memacta
Sign In

Privacy Policy

Last updated: 2026-04-22

1. What We Collect

  • Account data: email address, display name, password hash (bcrypt), profile image URL.
  • Uploaded photos (Persona training): reference photographs you provide to train a Persona LoRA model.
  • Face embeddings (biometric data — see §2): a numerical vector derived from your face geometry, used for identity consistency across Generations.
  • Generated content: prompts, model selections, output images and videos, and associated metadata.
  • Billing data: subscription tier, credit balance, transaction history. Payment instrument details are held exclusively by Stripe — we never see raw card numbers.
  • Technical data: IP address, browser user agent, request logs, error traces (Sentry), and Upstash rate-limit counters.
  • Cookies and session tokens: NextAuth.js session cookies for authentication; an anonymous generation counter stored in a first-party cookie for unauthenticated trial use.

2. Biometric Data Notice (BIPA / Texas CUBI / GDPR Art. 9)

When you train a Persona, memacta derives a face embedding — a mathematical representation of the geometry of the face in your reference photos. This constitutes biometric data under the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifiers Act (CUBI), and qualifies as special-category data under GDPR Article 9.

  • Consent: By proceeding past the Persona consent checkpoint, you explicitly consent to memacta computing and storing your face embedding. You may withdraw consent at any time by deleting the Persona.
  • Purpose limitation: Face embeddings are used solely for identity consistency within your Generations. They are never shared with third parties or used for any purpose other than running the Persona feature for your account.
  • Retention: Face embeddings are retained for the lifetime of the Persona and for a maximum of 12 months after the Persona's last generation use. You may request deletion at any time by archiving or deleting the Persona.
  • Right to delete: Delete any Persona via its settings page, or submit a deletion request to privacy@memacta.ai. We will confirm and complete deletion within 30 days.
  • No sale: We will never sell, lease, trade, or profit from your biometric data.

3. Why We Collect Your Data

  • Providing the service: account authentication, credit tracking, Persona training, image/video generation.
  • Safety and abuse prevention: prompt moderation, rate limiting, detection of policy violations, CSAM hash scanning.
  • Billing: managing subscriptions and credit packs via Stripe.
  • Communications: transactional emails (email verification, password reset, training-complete notifications) via Resend.
  • Service improvement: aggregate, anonymised analytics on feature usage. We do not perform individual-level behavioural profiling for advertising.

4. AI Training — We Do Not Train on Your Content

memacta does not use your uploaded photos, Persona data, prompts, or generated outputs to train foundational AI models, now or in the future, without your explicit opt-in consent. Your creative assets belong to you. Any future opt-in programme will be clearly presented, voluntary, and compensated.

5. Data Processors and Third-Party Services

memacta uses the following sub-processors. Each receives only the minimum data required for their function:

fal.ai — AI Model Inference

Receives prompts, reference images, LoRA parameters, and model configurations to execute generation requests. Outputs are returned to memacta and stored on your behalf. Privacy Policy

Stripe — Payment Processing

Handles subscription billing and credit pack purchases. Stripe stores payment instrument details; we receive only a customer token and billing status. Privacy Policy

Resend — Transactional Email

Sends verification, password reset, and notification emails. Receives your email address and the email body. Privacy Policy

Supabase — Database and Storage

Hosts the PostgreSQL database containing your account, library, credit ledger, and Persona data. Also provides object storage for reference photos and generated media files. Privacy Policy

Sentry — Error Monitoring

Captures application errors and performance traces. May receive truncated stack traces, browser metadata, and anonymised user IDs. No prompt content or generated media is forwarded to Sentry. Privacy Policy

Upstash — Rate Limiting

A Redis-compatible store used to track per-user request counts for rate limiting. Receives anonymised user or IP identifiers and request counts. No prompt or media content is stored. Privacy Policy

Vercel — Hosting and Edge Network

Hosts and serves the memacta web application. Vercel logs include IP addresses, request paths, and response codes for up to 30 days. Privacy Policy

6. Cookies and Analytics

We use the following cookies:

  • Session cookie (next-auth.session-token): secure, HttpOnly, Strict SameSite. Required to maintain your login session.
  • CSRF token (next-auth.csrf-token): required for form submission security.
  • Anonymous generation counter: a first-party cookie tracking how many free generations an unsigned-out visitor has used. Expires after 7 days.

We do not use third-party advertising cookies. We do not use Google Analytics, Meta Pixel, or similar tracking scripts.

7. Data Retention

  • Account data and generation history: retained while your account is active. After 12 months of inactivity your account is flagged for archive; you will receive an email notification before deletion.
  • Biometric data (face embeddings): deleted within 30 days of Persona deletion or 12 months after last use, whichever is sooner.
  • On-request deletion: permanent deletion within 30 days of a verified deletion request.
  • Server / error logs: up to 30 days (Vercel) and up to 90 days (Sentry), then auto-expired.
  • Billing records: retained for 7 years as required by tax and accounting regulations.

8. Your Rights

Depending on your jurisdiction you have the right to:

  • Access (GDPR Art. 15): request a copy of the personal data we hold about you.
  • Rectification (GDPR Art. 16): correct inaccurate data via Account Settings.
  • Erasure (GDPR Art. 17 / CCPA): delete your account and all associated data.
  • Portability (GDPR Art. 20): export your generation history and Persona LoRA files on request.
  • Restriction and objection (GDPR Art. 18–19): restrict specific processing activities.
  • Opt-out of sale (CCPA / CPRA): we do not sell personal data. Nothing to opt out of.

To exercise any right, email privacy@memacta.ai. We respond within 30 days. Identity verification may be required for deletion requests.

9. Children's Privacy

memacta is not available to users under 18. We do not knowingly collect data from minors. Persona photo uploads are screened for estimated age; uploads that appear to depict a minor are automatically rejected. If you believe a minor has provided us data, contact privacy@memacta.ai and we will investigate and delete within 72 hours.

10. Contact

For all privacy-related enquiries: privacy@memacta.ai. Mailing address: [USER TO FILL: company mailing address]. Data Protection Officer (if applicable): [USER TO FILL: DPO name and contact or "Not yet appointed — contact privacy@memacta.ai"].

Terms of ServiceDMCA PolicyAI Likeness PolicyContact