Privacy Policy
EREBYX website, dashboard, app, and associated services
Effective June 1, 2026 · Last updated June 1, 2026
Your privacy is important to us. It is our policy to respect your privacy and comply with any applicable law and regulation regarding any personal information we may collect about you, including via our website (erebyx.com), the EREBYX Core app, and associated services.
Personal information is any information about you which can be used to identify you. This includes information about you as a person (such as name, address, and date of birth), your devices, payment details, and even information about how you use our app or online services.
In the event our services contain links to third-party sites and services, please be aware that those sites and services have their own privacy policies. After following a link to any third-party content, you should read their posted privacy policy information about how they collect and use personal information. This Privacy Policy does not apply to any of your activities after you leave our services.
Information We Collect
Information we collect falls into one of two categories: "voluntarily provided" information and "automatically collected" information.
Voluntarily provided information refers to any information you knowingly and actively provide us when using our services and promotions.
Automatically collected information refers to any information automatically sent by your devices in the course of accessing our services.
Log Data
When you visit our website or access our servers via our app, we may automatically log standard data provided by your browser or device. It may include your device's Internet Protocol (IP) address, your browser type and version, the pages you visit, the time and date of your visit, the time spent on each page, and other details about your visit.
Additionally, when you encounter certain errors while using our services, we automatically collect data about the error and the circumstances surrounding its occurrence. This data may include technical details about your device, what you were trying to do when the error happened, and other technical information relating to the problem. You may or may not receive notice of such errors at the time they occur.
Device Data
When you visit our website or interact with our services, we may automatically collect data about your device, such as device type, operating system, IP address, browser type, session timestamps, and timezone (captured via infrastructure logging — Loki / Sentry).
Personal Information
We may ask for personal information — for example, when you submit content to us, when you subscribe to our newsletter, when you register an account, or when you contact us — which may include one or more of the following:
- Name
- Home or mailing address (only if relevant to a transaction)
Sensitive Information
"Sensitive information" or "special categories of data" is a subset of personal information given a higher level of protection. Examples include information relating to racial or ethnic origin, political opinions, religion, trade union or other professional associations or memberships, philosophical beliefs, sexual orientation, sexual practices or sex life, criminal records, health information, or biometric information.
The types of sensitive information we may collect about you include:
User-generated content (memories, atoms, conversations) may contain information of any sensitive category at the user's discretion. All user-generated content is encrypted at rest with envelope encryption — XChaCha20-Poly1305 (primary), with AES-256-GCM — using per-tenant keys derived via HKDF-SHA256. At v0.1.1, EREBYX operationally holds the per-tenant Key Encryption Key for support and debugging, and may be compelled to decrypt under valid US legal process.
Content is processed in plaintext at the inference layer (third-party LLM APIs, currently DeepInfra) at the moment of atomization and embedding before being encrypted at rest for storage. Plaintext does not persist on EREBYX infrastructure outside the inference window.
Per-user zero-knowledge encryption ships in v0.2 (target Q3 2026); at that point, encryption keys will be derived from a passphrase you control, and EREBYX will be unable to decrypt your content. A lost passphrase will mean lost memories. We will notify you when the v0.2 architecture migration becomes available; until then, the v0.1.1 architecture above applies.
We will not collect sensitive information about you without first obtaining your consent, and we will only use or disclose your sensitive information as permitted, required, or authorized by law.
Legitimate Reasons for Processing Your Personal Information
We only collect and use your personal information when we have a legitimate reason for doing so. In such instances, we only collect personal information that is reasonably necessary to provide our services to you.
Collection and Use of Information
We may collect personal information from you when you do any of the following on our services:
- Register for an account
- Sign up to receive updates from us via email or social media channels
- Use a mobile device or web browser to access our content
- Contact us via email, social media, or any similar technologies
- Mention us on social media
We may collect, hold, use, and disclose information for the following purposes, and personal information will not be further processed in a manner incompatible with these purposes:
- To provide you with our app and platform's core features and services
- To enable you to customize or personalize your experience of our services
- To deliver products and/or services to you
- To contact and communicate with you
- For analytics, market research, and business development, including operating and improving our services
- For internal record-keeping and administrative purposes
- To comply with our legal obligations and resolve any disputes that we may have
- For security and fraud prevention, and to ensure that our sites and apps are safe, secure, and used in line with our terms of use
- For technical assessment, including to operate and improve our services
Security of Your Personal Information
When we collect and process personal information, we will protect it within commercially acceptable means to prevent loss and theft, as well as unauthorized access, disclosure, copying, use, or modification. Specifically: envelope encryption at rest (XChaCha20-Poly1305 primary, AES-256-GCM) with per-tenant key derivation; TLS 1.3 in transit; PostgreSQL Row-Level Security verified at startup; SHA-256 hashed API keys; argon2id-hashed account passwords.
Although we will do our best to protect the personal information you provide to us, no method of electronic transmission or storage is 100% secure and no one can guarantee absolute data security.
You are responsible for selecting any password and its overall security strength.
How Long We Keep Your Personal Information
We keep your personal information only for as long as we need to. For specific retention timelines for memory content, account data, and activity logs, see our Data Retention & Deletion Policy.
If necessary, we may retain your personal information for compliance with a legal, accounting, or reporting obligation or for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.
Children's Privacy
EREBYX requires users to be at least 18 years of age. We do not knowingly collect personal information from children under the age of 13 (per the U.S. Children's Online Privacy Protection Act), and we do not aim any of our products or services at children. See our Acceptable Use Policy for our age policy in full.
Disclosure of Personal Information to Third Parties
We may disclose personal information to:
- A parent, subsidiary, or affiliate of our company
- Third-party service providers for the purpose of enabling them to provide their services
- Our employees, contractors, and/or related entities
- Our existing or potential agents or business partners
- Credit reporting agencies, courts, tribunals, and regulatory authorities, in the event of unpaid services
- Courts, tribunals, regulatory authorities, and law enforcement officers, as required by law
- Third parties that assist us in providing services or processing data
- An entity that buys, or to which we transfer all or substantially all of our assets and business
Subprocessors we currently use
- Stripe — payment processing + all commerce emails (receipts, cancellation, dunning, dispute) (US)
- MailerSend — magic-link sign-in and other transactional email required to deliver the service (US / EU edge)
- MailerLite — opt-in-only newsletter sends + Genesis_Members group management (US / EU edge)
- Cloudflare — DNS, CDN, DDoS protection (Global edge)
- DeepInfra — LLM inference + embedding generation (US) — used for memory atomization and embedding only; plaintext does not persist outside the inference window. Exits the data path when v0.2 ships full TEE-hosted inference.
- OVH Cloud (US-West, Hillsboro Oregon) — primary database + API hosting
- PostgreSQL with pgvector — self-hosted on OVH
- Better Auth — session authentication, self-hosted
- Sentry — error tracking with sensitive-data redaction
- Loki — log aggregation, self-hosted
Email handling clarification: Stripe sends all commerce-related emails (receipts, cancellation confirmations, payment-failure dunning) automatically. MailerSend sends magic-link sign-in emails and other transactional email required to deliver the service. MailerLite sends opt-in newsletters only. Every newsletter email includes a one-click unsubscribe link in compliance with CAN-SPAM and applicable consent laws.
International Transfers of Personal Information
The personal information we collect is stored and processed in the United States. The countries to which we store, process, or transfer your personal information may not have the same data protection laws as the country in which you initially provided the information. We perform transfers in accordance with the requirements of applicable law and protect transferred information in accordance with this privacy policy.
Your Rights and Controlling Your Personal Information
Access: request details of the personal information we hold about you.
Correction: contact us if you believe information we hold about you is inaccurate. We will correct or update it within 30 days.
Deletion: request deletion of your personal information at any time via dashboard → Settings → Delete Account, or by contacting [email protected]. See our Data Retention Policy for the operational deletion process and timing.
Right to Limit Use of Sensitive Personal Information (California / CPRA § 1798.121): California residents may direct us to limit our use of sensitive personal information to specified business purposes. To exercise this right, contact [email protected] with the subject line LIMIT SENSITIVE PI.
Authorized Agent (California / CPRA): California consumers may designate an authorized agent to make rights requests on their behalf. We require written, signed authorization and may verify the consumer's identity directly. Contact [email protected] for the authorized-agent procedure.
Non-discrimination: we will not discriminate against you for exercising any of your privacy rights.
Downloading of personal information (data portability): visit your dashboard → Settings → Export. JSON format. Memory content + metadata + system state. Smaller accounts deliver via in-dashboard download; larger accounts deliver via async email link within 24 hours. Contact [email protected] for assistance.
Notification of data breaches: we will comply with applicable laws regarding any data breach notification, including state breach-notification statutes and (where applicable to EU residents in v0.2+) GDPR Article 33.
Complaints: contact [email protected] with any concern. We respond to data-rights requests within 30 days.
Marketing opt-out: opt-out instructions are included in marketing emails. Transactional emails (Welcome, Receipt, Payment-Failed, Verification) cannot be unsubscribed from while you have an active subscription — cancel via the Stripe Customer Portal to stop transactional emails.
Do Not Sell or Share My Personal Information: we do not sell or share (as those terms are defined under the CCPA/CPRA) your personal information. Period. We honor the Global Privacy Control (GPC) browser signal as an opt-out of sale/sharing in the event our practices ever change.
Use of Cookies
We use cookies to give your device access to core features of our services and to track usage and performance. See our Cookie Policy for details.
Business Transfers
If we or our assets are acquired, or in the unlikely event that we go out of business or enter bankruptcy, we would include data, including your personal information, among the assets transferred to any parties who acquire us. Any acquiring party may continue to use your personal information according to this policy.
Successor-binding commitments. Our no-training-on-user-content commitment (see Terms of Service § "No Training on User Content") binds any successor entity. We will only consummate a business transfer under terms that preserve the no-training commitment for memory content already stored as of the date of transfer, and that require the successor to honor this Privacy Policy until users are notified of any material change.
Changes to This Policy
We may change our privacy policy to reflect updates to our business processes, current acceptable practices, or legislative or regulatory changes. If significant, we will contact you with the new details.
U.S. State Privacy Laws (CA, CO, CT, DE, FL, IA, IN, MT, NH, NJ, OR, TN, TX, UT, VA)
The following provisions apply to residents of U.S. states with comprehensive consumer-privacy statutes, including California (CCPA / CPRA), Colorado (CPA), Connecticut (CTDPA), Delaware (DPDPA), Florida (FDBR), Iowa (ICDPA), Indiana (INCDPA), Montana (MCDPA), New Hampshire (NHPA), New Jersey (NJDPA), Oregon (OCPA), Tennessee (TIPA), Texas (TDPSA), Utah (UCPA), and Virginia (VCDPA). We honor the standards in this section regardless of your state of residence.
Do Not Track: at this time we do not respond to browser "Do Not Track" signals, because we do not engage in the cross-site tracking that DNT was designed to opt out of. We adhere to the standards outlined in this policy regardless.
California (CCPA / CPRA) — Notice of Collection
In the operation of the EREBYX service, we collect the following categories of personal information enumerated in the CCPA:
- Identifiers: name, email address, account ID, IP address, device identifiers
- Customer records: billing address (held by Stripe), payment-method tokens (held by Stripe — EREBYX does not see card numbers)
- Commercial information: subscription history, transaction history, plan tier
- Internet or other electronic network activity: usage logs, error logs, API call telemetry, session timestamps
- Inferences drawn from the above: derived categorical aggregates used to operate EREBYX (memory counts, retrieval patterns) — never sold or shared
- User-generated content: the memory content you save (encrypted at rest per § "Sensitive Information"); may contain any category of sensitive information at your discretion
Sources of personal information
- Directly from you (account signup, content you save, support emails)
- Automatically from your device (IP, browser, session telemetry — see "Log Data" and "Device Data" above)
- From our subprocessors (Stripe billing data; Better Auth session metadata; Cloudflare edge telemetry)
Business and commercial purposes
We collect each category for the purposes described in the "Collection and Use of Information" section above: providing the service, operating your account, processing payments, securing the platform, complying with law, and (with consent) marketing communications. We do not collect for secondary purposes incompatible with these.
Categories of recipients
Each category of personal information may be disclosed to (a) the subprocessors enumerated in the "Subprocessors we currently use" section above, each only for the operational purpose stated; (b) law enforcement or regulatory authorities pursuant to valid legal process; (c) a successor entity in a business transfer per § "Business Transfers." We do not sell or share your personal information with third parties for advertising, profiling, or any consideration.
Retention
Each category is retained only for as long as needed for the purpose collected. Specific retention windows by category are in our Data Retention & Deletion Policy (e.g., memory content during active subscription + 30-day grace + 90-day backup; account data through subscription + 7-year tax records; activity logs 90 days operational + 30 days raw).
Your rights (CCPA / CPRA and parallel state statutes)
- Right to Know what personal information we collect, use, and disclose
- Right to Correct inaccurate personal information
- Right to Delete personal information we have collected from you
- Right to Opt Out of sale or sharing (we do not sell or share, but the right exists if our practices ever change)
- Right to Limit Use of Sensitive Personal Information to specified business purposes (CPRA § 1798.121)
- Right to Non-Discrimination for exercising any of the above
- Right to Designate an Authorized Agent to make these requests on your behalf
To exercise any of these rights, contact [email protected]. We respond within 30 days (extendable up to 45 with notice, per statute).
No sale or share statement
In the operation of the service, EREBYX does not sell or share (as those terms are defined under the CCPA / CPRA) any personal information, including sensitive personal information. We have no plans to do so.
EU / EEA Residents — GDPR
Service availability — important notice
EREBYX Genesis Arche v0.1.x is offered to U.S.-based customers only. Full GDPR-compliant service for EU/EEA residents — including a designated Article 27 representative within the EU and executed Standard Contractual Clauses with our subprocessors — is targeted for v0.2 (Q3 2026). If you are an EU/EEA resident, you may not be able to complete signup at this time. The provisions below describe EREBYX's GDPR posture as we honor it today on a good-faith basis and the additional commitments that take effect when full service launches.
The GDPR distinguishes between data controllers (organizations that determine the purpose and means of processing) and data processors (those that process on behalf of others). EREBYX LLC is a Data Controller with respect to the personal information you provide to us.
What we honor today (good-faith partial compliance)
- Lawful bases: we process personal information on the bases of consent, performance of a contract you have entered into with us, our legitimate interests in operating and securing the service, and compliance with applicable law.
- Data minimization and purpose limitation: we collect only what we need for the purposes described in this policy, and do not repurpose data incompatibly.
- Security: envelope encryption at rest (XChaCha20-Poly1305 primary, AES-256-GCM) with per-tenant keys, TLS 1.3 in transit, PostgreSQL Row-Level Security, hashed credentials.
- Retention limitation: per our Data Retention Policy.
- Data subject rights — best-effort honoring: we honor requests for access, correction, deletion, portability, restriction of processing, and objection. Contact [email protected] to exercise any right; we respond within 30 days (extendable to 60 days with notice for complex requests).
- No sale or training: we do not sell personal information, and we do not use memory content for model training or evaluation (see Terms of Service § "No Training on User Content").
- Breach notification: we will notify affected users without undue delay where required by applicable state or national breach-notification law.
What we do NOT yet have (transparent gap disclosure)
- Article 27 EU representative — not yet designated. To be appointed before v0.2 EU launch.
- Standard Contractual Clauses (SCCs) with our U.S.-based subprocessors — not yet executed. To be executed before v0.2 EU launch.
- Designated Data Protection Officer (DPO) — not appointed (we are below the size thresholds that mandate one, but we may appoint voluntarily as we scale).
- Data Protection Impact Assessment (DPIA) for high-risk processing — completion targeted for v0.2.
- Cross-border transfer safeguards — your personal information is currently stored and processed in the United States, and a transfer outside the EEA today would not be protected by SCCs. Once SCCs are executed (v0.2), international transfers will be protected by them.
We are tracking these commitments publicly. If you are an EU/EEA resident interested in being notified when v0.2 GDPR-compliant service launches, contact [email protected].
Other Jurisdictions (UK, Canada, Australia)
EREBYX Genesis Arche v0.1.x is offered to U.S.-based customers only. We do not currently have the structural compliance for full operation under UK GDPR, Canada PIPEDA, or Australia's Privacy Act — those jurisdictions will be supported under our v0.2 launch (target Q3 2026), at which point this section will be expanded with jurisdiction-specific disclosures.
If you are a resident of one of these jurisdictions and have questions, contact [email protected]; we honor reasonable rights requests on a good-faith basis until full structural compliance is in place.
Contact Us
Privacy and data-rights inquiries: [email protected] — response within 30 days.
General support and account questions: [email protected]
Legal notices: [email protected]
EREBYX LLC
500 Westover Drive #32317
Sanford, NC 27330, USA