Privacy Policy

Effective date: June 14, 2026  ·  Last updated: June 14, 2026

Anansi ("we", "us", "our") provides a memory API and Slack integration that helps teams and developers give AI applications persistent, synthesized memory. This policy explains what data we collect, how we use it, and your rights.

1. Who this policy applies to

This policy covers:

• Developers — individuals and organisations who use the Anansi API, SDK packages, or Slack app.
• End-users — people whose content is ingested into Anansi by a developer application (e.g. a chatbot user whose conversation is stored).
• Workspace members — Slack users in workspaces where the Anansi bot has been installed.

2. Data we collect

2a. Via the developer API

• Content you ingest — text, documents, or URLs you send to POST /v1/ingest. We store the raw content and a semantic embedding vector.
• User identifiers — the userId strings you supply. We never see the real-world identity behind a userId unless you include it in the content.
• Synthesised profiles — facts, context, and entity graphs we extract from ingested content via our LLM synthesis pipeline.
• API usage logs — timestamps, endpoint paths, status codes, and quota counts. No request bodies are written to logs.

2b. Via the Slack integration

• Public channel messages — content from channels you select during onboarding. Direct messages and private channels are never read.
• Per-person profiles — for each message author, we build a personal memory profile (facts, current activity, temporal timeline) from their public messages.
• Slack user IDs — used to attribute messages to individuals. We resolve display names via the Slack API for readability.
• OAuth tokens — stored encrypted (AES-256-GCM) and used only to read channels you have authorised.

3. How we use your data

• To provide the memory synthesis service — storing, embedding, and synthesising content.
• To enforce usage quotas and rate limits per API key.
• To send outbound webhooks to URLs you configure.
• To improve the service (anonymised, aggregated usage metrics only — never your content).

We do not sell, rent, or share your data with third parties for marketing. We do not train our own models on your content.

4. Sub-processors

We use the following third-party services to operate Anansi:

• GitHub Models / OpenAI — LLM inference for synthesis and embeddings. Your content is sent to these providers as part of synthesis; their data processing agreements apply.
• Railway / Supabase / Upstash — hosting, database, and Redis queue infrastructure. Data is stored in the region configured at deploy time.
• Stripe — payment processing. We share only billing-relevant identifiers.

5. Data retention

• Memory chunks without a TTL are retained until you delete them (via DELETE /v1/memory or the developer portal).
• Chunks with a TTL are automatically excluded from synthesis after expiry and purged within 30 days.
• Synthesised profiles and entity graphs are deleted when you delete the associated workspace or developer account.
• API usage logs are retained for 90 days.
• Backups are retained for 30 days.

6. Your rights

Depending on your jurisdiction, you may have the right to:

• Access — request a copy of data we hold about you.
• Deletion — request erasure. For API users: use DELETE /v1/memory. For Slack workspace members: use /memory forget-me in Slack, which immediately purges your personal profile and stops future attribution.
• Correction — request correction of inaccurate data.
• Portability — receive your data in a machine-readable format.
• Object — object to processing based on legitimate interests.

To exercise any right, email anansi.memory@gmail.com. We respond within 30 days (15 days for CCPA requests).

7. Legal basis for processing (GDPR)

• Contract — processing necessary to provide the API service you have subscribed to.
• Legitimate interests — security logging, abuse prevention, and aggregated analytics. We have assessed these interests do not override your fundamental rights.
• Consent — for Slack per-person memory; workspace admins consent on behalf of their workspace during OAuth. Individual members may withdraw via /memory forget-me.

8. Security

We use AES-256-GCM encryption for stored secrets (OAuth tokens, API keys). Data in transit is protected by TLS 1.2+. Access to production databases is restricted to automated services via private networking. We conduct periodic security reviews.

9. Children's data

Anansi is not directed at children under 16. We do not knowingly collect data from minors. If you believe we have inadvertently done so, contact us at the address below.

10. International transfers

Data may be processed in the United States and other countries where our sub-processors operate. For transfers from the EEA/UK, we rely on Standard Contractual Clauses with our sub-processors.

11. Changes to this policy

We may update this policy. Material changes will be announced via email to account holders at least 14 days before they take effect. Continued use after the effective date constitutes acceptance.

12. Contact

For privacy questions or to exercise your rights:

• Email: anansi.memory@gmail.com
• Post: Anansi, Attn: Privacy, [Address]