User data stays in your browser.

Overview

Overview

Memorall is built around a local-first browser workflow. The extension can capture pages, manage documents, store chats, and build memory context without uploading that content to a Memorall-operated remote server.

The default data path is local storage on your device. If you provide your own OpenAI or OpenRouter key and submit prompts, files, or other content through that provider, that submitted content is handled by that provider rather than by Memorall.

Stored Data

What Memorall collects and stores

Memorall does not collect a background profile about you. It stores the information below only when you create it, import it, attach it, configure it, or explicitly save it in the extension.

• Captured web content: pages, selected text, screenshots, page metadata, and other context you explicitly choose to save.
• Chat and memory data: conversations, drafts, summaries, graph relationships, and workspace context created while using Memorall.
• Documents and files: PDFs, Markdown, spreadsheets, notes, and workspace files you import, create, or attach.
• Model assets and caches: local model files, embeddings, and related cached artifacts when you choose workflows that need them.
• Configuration data: model settings, provider configuration state, and other product preferences needed to restore your setup.
• Passwords, passkeys, API keys, and other credentials: optional account passwords, master passkeys, provider API keys, bearer tokens, local server keys, MCP headers, and similar secrets may be handled when you enter them to enable sign-in, encryption, or a provider integration.
• What Memorall does not automatically collect: Memorall does not run its own analytics pipeline for your saved content, does not sell browsing data, and does not create a server-side copy of your local workspace by default.

Passwords & Credentials

How passwords, passkeys, API keys, and secrets are handled

Chrome Web Store policy treats passwords and credentials as sensitive user data. Memorall only handles these values when you provide them directly to enable a feature. They are not sold, rented, shared with advertisers, or used to build advertising profiles.

• Optional account password: passwords and credentials saved by Memorall are stored in browser-managed extension storage and encrypted with the user's passkey. If Supabase authentication is configured for a deployment and you choose to sign in or sign up, the email address and password you enter are sent to that configured Supabase authentication service for account creation, sign-in, session management, and password verification. Memorall does not use that password for unrelated product analytics or advertising.
• Passwords entered on web pages: if page activity capture is enabled, Memorall checks password fields and other sensitive input patterns such as token, API key, authorization, credit card, PIN, OTP, and private key fields. The actual entered value is redacted before storage, and Memorall stores only a redaction marker for that sensitive field.
• Passkey and master passkey: passkeys entered in Memorall are used to protect locally saved provider configuration, including encrypting and decrypting saved passwords, API keys, tokens, and provider keys in browser-managed storage. The passkey is not transmitted to Memorall-operated servers.
• API keys and provider secrets: OpenAI API keys, OpenRouter API keys, local model server keys, MCP authorization headers, bearer tokens, and similar secrets are used only to call the provider, local service, or server that you configured.
• Storage: saved passwords, provider credentials, API keys, tokens, and encrypted credential records are kept in browser-managed extension storage on your device and encrypted with the user's passkey unless the specific third-party authentication or provider flow requires its own server-side session handling.
• Sharing: passwords and credentials are not sent to Memorall-operated infrastructure. Account passwords are sent to the configured Supabase authentication service when you use optional sign-in. API keys and tokens are sent only to the provider, local endpoint, or MCP server you configure when a request needs that credential.
• Retention and deletion: locally saved credentials can be removed from the extension, cleared through browser extension storage controls, or removed by uninstalling the extension. Data submitted to Supabase, OpenAI, OpenRouter, or another configured provider is retained according to that provider's own policy.

Local Handling

Local storage and processing

• Browser-local storage: Memorall uses browser storage surfaces such as IndexedDB, OPFS, and related local mechanisms to keep memory and document data close to the browser environment.
• Local inference paths: some workflows can run with browser-hosted runtimes or locally configured model servers such as LM Studio or Ollama instead of remote APIs.
• No mandatory sign-in for the core path: the local-first core does not require every user to create an account before using the product.
• No Memorall-hosted storage for core data: Memorall does not upload your saved pages, notes, chats, files, or graph data to Memorall-operated servers as part of the default product flow.
• User-configured external LLMs: if you add your own OpenAI or OpenRouter key, content submitted to that provider is processed through that provider's service instead of the default local-only path.
• Credential handling: saved provider credentials are used by the extension to restore authentication and make the requests you initiate. They are not sent to Memorall servers.

External LLMs

When OpenAI or OpenRouter can handle your submitted content

Memorall does not automatically share your saved workspace content with third parties. The main exception is when you choose to use your own external LLM provider key.

• User-provided OpenAI key: if you enter your own OpenAI API key and submit a prompt, file, or other content through the OpenAI integration, that submitted content is handled by OpenAI under OpenAI's own terms and privacy policy.
• User-provided OpenRouter key: if you enter your own OpenRouter API key and submit a prompt, file, or other content through the OpenRouter integration, that submitted content is handled by OpenRouter under OpenRouter's own terms and privacy policy.
• Local-first default: if you do not configure and use your own external LLM key, Memorall's privacy posture remains local-first and your saved user data remains in browser-managed local storage.

Before using OpenAI or OpenRouter with your own key, review that provider's privacy policy and terms because content submitted through that provider is handled by that provider.

Data Sharing

How data is shared with third parties

Memorall does not sell, rent, trade, or otherwise disclose your personal information to advertisers, analytics networks, data brokers, or unrelated third parties. Memorall also does not maintain a hosted Memorall database containing your local workspace content. The only provider-handling case described on this page is when you choose to use your own OpenAI or OpenRouter key:

• No Memorall server copy: Memorall does not maintain its own hosted database containing your saved pages, chats, notes, or documents from the default local-first path.
• OpenAI or OpenRouter with your own key: if you provide your own OpenAI or OpenRouter API key and submit prompts, files, or related content through that provider, that submitted content is handled by that provider under that provider's own terms and privacy policy. Memorall does not control how OpenAI or OpenRouter handle that submitted content.
• Optional Supabase authentication: if a deployment enables Supabase authentication and you choose to sign in or sign up, your email address, password, and authentication session data are handled by the configured Supabase project for account authentication.
• No other sharing: outside the user-configured OpenAI or OpenRouter path above, optional Supabase authentication, and other user-configured provider requests, Memorall does not share data with advertisers, analytics networks, data brokers, or any other third party.

Using your own OpenAI or OpenRouter key means the submitted content for that request is handled by that provider, not by Memorall.

Data Security

How data is protected

Because Memorall's core data path is local-first, most sensitive data never leaves your device and is therefore not exposed to Memorall server-side storage. The following practices apply:

• Browser security model: locally stored data is kept inside browser-managed storage (IndexedDB, OPFS, extension storage) which is isolated to the extension's origin and protected by the browser's built-in security sandbox.
• No Memorall-operated server storage: Memorall does not operate servers that store copies of your captured pages, chat history, documents, or memory objects. Data you store in the local-first path remains on your device.
• Transit security for OpenAI or OpenRouter requests: when you use your own OpenAI or OpenRouter key, requests to that provider use the provider's network path and transport security. The security posture of that remote endpoint is governed by that provider.
• API key handling: OpenAI or OpenRouter API keys you configure are stored locally in extension storage and are not transmitted to Memorall-operated infrastructure.
• Password and passkey handling: passwords and credentials saved by Memorall are stored in browser-managed extension storage and encrypted with the user's passkey. Optional account passwords are sent only to the configured authentication provider for sign-in or sign-up. Passkeys used to protect local provider configuration are handled locally for encryption and decryption.
• No guarantees for external providers: Memorall cannot guarantee the security practices of Supabase, OpenAI, OpenRouter, local model servers, MCP servers, or other user-configured providers.

Control

Deletion and retention control

• Inside Memorall: remove saved context, files, or memory objects directly from the product where those controls are available.
• Browser-level clearing: clear extension or site data using browser controls to remove locally stored records.
• Uninstall: uninstalling the extension removes the extension from the browser and typically removes its locally stored data, subject to browser behavior.
• External LLM providers: if you submitted data through your own OpenAI or OpenRouter key, retention on that provider is governed by that provider rather than by local browser storage alone.
• Authentication providers: if you used optional Supabase authentication, account and password-related records are retained by that configured provider according to its own policy and account controls.

Children's Privacy

Children's privacy

Memorall is not directed at children under the age of 13 (or the applicable age of digital consent in your jurisdiction). Memorall does not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that your child has provided personal information through Memorall, please contact us using the details in the section below so we can take appropriate action.

Updates & Contact

Changes and contact

Effective date: April 23, 2026. This policy was last updated on April 23, 2026.

This privacy policy may be updated as the product evolves. When material changes are made, the effective date above will be updated so the public page stays aligned with the current product architecture. Continued use of the extension after an update constitutes acceptance of the revised policy.

For privacy questions, data-handling inquiries, or suspected inaccuracies, you can reach us by:

• GitHub Issues: open an issue at github.com/zrg-team/memorall/issues — this is the primary support and contact channel.
• Source review: the full extension source is publicly available at github.com/zrg-team/memorall so you can verify data-handling claims against the actual code.