Legal

Privacy Policy

Last updated: July 7, 2026

This policy explains what the Necory mobile app and the necory.com website collect, why, where it goes, how long it stays, and how you can take it out or erase it. It was written from the app's actual implementation — if the app doesn't do something, this policy doesn't claim it.

Necory ("we", "us") operates the service. For anything in this policy, contact support@necory.com.

The short version: Necory stores what you deliberately save so its AI can recall it for you. Your content is encrypted in transit and at rest and isolated to your account — but it is not end-to-end encrypted, because the AI must read it to answer you. We don't sell your data and we don't show ads. You can export everything and delete everything, from inside the app.

1. Information we collect

Account information

  • Sign-in details: your email address and/or phone number, and — if you sign in with Google or Apple — the name, email, and profile photo those providers share.
  • Profile settings: display name, profile photo, preferred language (English/Arabic/Spanish), theme, and your device's timezone (used to fire reminders at the right local time).
  • One-time codes: when you sign in or reset a password by email code, we store the code only as a SHA-256 hash for up to 10 minutes; expired codes are purged automatically. Phone sign-in codes are generated, delivered, and verified by Firebase Authentication — we never see or store them.
  • Password safety check: when you set a password, we check it against the Have I Been Pwned breach database using its k-anonymity API — only the first five characters of a hash are sent, never your password.

Content you save (the point of the product)

  • Notes, links, photos, documents (PDF, Word, Excel and similar), audio files you attach, and places (coordinates and addresses you choose to share).
  • Your conversations with the AI, including attachments.
  • Money-ledger entries: the people you name, amounts, currencies, and the wording you used.
  • Explicit memories and relationships you ask Necory to keep (e.g., "Emma is my wife").
  • Reminders: their text and schedule.

Information the app derives

  • AI-generated organization: titles, summaries, and tags for saved items, plus a record of edits ("revisions") when the AI updates an item.
  • Search embeddings: numerical representations of your content that make meaning-based recall possible.
  • Learned profile observations: light patterns such as preferred tone or active hours. Every observation is visible in Settings → AI Profile, where you can confirm, dismiss, or lock it.

Usage and diagnostics

  • Analytics events (Google Analytics for Firebase): which screens are used and product events like "message sent" or "item saved", with a session identifier, your subscription plan, and your account ID. Analytics events never contain the content of your notes, messages, or files.
  • Crash, error, and performance reports (Sentry): stack traces, a trail of app events leading to an error, and app performance and stability metrics (such as start-up timing and crash-free sessions), tied to your account ID only. We configure Sentry to not collect personal details, screenshots, or screen contents.
  • Push token: a device registration token so we can deliver reminder notifications.
  • Quality review snippets: when the system flags an AI answer as possibly wrong, a snippet of that exchange — with personal identifiers redacted before storage — may be queued for our review so we can fix the AI's behavior.
  • Enforcement records: whether an account is suspended for Terms violations.

Device permissions (all optional, all user-triggered)

PermissionUsed forWhen
Camera / photo libraryAttaching photos to chat or saving them to your vaultOnly when you attach or save
MicrophoneVoice dictation — your recording is sent to Google's Gemini API, transcribed to text, and then discarded; we don't store the audio, and no on-device speech recognition is usedOnly while you hold/tap the mic
LocationSharing your current location in chat or saving a placeOnly when you tap to share; never in the background
FilesAttaching documents or audio filesOnly when you pick a file
Notifications & exact alarmsDelivering reminders on time, including when the app is closedAfter you allow the prompt
Face ID / biometricsOptional app lock. Verified entirely on your device; biometric data never reaches usOnly if you enable app lock

On the website (necory.com)

  • This website sets no cookies and runs no analytics or trackers. That's why there's no cookie banner.
  • It is served by Firebase Hosting, which processes standard request logs (IP address, user agent) to deliver the site.
  • Fonts load from Google Fonts, which receives your IP address as part of serving the font files.

2. Why we process it

  • To provide the service: storing your content, generating AI replies, computing ledger balances, firing reminders, syncing across sign-ins.
  • To secure it: authentication, abuse and rate limiting, app-integrity attestation, fraud prevention.
  • To run the business: knowing your subscription status so the right limits apply.
  • To improve quality: aggregate analytics, crash reports, and redacted AI-quality snippets.
  • We do not: sell your data, share it for advertising, or use your private content to advertise to you.

3. Who processes your data

Necory is built on established infrastructure providers acting on our behalf:

ProviderWhat it doesWhat it receives
Google Firebase / Google CloudAuthentication, database, file storage, server functions, push notifications, analytics, app-integrity checks. Hosted in the United States.Your account data and content
Google Gemini APIGenerates AI replies, transcribes voice recordings, creates search embeddingsThe messages, attachments, and retrieved content needed for each reply
SentryCrash, error, and performance monitoringCrash and error reports plus performance and stability metrics, tied to your account ID; configured to exclude personal details and content
ResendSends transactional email (sign-in codes, password reset, welcome)Your email address and the email content
Apple App Store / Google Play + RevenueCatSubscription billing and entitlement managementPurchase and subscription status. We never see your card number.
OpenStreetMapRenders small map previews for saved placesYour IP address and the map area requested, when a preview loads
Have I Been PwnedPassword breach checkingOnly the first five characters of a password hash (k-anonymity)
Apple / Google geocodingTurning shared coordinates into a readable addressThe coordinates you chose to share

When you contact support@necory.com, your message is processed by our email provider like any email.

4. Where your data lives, and transfers

Your data is stored and processed on Google Cloud infrastructure in the United States. If you use Necory from outside the US, your information is transferred to and processed in the US. Jurisdiction-specific transfer mechanisms (e.g., for EU/UK users) are identified for legal review; contact us with any questions in the meantime.

5. Security

  • TLS encryption for all traffic; encryption at rest on Google Cloud.
  • Server-side security rules bind every record to your account — no other user can access it, and AI operations are locked to your signed-in account.
  • Sign-in codes stored only as hashes; single-use; 10-minute expiry; brute-force rate limits.
  • Production apps attest integrity via Firebase App Check.
  • Service credentials are kept in a managed secrets vault, never in code or client apps; raw error details go to internal logs, never to clients.
  • Not end-to-end encrypted — the AI must read your content to answer you, so our systems process it in readable form. We say this everywhere it matters. See Security.

6. How long we keep things

DataRetention
Your content (vault, conversations, ledger, memories, reminders)Until you delete it
Items you delete30 days in trash (restorable), then permanently erased
Conversations you deleteRemoved along with their messages when you delete them
Data-export archivesDownload links expire after 7 days; expired archives are deleted
One-time sign-in codes10 minutes, then purged
Deleted account30-day recovery window, then all content, files, and profile data are permanently erased
Analytics and crash dataHeld by Google Analytics and Sentry for their standard limited retention periods

7. Your rights and controls

  • Access & portability: Settings → Export gives you your entire dataset (readable HTML + JSON + media), on any plan.
  • Correction: edit any item, memory, or profile field in the app; tell the AI to update or forget things.
  • Deletion: per item, per conversation, all data at once, or the whole account — see Account deletion.
  • AI memory control: confirm, dismiss, or lock every learned observation in Settings → AI Profile.
  • Notifications: controlled by your device's system settings.
  • Depending on where you live, you may have additional statutory rights (e.g., under GDPR or CCPA). Email support@necory.com from your account address and we'll honor the rights that apply to you.

8. Children

You must be at least 13 years old to use Necory, and if you are under 18 you need a parent or guardian's permission. Necory is not directed to children under 13, and we don't knowingly collect their data. If you believe a child under 13 has created an account, contact us and we will delete it.

9. Changes to this policy

If we change this policy in a meaningful way, we'll update the date above and inform you in the app before the change takes effect. The current version always lives at necory.com/privacy.

10. Contact

support@necory.com