Privacy Policy

Our commitment to protecting your personal information

Last Updated: March 7, 2026
Effective: March 7, 2026
GDPR & CCPA Compliant

Basic Policy

Our Privacy Commitment

Kazuki Masuda (hereinafter "Provider") considers the protection of your personal information as our highest priority. We comply with Japanese Personal Information Protection Act, GDPR, CCPA, and other applicable laws, conducting data processing with emphasis on transparency and reliability.

Scope of Application

This Privacy Policy explains how we collect, use, store, and share personal information regarding the use of Memly services (Web, iOS, and Android versions).

Information We Collect

2.1 Information You Provide Directly

Account Information

  • • Email address
  • • Password (encrypted)
  • • Display name
  • • Profile picture (optional)

Payment Information

  • • Credit card information*
  • • Billing address
  • • Transaction history
  • *Processed by payment providers

2.2 Learning Content

  • • Uploaded learning materials (PDF, images, text, etc.)
  • • AI-generated flashcards
  • • Learning progress data (accuracy rates, review history, etc.)
  • • Learning settings and customization information

2.3 Automatically Collected Information

Technical Information

  • • IP address
  • • Browser information
  • • OS and device information
  • • Access date and time

Usage Information

  • • Page viewing history
  • • Feature usage patterns
  • • Error logs
  • • Performance data

How We Use Information

Primary Uses

Service Provision

Account management, AI problem generation, learning progress tracking

Customer Support

Inquiry response, technical support

Payment Processing

Billing, refund processing

Improvement & Analysis

Service Improvement

Feature enhancement, bug fixes, new feature development

Usage Analysis

Usage statistics, performance analysis

Security

Fraud prevention, security enhancement

Marketing Use (Consent-Based)

The following uses are only conducted with your explicit consent:

  • • New feature and service announcements
  • • Promotional and campaign information
  • • Learning improvement tips and advice

* Consent can be withdrawn at any time

Information Sharing

Important Principle

We never sell, rent, or provide your personal information to third parties for commercial purposes. We do not provide personal information to third parties without your consent except in the following limited cases.

4.1 Sharing Necessary for Service Provision

Payment Processors

Stripe Inc. and others (credit card processing)

Cloud Service Providers

Vercel Inc., Supabase Inc. (data storage and processing)

AI Service Providers

OpenAI, Google, etc. (processed in de-identified form for AI problem generation)

4.2 Legal Disclosure Requirements

We may disclose personal information to the minimum extent necessary in response to legal requirements, court orders, or requests from government agencies.

5.GDPR & CCPA Compliance

5.1 Cookie Use and Consent Management

Cookie Consent

Except for essential cookies, we use cookies only after obtaining your explicit consent. A cookie consent banner is displayed on your first visit, and functional cookies are restricted if you do not consent.

Essential Cookies (No consent required)

Necessary for maintaining login status and security protection

Functional Cookies (Consent required)

Saving learning settings, remembering UI preferences

Analytics Cookies (Consent required)

Anonymized usage statistics for service improvement

5.2 Profiling and Automated Decision-Making

AI Learning Algorithm

Memly analyzes your learning patterns to suggest optimal review timing through profiling. This profiling aims to improve your learning effectiveness and does not involve disadvantageous automated decision-making.

Purpose of Processing: Providing individually optimized learning experiences

Processing Logic: Spaced repetition algorithm based on forgetting curve theory

Your Rights: Right to object to profiling, right to manual setting changes

5.3 Third-Party Sharing Details

Prior Consent Principle

Third-party sharing of personal data is conducted only after obtaining your explicit consent, except where permitted by law. Consent is obtained specifically and individually, and can be withdrawn at any time.

Sharing Requiring Consent

  • • Marketing purposes
  • • Statistical and analytical purposes
  • • Joint use for new service development

Sharing Not Requiring Consent

  • • Legal requirements
  • • Emergency protection of life or body
  • • Service providers (under appropriate supervision)

5.4 Pseudonymized and Anonymized Information

We may use your learning data as pseudonymized information for service improvement and new feature development. Processing is conducted with appropriate technical measures, and matching with original personal data is prohibited.

Purpose of Processed Information Use

  • • Learning algorithm improvement
  • • New learning feature development
  • • Statistical analysis for service quality improvement

Data Security

Technical Safeguards

  • • SSL/TLS encrypted communication
  • • Database encryption
  • • Access control and authentication
  • • Regular security audits
  • • Intrusion detection systems

Organizational Safeguards

  • • Employee education and training
  • • Minimized access privileges
  • • Regular access rights review
  • • Incident response system
  • • Third-party security certification

Data Breach Response

In the unlikely event of a data breach, we will notify supervisory authorities and affected customers within 72 hours in accordance with applicable laws.

Your Rights

Right of Access

Right to request disclosure of personal data we hold

Available from account settings

Right to Rectification

Right to request correction of inaccurate personal data

Editable from account settings

Right to Erasure (Right to be Forgotten)

Right to request deletion of personal data

Handled through account deletion

Right to Data Portability

Right to request data transfer

Available through export function

Right to Restriction

Right to request restriction of data processing

Contact support

Right to Object

Right to object to data processing

Contact support

How to Exercise Your Rights

1

Self-service through account settings

2

Contact support team (admin@memly.ai)

3

Response within 30 days after identity verification

International Data Transfers

Transfer Destinations

To provide our services, we may transfer your personal data to the following countries/regions:

🇯🇵 Japan

Headquarters location

🇪🇺 EU

Adequacy decision

🇺🇸 United States

Standard contractual clauses

Safeguards

For transfers to countries without adequacy decisions, we implement appropriate safeguards such as EU Standard Contractual Clauses (SCCs), approved codes of conduct, and certification mechanisms.

Data Retention Period

Active Users

Account InformationDuring use
Learning DataDuring use
Log Data2 years

After Account Deletion

Account Information30 days
Learning Data90 days
Payment Records7 years*

*Period required by law

Children's Privacy Protection

Children Under 13

We do not knowingly collect personal information from children under 13. If children under 13 use our service, parental consent is required.

For Parents

  • • Parental consent required for child account creation
  • • You can request to view or delete your child's personal information
  • • Contact admin@memly.ai for any questions

CCPACalifornia Privacy Rights

Your California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • • Right to know what personal information is collected
  • • Right to know if personal information is sold or disclosed
  • • Right to say no to the sale of personal information
  • • Right to delete personal information
  • • Right to non-discrimination for exercising your rights

Note: We do not sell your personal information.

In-App Purchases & Subscription Data

Apple App Store Purchases

Subscription purchases on iOS are processed through Apple Inc.'s App Store payment system. We do not have direct access to your payment information (credit card numbers, etc.) linked to your Apple ID. Such data is processed in accordance with Apple Inc.'s Privacy Policy.

Purchase-Related Data We Collect

  • • Subscription type (plan name, duration)
  • • Purchase and renewal dates
  • • Subscription status (active, expired, cancelled, etc.)
  • • Purchase receipt information (Apple-issued verification tokens)

* This information is used solely for service provision and subscription management

Google Play Store Purchases

Purchases on Android are processed through Google LLC's payment system. Similar to Apple, we do not have direct access to your credit card or payment details.

Advertising Identifiers & Tracking

App Tracking Transparency (ATT)

On iOS, Memly complies with Apple's App Tracking Transparency framework. We will request your explicit permission before tracking your data across other companies' apps and websites. Declining tracking does not affect the core functionality of the service.

Advertising Identifiers (IDFA / GAID)

Current Usage

Memly does not currently use IDFA (iOS) or GAID (Android) for advertising purposes. If advertising features are introduced in the future, this policy will be updated and appropriate consent will be obtained.

Analytics & Performance Measurement

We may collect anonymized app usage data for the purpose of improving service quality. This data is not used to personally identify you.

Third-Party SDKs & Services

Memly uses the following third-party SDKs and services for service provision and improvement. Each service processes data in accordance with its own privacy policy.

Supabase (Auth & Database)

  • • User authentication data
  • • Application data

RevenueCat (Billing)

  • • Subscription status
  • • Purchase transactions

OpenAI / Google AI (AI Processing)

  • • Learning content (anonymized)
  • • Text for flashcard generation

Vercel (Hosting)

  • • Access logs
  • • Performance data

Account & Data Deletion

How to Delete Your Account

You have the right to request deletion of your account and associated data at any time. Account deletion can be performed through the following methods:

1

In-App Deletion

Settings > Account > Delete Account

2

Email Request

Send a deletion request to admin@memly.ai

Data That Will Be Deleted

  • • Account information (email, display name, profile picture)
  • • Learning data (flashcards, progress, review history)
  • • Personal settings and customization
  • • Uploaded learning materials

Important Notes

  • • A 30-day grace period allows account recovery after deletion
  • • After the grace period, data is permanently deleted
  • • Data required by law (payment records, etc.) is retained for the legally mandated period
  • • App Store subscriptions must be cancelled separately through Apple Settings

Push Notifications

Purpose of Push Notifications

Memly may send push notifications for the following purposes:

  • • Study reminders (review timing notifications)
  • • Important service announcements
  • • Security alerts

Managing Notifications

Push notifications can be disabled at any time through the app settings or your device settings. Disabling notifications does not affect the core functionality of the service.

Data Collected

We collect your device's push notification token for the purpose of delivering notifications. This token is used solely for notification delivery and is not used to personally identify you.

Privacy Inquiries

For questions or inquiries about personal information handling, please contact us at:

Data Protection Officer (DPO)

Memly

Representative: Kazuki Masuda

Email: admin@memly.ai

Address: Aoyama Marutake Building 6F, 3-1-36 Minami-Aoyama, Minato-ku, Tokyo 107-0062, Japan

Complaints to Supervisory Authorities

If you are dissatisfied with our handling of personal information, you may file a complaint with supervisory authorities such as your local data protection authority.