1 · What we collect
Engram is a local-first product. On the Free tier we collect nothing at all — the server runs entirely on your machine, with no account required.
On the Pro tier, we collect the minimum needed to operate sync and billing:
- Email address — used for account identification, receipts, and recovery.
- Stripe customer ID — used to look up subscription state. Billing is handled by Polar (Merchant of Record); we never see your card.
- Sync transit metadata — size, timestamp, memory type. Used to route encrypted blobs between your devices.
- Encrypted transit blobs — XChaCha20-Poly1305 ciphertext. We can't read these and won't try.
2 · What we never see
- Your memory content — it's encrypted with your master key before any byte leaves your machine.
- Your local files — sources like Drive, Notion, and Obsidian are indexed on your device. We never receive the source material.
- Telemetry, analytics, fingerprinting — none. No Google Analytics, no Sentry, no PostHog, no third-party pixels. The dashboard makes a single request, to our API, for your sync state.
3 · How encryption works
The Pro tier's E2E sync uses a standard scheme that we deliberately kept simple and auditable:
- Master key derivation — your passphrase is run through Argon2id (m=64MB, t=3, p=1) to derive a 256-bit master key. Only your devices ever hold this key.
- Content encryption — each transit blob is encrypted with a per-blob nonce using XChaCha20-Poly1305. Authentication is built into the construction.
- Device pairing — when you pair a new device, the existing device wraps the master key with a shared secret negotiated over a short-lived pairing channel (you scan a QR or type a 6-digit code).
The dashboard at engram-mcp.com decrypts in-browser using a key received over the same local pairing channel. We never send the key over our infrastructure in clear.
4 · Third-party sources
When you connect Drive, Notion, or any other source, the OAuth flow grants access tokens that are stored locally on your machine, in a system keychain when available. We do not proxy any source traffic through our servers — your device talks directly to Google, Notion, etc.
5 · Data retention
- Transit blobs — automatically purged 30 days after acknowledgement, or 30 days after upload if no device pulls them down.
- Account email / Stripe ID — kept for the duration of your subscription, plus 12 months for legal/tax reasons, then deleted.
- Server logs — request logs retain IP + endpoint for 14 days, then rotated. No payload is logged.
6 · Your rights
Engram is operated from the EU and follows GDPR. You can:
- Access — request a copy of all the data we hold about you (which is small: email, Stripe ID, sync metadata).
- Delete — close your account at any time; we purge your records within 30 days.
- Export — your memory store is a local SQLite file. Copy it, open it with any SQL tool, or use
engram export. - Object — email us with any concern and we'll respond within 7 days.
7 · Subprocessors
We use the smallest possible set of third-party services. Each one only sees the data strictly needed for its role:
- Cloudflare — sync transit storage (R2) and edge compute (Workers). Sees encrypted blobs and metadata only. Hosted in EU.
- Polar (Merchant of Record) — billing. Sees your email and payment information directly. We never see your card.
- Stripe — used by Polar under the hood. Same scope as Polar.
- Postmark — transactional emails (receipts, password resets). Sees your email + the email body.
8 · Contact
For any privacy question, write to privacy@engram-mcp.com. We respond within 7 working days.
This policy may evolve as Engram does. Material changes will be announced on the changelog and the Discord, with at least 14 days' notice for active Pro subscribers.