This policy explains, in plain language, what data mnemoptic collects when you use our website or our app; why we collect it; how we store it; and what rights you have over it. It is written to align with the principles of the EU General Data Protection Regulation (GDPR), the Saudi Personal Data Protection Law (PDPL), and the California Consumer Privacy Act (CCPA), even where mnemoptic is not strictly subject to all three.
1. Who we are
mnemoptic is an optical-store SaaS sold to independent opticians, multi-store practices, and chains. The product, the website, and this policy are owned and operated by the mnemoptic team. The data controller for the purposes of GDPR is mnemoptic, contactable at support@mnemoptic.com. If you are an EU resident and would like to reach a designated point of contact for data-protection matters, the same address is monitored by the team member responsible for compliance and they will respond within 30 days.
"You" in this policy means the optician, optical-store owner, or staff member who interacts with mnemoptic. "Patient" or "client" means the individual whose information you, as our customer, store inside the app.
2. What data we collect
(a) Account data
When you create a mnemoptic account or buy a plan, we collect: your email address, a hashed password (we never see or store the plaintext), your shop name, your country, and the contact name you give us. This is the minimum needed to give you access to your plan, log you in, and bill you. If you contact us through a form or by email, we keep the message and any reply alongside your account record.
(b) Operational data — the records you create inside the app
This is the data you put into mnemoptic to run your shop: patient names and contact details, prescriptions, sales, frame and lens inventory, suppliers, and so on. This data is yours. mnemoptic stores it on your behalf — we are a processor, you are the controller. We do not look at it, mine it, or use it for any purpose other than serving it back to you, except where we are legally required to or where you give us explicit written permission (for example, to debug a specific problem you've reported).
(c) Analytics
We collect anonymous, aggregate usage data via a privacy-respecting, Plausible-style analytics setup (no cross-site cookies, no user identifiers, no behavioural profiles) so we know which pages of our marketing site work and which don't. We do not run analytics inside the app itself.
(d) Payment data
When you buy or renew a plan, payment is processed by Stripe. You enter your card details directly into Stripe's secure, PCI-DSS-compliant checkout — mnemoptic never receives, sees, or stores your full card number, security code, or expiry. Stripe returns to us only non-sensitive billing metadata (the last four digits and brand of the card, your billing email and country, the amount, and the subscription status) so we can issue receipts and manage your subscription. Stripe processes your payment data as an independent controller under its own Privacy Policy.
3. Why we collect it
Account data is processed on the basis of contract performance: without it we cannot provide the service you have paid for. Operational data is processed on the basis of contract performance with the controller (you), under a Data Processing Agreement that is part of our Terms. Analytics data is processed on the basis of legitimate interest in improving our marketing and our product, and is collected only in aggregate and anonymous form. We do not process your data for advertising, profiling, automated decision-making, or any purpose unrelated to running mnemoptic.
4. How we store it
All data is stored on Google Firebase (Firestore for structured data, Firebase Storage for uploaded files like logos and frame photos). It is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Per-shop logical isolation is enforced at the database-rules level: server-side rules prevent any account from reading or writing any other account's data, even via direct API access. The Firebase region defaults to us-central1. Customers on the Enterprise / Chain tier can request an EU region (europe-west3 Frankfurt or europe-west1 Belgium) at account-creation time. Write to support to arrange this before you set up your shop, since the region cannot be changed after data exists.
5. Who we share it with
We share your data with two categories of third parties, and only these two:
- Google Firebase — our hosting and database provider, acting as a sub-processor under the Google Cloud Data Processing Addendum. Data flows through Firebase to be stored and served back to you. Google does not see your data in cleartext beyond what is technically necessary to serve the database.
- Stripe (Stripe, Inc. and its affiliates) — our payment processor, used only when you buy or renew a plan. You enter your card details directly into Stripe's checkout, so Stripe receives your name, billing email, billing country, and card data, while mnemoptic never receives your full card number. Stripe is certified to PCI-DSS Level 1 (the highest level) and acts as an independent controller for that payment data under its own Privacy Policy and the Stripe Data Processing Agreement.
We do not sell, rent, or share your data with any other party. We do not have advertising partners, data brokers, or marketing affiliates. If we are ever served a valid legal request (subpoena, court order) for your data, we will notify you before complying unless legally prohibited from doing so.
6. Your rights
Whether or not GDPR strictly applies to your jurisdiction, we extend its rights to all customers as a matter of policy:
- Right of access. You can request a copy of all data we hold about you and your shop, in JSON form.
- Right to rectification. You can correct any data we hold about you that is wrong.
- Right to erasure. You can ask us to delete your account and all associated data. We will do so within 30 days unless legally required to retain specific records longer.
- Right to data portability. Your operational data can be exported as JSON or Excel at any time, from inside the app, with no loss of fidelity.
- Right to object to processing on the basis of legitimate interest (i.e. analytics).
- Right to lodge a complaint with your local data-protection authority.
To exercise any of these rights, write to support@mnemoptic.com. We aim to respond within 5 working days and to action requests within 30.
7. Retention
Account data is retained for as long as your subscription is active, plus 30 days afterwards (so you can recover an accidentally cancelled account). Lifetime-plan customers' account data is retained indefinitely while the plan is in use. Operational data — the patient and clinical records you store inside the app — is retained according to the retention obligations applicable to opticians in your jurisdiction (typically 5 to 30 years for clinical records). You remain responsible, as the controller, for that retention. On account closure we offer a 30-day data-export window before deletion. After deletion, anonymous backups may persist in our backup system for up to 90 days before being permanently destroyed.
8. Cookies and local storage
mnemoptic uses essential cookies only. Specifically, an authentication session cookie keeps you logged in across page loads. We use the browser's localStorage to remember your preferences (chosen country, dark/light mode, last-used language) — this is stored only on your device and is never sent to our servers. We do not use any tracking pixels, advertising cookies, social-media beacons, or third-party tags. Because we use only essential cookies and a local-storage preference, we display a notice-style cookie banner — not a consent gate — on first visit. You can read and clear this storage at any time from your browser settings.
9. Children
mnemoptic is a B2B product sold to optical-shop operators. We do not knowingly collect data from anyone under 16, and the service is not directed at children. If your shop's patient records include minors (which is common in optometry), they are governed by your own privacy practices toward your patients, not by ours toward you. We process them on your behalf only.
10. International transfers
Our default Firebase region is in the United States (us-central1). For EU customers, this means data crosses the Atlantic. Such transfers are covered by the EU–US Data Privacy Framework and by Standard Contractual Clauses included in the Google Cloud Data Processing Addendum we have in place. Customers who require EU-only hosting can request that on the Enterprise / Chain tier at account-creation time. Customers in the GCC, Levant, and North Africa: data currently sits in the US. If local-residency hosting becomes a regulatory requirement for your shop (KSA NDMO, UAE PDPL), contact us — we are tracking these regulations and can arrange a regional hosting agreement on the Chain tier.
11. Changes to this policy
We will update this policy when we add features, change processors, or learn we have explained something badly. Material changes (a new processor, a new data category, a change in retention) will be communicated by email to all account holders at least 30 days before they take effect. The "last updated" date at the top of this page is canonical; older versions are kept on request.
12. Contact
For any privacy question, request, or complaint, write to support@mnemoptic.com. If you would prefer postal mail, ask us by email and we will provide a postal address. If you are unhappy with our response, you have the right to lodge a complaint with your national data-protection authority (CNIL in France, ICO in the UK, SDAIA in Saudi Arabia, your state attorney-general in the US, etc.).