabase Inc. (USA) — authentication and database.
- Stripe Payments Europe Ltd. (Ireland) — payment processing.
- Uploadcare Inc. (USA) — image storage and CDN.
- fal.ai (Features & Labels Inc.) (USA) — AI animation generation.
- Anthropic PBC (USA) — image analysis (Claude Vision).
- Creatomate B.V. (Netherlands) — final video editing.
- Cloudflare, Inc. (USA) — video storage (R2).
- Vercel Inc. (USA) — application hosting.
No data will be shared with other third parties unless required by law.
6. International transfers
Some of the providers listed above are located outside the European Economic Area (mainly the USA). These transfers are carried out with appropriate safeguards under Chapter V GDPR: Standard Contractual Clauses approved by the European Commission (Decision 2021/914) and, where applicable, adherence to the EU–U.S. Data Privacy Framework.
7. User rights
Users may exercise the following rights at any time:
- Access to their personal data.
- Rectification of inaccurate data.
- Erasure (“right to be forgotten”).
- Restriction of processing.
- Data portability.
- Objection to processing.
- Not to be subject to automated decisions with significant effects.
- Withdrawal of consent given.
To exercise these rights, users may write to support@memorly.io attaching a copy of an identity document.
If you consider that your rights have not been properly addressed, you may lodge a complaint with the relevant supervisory authority in your country of residence. In the EU, a list of supervisory authorities is available at edpb.europa.eu.
8. Security
We apply appropriate technical and organisational measures to ensure data security: encryption in transit (HTTPS), encryption at rest for storage, role-based access controls (RLS), and audit logs.
9. Automated decisions
Video generation involves automated processing of images using artificial intelligence models. This processing is carried out solely to produce the result requested by the user and does not produce legal effects or significantly affect the user.
10. Minors
The service is not directed at children under 14 years of age. If a user uploads photographs containing images of minors, they declare that they have the consent of those with parental responsibility or guardianship.
11. Changes to this policy
We may update this policy to reflect legal or service changes. The current version will always be available on this page, indicating the date of the last update.