Privacy

For every signed-in user we store the projects you create, the dimensions and nodes inside them, and an append-only commit log of changes. We also store OAuth state (clients you've connected, access and refresh tokens) and any long-lived API keys you've issued for CLI use.

Memory is intimate data. We treat dimension content as more sensitive than the average notes-app row and apply the practices in our SECURITY.md to protect it.

• Row-level security on every table — only you can read your projects.
• Tokens hashed at rest — a database dump does not yield usable access credentials.
• Optional encryption at rest for dimensions — opt in per project, with a passphrase only you hold. We cannot recover encrypted content if the passphrase is lost. We say so before you enable it.
• Audit log of privileged events on your account, retained 90 days, visible to you only.
• Session cookies are HttpOnly and Secure. We do not set tracking cookies, so there is no cookie banner.

We do not sell or rent your data. We do not feed your dimensions to anyone's training set. Your project content is sent to the AI clients youconnect (Claude Desktop, Cursor, ChatGPT, etc.); those providers' own privacy policies apply once the data enters their systems.

• Supabase (database, auth) — US East
• Vercel (hosting) — global edge
• Anthropic (only when you connect Claude) — when invoked

You can export everything we hold about you at /account. You can delete your account from the same page. Deletion is immediate and irreversible; backups are purged within 30 days.

Suspected security issues: open a private advisory on GitHub. Privacy questions: same place, or email the maintainer.