Privacy Policy — Memrina
Last updated: 2025-02-17
1. Introduction
This privacy policy describes how Afeo Systems AB ("we", "us", "our"), org. nr 559335-7832, a Swedish registered company, collects, uses, stores, and protects personal data in connection with the Memrina mobile application ("the Service").
Memrina is an AI-powered homework help app designed for children aged 8–15. Children do not use the Service independently — it is the parent/guardian who creates the account, adds children, and manages all data.
Data Controller: Afeo Systems AB Email: support@memrina.se
2. What personal data we collect
2.1 Parent/guardian data
| Data | Purpose |
|---|---|
| Name | Account administration |
| Email address | Login, account recovery, communication |
| Password | Authentication (hashed, stored by Supabase Auth) |
2.2 Child data
| Data | Purpose |
|---|---|
| First name | Personalized experience in the app |
| Birth year | Adjust difficulty level |
| PIN code | Child's access to the app (hashed, never stored in plaintext) |
Note: We do not collect email addresses, phone numbers, or other contact information for children. Children do not have their own accounts.
2.3 Homework data
| Data | Purpose |
|---|---|
| Homework photos | OCR text extraction |
| Extracted text from homework | Generating study questions |
| Subject and due dates | Homework organization |
2.4 Study data
| Data | Purpose |
|---|---|
| Questions and answers | AI-based homework help |
| AI-generated responses | Educational support |
| Results and scores | Progress tracking |
2.5 Technical data
| Data | Purpose |
|---|---|
| Push notification tokens | Sending reminders |
| Device and error logs | Error reporting and improvement (via Sentry) |
2.6 Data we do NOT collect
- Location data
- Contacts or address book
- Third-party tracking or advertising
- Voice recordings (text-to-speech is processed locally on the device)
3. Legal basis for processing
We process personal data based on the following legal bases under the GDPR:
| Processing | Legal basis | GDPR Article |
|---|---|---|
| Account creation and authentication | Contract | Art. 6.1(b) |
| Children's data and homework data | Consent (parental consent) | Art. 6.1(a), Art. 8 |
| AI-based homework help | Contract | Art. 6.1(b) |
| Error reporting | Legitimate interest | Art. 6.1(f) |
| Push notifications | Consent | Art. 6.1(a) |
Since Memrina is aimed at children under 16, parental consent is required. By creating an account and adding a child, the parent/guardian consents to the processing of the child's data.
4. How we use the data
We use personal data to:
- Provide AI-based homework help
- Create and manage user accounts
- Generate study questions based on homework
- Track the child's study progress
- Send push notifications (with consent)
- Identify and fix technical issues
- Improve the Service
We never use personal data for:
- Advertising or marketing to children
- Profiling for purposes other than education
- Sale to third parties
5. Third-party services and data processors
We use the following third-party services to provide Memrina:
5.1 Supabase (database, authentication, storage)
- Purpose: Account management, data storage, file storage
- Data shared: All account data, homework data, study information
- Location: EU (Frankfurt, Germany)
- Data Processing Agreement: Yes
- More info: supabase.com/privacy
5.2 Google Gemini 2.0 Flash (AI tutoring)
- Purpose: Generate study questions, provide educational responses
- Data shared: Homework text, student answers, conversation context
- Note: No names or personal information is sent — only educational content
- More info: cloud.google.com/terms/data-processing-addendum
5.3 Google Cloud Vision API (OCR)
- Purpose: Extract text from homework photos
- Data shared: Homework photos
- Note: Photos are processed and not permanently stored by Google
- More info: cloud.google.com/vision/docs/data-usage
5.4 OpenAI (text-to-speech)
- Purpose: Convert AI responses to speech
- Data shared: AI-generated response text (no personal data)
- Note: Only text content is sent, no identifying information
- More info: openai.com/policies/privacy-policy
5.5 Sentry (error reporting)
- Purpose: Identify and debug technical issues
- Data shared: Device information, error logs, user context (anonymized)
- More info: sentry.io/privacy
5.6 Apple / RevenueCat (subscription management)
- Purpose: Manage subscriptions and payments
- Data shared: Subscription status, transaction IDs
- Note: Payment information is handled directly by Apple — we never see card details
- More info: apple.com/legal/privacy, revenuecat.com/privacy
6. International data transfers
Primary data storage is within the EU (Supabase, Frankfurt). Some third-party services (Google Gemini, OpenAI, Sentry) may process data in the USA. In such cases, transfers are protected by:
- EU Standard Contractual Clauses (SCCs)
- Appropriate safeguards under GDPR Chapter V
No personal data is transferred without adequate safeguards.
7. Data retention and deletion
| Data type | Retention period |
|---|---|
| Account information | Until account is deleted |
| Child profiles | Until the parent removes the child or account |
| Homework data | Until the parent removes the homework or account |
| Detailed study data | 12 months, then aggregated |
| Aggregated study data | Until account is deleted |
| Error logs (Sentry) | 90 days |
Upon account deletion, all personal data is deleted within 30 days.
8. Your rights under the GDPR
As a data subject, you have the following rights:
| Right | Description | How |
|---|---|---|
| Access (Art. 15) | Request a copy of all your data | In the app: Settings → Data & Privacy |
| Rectification (Art. 16) | Correct inaccurate data | In the app or via support@memrina.se |
| Erasure (Art. 17) | Delete your account and all data | In the app: Settings → Data & Privacy → Delete Account |
| Data portability (Art. 20) | Export data in a machine-readable format | In the app: Settings → Export Data |
| Restriction (Art. 18) | Restrict processing of your data | Contact support@memrina.se |
| Objection (Art. 21) | Object to processing | Contact support@memrina.se |
| Withdraw consent | Withdraw consent at any time | Delete the child or account |
Account deletion is carried out immediately — all personal data, child profiles, homework, and study data is permanently deleted.
9. Children's privacy
Memrina takes children's privacy very seriously:
- No children's accounts: Children do not have their own accounts. Parents create and manage everything.
- Parental control: Parents can view, export, and delete their child's data at any time.
- Minimal data collection: We only collect what is necessary for the educational purpose.
- No contact information: We do not collect email, phone numbers, or other contact information for children.
- No tracking: We do not use third-party trackers or advertising tools.
- Voice: Text-to-speech is processed locally on the device — no voice recordings are stored.
- PIN security: The child's PIN is hashed and never stored in plaintext.
10. Data security
We implement the following security measures:
- Encryption in transit: All communication uses TLS/HTTPS
- Encryption at rest: Data is encrypted in the Supabase database
- Hashed passwords and PINs: Passwords and PINs are never stored in plaintext
- Access control: Row Level Security (RLS) in the database ensures users can only access their own data
- Secure authentication: Via Supabase Auth with industry-standard security
11. Cookies and tracking
Memrina uses no cookies, third-party trackers, or advertising tools. We do not track users across apps or websites.
NSPrivacyTracking is set to false in our App Store configuration.
12. Changes to this policy
We may update this privacy policy. For material changes, we will notify you via:
- In-app notification
- Email to the registered email address
Continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact
For questions about privacy or to exercise your rights:
Afeo Systems AB Email: support@memrina.se
If you are not satisfied with our handling, you may file a complaint with:
Swedish Authority for Privacy Protection (IMY) Website: imy.se
This privacy policy is effective from 2025-02-17.