Your data. Your rules.
Plain-language commitments and security practices for developers who need to trust the tools they ship with.
Last updated: April 13, 2026
Our Commitments
Your data doesn't train our models
Your data is your data — we're not here to change that. Your memories, code context, architectural decisions? They're never used to train, fine-tune, or improve any AI model. Not without your explicit permission.
Your data is never sold or shared
Your data is... still your data. Who you are, your email, all of it — it stays with you. Never sold to third parties, never shared with advertisers, never monetized in any way. Not now, not later. Not ever.
Your data is yours. Delete it anytime.
Because it's yours, export or delete it whenever you want. No forms, no approval process, no waiting period. Deletion is immediate — but also permanent. No going back. No questions asked.
Analytics are opt-in, off by default
We collect anonymized, aggregate usage metrics (such as API call counts, error rates, etc.) to keep things reliable. Data sharing is controlled by a workspace flag — off by default.
Security Practices
Implementation details for developers and security-conscious users.
Data
Data Privacy
All data access paths are scoped to a single workspace. Cross-tenant access is not possible through the API. Memory content is never included in logs.
Data Retention
Workspace data is retained for the duration of your subscription. Deletion is immediate and permanent — workspace deletion cascades to all memories, sessions, and observations. User account deletion anonymizes personal information while preserving audit trail integrity.
Data Residency
All data is stored in the United States. Production infrastructure runs on Railway (US region). AI inference is processed by DeepInfra (see Sub-processors).
Backups
Database backups are managed by our infrastructure provider with daily snapshots and point-in-time recovery capability.
Sub-processors
AI processing (embeddings and inference) is handled by DeepInfra (SOC 2, ISO 27001 certified). Data is processed in memory only — not stored to disk, not used for model training. We do not route workspace data through any other third-party AI provider.
Access & Identity
Tenant Isolation
Every database query is scoped to a single workspace. There are no shared memory pools. All reads and writes include a workspace filter.
Access Control
Authentication uses short-lived signed tokens with explicit algorithm validation. Passwords are hashed using an adaptive algorithm that increases cost as hardware improves. Administrative actions are written to an append-only audit log. Records are preserved even when associated user accounts are removed.
Encryption
All data is encrypted at rest (Railway-managed PostgreSQL) and in transit (TLS). API credentials are stored as one-way hashes — we physically cannot recover them. OAuth tokens are encrypted with a separate key.
Infrastructure & Operations
Infrastructure
Services run as unprivileged processes in isolated containers. Cross-origin requests are validated against an origin allowlist. API endpoints are rate-limited.
Error Tracking (Sentry)
We monitor for crashes and exceptions to maintain service reliability. Error reports contain stack traces and request context — no memory content is included. This operates independently of your analytics preference.
Vulnerability Disclosure
Security researchers can report vulnerabilities to security@neuroloom.dev. We investigate all reports and aim to acknowledge receipt within 72 hours.
Have a security questionnaire? We'll fill it out.
Send it overFor the full legal details, see our Privacy Policy.