Privacy Policy
Effective March 2, 2026
B3dmar ApS, trading as 3ngram ("we," "us," "our"), respects your privacy. B3dmar ApS is the data controller for your personal data under the GDPR. This policy explains how we collect, use, store, and share your information on the 3ngram platform.
What we collect
Information you provide
- Account info: name, email, authentication credentials (via OAuth or email/password)
- User content: memories, commitments, decisions, blockers, preferences, patterns, context, and indexed documents
- Communications: support and feedback messages
Information collected automatically
- Usage data: features used, search queries, API call patterns, session duration (via Vercel Analytics)
- Device/browser info: IP address, browser type, OS, device identifiers
- Error reports: crash data and stack traces (via Sentry, hosted in DE)
Information from third parties
- OAuth providers: basic profile (name, email) from Google, GitHub, or other providers
- AI platform metadata: interaction metadata when using MCP with third-party AI tools (we do not receive or store AI model responses)
How we process your data
We use your data to:
- Provide memory storage, semantic search, and accountability features
- Generate vector embeddings via OpenAI
text-embedding-3-smallfor semantic search (your content is not used to train any AI models) - Send email digests, alerts, and notifications (via Resend)
- Process payments (via Stripe)
- Analyze usage patterns to improve the service
- Enforce our terms and protect against abuse
Data retention
| Data type | Retention |
|---|---|
| Documents, memories, content chunks | Indefinite while account exists |
| MCP request logs | 90 days (auto-pruned) |
| Soft-deleted documents | 30 days before hard delete |
| Audit logs | 1 year minimum |
| OAuth access tokens | 1 hour |
| OAuth refresh tokens | 30 days |
| Google Docs content | Retained as memories while account exists; removed on account deletion or manual deletion by user |
On account deletion, all user data is permanently removed via cascading deletes, including memories, documents, embeddings, and account information. Anonymized aggregate statistics may be retained. Encrypted backups may persist up to 90 days before automatic deletion.
Third-party processors
| Service | Purpose | Location |
|---|---|---|
| Railway | Database hosting | EU (Netherlands) |
| OpenAI / Azure OpenAI | Embeddings | US |
| Resend | Transactional email | US |
| Stripe | Payments | US |
| Vercel | Frontend hosting, analytics | Global CDN |
| Sentry | Error tracking | DE |
We do not sell your personal data. We may share information with service providers under contractual obligations, for legal compliance, or in connection with business transfers (with prior notice).
Google Workspace Data
When you connect Google integrations, we access Google API data only for the purposes described below. Use of Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.
Google Docs (drive.file scope)
- Only files you select via Google Picker are accessible — no broad Drive access
- Document content is chunked, embedded, and stored as content sources for semantic search
- You can create and export Google Docs via MCP tools; these files are added to your content sources
Data use and retention
- Disconnection: disconnecting an integration in Settings revokes the OAuth token and stops future syncs. Memories already derived from Google data are retained until you delete them or delete your account
- Account deletion: deleting your account permanently removes all memories, content chunks, embeddings, and OAuth tokens derived from Google APIs
- No advertising: Google API data is never used for serving advertisements, profiling for advertising purposes, or sold to third parties
Your rights
Depending on your jurisdiction, you can:
- Access: request a copy of your personal data
- Rectification: request correction of inaccurate data
- Deletion: delete your account (cascades all data permanently)
- Portability: export your data via
GET /api/export - Objection: object to certain types of processing
- Restriction: request restricted processing in certain circumstances
- Withdraw consent: withdraw consent for processing at any time, without affecting prior processing
- Complaint: lodge a complaint with the Danish Data Protection Agency (Datatilsynet) or your local supervisory authority
Contact privacy@3ngram.ai to exercise these rights.
Cookies
For detailed information about the cookies we use, see our Cookie Policy.
| Category | Duration | Purpose |
|---|---|---|
| Essential | Session | Authentication, session management |
| Functional | 1 year | Preferences, theme, dashboard config |
| Analytics | 90 days | Anonymized usage (Vercel Analytics) |
Essential cookies cannot be disabled. Functional and analytics cookies are activated only after you provide consent via our cookie banner, in compliance with the ePrivacy Directive. You may update your preferences at any time. We honor Do Not Track (DNT) signals.
GDPR (EU/EEA users)
Legal basis: contract performance (providing the service), legitimate interests (analytics, improvement), and consent (marketing, non-essential cookies).
Data Protection Officer: dpo@3ngram.ai
Additional GDPR rights: you may withdraw consent at any time without affecting prior processing. You have the right not to be subject to decisions based solely on automated processing. You may lodge a complaint with the Danish Data Protection Agency (Datatilsynet) or your local supervisory authority.
CCPA (California residents)
We collect identifiers (name, email, IP), internet activity (usage, queries), and professional information (if provided). We do not sell personal information.
Your rights: right to know, right to delete, right to opt-out of sale (not applicable), and right to non-discrimination. Exercise via privacy@3ngram.ai or account settings.
International transfers
Your data is primarily stored in the European Union (Railway, Netherlands). Certain processing involves transfers to US-based providers (OpenAI, Resend, Stripe) protected by EU Standard Contractual Clauses (SCCs) and Data Processing Agreements.
Children
3ngram is not directed to anyone under 18. We do not knowingly collect personal information from minors. If we discover we have, we will delete it promptly.
Security
We protect your data with row-level security (RLS) on all data tables, TLS 1.2+ encryption in transit, AES-256 encryption at rest, OAuth 2.0 authentication, and restricted production database access.
Changes to this policy
We may update this policy with notice via email or the service. Continued use means you accept the changes.
Questions? Contact privacy@3ngram.ai. Also see our Terms of Service.