Per-shop isolation

Every shop's data lives behind server-side rules that prevent any other account from reading or writing it — even through the API. Your data is yours alone.

Encrypted everywhere

Encrypted in transit with TLS 1.2+ and at rest with AES-256. No record ever travels or sits in the clear.

Payments never touch us

Card details go straight to Stripe (PCI-DSS Level 1). mnemoptic never receives or stores your card number.

You own your data

Export everything to JSON or Excel at any time, with no fee and no lock-in. Ask us to delete your account and we honour it.

Where your data lives

mnemoptic runs on Google Firebase — Firestore for structured records and Firebase Storage for uploaded files such as logos and frame photos — operating under the Google Cloud Data Processing Addendum. The default region is in the United States; customers on the Chain / Enterprise tier can request EU-region hosting (Frankfurt or Belgium) at account-creation time. The marketing site and app are served over HTTPS only.

How access is controlled

Access to the app requires a signed-in account with an active plan. Within the database, per-shop rules are enforced at the platform level — not just in the app code — so one shop can never reach another's data, including via direct API calls. Passwords are stored only as salted hashes; we never see your plaintext password.

Payments and PCI

All billing is handled by Stripe, which is certified to PCI-DSS Level 1, the highest level. You enter card details directly into Stripe's checkout; mnemoptic only ever receives non-sensitive billing metadata (the last four digits, card brand, billing email and country, amount, and subscription status). Full details are in our Privacy Policy.

Privacy & compliance

Our privacy practices are written to align with the principles of the EU GDPR, the Saudi PDPL, and the California CCPA. We do not sell, rent, or mine your data, run no advertising trackers, and use only essential cookies plus a privacy-respecting, aggregate analytics setup on the marketing site. As the optician you are the data controller for your patient records; mnemoptic is the processor. To exercise any data right — access, correction, export, or deletion — write to support@mnemoptic.com. See the full Privacy Policy and Terms.

Backups & durability

Your data is backed up automatically. You can also take your own export — JSON or Excel — at any moment from inside the app, so you always hold a copy. On account closure there is a 30-day export window before deletion.

Availability

We target 99.5% monthly uptime, excluding planned maintenance announced in advance (typically a low-traffic Sunday window). Because the app runs on Google Firebase, availability is in part a function of theirs; we monitor both. Chain / Enterprise customers can negotiate a contractual SLA.

Reporting a vulnerability

If you believe you've found a security issue, please email support@mnemoptic.com with the details and steps to reproduce. We'll acknowledge responsibly, investigate, and keep you updated. Please don't publicly disclose an unpatched issue or access data that isn't yours while testing.
