Legal
Privacy Policy
Last updated: 8 April 2026
1. Who we are
This Privacy Policy describes how Memoir(“Memoir”, “we”, “us”) processes personal data when you use the Memoir service at memoir.gift.
Controller: MemoirRegistered legal name: VMB Support
Amsterdam, the Netherlands
hi@memoir.gift
We process personal data in accordance with the General Data Protection Regulation (GDPR) and the Dutch GDPR Implementation Act (UAVG). Read this policy together with our Terms and Conditions, which govern use of the Service; this policy focuses specifically on personal data processing.
2. What data we process and why
We collect and use personal data only for the purposes set out below and on the legal bases indicated.
| Category | Examples | Purpose | Legal basis (GDPR) |
|---|---|---|---|
| Account & project | E-mail, project name, occasion metadata, IP/browser (technical logs) | Provide the Service, manage your project and payments, security, support | Performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) for security and fraud prevention where applicable |
| Photographs & user text | Images you upload; captions or notes you add; derived outputs (previews, Film) | Generate Preview and Film; store temporarily for processing; automatic deletion per retention schedule | Performance of a contract (Art. 6(1)(b)); where images qualify as special category data (Art. 9), processing may rely on explicit consent or another applicable Art. 9 ground as assessed for your use case — see Section 3 |
| Payment data | Transaction references via Mollie (we do not store full card numbers) | Process payments, refunds, accounting | Performance of a contract (Art. 6(1)(b)); legal obligation for tax/financial records (Art. 6(1)(c)) |
| Support & communications | Messages you send to us; complaint details | Respond to requests and resolve disputes | Performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) |
3. Special category data (photos)
Photographs may reveal racial or ethnic origin, health, or biometrics. Such data may be treated as special category data under Article 9 GDPR. Memoir uses your uploads only to fulfil your request to create a Film, in line with our Terms. Consult your own legal advisor if you upload images of other people; you are responsible for having a valid legal basis to share their data with us. We do not use your photos to train third-party AI models.
4. Recipients and subprocessors
We use carefully selected service providers who process data on our instructions (processors). They may include:
- Supabase — database, authentication, and object storage (primary region EU / eu-west where configured)
- Vercel — application hosting and edge delivery
- Mollie — payment processing
- fal.ai — media generation (e.g. Kling AI)
- Stability AI (or its subprocessors) — audio generation where used
- E-mail / transactional providers — delivery of service e-mails
A written data processing agreement is in place with processors where required by law. The list above is illustrative; we can provide an up-to-date list on request at hi@memoir.gift.
5. Transfers outside the EEA
Where a subprocessor operates outside the European Economic Area, we rely on GDPR Chapter V mechanisms (for example the EU Commission's standard contractual clauses) and, where appropriate, a transfer impact assessment. Details of specific transfers are available on request.
6. Retention
| Data | Retention |
|---|---|
| Original uploaded photographs (source) | Automatically deleted within 90 days of upload (unless a shorter period applies by product configuration or earlier deletion on request) |
| Delivered HD Film (download link / file) | Available for 90 days after delivery, then may be removed from our systems |
| Invoices & payment records | As required by Dutch tax and accounting law (typically 7 years) |
| Server / security logs | Short-term technical retention as needed for security and troubleshooting (typically days to weeks unless extended for an incident) |
7. Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (HTTPS), access controls, and separation of environments. No method of transmission over the Internet is completely secure.
8. Your rights
Under the GDPR you may have the right to access, rectify, erase, restrict processing, object, and data portability, and to withdraw consent where processing is based on consent. To exercise these rights, contact hi@memoir.gift. We will respond within one month unless the law allows an extension.
You may lodge a complaint with the Dutch Supervisory Authority: Autoriteit Persoonsgegevens.
9. Data breaches
In the event of a personal data breach likely to result in a risk to individuals, we will notify the competent supervisory authority within 72 hours where required, and notify affected data subjects without undue delay when required by law.
10. Changes
We may update this Privacy Policy to reflect legal, technical, or organisational changes. Material changes will be highlighted (for example via the Service or e-mail) where appropriate. The latest version is always published on this page with an updated “Last updated” date.
11. Automated processing & AI
Your Film is produced using automated pipelines and third-party AI models. We do not use your photos or this processing for automated decision-making with legal or similarly significant effects within the meaning of Article 22 GDPR in relation to you as a consumer.
12. Vision / embeddings (if applicable)
If Memoir uses external vision APIs to analyse images as part of the production pipeline, such transfers are limited to what is necessary for the Service and are covered by our processor arrangements. See internal technical documentation for vendor-specific flows; ask us for details if you need them for your own compliance.
