Privacy Policy
Effective date: February 11, 2026
This Privacy Policy explains how Memex ("we", "us", "our") collects, uses, stores, and protects your information when you use the memex.email service ("Service"). We believe in being straightforward about data practices. We collect what we need to run the Service, and nothing more.
1. What Data We Collect
Account and Identity Data
- Email addresses of tag owners, members, and senders
- Tag ownership records linking email addresses to the tags they own or belong to
- Configuration preferences such as forwarding mode, retention settings, and membership roles
Message Data
- Message metadata: sender address, recipient address, subject line, timestamps, message IDs, and delivery headers
- Message content: the body of emails sent to tag addresses, stored for archival and search purposes
- Attachments: files attached to messages sent to tag addresses
Operational Data
- Audit logs: records of actions taken within the Service (tag creation, membership changes, policy updates)
- Delivery logs: records of message routing and forwarding for debugging and reliability
- Access logs: IP addresses and timestamps when you access the web archive (retained for a limited period)
Data We Do Not Collect
- We do not use tracking pixels in forwarded emails
- We do not build advertising profiles
- We do not scan message content for advertising or profiling purposes
- We do not collect data from third-party sources to supplement your profile
2. How We Use Your Data
| Purpose | Data Used |
|---|---|
| Routing and delivering email to tag members | Email addresses, message content, metadata |
| Storing messages in the searchable web archive | Message content, metadata, attachments |
| Forwarding messages according to tag configuration | Email addresses, message content, forwarding preferences |
| Providing the tag management web interface | Email addresses, tag configuration, membership data |
| Enforcing retention policies | Message metadata, retention settings |
| Maintaining audit trails | Action logs, timestamps, email addresses |
| Troubleshooting delivery issues | Delivery logs, message metadata |
| Preventing abuse and enforcing our policies | Email addresses, access logs, usage patterns |
3. Storage and Security
Your data is stored on Cloudflare R2, a globally distributed object storage service. All data is encrypted at rest using Cloudflare's infrastructure encryption. Data in transit is encrypted using TLS.
Our architecture is edge-native: data is processed on Cloudflare's global network without centralized origin servers. This means your data is processed at the network edge closest to where it is needed, using Cloudflare Workers and Durable Objects.
We follow security best practices including:
- Encryption at rest for all stored data
- TLS encryption for all data in transit
- Access controls and authentication for management operations
- Regular review of access logs and security practices
4. Data Retention
Message retention is configurable per tag. Tag owners can set retention policies that automatically delete messages after a specified period (for example, 30 days, 90 days, 1 year, or indefinite).
- Default retention: Messages are retained indefinitely unless the tag owner configures a different policy
- Deleted tags: When a tag is deleted, its messages and associated data are permanently removed within 30 days
- Account deletion: When you request deletion of your data, we remove your information within 30 days, except where retention is required by law
- Operational logs: Delivery and access logs are retained for up to 90 days for debugging and abuse prevention, then automatically deleted
- Audit logs: Retained for the lifetime of the tag, as they are a core feature of the Service
5. Third Parties
We share data with third-party service providers only as necessary to operate the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Cloudflare | Infrastructure (compute, storage, DNS, inbound email routing) | All data processed by the Service passes through Cloudflare infrastructure |
| Amazon SES | Outbound email delivery | Recipient email addresses, message content, and headers for forwarded messages |
These providers process data on our behalf and are bound by their own privacy and security commitments. We do not sell, rent, or share your data with any other third parties. We do not share data for advertising purposes.
6. Cookies and Tracking
We use minimal cookies, limited to what is necessary for the Service to function:
- Session cookies: Used to maintain your authenticated session when accessing the web management interface. These are temporary and expire when you close your browser or after a short inactivity period.
- No analytics cookies: We do not use third-party analytics services or tracking cookies.
- No advertising cookies: We do not serve ads and do not use advertising trackers.
7. Your Rights
Regardless of where you are located, we provide the following rights to all users:
- Access: You can request a copy of all data we hold about you, including your messages, membership records, and configuration data.
- Deletion: You can request deletion of your data. For tags you own, this includes all messages and configuration. For tags you are a member of, this includes your membership record. We will process deletion requests within 30 days.
- Export: You can request an export of your data in a standard, machine-readable format (such as MBOX for email messages and JSON for configuration data).
- Correction: You can request correction of inaccurate information we hold about you.
- Objection: You can object to specific processing activities. We will honor your objection unless we have a compelling legitimate reason to continue processing.
To exercise any of these rights, contact us at privacy@memex.email. We will respond within 30 days.
8. International Data Processing and GDPR
Memex is built on Cloudflare's edge network. Your data is processed at Cloudflare edge locations around the world, close to where it is accessed. This means data may be processed in multiple jurisdictions.
For users in the European Economic Area (EEA), United Kingdom, or Switzerland:
- We process your data on the basis of contract performance (providing the Service you use) and legitimate interest (operating and improving the Service, preventing abuse)
- Where we transfer data outside the EEA, we rely on Cloudflare's data processing agreements and standard contractual clauses
- You have the right to lodge a complaint with your local data protection authority
For users in California, we comply with applicable provisions of the California Consumer Privacy Act (CCPA). We do not sell personal information. The rights described in Section 7 above apply to all users, including California residents.
9. Children
The Service is not directed to children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the effective date at the top of this page
- Notify active users by email at least 30 days before the changes take effect
- Post a summary of what changed
11. Contact
For questions or concerns about this Privacy Policy, or to exercise your data rights, contact us at privacy@memex.email.
For general inquiries about the Service, contact hello@memex.email.