Privacy Policy
Last updated: May 19, 2026
This page covers what we collect on the marketing site at engram.page and on purchases. The Engram app at app.engram.page has its own in-product privacy notice covering your notes and account data.
Controller
For the purposes of the EU General Data Protection Regulation (GDPR), the UK GDPR, and equivalent laws, the data controller responsible for your personal data is:
Rasbandit Software Solutions LLC, d/b/a Engram
7533 S Center View Ct, Ste N #6048
West Jordan, UT 84084, USA
Privacy contact: privacy@engram.page
We have not appointed a Data Protection Officer because our processing does not meet the threshold criteria under GDPR Art. 37 (we do not engage in large-scale systematic monitoring or large-scale processing of special categories of data).
What we collect on this site
We use PostHog for analytics. We have configured PostHog to not set tracking cookies and to not record sessions. Anonymous browsing data (page views, scroll depth, button clicks) is collected in memory for the duration of your visit and discarded when you close the tab.
When you join the waitlist, we collect:
- The email address you provide;
- A SHA-256 hash of that email, used as a pseudonymous identifier in our analytics so we can measure funnel performance without storing your raw email in PostHog. A hash is treated as pseudonymous personal data under GDPR;
- The referral source that brought you here, if any (see the Referral section below).
Referral and campaign attribution
If someone referred you via a link like engram.page/?via=alice, or you arrived via a campaign with utm_* parameters, we may remember that source in your browser's tab-scoped session storage so we can credit the referrer if you sign up before closing the tab. The data clears automatically when you close the tab. We do not set a tracking cookie and we do not write to persistent or third-party storage.
EU/EEA/UK visitors. Storing referral information on your device is not strictly necessary for the operation of the site. If you visit from the European Economic Area, the United Kingdom, or Switzerland, attribution storage applies only where you have consented (for example, by clicking a referral link with knowledge of these terms). If you do not wish attribution to be recorded, either do not click referral links, or use private/incognito browsing.
Payments and Paddle
When you purchase a paid plan, the transaction is processed by Paddle.com, acting as the Merchant of Record and the legal seller of the Service. Paddle is PCI-DSS Level 1 certified and handles all cardholder data directly. Paddle collects your payment method, billing address, and any tax identifiers required for invoicing. We never see or store your payment card number or any other primary account number.
From Paddle we receive: your email, the country and state used for tax determination, the plan you bought, the amount, and the transaction ID. We use this information to provision your account, recognise renewals and cancellations, and to handle support and refunds. Paddle's own data practices are described in the Paddle Privacy Notice.
To exercise privacy rights over payment data held by Paddle (for example, deletion or access requests under GDPR or CCPA), contact us at privacy@engram.page and we will coordinate with Paddle on your behalf.
Legal basis for processing (GDPR Art. 6)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data only where one of the following legal bases applies:
| Purpose | Legal basis (Art. 6) |
|---|---|
| Providing the Service to paid subscribers (account, sync, billing) | Contract — Art. 6(1)(b) |
| Waitlist email collection and confirmation | Consent — Art. 6(1)(a) |
| Transactional notifications (receipts, security alerts) | Contract — Art. 6(1)(b) |
| Analytics, product improvement, fraud and abuse prevention | Legitimate interests — Art. 6(1)(f) |
| Tax and billing-record retention | Legal obligation — Art. 6(1)(c) |
Where we rely on legitimate interests, you have the right to object (see "Your rights" below). Where we rely on consent, you may withdraw it at any time without affecting prior lawful processing.
Sub-processors
A sub-processor is a third-party service that processes personal data on our behalf to operate Engram. The full current list:
| Sub-processor | Purpose | Data categories | Location | EU/UK transfer safeguard |
|---|---|---|---|---|
| Paddle | Merchant of Record, billing, tax, refunds | Email, billing address, payment method, tax data | US / EU | SCCs |
| Cloudflare | Marketing site hosting (Workers), bot check (Turnstile), CDN | IP address, user agent, request data | Global edge | DPF (EU/UK/Swiss) + SCCs |
| Resend | Transactional + marketing email delivery | Email address, message content | US | DPF (EU/UK) + SCCs |
| PostHog | Cookieless product + marketing analytics | Pseudonymous hash-based identifiers; in-memory session events | US | DPF (EU) + SCCs |
| Clerk | Authentication, session management, JWT issuance | Email, password hash, session metadata | US | DPF (EU/UK/Swiss) + SCCs |
| Fly.io | Application hosting (Phoenix backend at app.engram.page) | All API traffic; encrypted note ciphertext at rest | US (multi-region) | DPF (EU/UK/Swiss) + SCCs |
| Tigris | Encrypted attachment object storage (S3-compatible) | Encrypted attachment ciphertext | US | SCCs |
| Qdrant Cloud | Vector search index for semantic recall | Quantized embeddings; no plaintext content | US / EU | DPF (EU) + SCCs |
| Voyage AI | Embedding generation for semantic search | Chunked note text at inference time; not retained for training under our contract | US | SCCs |
| Sentry | Error monitoring and crash reporting | Error stack traces with PII scrubbing; user ID only | US | DPF (EU) + SCCs |
Each sub-processor acts under a written data processing agreement with us. We do not share your data with any third parties beyond those listed here. Material additions to this list will be announced with reasonable notice via this page and email to active customers.
International data transfers
Several sub-processors above are based in the United States. If you access the Service from the European Economic Area, the United Kingdom, or Switzerland, your personal data is transferred to the US for processing.
We rely on the Standard Contractual Clauses issued by the European Commission under Implementing Decision (EU) 2021/914 — and the UK International Data Transfer Addendum where applicable — as the primary legal mechanism for these transfers. Where a sub-processor additionally self-certifies under the EU-US Data Privacy Framework (DPF) or the UK extension to the DPF, we may rely on that adequacy mechanism in addition to the SCCs. Specific safeguards in place for each sub-processor are available on request to privacy@engram.page.
Data retention
We retain personal data only as long as necessary for the purposes described above:
- Waitlist email: retained until you unsubscribe; deleted within 30 days of unsubscription.
- Analytics events: retained for up to 90 days, then aggregated and the raw events deleted.
- Account records and Engram's own copy of subscription data: retained for the life of your account, then deleted within 30 days of account deletion.
- Billing records held by Paddle as Merchant of Record: retained per Paddle's own retention schedule (typically up to 10 years for tax compliance under applicable law).
- Your notes and attachments: retained until you delete them or your account; deleted from primary storage within 30 days and from all backups within 90 days of deletion.
- Support correspondence: retained for 2 years from the date of the last message, then deleted.
Security
We implement administrative, technical, and physical safeguards designed to protect personal data:
- Encryption in transit (TLS 1.2 or higher) for all connections;
- Encryption at rest using AES-256 for note content and attachments;
- Least-privilege access controls; administrative access is logged and reviewed;
- Continuous monitoring (Sentry error tracking) and incident-response procedures;
- Regular review of sub-processor security postures;
- Network isolation between the marketing site (Cloudflare Workers) and the application (Fly.io).
No method of transmission or storage is perfectly secure; we cannot guarantee absolute security. If you believe you have discovered a security vulnerability, please email security@engram.page.
Breach notification
If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Art. 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay, as required by GDPR Art. 34. Notification will be by email to the address on your account.
Your rights
Depending on where you live, you have some or all of the following rights regarding the personal data we hold about you. To exercise any of them, email privacy@engram.page from the address on your Engram account. We will respond within 30 days (60 days for complex requests, with notice).
- Access: request a copy of the personal data we hold about you (GDPR Art. 15; CCPA right to know).
- Rectification: ask us to correct inaccurate or incomplete data (GDPR Art. 16; CCPA/CPRA right to correct).
- Erasure: ask us to delete your personal data (GDPR Art. 17 "right to be forgotten"; CCPA right to delete). Some records required by tax law are retained per the schedule above.
- Restriction: ask us to limit processing while a dispute is resolved (GDPR Art. 18).
- Portability: receive your data in a structured, machine-readable format (GDPR Art. 20). Your notes are already plain Markdown — you can export them at any time from the app.
- Objection: object to processing based on our legitimate interests (GDPR Art. 21).
- No automated decision-making: we do not subject you to decisions based solely on automated processing — including profiling — that produce legal effects concerning you or significantly affect you (GDPR Art. 22).
- Withdraw consent: where processing is based on your consent, you may withdraw it at any time without affecting prior lawful processing.
- Opt out of sale or sharing: we do not sell personal data and do not share it for cross-context behavioral advertising (CCPA/CPRA). No action required on your part.
- Non-discrimination: we will not deny service, charge different prices, or provide a different quality of service because you exercised any of these rights.
- Lodge a complaint: EU/EEA residents may complain to their national data-protection supervisory authority (GDPR Art. 77; see EDPB list of members); UK residents may contact the Information Commissioner's Office; California residents may contact the California Privacy Protection Agency.
Authorised agents may submit requests on your behalf with signed proof of authorisation. We will verify your identity before fulfilling any access or deletion request.
Children's privacy
The Service is not directed to children under 13, and we do not knowingly collect personal data from anyone under 13. If you believe a child under 13 has provided personal data to Engram, contact privacy@engram.page and we will delete it promptly. For residents of the EU/EEA, where the applicable age of digital consent is higher (typically 16, varying by member state down to 13), parental consent is required for users under that age.
What we do not do
- We do not use Google Analytics or any third-party tracking pixel.
- We do not share data with advertising networks.
- We do not fingerprint your browser or device.
- We do not track you across other websites.
- We honor browser-level Global Privacy Control (GPC) signals as required by CCPA/CPRA: a GPC signal is treated as a valid opt-out of any sale or sharing of personal information. Our analytics scripts also do not fire when we detect a Do Not Track (DNT) signal.
Changes to this Policy
We may update this Privacy Policy from time to time. If we make a material change, we will give reasonable notice by email or by posting a notice on the site before the change takes effect. The "Last updated" date at the top of this page reflects the most recent change.
Contact
Privacy-specific questions: privacy@engram.page. Security reports: security@engram.page. General support: support@engram.page.
Rasbandit Software Solutions LLC, d/b/a Engram
7533 S Center View Ct, Ste N #6048
West Jordan, UT 84084 USA