Privacy Policy
Last updated: 2026-05-07
Privacy in one sentence
Memoir encrypts everything on your device before it leaves your hands. We — and anyone else — cannot read your private entries.
The short version
Memoir is private journaling. Your writing stays on your devices. We — and the cloud — can't read it.
- Every memory, photo, and audio note is encrypted on your device with a key only your device holds (AES-256-GCM).
- We have no servers that store decrypted content. The CloudKit sync we use is encrypted-at-rest by Apple and re-encrypted by Memoir before upload.
- We don't run analytics, no third-party trackers, no ads, no behavioural profiling.
- The only opt-in network feature is the public feed, where the leader of a family can publish a signed memory for relatives to read.
What stays on your device only
- All memory titles, bodies, moods, and locations.
- All photo, video, and audio attachments.
- Audio transcripts produced by on-device speech recognition.
- OCR text extracted from photos via on-device Vision framework.
- Memory embeddings used for semantic search.
The encryption key (the "master key") lives in your Apple Keychain and never leaves the keychain. We cannot recover it for you if it is wiped — that is the trade-off for true end-to-end encryption. Keep a backup of your encrypted export.
What CloudKit syncs (encrypted)
If you have iCloud sign-in enabled, Memoir syncs the encrypted blobs to your iCloud private database. Apple sees:
- The fact that record N was created or modified at timestamp T — metadata Apple uses for sync.
- The encrypted byte payload, which Apple cannot decrypt.
Apple does not see plaintext titles, bodies, moods, locations, or attachments. The same applies to family shares: each share has its own AES-256 key wrapped via X25519 ECDH for each participant. No one in the chain — not Apple, not us, not other family members — can read another member's private entries.
The public feed (opt-in)
One person per family can be designated as "leader" and may publish individual memories to the public feed at /app/feed. Published posts are:
- Signed with the leader's Ed25519 key, so we can verify authorship without requiring authentication.
- Stored in plaintext on our backend, because they are public by the author's choice.
- Accessible to anyone who visits the feed URL — no login, no cookies.
You can delete a published post at any time from the iOS or macOS app. The deletion is propagated to our server within seconds. We do not cache deleted content beyond that propagation window.
What we never collect
- IP addresses — stripped from access logs immediately on ingestion.
- Device identifiers — no IDFA, no IDFV, no fingerprinting.
- Crash reports tied to a user — we use Apple's anonymised aggregate crash reporter only.
- Third-party analytics SDKs — no Firebase, no Sentry, no Mixpanel, no Amplitude.
- Advertising data — Memoir has no ads, no ad network integrations.
Data export and deletion
Export everything via Settings → Backup → Export. The export is an encrypted JSON archive that only your master key can decrypt. We recommend keeping it on a USB drive or another Apple device.
To delete everything from this device, remove the Memoir app. Your iCloud data is deleted via the standard iCloud data management flow (Settings → Apple ID → iCloud → Manage Account Storage → Memoir → Delete). To delete public-feed posts, sign in as the leader on any of your devices and tap "Unpublish all".
Memoir does not maintain a user account on our servers. There is no "delete account" flow because there is no account to delete.
Children
Memoir is not directed at children under 13. We do not knowingly collect information about children. If you believe a child under 13 has used Memoir in a way that has transmitted data to us (e.g. via the public feed), please contact us at privacy@memoir.app and we will investigate promptly.
Changes to this policy
We will update this page when we change anything material. The "last updated" date at the top reflects the most recent change. We do not push notifications for minor wording corrections, but will notify prominently for any change that materially affects how your data is handled.
Contact
Questions about privacy: privacy@memoir.app.
We aim to respond within 5 business days.