Privacy Policy

Your privacy matters - we keep it simple and transparent

Last Updated: April 6, 2026

What this is about:

This policy explains how we handle your information. The gist:

  • We keep only what we need — to fulfill your request and keep the service running
  • We don't track or profile you — no ads following you around the web
  • We don't sell your data — and we don't let anyone train AI on your data
  • When we need something extra — like your precise location — we ask first

The details are below. We tried to write them like humans.

If you have an account, you agreed to this when you signed up. If you use Momor Search without an account, we handle your data under our legitimate interest to provide the service — no personal profile, no tracking.

1. Introduction and Scope

This Privacy Policy ("Policy") explains how Momor.ai LLC ("Company," "we," "us," or "our") collects, uses, discloses, and protects information obtained from users ("you," "your") of the Momor.ai website and services (collectively, the "Service"). This Policy applies to all users of our Service, regardless of location.

If you do not agree with the terms of this Policy, do not access or use the Service.

Our Privacy Promise

We know what was asked, not who asked it. We keep just enough data to fulfill the request and keep the Service running, with short-lived logs that auto-delete. We do not build marketing profiles, do not follow you across sites, and do not use your queries, uploads, or workflow data to train AI models. Location beyond coarse city-level is opt-in and stored on your device, and paid users do not see ads. If we ever show ads on free tiers, they will be strictly contextual to the current request, not to a personal profile.

2. Information We Collect

2.1 Information You Provide Directly

Anonymous Users

  • Search Queries: The terms you search for
  • Uploaded Images and Files: Images or files you upload for visual search, reverse image search, or file analysis (see Section 2.4 for how we handle these)
  • Conversations: If you ask follow-up questions within a search thread, the conversation is stored temporarily. For anonymous users, conversations exist in short-lived cache (typically 30 minutes) and are not stored permanently
  • Feedback Data: If you provide feedback, we collect the query, results shown, your feedback, and session correlation ID

Registered Users (When Available)

  • Account Information: When you register, we collect your email address and name. We support authentication through third-party providers (e.g., Google) or passwordless magic links.
  • Profile and Preference Information: To customize your experience, you may voluntarily provide information such as your name, preferred language, and other settings related to your use of the service.
  • Subscription and Billing Information: If you purchase a paid plan, we store your subscription tier and billing identifiers from our payment provider (for example, customer ID, subscription ID, and subscription period metadata). Card numbers and full payment methods are processed by the payment provider and are not stored on our servers.
  • Profile Picture: You may optionally upload a profile picture.
  • Conversation Threads: When you are signed in, conversation threads are saved to your account by default. We store your queries, our responses, and associated metadata (sources, timestamps, interaction steps) until you delete the thread or your account. You can use incognito mode to search without saving.

Enterprise Inquiries

  • Contact Form Data: If you submit an enterprise inquiry through our website, we collect your name, email address, company name, and message. This information is used solely to respond to your inquiry and evaluate potential enterprise relationships.

Information from Third-Party Services (OAuth)

If you choose to register or log in using a third-party service like Google or Apple ("Third-Party Service"), we may collect information made available by that service, including:

  • Name: Your full name.
  • Email Address: Your primary email address.
  • Profile Picture: Your public profile picture (optional).

We only request the minimum information necessary to create and manage your account. We do not receive your password from these services. Your interaction with these Third-Party Services is governed by their respective privacy policies.

2.2 Information Collected Automatically

For All Users

  • Log Data: Browser type, operating system, referring URLs, pages viewed, access times
  • Derived Location: General geographic area (country, state/region, city) derived from IP address for analytics and service improvement
  • Precise Geolocation (with explicit consent): By default, we use your IP address to estimate location. If you explicitly choose "Use Precise Location" and grant browser permission, your device's GPS coordinates are stored locally in your browser (never on our servers). Storage duration depends on your choice: without "remember my choice" checked, coordinates are stored in session storage (current browser window only); with "remember my choice" checked, coordinates are stored in local storage (persists across sessions until you revoke). When a search query requires location context, coordinates are sent to our servers to provide location-based results, used ephemerally for that request only, and immediately discarded without storage.
  • Security Data: Hashed IP address for rate limiting, abuse prevention, and enforcing per-tier usage limits (retained 24 hours)
  • Session Data: Temporary correlation ID for debugging and connecting feedback to searches
  • Performance Data: Page load times, feature usage, error reports

Technical Identifiers

  • We do NOT use persistent cookies for anonymous users
  • We do NOT engage in device fingerprinting
  • We do NOT track users across websites

2.3 Information We Do NOT Collect

  • Biometric data (we do not extract or store facial recognition templates, fingerprints, or similar biometric identifiers from uploaded images)
  • Sensitive personal information (race, religion, sexual orientation, health data)
  • Information from children under 13 years of age (any such data discovered is promptly deleted)
  • Social Security numbers or government identifiers
  • Third-party tracking cookies or advertising identifiers
  • Training data for machine learning models from user queries

2.4 Uploaded Images and Files

When you upload an image or file for visual search, reverse image search, or file analysis:

  • Storage: Your upload is stored temporarily in private cloud storage (not publicly accessible) so our AI providers can process it.
  • Processing: A time-limited URL is shared with our AI providers to retrieve and analyze the content. This URL expires within minutes.
  • Retention: Uploads are marked for deletion after 30 minutes. In rare cases (such as cleanup job delays), files may persist up to 24 hours before automatic deletion.
  • No indexing: We do not index, catalog, or retain uploaded content beyond what's needed to return your search results.
  • No training: Uploaded images and files are not used to train AI models — ours or our providers'.
  • No human review: Uploads are not reviewed by humans unless flagged by automated systems for potential violations of our Terms of Service.

Important: Uploaded content is processed by third-party AI providers. Do not upload content you would not want processed by external systems, such as confidential documents, sensitive personal information, or legally privileged materials.

Currently supported formats: JPEG, PNG, GIF, WebP, HEIC. Additional file types may be supported in the future.

3. Enhanced Data Minimization and Retention

3.1 Logs and Retention

We minimize and expire data quickly:

  • IP addresses: Truncated at collection and stored separately from queries
  • Session correlation IDs: Rotate at least every 24 hours
  • Application logs: Containing query metadata are retained for up to 30 days, then deleted or irreversibly de-identified
  • Feedback datasets: Query + returned results + ephemeral correlation ID are retained up to 30 days solely to diagnose quality issues, then deleted
  • Ephemeral conversation threads: Expire from cache within 30 minutes and are not stored permanently
  • Saved conversation threads: Stored in the user's account until the user deletes the thread or their account; upon deletion, removed within 30 days

3.2 Anonymous and Unauthenticated Use

Anonymous users are not associated with persistent identifiers and are never tracked for advertising or profiling. Anonymous session data is processed only to operate the Service and is deleted per Section 3.1.

3.3 Data Residency and International Transfers

Personal Information is stored in the United States. For transfers to users in the European Economic Area or United Kingdom, we use appropriate safeguards such as Standard Contractual Clauses.

4. How We Use Your Information

4.1 Primary Purposes

  • Provide Search Services: Process queries and deliver results. Queries may also include uploaded images and files to deliver search results, reverse image search, visual fact-checking, and content analysis
  • Provide Conversational Features: Maintain context within multi-turn conversation threads so follow-up questions can build on previous answers
  • Generate AI Summaries: Create summaries of search results
  • Improve Service Quality: Debug issues, optimize performance
  • Prevent Abuse: Rate limiting, fraud detection, security monitoring
  • Enforce Usage Limits: Apply per-tier search quotas and fair-use limits so the Service remains fast and reliable for everyone
  • Legal Compliance: Respond to legal requests, enforce our Terms

4.2 Secondary Purposes

  • Analytics: Understand usage patterns (anonymized and aggregated)
  • Communications: Send service-related messages (registered users)
  • Product Development: Develop new features based on usage data

4.3 Restricted Uses

We will NEVER:

  • Sell your personal information
  • Use your data for behavioral advertising
  • Create user profiles for marketing
  • Share your searches with third parties for their marketing
  • Use your searches, uploads, or data to train AI models
  • Share or sell your data to third parties for AI training
  • Use your feedback or content to improve machine learning systems

4.4 AI Training Prohibition (Our Systems and Vendors)

We do not use your queries, uploads, feedback, or other user content to train machine learning models.

For any third-party AI providers, we actively select only vendors whose terms of service explicitly prohibit them from using customer data to train their own models. If we discover that a vendor uses customer data for training, we will seek alternative providers.

4.5 No Sale/Share Under CPRA

We do not "sell" or "share" Personal Information as those terms are defined under the California Consumer Privacy Act (as amended by CPRA) and analogous state laws. If we show ads in any tier, they will be strictly contextual. We do not allow tracking, retargeting, or interest-based advertising.

5. Legal Basis for Processing

We process your information based on:

  • Legitimate Interests: Operating our service, improving functionality, ensuring security
  • Contract Performance: Providing services to registered users
  • Legal Obligations: Complying with applicable laws and regulations
  • Consent: Where specifically required (e.g., optional features, marketing)
  • Vital Interests: Protecting health and safety in emergency situations
Processing Activity Legal Basis
Search queries and logs Legitimate interests (provide and secure the Service)
Uploaded images and files Legitimate interests (provide visual search features)
Coarse location from IP Legitimate interests (localize results)
Account data and authentication cookies Contract performance (provide account features)
Hashed IP for rate limiting Legitimate interests (security and fair use)
Precise GPS location Your explicit consent
Marketing emails Your explicit consent
Future optional analytics cookies Your explicit consent (if introduced)
Tax and billing records Legal obligation
Security incident response Vital interests / legal obligation

6. Information Sharing and Disclosure

6.1 Service Providers

We share information with third-party service providers solely to operate our Service:

  • Search Infrastructure Providers: To retrieve search results
  • AI Processing Services: To generate summaries, analyze content, and process uploaded images and files
  • Cloud Infrastructure Providers: To host our services and data
  • Payment Processors: To handle subscription payments
  • Analytics Services: For anonymous performance monitoring
  • Security Services: For threat detection and prevention
  • Customer Support Tools: To manage support requests

All service providers are:

  • Contractually obligated to protect your data
  • Prohibited from using your data for their own purposes
  • Required to delete data when no longer needed
  • Explicitly prohibited from using your content to train AI models

6.2 AI Service Providers

We engage only third-party AI providers that explicitly commit to not using customer API data for training or improvement of their models. We regularly review our AI vendors and will discontinue relationships with any provider found to be using customer content for training purposes. All providers must: (a) delete transient inputs/outputs within commercially reasonable periods; and (b) restrict use to providing the Service to us.

For visual search features, AI providers receive a time-limited URL to access your uploaded content. This URL expires within minutes, limiting the window during which the content can be retrieved.

Enterprise customers may restrict which AI providers process their data. Where such restrictions are configured, we route queries only to approved providers and do not fall back to excluded ones.

6.3 Legal Disclosures and Government Requests

We may disclose information if required by:

  • Court order or subpoena
  • Government or regulatory request
  • Law enforcement investigation
  • To protect our legal rights or property
  • To prevent harm to others
  • In connection with legal proceedings

Government Request Transparency: We will notify you of any governmental or law-enforcement request for your information prior to disclosure, unless legally prohibited, and will only disclose the minimum necessary to comply with law.

Child Safety Reporting: If we discover content that appears to be child sexual abuse material (CSAM), we are legally required to report it to the National Center for Missing & Exploited Children (NCMEC) and may report it to law enforcement. We will comply with these obligations without prior notice to the user.

6.4 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your information becomes subject to a different privacy policy.

6.5 Aggregate Information

We may share anonymized, aggregated data that cannot identify you personally.

7. Your Privacy Rights

7.1 Rights for All Users

Regardless of location, you have the right to:

  • Access: Request information about data we hold about you
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your personal data
  • Portability: Receive your data in a machine-readable format
  • Objection: Object to certain processing activities
  • Restriction: Request we limit processing of your data
  • Withdraw Consent: Where processing is based on consent

7.2 Exercising Your Rights

To exercise any right, email privacy@momor.ai with:

  • Your specific request
  • Information to verify your identity
  • Any relevant details about your account

We will respond within 30 days. We may deny requests that require disproportionate effort, violate others' privacy rights, are manifestly unfounded or excessive, or conflict with legal obligations.

7.3 Location-Specific Rights

California Residents (CCPA/CPRA)

Additional rights include:

  • Right to know categories of personal information collected, sources, and purposes
  • Right to opt-out of "sale" or "share" (we do not sell or share data)
  • Right to non-discrimination
  • Appeals Process: If we deny your request, you may appeal by replying to our decision or emailing privacy@momor.ai with "Appeal" in the subject within 45 days

EU/UK Residents (GDPR)

Additional rights include:

  • Right to lodge complaints with supervisory authorities
  • Right to object to automated decision-making
  • Enhanced consent requirements for certain processing

If you believe we have mishandled your personal data, you have the right to lodge a complaint with your local data protection authority. A list of EU data protection authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en. UK residents may contact the Information Commissioner's Office at https://ico.org.uk.

7.4 User Controls

You may access, export, and delete your account information through account settings. Upon verified deletion, we delete active copies within 30 days and remove from backups within 90 days, except where retention is required by law. We honor Global Privacy Control (GPC) signals.

To prevent abuse, data export requests are limited to once per 30-day period. Requests that appear to be automated, excessive, or made for purposes other than exercising your privacy rights may be denied.

8. Enhanced Security Measures

8.1 Security Measures

We implement reasonable administrative, technical, and organizational safeguards appropriate to the nature of the data, including:

  • Encryption in transit and at rest
  • Least-privilege access controls
  • Vulnerability management
  • Regular security assessments and penetration testing
  • Intrusion detection and prevention systems
  • Security incident response procedures
  • Employee security training

8.2 Security Limitations

No security system is impenetrable. While we implement industry-standard measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your information against all possible threats. You use the Service at your own risk. You are responsible for:

  • Maintaining the confidentiality of your account credentials
  • Using strong, unique passwords
  • Promptly reporting suspected security breaches

8.3 Data Breach Response

If we determine a breach of security has likely resulted in risk to you, we will notify you without undue delay and in accordance with applicable law. We will:

  • Notify affected users within 72 hours of discovery (where feasible)
  • Describe the nature and scope of the breach
  • Explain measures taken to contain the breach
  • Provide recommendations for protective actions

9. Data Retention

We retain information for the minimum time necessary:

Data Type Retention Period Purpose
Uploaded images and files 30 minutes (up to 24 hours) Visual search processing
Ephemeral conversation threads 30 minutes Conversational context
Saved conversation threads Until user deletes User-initiated persistence
Anonymous search queries (cache) 1 hour–1 day Caching for performance
Feedback data 30 days Service improvement
Session correlation IDs Browser session Debugging
IP addresses (hashed) 24 hours Rate limiting and fair-use enforcement
Geographic data (country/city) 30 days Analytics and service improvement
Server logs 30 days Security and debugging
Account data Active account + 30 days Service provision
Payment records 7 years Tax and legal compliance
Legal hold data As required Legal obligations

Deleted data may persist in encrypted backups for up to 90 days.

10. Cookies and Tracking Technologies

10.1 Current State

We treat cookies and similar technologies differently for anonymous users and signed-in accounts:

  • Anonymous users: When you use Momor without signing in, we do not set any cookies. We rely on temporary identifiers stored in your browser (for example, session IDs in sessionStorage) that stay on your device and are not shared with third parties.
  • Signed-in users: When you create an account or sign in, we use a small number of strictly necessary first-party cookies to keep you logged in and protect your account. These include:
    • Refresh token cookie (prf) – HttpOnly, Secure, SameSite=Strict cookie that stores an encrypted refresh token so we can issue new access tokens without asking you to re-authenticate on every page. Typical lifetime: up to 30 days with rotation.
    • Session authentication cookie (pat) – short-lived cookie used to keep your session active between page loads.

These cookies:

  • Are only sent to momor.ai domains;
  • Are not used for advertising or cross-site tracking;
  • Are not shared with third parties for their own purposes.

If you block these cookies, you can still use anonymous search, but you will not be able to sign in or use account-based features.

10.2 Non-essential cookies and future changes

We do not use non-essential cookies (such as marketing or profiling cookies). If we ever introduce optional cookies—for example, to improve analytics beyond what we can do with aggregated logs—we will:

  • Ask for your consent before setting them;
  • Allow you to withdraw consent at any time; and
  • Continue to offer a fully functional search experience without those optional cookies.

We will update this Policy and our in-product notices if our cookie usage changes.

11. Children's Privacy

Our Service is not directed to children under 13. We do not knowingly collect information from children under 13. If we discover we have collected such information, we will delete it and terminate the account. Parents who believe we have information about their child should contact privacy@momor.ai.

12. International Data Transfers

Our servers and service providers are primarily located in the United States. By using our Service, you consent to the transfer of your information to the United States and other jurisdictions where we or our service providers operate.

We ensure appropriate safeguards for international transfers through:

  • Standard contractual clauses
  • Data processing agreements
  • Adherence to applicable frameworks

13. Third-Party Links and Services

Our Service may contain links to third-party websites. We are not responsible for the privacy practices of these sites. We encourage you to read their privacy policies before providing any information.

14. Do Not Track Signals

Our Service does not currently respond to Do Not Track (DNT) browser signals. We do not track users across third-party websites.

15. Marketing and Communications

15.1 Service Communications

We may send registered users:

  • Account-related messages (password resets, security alerts)
  • Service announcements (maintenance, updates)
  • Legal notices (terms updates, policy changes)

15.2 Marketing Communications

With your consent, we may send:

  • Product updates and new features
  • Tips for using our Service
  • Industry news and insights

You can opt-out of marketing communications at any time via:

16. Data Processing Addendum

Organizations requiring a Data Processing Addendum (DPA) for compliance purposes may request one by emailing legal@momor.ai. Enterprise DPAs may include provisions for:

  • Tenant isolation and data segregation guarantees
  • Restrictions on which AI providers and jurisdictions may process data
  • Audit logging owned and controlled by the enterprise customer
  • Custom data retention schedules aligned with the organization's compliance requirements

17. Changes to This Policy

We may update this Policy to reflect changes in:

  • Our data practices
  • Legal requirements
  • Service features

We will notify you of material changes via:

  • Email notice (registered users)
  • Prominent website notice
  • In-app notification

Continued use after notification constitutes acceptance of the revised Policy.

18. Contact Information

For privacy-related questions or to exercise your rights:

Privacy Officer
Email: privacy@momor.ai

General Support
Email: support@momor.ai

Legal Notices
Email: legal@momor.ai

Mailing Address
Momor.ai LLC
2501 CHATHAM RD, STE N
SPRINGFIELD, IL 62704

19. Severability

If any provision of this Policy is found unenforceable, the remaining provisions will continue in full effect.

20. Governing Law

This Policy is governed by the laws of Illinois, United States, without regard to conflict of law principles.

Effective Date: This Policy becomes effective when you first use our Service after publication.