POLICYv0.4.2EU-HOSTED

Privacy
in plain English.

Engram is built around one principle: your memory belongs to you. This document explains exactly what we see, what we don't, and why the architecture makes the difference.

Last updated · 2026-05-09 · effective immediately
PRINCIPLE · 01

Local-first

Your memories live on your disk in a SQLite file. Always.

PRINCIPLE · 02

E2E encrypted

Cloud transit is ciphertext only. We hold no decryption keys.

PRINCIPLE · 03

Zero telemetry

No analytics, no pixels, no fingerprinting. Ever.

1 · What we collect

Engram is a local-first product. On the Free tier we collect nothing at all — the server runs entirely on your machine, with no account required.

On the Pro tier, we collect the minimum needed to operate sync and billing:

  • Email address — used for account identification, receipts, and recovery.
  • Stripe customer ID — used to look up subscription state. Billing is handled by Polar (Merchant of Record); we never see your card.
  • Sync transit metadata — size, timestamp, memory type. Used to route encrypted blobs between your devices.
  • Encrypted transit blobs — XChaCha20-Poly1305 ciphertext. We can't read these and won't try.

2 · What we never see

  • Your memory content — it's encrypted with your master key before any byte leaves your machine.
  • Your local files — sources like Drive, Notion, and Obsidian are indexed on your device. We never receive the source material.
  • Telemetry, analytics, fingerprinting — none. No Google Analytics, no Sentry, no PostHog, no third-party pixels. The dashboard makes a single request, to our API, for your sync state.

3 · How encryption works

The Pro tier's E2E sync uses a standard scheme that we deliberately kept simple and auditable:

  • Master key derivation — your passphrase is run through Argon2id (m=64MB, t=3, p=1) to derive a 256-bit master key. Only your devices ever hold this key.
  • Content encryption — each transit blob is encrypted with a per-blob nonce using XChaCha20-Poly1305. Authentication is built into the construction.
  • Device pairing — when you pair a new device, the existing device wraps the master key with a shared secret negotiated over a short-lived pairing channel (you scan a QR or type a 6-digit code).

The dashboard at engram-mcp.com decrypts in-browser using a key received over the same local pairing channel. We never send the key over our infrastructure in clear.

4 · Third-party sources

When you connect Drive, Notion, or any other source, the OAuth flow grants access tokens that are stored locally on your machine, in a system keychain when available. We do not proxy any source traffic through our servers — your device talks directly to Google, Notion, etc.

5 · Data retention

  • Transit blobs — automatically purged 30 days after acknowledgement, or 30 days after upload if no device pulls them down.
  • Account email / Stripe ID — kept for the duration of your subscription, plus 12 months for legal/tax reasons, then deleted.
  • Server logs — request logs retain IP + endpoint for 14 days, then rotated. No payload is logged.

6 · Your rights

Engram is operated from the EU and follows GDPR. You can:

  • Access — request a copy of all the data we hold about you (which is small: email, Stripe ID, sync metadata).
  • Delete — close your account at any time; we purge your records within 30 days.
  • Export — your memory store is a local SQLite file. Copy it, open it with any SQL tool, or use engram export.
  • Object — email us with any concern and we'll respond within 7 days.

7 · Subprocessors

We use the smallest possible set of third-party services. Each one only sees the data strictly needed for its role:

  • Cloudflare — sync transit storage (R2) and edge compute (Workers). Sees encrypted blobs and metadata only. Hosted in EU.
  • Polar (Merchant of Record) — billing. Sees your email and payment information directly. We never see your card.
  • Stripe — used by Polar under the hood. Same scope as Polar.
  • Postmark — transactional emails (receipts, password resets). Sees your email + the email body.

8 · Contact

For any privacy question, write to privacy@engram-mcp.com. We respond within 7 working days.


This policy may evolve as Engram does. Material changes will be announced on the changelog and the Discord, with at least 14 days' notice for active Pro subscribers.