Privacy Policy

Caura Innovations Ltd ("Caura", "we", "us"), a company incorporated in Israel, operates MemClaw, a persistent-memory service for LLM-based agents.

For data you provide when creating an account, subscribing, and using our websites, we act as the Controller. For memory content you submit through the API, we act as a Processor on your behalf; that relationship is governed by our Data Processing Addendum.

Contact for privacy matters: privacy@caura.ai. Registered office: Caura Innovations Ltd, Israel (address to be inserted).

Account data. Email address, display name (optional), organisation name (optional), bcrypt-hashed password, GitHub profile (username, email, avatar URL) if you sign in with GitHub.

Billing data. Handled by our Merchant of Record, Paddle. We receive billing country, subscription plan, renewal dates, and a Paddle customer identifier. We do not receive full card numbers.

Usage data. API request counts, storage usage, plan limit counters, timestamps.

Server logs. Client IP addresses (from the x-forwarded-for header) captured at authentication events, request paths, response codes, and user-agent strings.

Support and communication data. The contents of emails you send to our support or privacy addresses.

Analytics. Our marketing site does not use third-party analytics or tracking cookies.

Memory content you submit through the API is processed under the DPA solely to provide the Service (storage, retrieval, semantic search, entity extraction, and inference against LLM and embedding providers you have opted into). We do not analyse, mine, sell, share, or use Customer memory content to train machine-learning models.

Performance of a contract — to provide the Service you signed up for and to manage our relationship with you.

Legitimate interests — security logging, abuse and fraud prevention, aggregated product analytics. We have balanced these against your rights and conducted internal assessments available on request.

Consent — only where required. We do not currently set non-essential cookies.

Legal obligation — tax and accounting records, responses to lawful requests from authorities.

Account data: retained for the duration of your account. Following deletion of your account, data is purged across production systems within 30 days. Database backups are retained up to 90 days on a rolling basis and are overwritten on rotation; we do not selectively delete records within individual backups.

Memory content: retained for the duration of your subscription. Deleted within 30 days of a verified deletion request sent to privacy@caura.ai or via a dashboard delete-account action.

Authentication IP logs: retained for 90 days, then purged.

Billing records: retained for up to 7 years to meet Israeli and EU tax and accounting obligations.

Support and privacy email: retained for 24 months.

We engage third-party sub-processors to help operate the Service. The current list is at /legal/subprocessors. We provide at least 30 days' notice of material changes.

Caura is established in Israel, which benefits from a European Commission adequacy decision (Commission Decision 2011/61/EU). Transfers from the EU/EEA to Caura in Israel do not require additional safeguards.

Our primary hosting sub-processor is Google Cloud Platform, with production data in the us-central1 region (United States). Transfers to the United States rely on Google's participation in the EU-US Data Privacy Framework and Standard Contractual Clauses. Further detail is in the Annexes to the DPA.

We maintain a security programme described at /legal/security. Key measures include:

— At-rest encryption of all persistent storage via Google-managed keys on Google Cloud Platform (Cloud SQL PostgreSQL, Cloud Storage, Memorystore Redis). In-transit encryption (TLS 1.2+) on all external and internal traffic.

— PostgreSQL Row-Level Security policies enforcing per-tenant isolation on tables containing Customer data.

— Bcrypt-hashed passwords; API keys stored as salted hashes.

— Least-privilege IAM on GCP; 2FA required for administrative access; audit logging of privileged operations.

— Authentication-event IP logging with 90-day rotation.

If you are in the EU/EEA or UK, you have the rights of access, rectification, erasure, restriction, portability, and objection under the GDPR / UK GDPR. If you are in Israel, you have the rights of access, correction, and deletion under the Protection of Privacy Law 5741-1981. If you are a California resident, you have the rights to know, delete, correct, and opt out of the sale or sharing of personal information under the CCPA / CPRA — we do not sell or share personal information as those terms are defined.

To exercise any right, email privacy@caura.ai. We respond within 30 days (extendable by a further 60 days for complex requests, with notice). We may ask you to verify your identity before acting.

We do not subject you to automated decisions with legal or similarly significant effects.

MemClaw is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will take appropriate action.

You may lodge a complaint with your supervisory authority. In Israel, this is the Privacy Protection Authority (PPA). In the EU, your national data protection authority. In the UK, the Information Commissioner's Office (ICO).

We may revise this Privacy Policy from time to time. Material changes will be communicated by email to account owners and posted here with a new effective date.