Legal

Privacy Policy

Last updated: 1 April 2026

This policy applies to care home operators, solicitor firms, authorised staff, and the residents and clients whose data is managed through the Memoari platform. It explains what data we collect, how we process it, the basis on which we act, and the rights available to individuals.

1. What data we collect

Memoari collects data from two distinct groups: the professional organisations that partner with us (care homes and solicitor firms) and the individuals whose vault data is managed through those organisations.

Organisational account data: The name, job title, work email address, and organisation name of registered managers, solicitors, and other authorised staff. This data is used solely to authenticate access and administer the partnership.

Resident and client vault data: Documents, will locations, insurance policy details, digital asset information, financial account details, and personal messages stored within individual vaults. This data is provided by or on behalf of residents and clients and is encrypted with AES-256 before storage. Memoari processes this data on behalf of the partner organisation.

Usage data: Pages visited, features used, and session duration — collected in aggregate and used only to improve the service. We do not sell usage data to third parties.

Device data: Browser type, operating system, and IP address, retained for security and fraud prevention purposes only.

2. How we use your data

We use organisational and vault data exclusively to:

- Provide the Memoari platform to care home operators, solicitor firms, and their authorised staff and clients
- Authenticate identity and protect accounts from unauthorised access
- Send transactional communications (account confirmations, vault status alerts, beneficiary notifications)
- Comply with legal obligations under UK law
- Improve the product through aggregate, anonymised analytics only

We do not use data for advertising. We do not sell data to third parties. We do not share vault contents with anyone outside the access permissions explicitly configured by the partner organisation and the individual vault holder.

3. Encryption and security

Vault contents: All documents, messages, and asset details stored in Memoari vaults are encrypted using AES-256 (Advanced Encryption Standard, 256-bit keys) before being written to our database. Encrypted data at rest is inaccessible without the corresponding decryption keys, which are stored separately from the data.

Credentials stored in vaults: Account credentials and passwords stored within a vault are encrypted client-side before transmission. Memoari receives only ciphertext and cannot access plaintext credentials — even under legal compulsion.

Account authentication: Staff and partner account passwords are hashed using bcrypt with a work factor of 12. They are not recoverable by Memoari staff.

Data in transit: All connections between clients and our servers use TLS 1.2 or higher. HTTPS is enforced everywhere and HSTS headers are set.

Key management: Encryption keys are managed through Supabase's infrastructure, with key material stored separately from encrypted data.

Access controls: Staff access within partner organisations is scoped to their assigned role. Executor and beneficiary access is read-only, time-limited, and logged. All access events are timestamped and auditable.

4. Data Processing Agreement

Memoari acts as a data processor on behalf of care home operators and solicitor firms who deploy the platform within their organisation. The partner organisation is the data controller for their residents' or clients' personal data.

A Data Processing Agreement (DPA) is available upon request and is included as standard in all pilot and partnership agreements. The DPA sets out:

- The subject matter, duration, and nature of processing
- The type of personal data processed and categories of data subjects
- The obligations and rights of the data controller
- Sub-processor disclosure and approval requirements
- Breach notification procedures and timescales

To request a copy of our standard DPA before signing a pilot agreement, contact: legal@memoari.co.uk

5. Resident and client data

Where Memoari is deployed within a care home or solicitor practice, the organisation acts as data controller for their residents' or clients' personal data. Memoari acts as data processor.

This means:

The partner organisation is responsible for: Obtaining any necessary consent or legitimate basis for processing resident or client data; ensuring residents, clients, and their families are informed about how their vault data is held; managing individual data subject requests (access, erasure, portability) relating to their residents or clients; and ensuring Memoari's use is disclosed appropriately in their own privacy notices.

Memoari is responsible for: Processing data only on documented instructions from the controller; implementing appropriate technical and organisational security measures; notifying the controller of any personal data breach without undue delay; not engaging sub-processors without prior written consent; and assisting the controller in fulfilling data subject requests.

Memoari will not use resident or client vault data for any purpose other than the provision of the contracted service.

6. Data retention

Active partner agreements: Data is retained for the duration of the active pilot or partnership agreement and for a period of 90 days after termination, to allow for data export and transition.

Post-termination: Following the 90-day post-termination period, all organisational account data and vault contents are permanently deleted from Memoari's systems, unless a longer retention period is required by law or agreed in writing.

Access logs: Logs of vault access events are retained for 7 years for legal and audit purposes. These logs record who accessed what and when — not the contents accessed.

Data export: Partner organisations may request a full export of their resident or client vault data at any time. Exports are provided in JSON format within 10 business days of request.

Legal hold: In the event of a legal dispute or regulatory investigation, we may be required to retain specific data beyond standard retention periods. We will notify the affected partner organisation where permitted by law.

7. Rights under UK GDPR

Individuals whose data is held within a Memoari vault have the following rights under the UK General Data Protection Regulation (UK GDPR):

Right to access: Individuals may request a copy of their personal data. Requests relating to vault contents should in the first instance be directed to the partner organisation (the data controller).

Right to rectification: Individuals may correct inaccurate data through the partner organisation or, where direct vault access is provided, directly within their vault.

Right to erasure: Individuals may request deletion of their data. Partner organisations should manage erasure requests for their own residents or clients. Memoari will action erasure requests directed to us directly within 90 days.

Right to portability: Vault data can be exported in machine-readable JSON format. Partner organisations may request bulk exports on behalf of individuals.

Right to restrict processing: Individuals may request that processing is restricted while a complaint is investigated.

Right to object: Individuals may object to processing based on legitimate interests.

To exercise any of these rights directly with Memoari, contact: privacy@memoari.co.uk

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Third-party processors

We use a small number of trusted sub-processors to operate the Memoari platform. These are disclosed in full in our Data Processing Agreement. Current sub-processors include:

- Supabase (supabase.com) — database, file storage, and authentication. Data is processed in the EU/UK under GDPR-compliant terms. Supabase is listed on the UK IDTA framework.
- Resend (resend.com) — transactional email delivery for vault notifications and partner communications.
- Vercel — web application hosting and CDN.

We do not engage advertising platforms, behavioural analytics services, or any third parties that receive personally identifiable information for their own commercial purposes. We maintain Data Processing Agreements with each sub-processor and will notify partner organisations of any changes to sub-processor arrangements.

9. Cookies

We use strictly necessary cookies only:

- Authentication cookie: A secure, HTTP-only session cookie to keep authorised staff logged in.
- CSRF token: A security cookie to prevent cross-site request forgery.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies that receive personally identifiable information. We do not display cookie consent banners because we do not set non-essential cookies.

10. Contact and data controller details

Data controller / processor: Memoari

General enquiries: hello@memoari.co.uk

Data protection and DPA requests: privacy@memoari.co.uk

Legal: legal@memoari.co.uk

Jurisdiction: England and Wales

We will update this policy with our Companies House registration number and registered address upon incorporation.

Response times: We aim to respond to all data protection enquiries within 5 business days and to fulfil formal data subject requests within 30 calendar days, in accordance with UK GDPR requirements.