Neuroloom

Privacy Policy

How we collect, use, and protect your data. Written for developers, not lawyers.

Effective: April 13, 2026 · Updated: April 13, 2026

Overview

This Privacy Policy describes how Endless Galaxy Studios LLC ("Neuroloom," "we," "us," or "our") collects, uses, and protects information when you use Neuroloom — a coding agent memory platform — including our API, MCP server, and web dashboard (collectively, the "Service").

The short version: We store what you send us, we use it to run the Service, and we don't sell it or train models on it.


1. Information We Collect

1.1 Account Information

When you create an account or workspace, we collect:

  • Email address — for authentication and account communications
  • Workspace configuration — workspace name, settings, and preferences

1.2 Memory Content

The core of the Service is memory storage. When your AI agents or integrations write memories to Neuroloom, we store:

  • Memory content — the text you or your agents submit (decision records, code patterns, task context)
  • Memory metadata — timestamps, tags, file path associations, and connections between related memories

What we do not store: Neuroloom does not receive or store your source code. When the CodeWeaver integration is used, parsing happens entirely on your machine. Only structural metadata — symbol names and file paths — is transmitted to our servers.

1.3 API Usage and Access Logs

We log API requests for operational purposes:

  • API key identifier (we store a SHA-256 hash — not the key itself)
  • Request timestamps, endpoint paths, HTTP status codes, response times
  • Request volume and usage patterns per workspace

These logs are used to operate the Service, diagnose errors, and enforce usage limits. Logs are retained for 90 days.

1.4 Error Tracking (Sentry)

We use Sentry for error monitoring. Sentry is always active because errors affect the reliability of a service you depend on. When an error occurs, Sentry captures:

  • Stack traces
  • Request context (endpoint, HTTP method, status code)
  • Anonymized user/workspace identifiers for error grouping

Sentry does not capture memory content or your API payloads.

1.5 Analytics Telemetry (Optional)

Neuroloom includes an optional, workspace-level analytics telemetry flag. When enabled, usage patterns are collected (memory write/read frequency, feature usage).

This flag is off by default. Error tracking remains active regardless of this setting.

1.6 Cookies and Browser Storage

The Neuroloom web dashboard uses:

  • Session cookies — to maintain your authenticated session (strictly necessary)
  • Local storage — to preserve workspace preferences and UI state

We do not use third-party advertising cookies or cross-site tracking. The marketing site uses PostHog for privacy-respecting analytics.


2. How We Use Your Information

We use the information we collect for:

  • Providing the Service — storing, searching, and retrieving memories
  • Authentication — verifying your identity, managing access
  • Service reliability — diagnosing errors, monitoring performance
  • Usage tracking — rate limiting, usage-based billing
  • Security — detecting abuse, preventing unauthorized access
  • Communication — service updates, security notices

We do not use your memory content to train AI models. Your memories are used exclusively to serve your queries.


3. Data Sharing and Third Parties

We do not sell your data. We do not share your memory content with third parties except as described below.

3.1 Infrastructure Providers

  • Railway — our hosting provider. Data resides on Railway-managed infrastructure in the United States.

3.2 AI Processing

Memory content is processed by DeepInfra to power search and analysis features. DeepInfra processes data in memory only — not stored to disk, not used for model training. DeepInfra is SOC 2 and ISO 27001 certified.

3.3 Error Tracking

Sentry receives anonymized error reports as described in Section 1.4.

3.4 Legal Requirements

We may disclose information if required by law, court order, or governmental authority.

3.5 Business Transfers

If Neuroloom is acquired or merges with another company, your data may be transferred. We will provide notice before your data becomes subject to a different privacy policy.


4. Workspace Isolation

Neuroloom is a multi-tenant platform. Each workspace is completely isolated — your workspace data is inaccessible to other workspaces.

This isolation is enforced at the database query level: every query is filtered by workspace ID. Cross-workspace data access is not possible by design.


5. Data Retention

Data Type            Retention
Memory content       Until you delete it. Deletion removes all associated data.
API logs             90 days (rolling)
Error logs (Sentry)  90 days
Account data         Deleted within 30 days of account closure. Legal/accounting records may be retained longer.

6. Security

We protect your data with:

  • Encryption at rest — Database storage encrypted via Railway-managed PostgreSQL
  • Encryption in transit — All traffic uses TLS
  • API key hashing — Keys stored as SHA-256 hashes; we cannot retrieve originals
  • Workspace isolation — Database-level tenant separation

No system is perfectly secure. Report vulnerabilities to security@neuroloom.dev.


7. Your Rights

7.1 For All Users

  • Access — View your data through the dashboard or API
  • Deletion — Delete memories or workspaces via dashboard/API. Account closure: contact privacy@neuroloom.dev
  • Export — Export your data via the API
  • Correction — Update account info through the dashboard

7.2 EU/EEA and UK Users (GDPR)

Additional rights under GDPR:

  • Right to object to processing based on legitimate interest
  • Right to restrict processing in certain circumstances
  • Right to data portability (structured, machine-readable format)
  • Right to lodge a complaint with your data protection authority

Legal bases: Contract performance (providing the Service), legitimate interests (security, error monitoring), consent (optional analytics).

Data controller: Endless Galaxy Studios LLC, Delaware, USA.

7.3 California Residents (CCPA/CPRA)

  • Right to know — Request disclosure of collected information
  • Right to delete — Request deletion (subject to exceptions)
  • Right to correct — Request correction of inaccurate information
  • Right to opt out — We do not sell or share personal information for behavioral advertising

To exercise rights: contact privacy@neuroloom.dev. Response within 45 days.


8. Children's Privacy

Neuroloom is not directed to children under 13 (or under 16 in the EU/EEA). We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us and we will delete it promptly.


9. International Data Transfers

Neuroloom's infrastructure is hosted in the United States via Railway. If you access the Service from outside the US, your data is transferred to and processed in the US.

For EU/EEA/UK users, transfers are conducted under Standard Contractual Clauses (SCCs).


10. Changes to This Policy

We may update this Privacy Policy. When we make material changes:

  • We update the "Last updated" date at the top
  • We notify you by email or website notice at least 14 days before changes take effect

Continued use after the effective date constitutes acceptance.


11. Contact

For questions or to exercise your rights:

General: privacy@neuroloom.dev

Security: security@neuroloom.dev

Endless Galaxy Studios LLC
Delaware, USA