Privacy policy
Last updated: 21 May 2026
This document is a good-faith starter draft based on how the service actually handles data today. It is not legal advice. Please have a qualified lawyer review it for your jurisdiction before relying on it in production.
Who we are
Million Memories ("the service", "we", "us") is a permanent online archive of human memory. Pixels you place are stored indefinitely. This policy explains what personal data we collect, what we do with it, and your rights over it.
Information we collect
We collect the minimum data needed to run the service.
- Account data. Your email address, a chosen pseudonym, and a salted hash of your password. We never store passwords in clear text.
- Memory content. Anything you upload to place a memory pixel: the photo, an optional voice note, caption text, memory date, location name, and your anonymity choice for that memory pixel.
- Payment data. Stripe processes all payments. We receive a payment reference and the amount; we do not see or store your card details.
- Hearts (witness count). When you heart a memory pixel we store a one-way salted hash of your IP address — never the raw IP — so a single person can't inflate the count from one device.
- Technical data. Standard web-server logs (request paths, response codes, approximate region) for security and debugging, kept for 30 days.
How we use it
- To create and run your account.
- To publish the memories you place and make them searchable on the wall.
- To run AI safety moderation on each uploaded photo before it becomes visible.
- To send transactional emails (welcome, pixel placed, anniversary reminders) — never marketing without your consent.
- To detect fraud and abuse, and to comply with the law.
Who processes your data
We use a small set of trusted sub-processors:
- Stripe — payments.
- Supabase — database and media storage (photos, voice notes).
- Anthropic — AI safety review of uploaded photos at the moment of upload.
- Resend — transactional email delivery.
- Vercel — hosting and content delivery.
Each sub-processor is bound by a data-processing agreement with us that limits its use of your data to providing its service to us.
Anonymity
When you place a memory pixel you can choose to publish it as "Anonymous". In that case your pseudonym is not shown alongside the memory — but your account still exists so you can see your own placements at /account. Anonymity towards other visitors is not anonymity towards us: complete, irrevocable anonymity is not possible, because by design your account retains a record of what you placed.
How long we keep your data
- Published pixels. Indefinitely. Permanence is the product.
- Account data. Until you delete your account. On deletion your account record is deleted and your placed pixels are attributed to a deleted-user placeholder, unless you also request that specific pixels be removed (which may not always be possible).
- Server logs. 30 days.
- Heart IP hashes. Indefinitely, but the hashes are one-way and cannot be reversed to identify you.
Your rights
If you are in the UK or EU, the GDPR gives you rights to:
- access the personal data we hold about you;
- have it corrected if inaccurate;
- have it deleted, subject to the permanence note above;
- receive a portable copy of your data;
- object to processing in certain circumstances.
To exercise any of these rights, email us using the contact address below. We aim to respond within 30 days.
Security
All transport is over TLS. Passwords are hashed with bcrypt using a high cost factor. Backups of stored media are encrypted at rest. We log and alert on suspicious access patterns. No system is perfectly secure; we follow industry best practice and notify affected users in the event of a confirmed breach, as required by law.
Children
Million Memories is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has registered, contact us and we will remove the account.
Changes to this policy
We may update this policy as the service evolves. Material changes will be announced via email to active users. The "last updated" date at the top will always reflect the current version.
Contact
For privacy questions or to exercise any right above, email privacy@millionmemories.org.