no training
We don't train on your data
Project content is read by the service to power coordination and broadcast. It is never used to train models — ours or anyone else's.
trust
Where your content lives, who handles it, what we never do with it.
This page covers the hosted service at memoturn.ai. Memoturn is open source under MIT — if you self-host, you control the substrate and the policy. The legally binding version is the privacy policy.
- Stage
- Open source · MIT
- Runtime
- Edge-only · Cloudflare
- Response time
- 3 business-day response
sub-processors
Who handles your data, and why.
Every party that processes a byte of your project content. No silent third parties — if it's not on this list, it doesn't see your data.
| Provider | Role | What it processes |
|---|---|---|
| Cloudflare | Edge runtime | Workers, Durable Objects, KV, R2, Hyperdrive. Hosts every read and write of your project content. The per-project Durable Object serializes claims and fans events out over WebSockets; R2 stores turn payloads; Hyperdrive pools connections to Postgres. |
| Neon | Managed Postgres | Stores account, project, turn, decision, rule, and presence rows. Connection-pooled through Cloudflare Hyperdrive. |
| Google, GitHub | OAuth | Used only if you sign in via OAuth. The provider returns a subject ID we store against your account; we never see the upstream password. |
what we never do
Three things we will not do with your data.
Stated negatively on purpose. The trust signal isn't what we promise; it's what we structurally cannot do without breaking the contract below.
no tracking
We don't run third-party tracking
No analytics scripts, no ad pixels, no session-replay tools on the dashboard or the marketing surface. The only events we log are operational (request metadata, 30-day retention).
no resale
We don't sell personal data
Account email, OAuth subject ID, and project content are processed only to deliver the service. They are not shared with advertisers, brokers, or affiliates.
scope and caveats
Pre-1.0 software. Behavior may change between releases, including breaking API changes. The hosted service has no formal SLA; uptime is best-effort.
Operational logs (request metadata: IP, user agent, response status, latency) are retained 30 days for rate-limiting, abuse prevention, and the observability dashboard. Project content is retained for the lifetime of the project. Vendor reviews, security questionnaires, and DPAs are handled directly — we respond within 3 business days.
Vulnerability disclosure is documented in SECURITY.md. Coordinated, private disclosure required — please don't open a public issue.
questions about scope or compliance?
Talk to us.
Vendor reviews, security questionnaires, DPAs, or a private disclosure — we respond within 3 business days.