Privacy Policy
Last updated: 2026-04-29
Draft — pending legal review
This is the initial published draft of the Privacy Policy for Kagura Memory Cloud. It has not yet been reviewed by an attorney. We are publishing it ahead of the public launch of memory.kagura-ai.com so that our data-handling practices are transparent while the wording is finalized. We will update this page once legal review is complete; material changes will be announced via the mechanisms described in the "Changes to This Policy" section below.
Introduction
Kagura Memory Cloud ("the Service", "we", "our", "us") is an AI memory platform operated by the data controller identified in the Data Controller section below. This Privacy Policy explains what personal data we collect, why we collect it, how we store and protect it, and the rights you have over it.
This policy is written to comply with the EU General Data Protection Regulation (GDPR), the Japanese Act on the Protection of Personal Information (APPI, 個人情報保護法), and the California Consumer Privacy Act (CCPA / CPRA), whichever is applicable to you. We follow the principles of data minimization, purpose limitation, and transparency.
Data Controller
Controller: {{TBD: DATA_CONTROLLER}}
Address: {{TBD: DATA_CONTROLLER_ADDRESS}}
Contact for privacy requests: privacy@kagura-ai.com
Jurisdiction: Japan. Data-protection law of Japan (APPI) governs this policy. Nothing in this policy affects the rights of EU / UK residents under the GDPR or those of California residents under the CCPA / CPRA.
We have not designated a separate Data Protection Officer; the controller listed above is the point of contact for all requests.
Personal Data We Collect
We collect only the data we need to run the Service. Concretely:
Identity & authentication — when you sign in via OAuth (Google or GitHub): your email address, the provider's numeric user identifier (the sub claim; for GitHub this is github_user_id), your display name (optional), your avatar URL (optional), and for GitHub the login handle. We also store the authentication provider (google / github) so repeat sign-ins attach to the same account.
Password authentication — for the initial administrator account only: a login ID, a password hash (bcrypt), and, optionally, a TOTP secret for multi-factor authentication. We never store passwords in plaintext.
Session data — an opaque session identifier stored in an HttpOnly, SameSite=Strict cookie (kagura_session) and a matching entry in Redis. Sessions expire automatically after 7 days or when you log out.
Signup allowlist — when the administrator has enabled the optional admin-configurable signup gate, we store the GitHub numeric user IDs the administrator has allowed to register, together with the username at the time of addition, the source (manual or, in a future release, github_sponsors), the current state (active / grace / revoked), and the administrator who added the entry. Matching is done on the immutable numeric ID, not the username.
Memory data — the summaries, contexts, contents, tags, and metadata you store via the remember() API, the MCP protocol, or the Web UI. You are the data controller for the contents of your memories; we process them on your behalf under the service contract.
Usage & technical data — API request counts, feature usage counters, and rate-limit accounting (for quota enforcement); source IP address and User-Agent string (for security, abuse detection, and troubleshooting); structured application logs.
Internal Observability Metrics
To monitor search quality and detect drift in our ranking system, we collect daily statistical metrics derived from your memories. This data is treated with the same legal protections as your primary memory content.
Purpose — daily monitoring of the BM25 IDF distribution per workspace context, used to detect search-quality drift and to guide ranking-model updates.
Data category — hashed representations of rare-term tokens (mmh3 32-bit integer hashes) and their document frequencies, scoped per workspace context. No raw token text is stored. The underlying table is named bm25_idf_drift_log in the source code.
Classification — this data is pseudonymous personal data under GDPR Art. 4(5) and Recital 26. Although the hash itself is opaque, we as the controller retain both the source memory text and the hash, so re-identification by reasonable means remains possible. The data therefore falls within GDPR's protective scope and is treated with the same legal safeguards as your primary memory content.
Retention — maximum 90 days. See "Data Retention" below for the broader retention framework.
Right to erasure — when you exercise your right to erasure (GDPR Art. 17 / APPI), these observability records are deleted via the same cascade as your primary memory content. See "Your Rights" below.
Legal Basis for Processing (GDPR Article 6)
We rely on the following legal bases to process your personal data:
Contract (Art. 6(1)(b)) — processing required to provide the Service you signed up for: account creation, session management, memory storage and retrieval, quota enforcement, subscription billing.
Legitimate interests (Art. 6(1)(f)) — security monitoring, abuse detection, system diagnostics, and aggregate usage analytics for capacity planning. You can object at any time by contacting us at the address above.
Legal obligation (Art. 6(1)(c)) — retention of billing records and tax-related records as required by Japanese tax law.
Consent (Art. 6(1)(a)) — reserved for future optional features (for example, product-update emails). We do not currently process any data under consent; if that changes, we will ask you explicitly and you will be able to withdraw consent at any time.
How We Use Your Data
Service provision — storing, indexing, and retrieving your memories; running hybrid search and Neural Memory features; enforcing quotas and rate limits.
Authentication & access control — verifying identity at sign-in, maintaining your session, and applying role-based and workspace-level permissions.
Security — detecting abuse, investigating incidents, blocking malicious traffic.
Support & troubleshooting — diagnosing issues you report and maintaining service reliability.
Service improvement — analyzing aggregate, non-identifying usage patterns to guide capacity planning and feature work.
What we do NOT do — we do not sell your personal data; we do not use your memory contents to train AI models; we do not share your data with advertisers; we do not use tracking or marketing cookies.
Data Storage & Security
Encryption in transit — all traffic between your device and the Service is protected by TLS 1.3.
Encryption at rest — sensitive credentials (such as TOTP secrets and future third-party API tokens) are encrypted at the application layer using Fernet (AES-128-CBC + HMAC-SHA256) before being written to the database. Database volumes and object storage are encrypted at the infrastructure layer.
Data stores — structured data lives in PostgreSQL; vector embeddings in Qdrant; session tokens in Redis.
Access control — strict role-based access controls (system admin, workspace owner / admin / member / viewer, per-context membership). Administrative access to production infrastructure is limited to the operator listed as the Data Controller above and is logged.
Backups — encrypted database backups retained for up to 30 days for disaster recovery.
Monitoring — structured application logs and infrastructure metrics for availability and security monitoring.
Data Retention
Retention periods match the values compiled into backend/src/config/retention.py in the Kagura Memory Cloud source code. If those values change, this policy is updated.
Working memory — 30 days from last access, then automatically purged unless promoted to persistent memory by the criteria documented in the codebase (access count ≥ 3, or age ≥ 7 days, or importance ≥ 0.7, or accessed from ≥ 2 clients).
Persistent memory — retained as long as your account exists, subject to plan limits:
- Free plan: 90 days from last access, then purged.
- Pro / Enterprise plans: retained indefinitely while the plan is active.
Session records — 7 days, then expire automatically in Redis.
Signup allowlist entries — retained while the entry is active. When an administrator revokes an entry, or (in a future release) when a sponsorship lapses, the entry enters a 30-day grace state before being purged. Entries in revoked state are purged on the next scheduled cleanup.
System logs — up to 90 days, then purged or anonymized.
Internal observability metrics — search-quality monitoring data (BM25 IDF drift logs) is retained for a maximum of 90 days. See "Internal Observability Metrics" above for full details and legal classification.
Encrypted backups — up to 30 days, then deleted.
Billing & tax records — retained for the period required by Japanese tax law (currently 7 years), even after account deletion.
Deleted accounts — when you delete your account, we purge your personal data within 30 days from our primary stores and within a further 90 days from backups as they rotate out. Billing and tax records above are the only exception.
Your Rights
Under GDPR, APPI, and CCPA / CPRA as applicable, you have the following rights:
Access — request a copy of the personal data we hold about you, and an export of your memory contents.
Rectification — correct inaccurate or incomplete data. Display name, locale, and timezone can be edited directly in your profile; other fields can be corrected on request.
Erasure ("right to be forgotten") — delete your account and associated personal data, including internal observability metrics, which are removed via the same cascade. You can request erasure via the contact address below.
Data portability — receive your memory contents in a machine-readable format.
Restriction — ask us to temporarily stop processing specific data.
Objection — object to processing we base on legitimate interests.
Withdraw consent — for any processing we do based on consent (none at this time).
Lodge a complaint — if you believe we have mishandled your data you can complain to the Personal Information Protection Commission of Japan (PPC, 個人情報保護委員会) or to your local EU data-protection authority. We would appreciate a chance to address your concern first.
We respond to requests within 1 month (EU standard, GDPR Art. 12(3)), which is also within the "without undue delay" standard of APPI. For complex requests this period may be extended by up to 2 additional months; we will notify you if an extension is needed.
International Transfers
Primary storage is in Japan. We use reputable cloud providers (see "Third-Party Services" below) which may process data in other regions for operational reasons (for example, content delivery networks). Where data is transferred outside Japan / the EEA, transfers rely on standard contractual clauses or adequacy decisions as appropriate. We do not intentionally store user data outside Japan.
Third-Party Services
We use a small number of third-party services to operate the Service. We use only what is needed, and we do not share data beyond what each service requires to perform its function.
GitHub (github.com) — OAuth sign-in; optional sponsorship lookup (future release) for the signup allowlist. GitHub's privacy practices: GitHub Privacy Statement.
Google (google.com) — OAuth sign-in. Google's privacy practices: Google Privacy Policy.
Cloud infrastructure — compute, database, object storage, and CDN. Any change of provider is noted on the service status page.
Large language model providers — OpenAI, Anthropic, Google AI, and local-first Ollama instances are only invoked when you explicitly use a feature that calls them (for example, embeddings, reranking, summarization). Each provider's privacy practices govern how they handle the request payload; we pass only the minimum required data and do not authorize training on it.
Payment processing (future) — Stripe for subscription billing. When we enable subscriptions we will update this policy with Stripe's Data Processing Addendum reference.
We select providers that meet our data-protection standards and keep the list minimal.
Cookies
We use one strictly necessary cookie for service operation:
kagura_session — HttpOnly, Secure, SameSite=Strict. Required to authenticate your requests. Expires after 7 days or when you log out. No consent banner is required under GDPR ePrivacy rules for strictly-necessary cookies.
We do not set analytics, advertising, or cross-site tracking cookies. If that changes, we will add a cookie-consent banner before setting any non-essential cookie and this section will be updated.
Children's Privacy
The Service is not directed to children under 16 (GDPR Art. 8) or, in Japan, under the age at which a legal guardian's consent is required under the Civil Code. We do not knowingly collect personal information from children in that age range. If you believe we have done so, please contact us and we will delete the data promptly.
Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you (GDPR Art. 22). Quota enforcement and rate limiting are purely technical and do not infer anything about you as a person.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We update the "Last updated" date at the top of this page.
- We email registered users at the address we have on file (where the change warrants it).
- We post a prominent notice on the Service.
Continued use of the Service after a material change constitutes acceptance of the updated policy. If you do not accept a material change, you may delete your account before the effective date.
Contact
Questions about this Privacy Policy, or requests to exercise your rights:
- Email: privacy@kagura-ai.com
- GitHub (for non-privacy technical issues only): kagura-ai/memory-cloud
Please mark requests under GDPR / APPI / CCPA as such in the subject line so we can route them correctly.