⚠️ Founder-reviewed interim version — posted 2026-04-21. This page has been reviewed by BNC Solutions LLC's founder for accuracy about how MeMe Care actually operates. An independent attorney review is in progress. We will update this page and note the date when that review completes.

MeMe Care Privacy Policy

Effective date: 2026-04-21 Last updated: 2026-05-15 Version: 2.2

1. Who we are

MeMe Care is published by BNC Solutions LLC ("BNC", "we", "us"). MeMe Care is a voice-first mobile app that helps people understand photos of bills, mail, medication labels, screens, and possible scams by analyzing them with AI.

• Website: https://memecare.ai
• Contact / privacy requests: support@memecare.ai

This policy covers the MeMe Care mobile app on iOS and Android, our backend API (served at memecare.ai/api/*), and the memecare.ai website (including subdomains app.memecare.ai, admin.memecare.ai, and platform.memecare.ai).

2. What we collect

We collect the minimum needed to run the service.

Account data (from the trusted contact who sets up an account)

• Email address
• Phone number (optional — used for the Primary User's "Call for Help" button, not for account contact)
• Apple, Google, or email magic-link sign-in identifier
• Subscription plan and renewal status

Primary-user setup data (entered by the trusted contact or the Primary User)

• Primary User's first name (required)
• Primary User's full legal name (optional — used only to help the AI recognize whether mail is addressed to them)
• Household member names and relationships, up to 5 (optional — same purpose)
• Trusted-contact phone number the Primary User can "Call for Help"
• Preferred language (English or Spanish)

Scan metadata (created when the Primary User uses the app)

• Category (bill, medication, mail, scam, tech, home, other)
• Timestamp
• Page count
• Two flags produced by the AI: flagged_scam and flagged_unusual
• A short flag reason if one of those flags fires

Subscription records

• Plan tier (shown in-app and at memecare.ai/pricing at time of purchase)
• Receipt identifiers from Apple, Google, or Stripe
• Start, renewal, and cancellation dates

Device data

• Apple (APNs) or Google (FCM) push token (so we can send scam alerts to the trusted contact)
• App version, OS version (for crash triage)
• A locally generated device ID

3. What we do not collect or store on our servers

• We do not store raw photos beyond delivery. A scaled-down copy (1024 px, encrypted) may be stored as part of a scan-history record — see §8E for details and the retention period.
• We do not store unencrypted AI explanations. Explanation text and follow-up conversations are stored only in encrypted form scoped to the Primary User's seat — see §8E.
• We do not store audio recordings. Voice questions go to transcription and are deleted after text is returned.
• We do not collect contacts, location, browsing history, or advertising identifiers.
• We do not sell personal information. Ever.

4. What stays on the Primary User's device

These items live only on the Primary User's phone, in the device's secure storage:

• Device ID, seat ID, first name, trusted-contact phone
• Local scan history (category, timestamps, flags, and the full AI explanation text) — the primary read path; the device cache is the first place the app looks when replaying a past scan
• Voice preference, language preference, and font-size preference

Uninstalling the app erases the local device copy. If a scan-history record also exists on the server (see §8E), the server copy is unaffected by uninstalling — you must delete it explicitly in the app or via the family dashboard.

5. How we use the data

• Run the app (show the Primary User their scan, route alerts to the trusted contact)
• Send scam alerts to the trusted contact via push notification
• Process subscription payments through Apple, Google, or Stripe
• Detect abuse and rate-limit excessive requests
• Debug crashes and errors
• Comply with law

We do not use your data to train AI models. The Claude AI model that reads your pictures runs entirely inside Amazon Web Services (AWS) Bedrock — Anthropic (Claude's developer) does not receive your data, does not host the model for us, and has no access to your scans or explanations. AWS Bedrock operates under terms that prohibit use of your inputs or outputs to train any model (Anthropic's, Amazon's, or anyone else's).

About Bedrock's 5-minute prompt cache. To make follow-up questions about the same document fast and inexpensive, a scan's photo and its analysis may be held in Bedrock's temporary prompt cache for up to 5 minutes. The cache is automatically and irreversibly purged after that window; it is not used for training, logging, analytics, or any other purpose beyond serving an immediate follow-up. You can read AWS Bedrock's data handling terms at aws.amazon.com/service-terms (§75 Bedrock).

6. Who we share it with

We share only with the subprocessors we need to run the service. A current list is at memecare.ai/subprocessors and in docs/legal/subprocessors.md. Today that includes Amazon Web Services (Bedrock for AI, S3 for disaster-recovery backups), Cloudflare (infrastructure, including Email Routing for transactional email), Deepgram, OpenAI, Stripe (web billing), Apple (App Store billing and APNs push), Google (Play Billing and FCM push), and Sentry (error reporting).

We share with law enforcement only under valid legal process. We do not sell data or share it for cross-context behavioral advertising.

7. Where data is stored

Backend infrastructure (Cloudflare Workers, D1, KV, R2) operates in the United States. Subprocessors process data in the United States.

US-only service. MeMe Care is offered only to residents of the United States. We do not accept users from outside the US; accounts determined to be outside the US are suspended. If you attempt to access the service from outside the US, your request will be rejected.

8. Retention

| Data | How long | |---|---| | Family account record | Until you ask us to delete it | | Primary-user setup data | Until the trusted contact deletes the seat or the account | | Scan metadata rows | 90 days, then pruned automatically | | Wellbeing signals (family-side welfare events) | 2 years | | Safety-incident content (threat / self-harm / abuse triggering transcript) | 2 years from detection, or until counsel-signed dismissal, whichever is later — narrow disclosed exception to our zero-retention promise. See §8A. | | Safety-incident metadata (identity packet, classifier output, admin audit log) | Indefinite — required for legal + audit compliance | | CSAM incident metadata (hashes, NCMEC report IDs, identity packet) | 7 years (NCMEC guidance + potential law-enforcement needs) | | CSAM image content | Never held on our servers — Cloudflare CSAM Scanning Tool + NCMEC are the custodians | | Admin incident-console audit log (every view, export, disposition) | 7 years (tamper-evident accountability) | | Subscription records | Lifetime of the account, then 7 years for tax and audit | | Audit log (admin actions, DSARs) | 3 years for routine admin; 7 years for incident-related | | Scan-history records (AI explanation, conversation, scaled photo — encrypted, per §8E) | 180 days from creation (or last "Stop keeping" event) by default. Seniors can mark up to 50 helps as "Keep forever" to retain indefinitely. Deleted immediately on explicit delete action; all deletions are audit-logged. | | Photos / explanations / audio (ordinary path, not stored as history) | Not retained on our servers (in-memory only). Held in AWS Bedrock's prompt cache for up to 5 minutes to serve follow-up questions, then automatically purged. Not used for training. | | Voicemail audio + transcripts (Voicemail Screening add-on) | Not retained on our servers. Deleted within 5 minutes of push to the device. Audio + transcript live only on the Primary User's phone. See §8C. | | Hashed caller numbers (Voicemail Screening metadata) | Retained for the life of the seat (for scam-pattern correlation per-seat). Hashed with a per-seat salt — raw numbers discarded at ingest. | | Blocked inbound email (quarantine) | 90 days — narrow disclosed exception. See §8B. | | Conversation recording audio (optional feature) | Destroyed from our servers within ~1 hour of successful transcription. If transcription requires retry, retained up to 7 days base, extensible up to 21 days max. The Primary User can save audio to their device, which triggers our copy's deletion within ~1 hour. See §8D. | | Conversation recording transcripts and summaries (optional feature) | Retained encrypted at rest, scoped to the Primary User's seat. Not subject to the 90-day scan-metadata sweep. Deleted when the seat is deleted or an account deletion request is honored. |

8A. Safety-incident retention exception

The zero-retention promise for photos, audio, and explanations applies to ordinary-path traffic. It has one narrow, disclosed exception:

• When our automated classifiers detect apparent CSAM, a credible threat of violence against an identifiable third party, imminent self-harm indicators, or elder-abuse indicators, we create an access-controlled safety incident record. The triggering content (transcript for voice/text; hash + classifier metadata for images) is preserved in this record so that authorities can be contacted and can subsequently identify the submitter.
• Incident content is encrypted at rest, accessed only by named officers and counsel under two-factor authentication, and purged automatically at the retention boundary above unless an ongoing law-enforcement matter requires extension.
• Political content is never preserved. Our classifier filters politically-referenced content to a plain refusal; no incident is created; no authority is contacted.
• You may request a list of any incident records associated with your account by emailing support@memecare.ai, except that CSAM incident existence may not be disclosable in certain circumstances under federal law.

8C. Voicemail Screening data handling

If the Account Holder enables Voicemail Screening (a per-seat monthly add-on), the Primary User's carrier may forward unanswered calls to a MeMe Care voicemail endpoint through Conditional Call Forwarding (CCF). The following data-handling rules apply to every voicemail screened by the service.

• Zero data retention on voicemail content. Voicemail audio is received by MeMe Care, transcribed in-memory, run through the scam-screening classifier, pushed to the Primary User's device, and deleted from our servers within 5 minutes. We do not retain voicemail audio or transcripts at rest on our servers.
• Mobile device is the sole durable store. The voicemail audio file and its transcript live only on the Primary User's phone (the MeMe Care app's local storage). Deleting the voicemail on the device removes the only remaining copy. MeMe Care has no way to restore a deleted voicemail.
• Caller numbers are hashed per-seat. The calling party's phone number is hashed with a per-seat salt before any metadata row is written, so MeMe Care cannot identify callers across seats or correlate the same caller across accounts. Only the hashed value is stored; the raw phone number is discarded after hashing.
• Custom greetings are encrypted under our envelope scheme. If the Account Holder records a custom voicemail greeting for the Primary User, that greeting is encrypted at rest using the application-layer envelope encryption scheme described in §11, with a per-seat data-encryption key wrapped by a Worker-secret key-encryption key.
• Scam-suspicious voicemails may trigger a safety incident under §8A. Where a screened voicemail contains apparent CSAM, a credible threat of violence against an identifiable third party, imminent self-harm indicators, or elder-abuse indicators, the transcript is preserved in a safety-incident record under the same rules as any other Primary-User utterance, and the retention exception in §8A applies.
• Availability depends on carrier support. Voicemail Screening requires the Primary User's carrier to support Conditional Call Forwarding. At launch, we support AT&T, T-Mobile, Verizon, and US Cellular. Carriers may change CCF behavior at any time without notice. See Terms of Service §5A.

8B. Blocked inbound email (quarantine) retention exception

The email-reminder inbox feature allows a trusted contact to approve specific senders who can email reminders on behalf of the Primary User. Emails that are blocked before reaching the Primary User — due to authentication failures (DMARC / SPF / DKIM), an unrecognized recipient address, an unapproved sender, a rate-limit excess, a disallowed attachment type, or a malformed calendar invite — are retained in a quarantine store for up to 90 days.

• This content was never delivered to the Primary User and is not part of the Primary User's MeMe Care experience.
• It is stored solely to allow MeMe Care staff to investigate spoofing campaigns, abuse patterns, and configuration errors.
• The retained content may include the sender's email address, display name, subject line, and message body (plain text only, capped at 4,000 characters).
• Quarantine records are accessible only to MeMe Care staff under two-factor authentication and are automatically purged after 90 days.
• No AI model processes quarantine content; it is stored and reviewed by humans only.

8D. Conversation recordings (optional feature)

When the Primary User uses the conversation recorder, MeMe Care:

1. Records audio — Only when the Primary User actively taps "Record a conversation" on their device. The app shows a consent card the Primary User can show the other person before tapping "they said yes — start." Recording cannot start without two taps.

2. Transcribes — Audio is sent to Deepgram (BAA in place) for transcription. If transcription is unclear, we fall back to OpenAI Whisper via our Cloudflare AI Gateway (also under BAA, with collect_logs=false posture).

3. Summarizes — The transcript is sent to Anthropic Claude via AWS Bedrock (BAA in place) to generate a summary and key items.

4. Destroys the audio — Audio is deleted from our servers within approximately 1 hour of successful transcription. If we could not transcribe cleanly the first time, we may retain audio up to 7 more days (extensible up to twice, capping at 21 days total) so the Primary User or a family member can retry. The Primary User can also save the audio to their phone, in which case we destroy our copy within an hour.

5. Encrypts the transcript and summary — These are stored encrypted at rest in our database, with keys scoped to the Primary User's seat. Administrators cannot read transcript contents in MeMe Care V1.

6. Shares only when the Primary User chooses — Recordings can be marked private, shared with family, or set to inherit the seat's general activity-sharing setting. Family members on the same account can read shared recordings on app.memecare.ai and ask questions about them.

We do not use recording content for training or for any purpose other than serving the Primary User.

8E. Your past helps (encrypted scan history)

What we keep. When you use MeMe Care to scan something, we keep an encrypted copy of that help on our servers: the AI's explanation, any follow-up questions and answers, and a smaller copy of the photo you scanned (scaled down to 1024 pixels on the longest side). This lets you access your past helps from any device, or if you reinstall the app.

How it's protected. Each help is encrypted with a key that is unique to your account and stored only inside our backend systems. The encrypted data stored in our database and file storage cannot be read without that key. Only your account can unlock any of it. Our team sees only scrambled data and cannot read the content of your helps.

How long we keep it. By default, we keep each help for 180 days from when it was created (or from the last time you changed its "keep" status). After that, it is permanently deleted automatically.

Keep forever. If a particular help matters to you, tap Keep forever inside the app. We will hold onto it until you change your mind or delete it. You can keep up to 50 helps this way. Tapping "Stop keeping" restarts the 180-day countdown.

Deleting a help. Deleting a help inside the app removes everything — the explanation, the conversation, and the photo — from our servers within minutes. Every deletion is recorded in our audit log.

What we audit. Every time a help is read, shared, or deleted, we log the action in an access-controlled audit log. This log is used to detect misuse and to comply with data-protection obligations.

Anthropic still has no access. The AI that reads your documents runs on AWS Bedrock. Anthropic does not receive your documents, explanations, or conversation history. AWS Bedrock's terms prohibit using your data to train any model.

9. Your rights

Everyone

• Export your data: via the family dashboard at app.memecare.ai or by emailing support@memecare.ai
• Delete your account: via the family dashboard or by emailing support@memecare.ai

We aim to respond within 45 days. We may ask you to verify identity via the email and phone on file before we act.

California residents (CCPA / CPRA)

• Right to know what we collect and how it's used
• Right to delete
• Right to correct
• Right to opt out of sale or sharing (we don't sell or share for ads — nothing to opt out of)
• Right to non-discrimination for exercising any of these rights
• You can designate an authorized agent

New York residents

New York does not currently have a comprehensive consumer-privacy-rights law, but we honor the same rights framework available to residents of states that do: you may request access, deletion, and correction of your data by emailing support@memecare.ai. We will respond within 45 days.

We additionally comply with:

• NY SHIELD Act (NY General Business Law §899-bb) — reasonable administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of your private information.
• NY GBL §899-aa (data-breach notification) — see §11 below.
• NY Stop Hacks and Improve Electronic Data Security Act — incident-response practices documented in our Written Information Security Program.

Other US states

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, New Hampshire, New Jersey, Indiana, Tennessee, Kentucky, Maryland, Minnesota, and Rhode Island have substantially similar rights under their state privacy laws. You may submit requests through the family dashboard or by emailing support@memecare.ai. We honor Global Privacy Control (GPC) signals as opt-outs of any sale or sharing of personal information — though we do not sell or share for cross-context behavioral advertising.

Deceased users

If the Primary User has died, the Account Holder (or an authorized estate representative) may:

• Report the death via the family dashboard to freeze the seat and pause billing.
• Request a metadata export within 60 days.
• After 60 days, seat and scan metadata are purged except legally-required financial and safety-incident records.

A new Account Holder may assume control of an account with documentation (power of attorney, executor letters, or guardianship order) emailed to support@memecare.ai.

Biometric information (Illinois, Texas, Washington)

We do not collect, create, or retain biometric identifiers or biometric information as defined under Illinois BIPA, Texas CUBI, or Washington HB 1493:

• We do not extract, store, or compare voiceprints.
• Our AI describes document photos only — it does not analyze or describe facial features, hair color, eye color, ethnicity, or any other identifying personal characteristics of persons who incidentally appear in submitted photos.
• We do not perform facial recognition.

If biometric identifiers ever incidentally appear in a submitted photo, they are not retained (ordinary-path ZDR applies).

10. Children

MeMe Care is designed for adults (a trusted contact setting up for another adult who will be the Primary User). We do not knowingly collect data from children under 13. If you believe a child's data is in our system, email support@memecare.ai and we will delete it.

11. Security

• TLS 1.3 in transit
• Application-layer envelope encryption (AES-GCM-256) for Protected Health Information columns when operating B2B tenant workloads
• Secrets stored in Cloudflare Worker secrets and Doppler
• Zero photo/audio retention by design
• Rate limiting, abuse detection
• Principle of least privilege on admin access
• Security incidents trigger the response plan in our Written Information Security Program

No system is perfectly secure. MeMe Care is a US-only service. If we learn of a breach affecting your data:

• NY SHIELD Act (NY General Business Law §899-aa): we notify affected NY residents, the NY Attorney General, the NY Department of State, and the NY Division of State Police without unreasonable delay after discovery, consistent with §899-aa(2).
• Other US state laws: we follow each state's specific timeline (most require "without unreasonable delay"; some specify 30–90 days).
• HIPAA: we are not a HIPAA covered entity on the consumer product. Where we operate B2B workloads for HIPAA-covered entities under a Business Associate Agreement, we follow HIPAA Breach Notification Rule requirements (45 CFR §§164.400–414).

12. Legal framing

MeMe Care is an informational tool. It is not medical advice, legal advice, financial advice, or tax advice. See our Terms of Service and AI Disclosure for more.

On the consumer product we are not a HIPAA covered entity or Business Associate. For B2B tenant deployments (home-health, hospice, PACE, payers, hospitals), we may act as a Business Associate under a signed Business Associate Agreement with the tenant covered entity.

13. Changes

We will post changes to this policy on memecare.ai/privacy and update the "Last updated" date. Material changes will be announced in-app at least 30 days before they take effect and may require re-acceptance per Section 13A of the Terms of Service.

14. Contact

Questions, complaints, or requests: support@memecare.ai

BNC Solutions LLC 418 Broadway, Ste. N Albany, NY 12207

A Spanish-language informational translation of this Policy is available at memecare.ai/privacy?lang=es. The English version is the legally binding document.