Legal

Privacy Policy

Effective date: June 10, 2026

Last updated: June 10, 2026

This Privacy Policy explains how LeadHash LLC ("LeadHash," "we," "us," or "our"), a Virginia limited liability company operating the Nuramem service ("Nuramem," the "Service"), collects, uses, discloses, and protects information about you. It also describes the rights you have over your information under the EU/UK General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA").

Please read this Policy together with our Terms & Conditions. If you do not agree with this Policy, do not use the Service.

Beta notice. Nuramem is currently offered as a closed beta. Features, data flows, and sub-processors described here reflect the beta as of the effective date and may change. We will update this Policy and the "Last updated" date when they do.

1. The short version

Nuramem is a cross-model memory layer for AI. It stores your memory records — decisions, plans, people, references, learnings, and state — and synthesizes them into a compressed model of who you are, so the AI tools you use (such as Claude, ChatGPT, or Gemini) can load it at the start of a session.

We host your memory. Your records are stored in Nuramem-managed databases on Google Cloud, encrypted and isolated per user. Synthesizing your records into a usable self-model is the core of the product, and it requires our systems — and the AI providers listed in Section 6 — to read your memory content. LeadHash is the data controller for that content, and we protect it accordingly.

Two rights are built into the product and always self-serve: you can export everything at any time, and when you delete, delete means deleted — your records are physically erased from our live systems, typically within a minute, and residual copies expire from encrypted backups within seven days.

We do not sell your personal information, and we do not use the content of your memory records to train AI models — and our AI sub-processors are not permitted to either.

2. Who is responsible for your information (controller)

LeadHash LLC is the data controller for the personal information processed through the Service — including your account identity, usage logs, support communications, and the content of the memory records you create. For content contributed to a shared project, we process it on behalf of the project and all its members under the project's access-control settings.

Contact for privacy matters:

LeadHash LLC
Attn: Privacy
7918 Jones Branch Dr, 4th Flr Suite #404
McLean, VA 22102, United States
Email: privacy@nuramem.ai

3. Information we collect

3.1 Information you provide

Account and identity data. When you sign up, you authenticate through our identity provider (Auth0/Okta). Depending on the login method you choose (email and password, GitHub, or Microsoft), we receive an account identifier and basic profile data such as your email address and name.
Memory content you create. The decisions, plans, people, references, learnings, and state records you save through the Service. These are stored on our infrastructure (see Section 4).
Shared-project content. If you create or join a shared project, the records, project name, and related content you contribute are stored on our infrastructure and are visible to the project's members.
Support and communications. Information you provide when you contact us, give feedback, or report a problem.

3.2 Information we generate or collect automatically

Derived representations of your content. To make memory fast and useful, we generate and store data derived from your records: synthesized self-models (the compressed picture of you that assistants load) and search embeddings (numerical vectors that power semantic search). Both are derived from your memory content and are deleted with it.
Service and security logs. Technical logs such as IP address, timestamps, request metadata, client/AI-tool identifiers, and error diagnostics, used to operate, secure, and debug the Service.
Usage data. Limited operational metrics about how the Service is used (for example, that a memory was loaded or consolidated), used to maintain and improve reliability and performance.

3.3 Information we do not intentionally collect

Nuramem is not designed to collect special-category data (such as health, biometric, or precise-location data). Because you control what you write into your memory, please avoid storing sensitive personal information you would not want persisted. You are responsible for the content you choose to save.

4. Where your information is stored

All of your data is stored in Google Cloud–managed databases operated by Nuramem in the us-central1 region (United States):

Category	Where it lives
Memory records, episodes, and synthesized self-models	Google Cloud SQL (PostgreSQL), encrypted at rest, isolated per user
Search embeddings (derived from your content)	The same Google Cloud SQL database
Short-lived cache of your current self-model	Redis (Google Cloud Memorystore)
Shared-project content, membership, and the sign-in identity mapping	Google Cloud Firestore (currently being consolidated into the same Cloud SQL database)
Sign-in credentials	Our identity provider, Auth0 (Okta) — identity only; Auth0 never receives memory content

Sensitive operational secrets are managed through Google Secret Manager. Database backups are encrypted and retained for seven days, after which they expire automatically.

5. How we use your information (and our legal bases)

We use information for the following purposes. Where GDPR applies, the lawful basis for each is noted.

To provide the Service — authenticate you, save and retrieve your memory records, search them, and load them into the AI tools you connect. Legal basis: performance of a contract.
To synthesize and compress your memory — this is the core of the product. Our systems read the content of your records and use large language models (operated by the AI sub-processors in Section 6) to synthesize them into a compressed self-model, and generate search embeddings so your memory can be found instantly. Legal basis: performance of a contract. We do not use your memory content to train our own or third parties' foundation models, and our AI sub-processors are contractually barred from training on it.
To secure and maintain the Service — monitor for abuse, debug, prevent fraud, and ensure reliability. Legal basis: legitimate interests in operating a secure service.
To communicate with you — service notices, security alerts, project invitations you trigger, and responses to your requests. Legal basis: performance of a contract and legitimate interests.
To comply with law — meet legal, regulatory, and enforcement obligations. Legal basis: legal obligation.
With your consent — for any use we describe to you and for which we ask consent (for example, optional product communications). Legal basis: consent, which you may withdraw at any time.

We do not engage in solely automated decision-making that produces legal or similarly significant effects about you.

6. How your information is shared

We share information only as described here. We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.

AI tools you connect. When you connect an AI client (such as Claude Desktop, ChatGPT, or a Gemini interface) to Nuramem, your memory is delivered to that client at your direction so it can load your context. Your use of those third-party AI tools is governed by their own terms and privacy policies, not ours.
Sub-processors. These are the service providers we use, and exactly what each one touches:
- Google Cloud — hosting, databases, cache, and encrypted backups. Processes memory content as our infrastructure provider.
- Anthropic — synthesizes your records into your self-model. Processes memory content; barred from training on it.
- Google (Gemini API) — generates the search embeddings behind semantic search. Processes memory content; barred from training on it.
- Auth0 (Okta) — sign-in and identity only. Never receives memory content.
- Resend — sends project-invitation emails only (the invitee's address and the project name). Never receives memory content.
- Microsoft and GitHub — only if you choose those login methods; identity only.
This is the complete list as of the effective date. Questions about it go to privacy@nuramem.ai.
Within shared projects. Content you contribute to a shared project is visible to other members of that project according to its access-control settings.
Legal and safety. We may disclose information if required by law, subpoena, or legal process, or where we believe in good faith that disclosure is necessary to protect rights, safety, or property.
Business transfers. If LeadHash is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to this Policy.

7. International data transfers

We are based in the United States and your data is stored in the United States (Google Cloud, us-central1). If you access the Service from outside the United States, your information is transferred to, stored, and processed in the United States.

Where we transfer personal data out of the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and equivalent UK and Swiss mechanisms. You may request a copy of the relevant safeguards by emailing privacy@nuramem.ai.

8. Data retention

Memory records and everything derived from them (self-models, embeddings, cache entries) are retained while your account is active and until you delete them.
When you delete — a record, a project, or your whole account — the data is physically erased from our live systems, typically within a minute. Residual copies expire from encrypted backups within seven days. Deletion is real erasure, not deactivation or flagging.
Account and identity data are retained while your account is active and erased when you delete your account.
Shared-project content is retained for the life of the project or until deleted by an authorized member.
Logs and operational data are retained for a limited period appropriate to security and debugging needs, then deleted or aggregated.

We may retain limited information longer where required to comply with law, resolve disputes, or enforce our agreements.

9. Your rights

9.1 Everyone — built into the product

Two rights are stronger here than the industry norm, and both are self-serve — no email, no ticket, no waiting period:

Export everything, anytime. Download a complete copy of your memory — every record, episode, and self-model — from the management app (or directly via GET /v1/account/export).
Delete means deleted. Deleting your account physically erases your records from our live systems, typically within a minute; residual copies expire from encrypted backups within seven days. Most services deactivate or flag — we erase.

9.2 GDPR/UK GDPR rights (EEA, UK, Switzerland)

You have the right to: access your personal data; rectify inaccurate data; erase data ("right to be forgotten"); restrict or object to processing; data portability; and withdraw consent where processing is based on consent. You also have the right to lodge a complaint with your local supervisory authority.

9.3 CCPA/CPRA rights (California)

You have the right to: know what personal information we collect and how we use and disclose it; access and obtain a copy of it; correct inaccurate information; delete it (subject to exceptions); and not receive discriminatory treatment for exercising your rights. We do not sell or share personal information for cross-context behavioral advertising, so no opt-out of sale/sharing is required — but you may still contact us to exercise any applicable right.

9.4 How to exercise your rights

Email privacy@nuramem.ai with your request. We will verify your identity (typically by confirming control of the account email) before acting. We respond within the timeframes required by applicable law (generally within 30 days under GDPR and 45 days under CCPA, extendable as permitted). Authorized agents may submit CCPA requests on your behalf with proof of authorization.

10. Security

We use industry-standard measures to protect information, including encryption in transit (TLS), encryption at rest for all stored data, per-user isolation enforced at the database layer (row-level security), least-privilege access for our services, secret management for credentials, encrypted backups, and access controls on our infrastructure. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security. You are responsible for safeguarding your own account credentials and the AI tools you connect.

11. Children's privacy

The Service is not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child has provided us personal information, contact privacy@nuramem.ai and we will delete it.

12. Changes to this Policy

We may update this Policy from time to time. When we make material changes, we will update the "Last updated" date and, where appropriate, provide additional notice (such as by email or an in-product notice). Your continued use of the Service after an update takes effect constitutes acceptance of the revised Policy.

13. Contact us

Questions, requests, or complaints about this Policy or your information:

LeadHash LLC
Attn: Privacy
7918 Jones Branch Dr, 4th Flr Suite #404
McLean, VA 22102, United States
Email: privacy@nuramem.ai

This document reflects Nuramem's actual data architecture. It is not legal advice.