Privacy Policy
How we collect, use, and protect your data. Written for developers, not lawyers.
Effective: April 13, 2026 · Updated: May 25, 2026
Overview
This Privacy Policy describes how Endless Galaxy Studios LLC ("Neuroloom," "we," "us," or "our") collects, uses, and protects information when you use Neuroloom — a coding agent memory platform — including our API, MCP server, and web dashboard (collectively, the "Service").
The short version: We store what you send us, we use it to run the Service, and we don't sell it or train models on it.
1. Information We Collect
1.1 Account Information
When you create an account or workspace, we collect:
- Email address — for authentication and account communications
- Workspace configuration — workspace name, settings, and preferences
1.2 Memory Content
The core of the Service is memory storage. When your AI agents or integrations write memories to Neuroloom, we store:
- Memory content — the text you or your agents submit (decision records, code patterns, task context)
- Memory metadata — timestamps, tags, file path associations, and connections between related memories
What we do not store: Neuroloom does not receive or store your source code. When the CodeWeaver integration is used, parsing happens entirely on your machine. Only structural metadata — symbol names and file paths — is transmitted to our servers.
1.3 API Usage and Access Logs
We log API requests for operational purposes:
- API key identifier (we store a SHA-256 hash — not the key itself)
- Request timestamps, endpoint paths, HTTP status codes, response times
- Request volume and usage patterns per workspace
These logs are used to operate the Service, diagnose errors, and enforce usage limits. Logs are retained for 90 days.
1.4 Error Tracking (Sentry)
We use Sentry for error monitoring. Sentry is always active because errors affect the reliability of a service you depend on. When an error occurs, Sentry captures:
- Stack traces
- Request context (endpoint, HTTP method, status code)
- Anonymized user/workspace identifiers for error grouping
Sentry does not capture memory content or your API payloads.
1.5 Retrieval Quality Evaluation (Optional, off by default)
Neuroloom includes an optional, workspace-level quality evaluation flag (evaluation_consent). When enabled:
- Every retrieval event is logged: the query, which memories were shown, and subsequent tool actions within 15 minutes
- Logged events are periodically sent to language models hosted by SiliconFlow and DeepInfra for quality scoring — to calibrate our retrieval pipeline
- Scores are used to improve retrieval quality — not to train any model
- Both providers process data transiently (not stored to disk). DeepInfra is SOC 2 and ISO 27001 certified. SiliconFlow processes interaction data only as instructed and is under no obligation to store it
This flag is off by default. When the flag is off, only a simple retrieval counter is incremented — no content is sent to any third-party model. Error tracking remains active regardless of this setting.
1.6 Cookies and Browser Storage
The Neuroloom web dashboard uses:
- Session cookies — to maintain your authenticated session (strictly necessary)
- Local storage — to preserve workspace preferences and UI state
We do not use third-party advertising cookies or cross-site tracking. The marketing site uses PostHog for privacy-respecting analytics.
2. How We Use Your Information
We use the information we collect for:
- Providing the Service — storing, searching, and retrieving memories
- Authentication — verifying your identity, managing access
- Service reliability — diagnosing errors, monitoring performance
- Usage tracking — rate limiting, usage-based billing
- Retrieval quality evaluation — for workspaces that opt in, measuring whether retrieved memories were useful to calibrate our search pipeline (see §1.5)
- Security — detecting abuse, preventing unauthorized access
- Communication — service updates, security notices
We do not use your memory content to train AI models without your opt-in consent — neither ours nor anyone else's. Your memories serve one primary purpose: to answer your queries when you ask for relevant context. If you choose to opt in for a workspace (see §1.5), your memories are also used for internal quality evaluation. We do not and will not repurpose your memories for advertising, analytics sold to third parties, or model training without your explicit opt-in consent and a policy update.
3. Data Sharing and Third Parties
We do not sell your data. We do not share your memory content with third parties except as described below.
3.1 Infrastructure Providers
- Railway — our hosting provider. Data resides on Railway-managed infrastructure in the United States.
3.2 AI Processing — Search
Memory content is processed by DeepInfra to generate embeddings that power semantic search. DeepInfra processes data in memory only — not stored to disk, not used for model training. DeepInfra is SOC 2 and ISO 27001 certified.
3.3 AI Processing — Quality Evaluation
For workspaces that have enabled the optional quality evaluation flag (§1.5), retrieval event data is periodically sent to SiliconFlow and DeepInfra for quality scoring using language models hosted on their infrastructure. Both providers process this data transiently — not stored to disk, not used for model training. DeepInfra is SOC 2 and ISO 27001 certified. SiliconFlow processes data as a neutral service provider and does not store interaction data beyond request fulfillment.
3.4 Error Tracking
Sentry receives anonymized error reports as described in Section 1.4.
3.5 Legal Requirements
We may disclose information if required by law, court order, or governmental authority.
3.6 Business Transfers
If Neuroloom is acquired or merges with another company, your data may be transferred. We will provide notice before your data becomes subject to a different privacy policy.
4. Workspace Isolation
Neuroloom is a multi-tenant platform. Each workspace is completely isolated — your workspace data is inaccessible to other workspaces.
This isolation is enforced at the database query level: every query is filtered by workspace ID. Cross-workspace data access is not possible by design.
5. Data Retention
| Data Type | Retention |
|---|---|
| Memory content | Until you delete it. Deletion removes all associated data. |
| API logs | 90 days (rolling) |
| Error logs (Sentry) | 90 days |
| Evaluation injection logs | 90 days (raw logs), then aggregated into summary statistics. Deleted immediately when workspace is deleted. |
| LLM judge scores | Retained for the lifetime of the associated memory feedback record. Deleted when workspace is deleted. Only collected for workspaces with evaluation consent enabled. |
| Account data | Deleted within 30 days of account closure. Legal/accounting records may be retained longer. |
6. Security
We protect your data with:
- Encryption at rest — Database storage encrypted via Railway-managed PostgreSQL
- Encryption in transit — All traffic uses TLS
- API key hashing — Keys stored as SHA-256 hashes; we cannot retrieve originals
- Workspace isolation — Database-level tenant separation
No system is perfectly secure. Report vulnerabilities to security@neuroloom.dev.
7. Your Rights
7.1 For All Users
- Access — View your data through the dashboard or API
- Deletion — Delete memories or workspaces via dashboard/API. Account closure: contact privacy@neuroloom.dev
- Export — Export your data via the API
- Correction — Update account info through the dashboard
7.2 EU/EEA and UK Users (GDPR)
Additional rights under GDPR:
- Right to object to processing based on legitimate interest
- Right to restrict processing in certain circumstances
- Right to data portability (structured, machine-readable format)
- Right to lodge a complaint with your data protection authority
Legal bases: Contract performance (providing the Service), legitimate interests (security, error monitoring), consent (optional retrieval quality evaluation).
Data controller: Endless Galaxy Studios LLC, Delaware, USA.
7.3 California Residents (CCPA/CPRA)
- Right to know — Request disclosure of collected information
- Right to delete — Request deletion (subject to exceptions)
- Right to correct — Request correction of inaccurate information
- Right to opt out — We do not sell or share personal information for behavioral advertising
To exercise rights: contact privacy@neuroloom.dev. Response within 45 days.
8. Children's Privacy
Neuroloom is not directed to children under 13 (or under 16 in the EU/EEA). We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us and we will delete it promptly.
9. International Data Transfers
Neuroloom's infrastructure is hosted in the United States via Railway. If you access the Service from outside the US, your data is transferred to and processed in the US.
For EU/EEA/UK users, transfers are conducted under Standard Contractual Clauses (SCCs).
10. Changes to This Policy
We may update this Privacy Policy. When we make material changes:
- We update the "Last updated" date at the top
- We notify you by email or website notice at least 14 days before changes take effect
Continued use after the effective date constitutes acceptance.
11. Contact
For questions or to exercise your rights:
General: privacy@neuroloom.dev
Security: security@neuroloom.dev
Endless Galaxy Studios LLC
Delaware, USA