Section 1 — About Us and How to Contact Us

1.1 Note on Data Protection Officer (DPO)

MEMOIZE AI LLC does not currently meet the thresholds under GDPR Article 37 requiring mandatory appointment of a Data Protection Officer — our processing activities do not constitute large-scale systematic monitoring as a core business activity. We maintain designated privacy contacts as listed above. If our scale of processing changes materially, we will revisit this assessment and appoint a DPO as required.

1.2 International Expansion and EU/EEA Compliance Readiness

MEMOIZE AI LLC currently operates in and targets the United States market. However, as part of our planned international growth strategy, we intend to expand our Services to merchants and End Users in the European Union and European Economic Area (EU/EEA) in the future. In preparation for this expansion, we have proactively incorporated GDPR-aligned data protection principles and EU AI Act transparency requirements throughout this Privacy Policy.

EU/EEA Article 27 Representative: Upon commencing operations targeting EU/EEA data subjects, GDPR Article 27 will require MEMOIZE AI LLC to appoint an EU Representative. MEMOIZE AI LLC will appoint an EU Representative service and publish their name, address, and contact details in this section prior to any EU-targeted marketing or merchant onboarding.

Section 2 — Who This Policy Covers

This Privacy Policy applies to:

• Merchants — Shopify store operators who subscribe to the MEMOIZE AI Services.
• End Users / Shoppers — Individual consumers whose interaction data is processed through the MEMOIZE AI Services when they engage with a MEMOIZE AI-powered Shopify store.

MEMOIZE AI LLC operates as a Data Processor with respect to End User personal data, processing it on behalf of Merchants (who are the Data Controllers). This Privacy Policy describes how MEMOIZE AI LLC processes personal data in its capacity as both a Processor (for End User data) and a Controller (for Merchant account data).

2.1 CCPA/CPRA Service Provider Designation

With respect to personal information of California consumers processed through the Services, MEMOIZE AI LLC acts as a “Service Provider” as defined under Cal. Civ. Code § 1798.140(ag). MEMOIZE AI LLC does not sell or share End User personal information, does not retain, use, or disclose such information for any purpose other than performing the Services as specified in the Terms and Conditions, and does not combine such information with personal information received from or on behalf of another person or collected from MEMOIZE AI LLC’s own interactions with consumers, except as permitted under the CCPA/CPRA.

Section 3 — What Data We Collect

3.1 Merchant Account Data (MEMOIZE AI LLC as Controller)

• Contact information: name, business name, email address, phone number, billing address
• Payment information: processed and stored by Stripe Inc. — MEMOIZE AI LLC does not store full payment card numbers
• Shopify store credentials and API access tokens (stored in hashed/encrypted form using bcrypt, cost factor 12)
• Usage data: API call volume, feature usage, account settings, conversion tracking data
• Communication data: support tickets, emails, and chat communications with our team

3.2 End User / Shopper Data (MEMOIZE AI LLC as Processor)

• Shopper interaction data: chat messages, questions, browsing context during AI-assisted sessions
• Purchase history and product preferences (via Shopify API)
• Session identifiers: email address (used as primary user identifier), session UUID, memoize_email cookie (max-age: 1 year), localStorage identifier
• Semantic memory data: 768-dimensional vector embeddings generated from Memory content using Google’s text-embedding-004 model
• Health-adjacent data (where Merchant has obtained explicit opt-in consent): allergy information, dietary preferences, medication-related queries, pregnancy status, wellness preferences, supplement regimen, and adverse reactions reported in conversation

3.3 Protected Health Information (PHI) — Tier Restrictions

Protected Health Information (PHI) as defined under HIPAA, 45 C.F.R. § 160.103, may only be processed through the Scale or Enterprise subscription plans, and only after both parties have executed a Business Associate Agreement (BAA). The Starter and Growth plans are not configured for HIPAA compliance and Merchants on these plans must not transmit, store, process, or otherwise input any PHI into the Services. In the event PHI is uploaded to a Starter or Growth plan, MEMOIZE AI LLC reserves the right to immediately suspend the account and delete such data.

3.4 Technical Data

• IP addresses, device type, browser type (for session management and security)
• API request logs (retained for 90 days for security and debugging)
• Token usage per Gemini API call; error logs and exception traces

3.5 Data We Do Not Collect

• Full payment card numbers (handled exclusively by Stripe)
• Government-issued identification numbers
• Biometric data

Section 4 — How We Use Data

We use Merchant account data to: provide and improve the Services; process payments; communicate with Merchants; ensure compliance; and for security and fraud prevention.

We use End User memory data (as Processor, on behalf of Merchants) to: provide the AI memory and personalization Services; retrieve contextual information to generate relevant AI responses; and fulfill Merchant instructions regarding data access, correction, and deletion.

MEMOIZE AI LLC commits that Shopify store updates (e.g., product catalog changes, inventory updates) will be reflected in the AI memory context within 60 minutes of the API synchronization call. Service availability includes the accuracy and retrievability of stored memory data, not only server uptime.

We do NOT use End User memory data to:

• Train, fine-tune, or benchmark any AI models
• Sell personal data to third parties
• Serve targeted advertising
• Build profiles for advertising outside of the Services
• Combine End User data across different Merchants’ accounts

4.1 Prohibited Processing Activities

The Services may not be used to:

• Engage in “social scoring,” biometric categorization, or manipulative practices prohibited under the EU AI Act (Regulation (EU) 2024/1689, Article 5)
• Make disease claims, act as a medical device without FDA clearance, or use terms implying recommendations are from a licensed healthcare professional, as prohibited under California AB 489 and applicable FTC guidelines
• Make automated eligibility determinations for credit, housing, employment, or insurance without human oversight
• Process data of individuals under 16 years of age for sale without affirmative opt-in consent
• Train competing AI systems using data obtained through the Services

4.2 Records of Processing Activities

MEMOIZE AI LLC maintains records of processing activities carried out on behalf of Merchants as required by GDPR Article 30(2), including:

• (a) the name and contact details of MEMOIZE AI LLC and each controller on whose behalf processing is carried out;
• (b) the categories of processing carried out on behalf of each controller;
• (c) transfers of personal data to third countries, including documentation of suitable safeguards; and
• (d) a general description of technical and organizational security measures.

4.3 Lawful Basis for Processing (GDPR Article 6) — Future Expansion Readiness

In anticipation of planned future expansion into EU/EEA markets, MEMOIZE AI LLC has identified the following lawful bases under GDPR Article 6 for processing Merchant account data (as Controller):

• Performance of contract (Art. 6(1)(b)): Processing necessary to provide the Services under the subscription agreement, including account management, billing, and technical support.
• Legitimate interest (Art. 6(1)(f)): Security monitoring, fraud prevention, and service improvement, where these interests are not overridden by the rights and freedoms of data subjects.
• Legal obligation (Art. 6(1)(c)): Retention of billing records for tax compliance and responding to lawful regulatory or legal process requests.

For End User data, MEMOIZE AI LLC acts as Processor on behalf of Merchants. The Merchant (as Controller) is responsible for establishing and documenting the lawful basis for processing End User personal data through the Services, including obtaining any necessary consents.

Section 5 — Sub-Processors and Data Sharing

We share personal data only with the following authorized sub-processors, under contractual data protection obligations:

Google Vertex AI Zero Data Retention: We engage Google Vertex AI exclusively under enterprise “Zero Data Retention” settings. Prompts sent to Gemini and corresponding responses are not logged, stored, or used by Google for any purpose, including model training, beyond the immediate API request processing window.

5.1 Sub-Processor Changes and Notification

MEMOIZE AI LLC maintains a current list of authorized sub-processors at memoizeai.com/legal/sub-processors. We provide at least thirty (30) days’ prior notice before engaging any new sub-processor or materially changing the role of an existing sub-processor, by email to the Merchant’s primary contact and by updating the sub-processor list. Merchants may object to a new sub-processor by providing written notice to legal@memoizeai.com within fifteen (15) days of notification, specifying reasonable data protection grounds for the objection. If MEMOIZE AI LLC cannot reasonably accommodate the objection, either party may terminate the affected Services upon thirty (30) days’ written notice, and the Merchant will receive a pro-rated refund of any prepaid, unused fees.

Section 6 — Consumer Health Data (Washington MHMD Act)

MEMOIZE AI LLC maintains a separate, standalone Consumer Health Data Privacy Policy as required by the Washington My Health My Data Act (RCW 19.373). That document governs all processing of consumer health data and is accessible at:

memoizeai.com/consumer-health-data-privacy-policy

A direct, prominent link to the Consumer Health Data Privacy Policy is maintained on the MEMOIZE AI LLC homepage as required by RCW 19.373.

Section 7 — Data Retention

7.1 Certificate of Destruction

Upon account termination, Merchants may request a formal Certificate of Destruction confirming that all Merchant Data and End User data have been securely erased from all active and backup systems. Requests must be submitted in writing within thirty (30) days of termination to privacy@memoizeai.com.

Section 8 — Your Rights

8.1 EU/EEA End Users (GDPR) — Future Expansion Readiness

Although MEMOIZE AI LLC does not currently target or market to EU/EEA data subjects, we have proactively adopted GDPR-aligned data protection standards in anticipation of planned future expansion into European markets. If and when we commence operations targeting EU/EEA data subjects, the following rights will apply:

EU/EEA End Users will have the right to access, rectify, erase, restrict processing, port, and object to processing of their personal data. To exercise these rights, End Users should contact the Merchant (the Data Controller) through their store. If the Merchant is unable to fulfill the request or has terminated its account, End Users may contact us directly at privacy@memoizeai.com. We will respond within 30 days.

Notwithstanding the foregoing, where a Merchant independently targets or serves EU/EEA data subjects through their Shopify store, MEMOIZE AI LLC will process such data in accordance with the GDPR-aligned standards described in this Privacy Policy and the applicable Data Processing Agreement, regardless of whether MEMOIZE AI LLC has commenced its own EU market expansion.

MEMOIZE AI LLC will assist Merchants in conducting Data Protection Impact Assessments (DPIAs) as required under GDPR Article 35 and risk assessments required under applicable ADMT regulations, where the Services involve processing that is likely to result in a high risk to the rights and freedoms of data subjects. We will provide information necessary to complete such assessments upon reasonable request.

8.2 California Residents (CCPA/CPRA)

You have the right to know what personal information we collect, disclose, and sell (we do not sell or share End User personal information for cross-context behavioral advertising); the right to delete; the right to correct; and the right to opt out of the sale or sharing of personal information. To exercise your rights, contact: privacy@memoizeai.com.

If a Merchant has terminated its account, California residents may exercise their CCPA/CPRA rights directly by contacting MEMOIZE AI LLC at privacy@memoizeai.com. We will verify the request and respond within the timeframes required by applicable law.

8.3 Indiana Residents (Indiana Consumer Data Protection Act)

You have the right to access, correct, delete, and obtain a copy of your personal data, and to opt out of profiling that produces legal or similarly significant effects. Requests may be submitted to privacy@memoizeai.com.

As a processor of Indiana residents’ personal data on behalf of Merchants, MEMOIZE AI LLC processes such data only on documented Merchant instructions, implements appropriate technical and organizational security measures, assists Merchants in fulfilling consumer rights requests within the timeframes required by Indiana Code § 24-15, deletes or returns all personal data upon termination, and cooperates with audits conducted by Merchants or qualified third parties.

8.4 Washington Residents

Rights related to Consumer Health Data are governed by our standalone Consumer Health Data Privacy Policy at memoizeai.com/consumer-health-data-privacy-policy.

8.5 Data Subject Request Handling

If MEMOIZE AI LLC receives a data subject request directly from an End User, we will promptly forward the request to the applicable Merchant (as Data Controller) and will not respond directly unless legally required to do so. MEMOIZE AI LLC shall respond to Merchant data subject request instructions within ten (10) business days of receipt. We process verified deletion instructions from Merchants within thirty (30) days, including purging the requesting End User’s vector embeddings, memory profiles, and chat logs.

8.6 Right to Be Forgotten / AI Memory Deletion

When you request deletion of your personal information, we execute a targeted deletion of the associated Vector Embeddings from our active database. This process ensures the AI system cannot retrieve or “remember” the deleted content in future interactions. While we delete the retrieval data (vectors), this does not constitute “exact machine unlearning” of the underlying LLM weights, as we do not train models on your data. Your specific personal data is removed from the AI’s accessible context window and cannot influence future responses.

In limited circumstances, deletion of specific data may be delayed if a sub-processor is subject to a legal preservation order or litigation hold. MEMOIZE AI LLC will notify the affected Merchant promptly if such a restriction applies and will complete deletion as soon as the legal obligation is lifted.

Section 9 — Zero Training Reuse Covenant

MEMOIZE AI LLC hereby covenants that Merchant Data and End User Memory Data shall NEVER be used to train, fine-tune, improve, or benchmark any AI model, including but not limited to Google Gemini or any successor model. This covenant applies to all sub-processors engaged by MEMOIZE AI LLC and survives termination of this Privacy Policy and the underlying Terms and Conditions.

Section 10 — Children’s Privacy (COPPA)

As a B2B service, MEMOIZE AI LLC contracts only with business entities (Merchants). We do not knowingly target, market to, or contract with children. However, because our Services process End User data on behalf of Merchants, and because some Shopify stores may serve consumers of all ages, we require Merchants to warrant in the Terms and Conditions that they will not use the Services to process personal data of children under the age of 13 without verified parental consent as required by the Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501 et seq.

MEMOIZE AI LLC does NOT:

• Knowingly collect personal information directly from children under 13;
• Use the AI memory engine to build persistent profiles of children under 13;
• Disclose personal information of children under 13 to third parties for advertising or non-operational purposes.

Where MEMOIZE AI LLC becomes aware that a Merchant has caused the Services to process personal data of a child under 13 without proper parental consent, MEMOIZE AI LLC will promptly delete such data and notify the Merchant of the violation. Parents or legal guardians seeking to review, correct, or request deletion of their child’s personal information should contact the Merchant directly, as the Merchant is the Data Controller for COPPA purposes.

Section 11 — Automated Decision-Making and AI Profiling

11.1 Nature of AI Processing

The MEMOIZE AI Services use AI to generate personalized product recommendations and contextual responses for Shoppers. These recommendations are based on memory data including purchase history, browsing preferences, and interaction context. This constitutes automated processing of personal data to build a consumer profile.

In accordance with the EU AI Act (Regulation (EU) 2024/1689, Article 50), the MEMOIZE AI chat widget clearly and conspicuously discloses to all End Users that they are interacting with an artificial intelligence system prior to or at the commencement of the interaction. This disclosure is mandatory and is enabled by default. It cannot be disabled by the Merchant.

11.2 ADMT Classification

The Services are designed for e-commerce product recommendations and are not intended for automated decisions regarding credit, employment, housing, healthcare eligibility, or insurance. However, depending on a Merchant’s specific use case and deployment, certain aspects of the Services may constitute “profiling” or “automated decision-making technology” under applicable law. Merchants are responsible for assessing whether their use of the Services triggers additional ADMT obligations under the EU AI Act, California ADMT regulations, or other applicable law.

11.3 California ADMT Rights

Under California’s Automated Decision-Making Technology (ADMT) regulations (effective January 1, 2026), California residents have the right to:

• (a) opt out of automated decision-making that constitutes “profiling” for purposes of producing legal or similarly significant decisions; and
• (b) receive a Pre-Use Notice explaining the logic of automated processing.

Merchants are responsible for providing this Pre-Use Notice to their California-based Shoppers before enabling MEMOIZE AI memory features.

11.4 State AI and Privacy Regulation Compliance

In addition to California’s ADMT regulations, MEMOIZE AI LLC monitors and maintains compliance with the evolving landscape of U.S. state AI and consumer privacy legislation. Merchants using the Services must comply with all applicable state AI regulations in the jurisdictions where they operate or serve consumers, including but not limited to:

• Indiana Consumer Data Protection Act (IC § 24-15): Governs processing of Indiana residents’ personal data, including profiling restrictions and consumer rights. See Section 8.3 for MEMOIZE AI LLC’s processor obligations.
• Washington My Health My Data Act (RCW 19.373): Requires standalone consumer health data privacy policy and affirmative consent for health data processing. See Section 6.
• Colorado AI Act (SB 24-205): Requires deployers of high-risk AI systems to conduct impact assessments, provide consumer disclosures, and implement risk management practices. Merchants must evaluate whether their use of the Services constitutes a “high-risk AI system” under Colorado law.
• Connecticut SB 2 (AI Governance): Requires deployers of automated decision-making systems to conduct impact assessments and provide notice to consumers when AI is used to make consequential decisions.
• Texas Data Privacy and Security Act (TDPSA): Provides consumer rights including the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.
• Oregon Consumer Privacy Act: Provides consumer rights related to profiling and automated decision-making, including opt-out rights.

This list is not exhaustive. MEMOIZE AI LLC will update this Privacy Policy as additional state AI and privacy regulations take effect. Merchants are independently responsible for assessing and complying with AI-related regulations applicable to their specific use cases and jurisdictions.

11.5 Opt-Out

Shoppers may opt out of AI profiling by contacting the Merchant through which they interact with MEMOIZE AI-powered features. MEMOIZE AI LLC will delete associated memory data upon receiving a valid opt-out instruction from the Merchant.

11.6 California SB 243 Chatbot Compliance

MEMOIZE AI LLC’s memory widget is designed as a functional e-commerce personalization tool. If a Merchant deploys the widget in a manner that causes End Users to form personal or emotional attachments to the AI (anthropomorphic or relationship-simulating use cases), California SB 243 (effective January 1, 2026) may apply. Where applicable, Merchants are responsible for:

• (a) publishing suicide and self-harm safe messaging protocols;
• (b) implementing immediate redirection of End Users expressing suicidal ideation to emergency resources; and
• (c) disclosing to End Users that they are interacting with an AI system, not a human.

Section 12 — AI Transparency (System Card)

In alignment with Article 53 of the EU AI Act and as part of MEMOIZE AI LLC’s commitment to AI transparency ahead of planned international expansion, we publish the following system transparency information:

This System Card is published at memoizeai.com/ai-system-card and updated when material changes are made to the system.

Section 13 — Cookies and Tracking Technologies

MEMOIZE AI LLC uses the memoize_email cookie (maximum age: 1 year) for session continuity and to associate returning Shoppers with their memory profiles. This cookie does not contain personally identifiable information in human-readable form and is used solely for service delivery purposes.

We do not use tracking pixels, cross-site tracking, or third-party advertising cookies. Merchants are responsible for obtaining any necessary cookie consent from their End Users under applicable law (including GDPR, ePrivacy Directive, and CCPA/CPRA) before enabling MEMOIZE AI features on their stores.

Section 14 — International Data Transfers

MEMOIZE AI LLC is based in the United States. Although we do not currently target EU/EEA or UK data subjects, we have proactively established international data transfer mechanisms in preparation for planned future expansion into European and international markets. When we process personal data of EU/EEA or UK residents, we will rely on the following legal mechanisms:

• EU-U.S. Data Privacy Framework (DPF): Google LLC (for Vertex AI, Cloud SQL, Cloud Run, and Memorystore) participates in the EU-U.S. DPF, providing an adequacy-equivalent basis for transfers to Google’s infrastructure.
• Standard Contractual Clauses (SCCs): For transfers from Merchants (as Controllers) to MEMOIZE AI LLC (as Processor), we rely on the EU Commission’s SCCs (Module 2: Controller-to-Processor). For onward transfers from MEMOIZE AI LLC to sub-processors, we rely on Module 3 (Processor-to-Processor) SCCs.
• UK International Data Transfer Agreement (IDTA): For transfers involving UK data subjects, we rely on the UK IDTA or UK SCCs as applicable.

In the event the EU-U.S. Data Privacy Framework is invalidated or otherwise ceases to provide a valid transfer mechanism, MEMOIZE AI LLC shall ensure that Standard Contractual Clauses or an equivalent lawful transfer mechanism remains in place for all EU/EEA personal data transfers. MEMOIZE AI LLC conducts Transfer Impact Assessments as necessary to evaluate the adequacy of safeguards for cross-border transfers.

A copy of the applicable Standard Contractual Clauses is available upon request at privacy@memoizeai.com.

Section 15 — Security

MEMOIZE AI LLC implements commercially reasonable technical and organizational measures to protect personal data, including:

• AES-256 encryption at rest for all stored data
• TLS 1.3 encryption for all data in transit
• Role-based access controls limiting employee access to personal data
• Multi-factor authentication for all internal systems
• SOC 2 Type II aligned security practices
• Annual security assessments and penetration testing
• Incident response procedures with breach notification capability as described below

15.1 Breach Notification

In the event of a confirmed personal data breach, MEMOIZE AI LLC will notify affected Merchants without undue delay and in no event later than forty-eight (48) hours after confirmed breach discovery. For Scale and Enterprise Plans operating under a HIPAA Business Associate Agreement, notification will occur within twenty-four (24) hours as required by 45 C.F.R. § 164.410.

Breach notifications shall include, to the extent known:

• (a) the nature of the personal data breach, including the categories and approximate number of data subjects and records concerned;
• (b) the likely consequences of the breach;
• (c) the measures taken or proposed to address the breach, including measures to mitigate possible adverse effects; and
• (d) the contact details of MEMOIZE AI LLC’s privacy team.

MEMOIZE AI LLC shall cooperate with Merchants and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each such breach.

Section 16 — Changes to This Privacy Policy

We will notify Merchants of material changes to this Privacy Policy via email at least 30 days before the changes take effect. The “Last Updated” date at the top of this document reflects the date of the most recent revision. Continued use of the Services after the effective date of changes constitutes acceptance of the updated Privacy Policy.

Section 17 — Contact Us

We will respond to all verified requests within 30 days (GDPR/Indiana CDPA) or 45 days (CCPA/CPRA), with one permitted 45-day extension upon notice.

Section 18 — Governing Law and Dispute Resolution

This Privacy Policy is governed by and construed in accordance with the laws of the State of Indiana, without regard to its conflict of law provisions. Disputes related to this Privacy Policy are subject to the dispute resolution provisions set forth in the MEMOIZE AI LLC Terms and Conditions, which provide for good-faith negotiation for a period of thirty (30) days following written notice of the dispute, followed by binding arbitration under the American Arbitration Association (AAA) Commercial Arbitration Rules in Indianapolis, Indiana (Marion County), if the dispute remains unresolved.

Notwithstanding the foregoing, upon commencement of operations targeting EU/EEA data subjects, such data subjects will retain the right under GDPR Article 77 to lodge a complaint with their local supervisory authority, and under GDPR Article 79 to seek a judicial remedy before the courts of the Member State where the data subject has their habitual residence or place of work.