Privacy Policy

VEKTOR Memory — Last updated 1 May 2026

VEKTOR Memory is built local-first. Your agent memories never leave your machine. The amount of personal data we hold about you is intentionally minimal — and this policy tells you exactly what that is.

Who we are

VEKTOR Memory is an AI agent memory product developed and operated by the VEKTOR Memory development team ("we", "us", "our"). Our website is vektormemory.com. For privacy enquiries: [email protected].

What we collect — the complete list

We operate a local-first product. The table below is the complete inventory of personal data we hold. There are no hidden analytics, no telemetry pipelines, no behavioural tracking.

| Data | Why we hold it | Legal basis | Retention |
| --- | --- | --- | --- |
| Email address | Licence management, purchase receipts, security notifications | Contract performance | Duration of licence + 90 days |
| Licence activation timestamp | Detect abuse of the licence key system | Legitimate interest | Duration of licence + 90 days |
| Payment method | Billing — processed entirely by Polar.sh / Stripe. We never see card numbers. | Contract performance | Held by Polar.sh / Stripe, not by us |
| Your agent memories | Not collected. Stored locally on your device only. We have no access. | | |
| Usage / telemetry | Not collected. The SDK contains no analytics calls or phone-home mechanisms. | | |
| IP address / device fingerprint | Not collected or stored by us. Standard web server logs on the VPS are rotated after 7 days. | | 7 days (web logs only) |

How the SDK handles your data

The VEKTOR Memory SDK and Slipstream MCP server run entirely on your own machine or server. The memory database is a local SQLite file. Embeddings are computed in-process using a local ONNX model (bge-small-en-v1.5). Neither the memory content, the embedding vectors, nor any prompt text is transmitted to VEKTOR servers at any point.

When you make calls to LLM providers (Anthropic, OpenAI, Groq, etc.), those calls go directly from your machine to the provider you configured. VEKTOR does not proxy, intercept, or log those requests.

API keys you store in the cloak_passport credential vault are encrypted with AES-256-GCM using a machine-bound key. They are never transmitted anywhere.

Plain language summary: The only time any data leaves your machine in relation to VEKTOR is (1) the one-time licence activation call on first install, and (2) your own calls to your chosen LLM provider. We see neither your memories nor your prompts. Ever.

Licence activation

When you first activate VEKTOR Memory, the SDK makes a single HTTPS request to our licence API at vektormemory.com to verify your key. This request contains your licence key and a timestamp. It does not contain your memory database, any prompt text, your IP address in a stored form, or any device fingerprint. After activation, validation runs locally with no further network calls required.

Cookies and tracking

The vektormemory.com website does not use advertising cookies, tracking pixels, or third-party analytics. We do not use Google Analytics, Meta Pixel, or similar services. The only cookies set are session-functional (e.g. your light/dark theme preference stored in localStorage — this never leaves your browser).

Third-party processors

Polar.sh / Stripe — our billing provider. They process your payment method and email address when you purchase a licence. Stripe is PCI-DSS Level 1 certified and SOC 2 Type II audited. We receive from Stripe only your email address and a payment confirmation — no card details. Stripe's privacy policy: stripe.com/privacy.

Cloud hosting provider — our managed cloud infrastructure. Standard web server access logs (IP, timestamp, path) are retained for 7 days for security purposes and then deleted.

Cloudflare — DNS and DDoS protection. Cloudflare processes DNS queries as part of routing traffic to our servers. Cloudflare's privacy policy: cloudflare.com/privacypolicy.

We do not sell, rent, or share your personal data with any other third parties.

Your rights (GDPR / Australian Privacy Act)

Depending on your jurisdiction, you may have the right to access, correct, port, or delete the personal data we hold about you. Because we hold very little data, these requests are straightforward to fulfil.

To exercise any right, email [email protected] with the subject line "Privacy Request". We will respond within 30 days.

Right to deletion: Requesting deletion of your account will purge your email address and licence record from our systems within 30 days. Your licence key will cease to function. Your local memory database is not affected — it is yours and remains on your machine.

Data portability: Your memory data is already fully portable — it is a standard SQLite file on your own machine. You own it entirely.

If you are in the EU/EEA and believe we have handled your data unlawfully, you have the right to lodge a complaint with your local supervisory authority.

Data security

We take reasonable technical and organisational measures to protect the personal data we hold. Production server access is SSH key-only. All data in transit uses TLS 1.2+. Credentials are stored in an AES-256-GCM encrypted vault. Automated backups run before every deployment. For a full description of our security controls, see our Security page.

Data transfers

Our server infrastructure is hosted on a managed cloud provider. If you are purchasing from the EU/EEA or another jurisdiction, your email address passes through Polar.sh / Stripe's infrastructure, which may involve transfers to the United States under standard contractual clauses.

Children

VEKTOR Memory is a developer tool not intended for use by persons under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact [email protected] and we will delete it promptly.

Changes to this policy

If we make material changes to this policy, we will update the date at the top of this page and, where appropriate, notify active licence holders by email. We will not retroactively reduce your privacy rights without explicit consent.

Contact

For privacy questions, data requests, or security disclosures:

Email: [email protected]
Website: vektormemory.com


Third-party LLM providers, MCP servers & DXT connectors

VEKTOR Memory is designed to connect to external services at your direction. This includes large language model (LLM) API providers, Model Context Protocol (MCP) servers, and Desktop Extension Tool (DXT) connectors. We have no control over, affiliation with, or responsibility for these third-party systems.

LLM providers (Anthropic, OpenAI, Groq, Mistral, etc.) — When you configure VEKTOR to send prompts to an LLM provider, your prompts and any retrieved memory context are transmitted directly from your machine to that provider's API. VEKTOR does not proxy, log, or intercept these requests. Each provider's own privacy policy and data retention practices apply. You are responsible for reviewing and accepting those policies before use.

MCP servers — VEKTOR Slipstream can act as an MCP server and can also invoke external MCP-compatible tools and services you configure. When you connect an external MCP server, data exchanged with that server (including tool inputs and outputs) is subject to that server's operator's policies. We have no visibility into, and accept no liability for, data handled by third-party MCP servers.

DXT connectors — Desktop Extension Tools you install and connect via VEKTOR may access local files, system resources, or external APIs depending on their design. VEKTOR does not audit or endorse third-party DXT packages. You should review the permissions and privacy practices of any DXT connector before enabling it. We are not responsible for data collected or transmitted by third-party DXT connectors.

Your responsibility: Any time you configure VEKTOR to interact with a third-party service — whether an LLM API, an MCP server, or a DXT connector — you are establishing a direct relationship with that service under their terms. VEKTOR Memory is the local orchestration layer; it does not own or govern those connections.

This policy applies to VEKTOR Memory and the VEKTOR Slipstream SDK only. It does not extend to third-party LLM providers, MCP servers, DXT connectors, or any other external services you choose to connect. Those services are governed exclusively by their own terms and privacy policies.