privacy policy
last updated · 9 july 2026
Memento.sky ("Memento") is a private journal of the people you've met. This policy explains what data the app touches, where it lives, and what we can and cannot see.
who we are
Memento is built by an indie developer. Contact: team.slowpress+memento@gmail.com.
what's stored on your device and in your icloud
The diary itself — names, moments, photos, scribbles — never leaves your devices and your private iCloud account. Specifically:
- People you log — names, the moment-of-meeting timestamp, the mascot pick, an optional photo, an optional sketch.
- Moments you attach to those people — text and timestamps.
- Linked contacts. If you link a person in your sky to someone in your phone's contacts, the details you pick (name, phone number) are copied into that person's entry. The picker is Apple's own contact-picker screen — out-of-process — so Memento only ever sees the one contact you select, never your whole address book, and it never reads your contacts in the background. You can also type a phone number or add social-media handles (Instagram, Facebook, Snapchat) by hand; those live in the same private diary entry.
This data syncs only through Apple's CloudKit private database tied to your Apple ID. We have no servers and no access to it. If you enable Apple's Advanced Data Protection in iCloud settings, your data is end-to-end encrypted such that not even Apple can read it.
what we collect off your device
Three small streams, each described below:
- Usage analytics (PostHog). From first launch, on every install, the app records a small set of key actions (
first_spot_saved,paywall_shown, etc.) plus basic app-lifecycle events (launches, foreground/background), so we can see how the app is used and improve it — no screen views, no autocapture, no PII. These events are not linked to your identity: they're tied to a random per-install id that is never joined to your name, email, or Apple ID, your IP address is discarded on receipt, and no location or GeoIP lookup is performed. Your diary — people, moments, notes, photos, scribbles — is never collected. - Subscription state (RevenueCat + Apple StoreKit). When you subscribe or restore, Apple processes the payment; RevenueCat records the subscription state and outcome. No card data — Apple never shares it with us.
- Diagnostics (Apple MetricKit). Crash reports, scroll performance, and hangs. Aggregated by Apple, delivered to Memento's local cache only. Never uploaded.
why
- The diary stays on your device because it's yours.
- Analytics tells us what to improve.
- Subscription processing keeps the lights on.
- Diagnostics keeps the app from crashing in your hand.
legal basis (gdpr)
- Legitimate interest — product analytics (pseudonymous; not linked to your identity).
- Contract performance — subscription.
sharing
- Apple — controller for the App Store, iCloud, and StoreKit. Apple's privacy policy applies to those.
- PostHog — processor, US region. PostHog, Inc. processes the usage analytics in the United States. EU/UK/Swiss→US transfers rely on PostHog's participation in the EU-US Data Privacy Framework (and its UK and Swiss extensions), with the Standard Contractual Clauses in our signed Data Processing Agreement as an additional safeguard.
- RevenueCat — processor, US region. Standard contractual clauses on file.
We never sell data, and there is no advertising or cross-app tracking of any kind.
retention
- On-device + iCloud — until you delete (settings → about → delete everything).
- PostHog — 12 months rolling.
- RevenueCat — per their retention policy.
- Apple receipts — per Apple and tax law (typically 7 years).
your rights (gdpr / similar)
- Access — settings → your sky → export your sky exports a ZIP with everything.
- Erase — settings → about → delete everything wipes local and cloud copies. It is irreversible.
- Portability — the ZIP is JSON + raw photos + scribble PNGs, machine-readable.
- Object to analytics — usage analytics run under legitimate interest. Because the events aren't linked to your identity, we can't single out and delete one person's data, and there's no per-user switch. To stop future collection entirely, delete the app; you can also write to team.slowpress+memento@gmail.com with any objection.
- Object / restrict — write to team.slowpress+memento@gmail.com and we'll honor it.
security
- iCloud at-rest encryption (Apple-held keys) by default.
- End-to-end encryption when you enable iCloud's Advanced Data Protection.
- TLS in transit for analytics and subscription telemetry.
- No Memento-side servers ever handle your diary data.
changes
This policy is versioned in our public repository (memento-legal). Changes ship with a new "last updated" date.
complaints
You can complain to us first (team.slowpress+memento@gmail.com), or directly to your local data-protection authority — for EEA / UK users, your national regulator (such as the ICO) is the typical authority.