Bernstein Holding UG (haftungsbeschränkt)
Eschenlohmühle 2
86862 Lamerdingen, Germany
Email: help@thememo.am
The Memo processes personal data only where necessary to provide the website and subscription service, deliver the content and features included in a subscription, administer referral benefits, operate the website securely, process payments, respond to support requests, measure the website in a privacy-conscious way, and protect subscription content from unauthorised redistribution. The iOS app is covered by our separate App Privacy Policy.
The following personal data may be processed:
Processing is based on Art. 6(1)(b) GDPR where it is necessary to provide the subscription service, Art. 6(1)(c) GDPR where we must comply with legal obligations such as tax and accounting retention rules, and Art. 6(1)(f) GDPR where we have a legitimate interest in operating a secure, reliable, privacy-conscious, and high-quality service and in measuring basic aggregate website reach through the minimized process described in sections 10 to 12.
Optional analytics and marketing cookies, related storage, full Google Analytics measurement, Google Signals, and advertising-related measurement are used only on the basis of your consent under Art. 6(1)(a) GDPR and, where applicable, § 25(1) TDDDG. Technically necessary cookies or similar storage, including storage of your consent choice, are used where required for the service you request or for secure operation of the website, including under § 25(2) TDDDG where applicable.
Where processing is based on consent, you may withdraw that consent at any time with effect for the future. Where processing is based on legitimate interests, you may object as described in section 19.
Where you purchase a subscription through our website, payment processing is handled by Stripe, Inc. (510 Townsend Street, San Francisco, CA 94103, USA) and its sub-processors. During such a purchase, you are redirected to Stripe's checkout page. Stripe's privacy policy applies: stripe.com/privacy
Depending on the subscription, content and service communications may be delivered by email. We use your email address to provide the content and features included in your subscription according to the applicable delivery schedule, and to send account-related messages, payment or subscription notices, and essential service communications. The applicable content, features, and delivery schedule are described on our website or at checkout.
You can turn edition delivery by email on or off in your account settings. Turning it off does not cancel your paid subscription or change access through the app, and essential account or payment messages may still be sent. If your email address has not yet completed double opt-in, enabling delivery sends a confirmation email. Once confirmed, pausing and later resuming edition delivery does not by itself require another confirmation.
Where content or service communications are sent by email, technical delivery is handled via Resend, Inc. and its sub-processors, a US-based email service provider operating under EU Standard Contractual Clauses. Resend's privacy policy applies: resend.com/legal/privacy-policy
If your subscription ends, delivery of the content and access to the features tied to that subscription will stop as provided by the applicable subscription terms. Any separate account functionality may remain available. We may retain minimal suppression or account records where necessary to document cancellation, prevent accidental reactivation, comply with legal obligations, or defend legal claims.
When you open an invitation link, we use a technically necessary, signed referral-claim cookie for up to 30 days to remember the referring subscriber during signup. Referral identifiers are excluded from website analytics and the dedicated invitation route is excluded from the normal website access log.
If a subscription is attributed to a referral, we connect the subscriptions in our internal records and exchange the necessary subscription, invoice, discount and reward status with Stripe. We use these records to grant the referred subscriber's lifetime discount, calculate the referrer's conditional reward, enforce the minimum subscription price, restore eligibility after resubscription, reconcile billing events and prevent self-referral, duplicate attribution and fraud. Processing is necessary to perform the referral terms under Art. 6(1)(b) GDPR and, for security, audit and fraud prevention, based on Art. 6(1)(f) GDPR.
Referral relationships, reward history and lifetime eligibility are retained for as long as needed to administer and audit the program, including across cancellation and resubscription, and for any additional period required by accounting law, fraud prevention or legal claims. Full names, email addresses and payment problems of referred subscribers are not shown to referrers.
If you contact us by email, we process the information you provide in order to respond to your request. This may include your email address, name, message content, and related correspondence. Processing is based on Art. 6(1)(b) GDPR where the request relates to a subscription, and otherwise on Art. 6(1)(f) GDPR.
Data processing through The Memo iOS app and its subscriber API is described separately in our App Privacy Policy.
This website uses technically necessary cookies and comparable storage for basic website operation and consent storage. We use Finsweet Cookie Consent to collect and store your cookie preferences. The consent script is loaded via jsDelivr CDN. This loading is used to display and operate the consent mechanism.
The consent banner distinguishes between Essential, Analytics, and Marketing. Essential storage is required for basic operation and for remembering your consent choice. Analytics helps us understand and improve how the website is used through Google Analytics 4. Marketing supports audience features and advertising-related measurement through Google Signals and requires Analytics because these functions use Analytics data. No optional category is preselected.
You can accept all optional purposes, reject them, or save a custom choice. You may withdraw or change consent at any time with effect for the future by selecting “Change privacy settings” in the footer of any page. Withdrawing Analytics also disables Marketing. You may alternatively clear your browser site data for this website or contact us.
On this website, we use Google Tag Manager, Google Analytics 4, and Google Consent Mode to understand how the website is used and to improve it. These services are provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, including their sub-processors.
If you grant analytics consent, Google Tag Manager and Google Analytics may be loaded. Google Analytics may then process analytics identifiers, page views, referrers, device and browser information, and interaction events. Analytics cookies and similar analytics storage may be set in your browser only after analytics consent has been granted. The legal basis is Art. 6(1)(a) GDPR and, where applicable, § 25(1) TDDDG. Google privacy information is available at policies.google.com/privacy.
When you begin subscription checkout with analytics consent granted, the current pseudonymous Google Analytics client and session identifiers, together with your analytics and marketing consent choices, may be attached to Stripe Checkout metadata. This allows a subscription or payment later confirmed by Stripe to be attributed to the originating website visit. These analytics identifiers are included only when analytics consent is granted. We do not send your name, email address, Stripe customer ID, or internal subscriber ID to Google Analytics.
We have enabled Google Signals in our Google Analytics 4 property. Google Signals is a Google Analytics advertising feature. If you grant both Analytics and Marketing consent, Google may associate the usage data collected from this website with information from your Google account if you are signed in to that account and have enabled Ads Personalization. This may enable aggregated cross-device reporting and reports about demographic characteristics and interests. Google states that cross-platform reports contain aggregated data and do not expose information about individual Google account users to us.
For Google Signals, Google may use first-party Google Analytics cookies or other first-party identifiers together with Google advertising cookies or other Google advertising identifiers. This processing is based on your prior consent under Art. 6(1)(a) GDPR and, where applicable, § 25(1) TDDDG. Google Signals is not used for the minimized denied-consent page views described below. You may withdraw your consent at any time with effect for the future through our cookie settings. You can also manage Ads Personalization in Google My Ad Center, access and delete activity associated with your Google account in Google My Activity, or use the Google Analytics opt-out browser add-on. Further information is available in Google's Google Signals documentation and its policy requirements for Google Analytics advertising features.
If you reject analytics consent, we do not load the Google Tag Manager or Google Analytics browser script for analytics measurement, do not set Google Analytics cookies, and do not use analytics storage in your browser. To maintain a basic aggregate pageview count, the website sends one separate same-origin request to our dedicated anonymous pageview endpoint. The request uses no stored analytics identifier and is not used to recognise you on later visits, build a user profile, personalise advertising, or combine the pageview with subscriber account data.
The browser payload contains the event type, a timestamp, the page URL without query string or hash, the page title normalised and limited to 150 characters, a non-personalised-processing flag, and random technical identifiers generated in memory for that one event. It does not contain your name, email address, subscriber ID, referrer, screen resolution, browser language, URL query parameters, URL hash, advertising identifiers, stored Google Analytics identifiers, or the reason for your consent choice.
Our web server necessarily receives the IP address to establish and answer the HTTPS request, as it does for other page requests. The dedicated endpoint is excluded from the Nginx access log and removes the visitor IP and forwarding headers, original User-Agent, cookies, referrer, and browser client-hint headers before the measurement event reaches the server-side Google Tag Manager container. A conditional allow-list in that container removes all event fields except the event name, sanitised page location, bounded page title, one-event identifiers, non-personalised-processing flag, and technical protocol and destination fields required to transmit the event.
Only this minimized event is forwarded to Google Analytics 4 as a page view for the aggregate pageview count. Because the identifiers are not stored or reused, these page views are not suitable for determining denied-consent visitors, returning users, user paths, or reliable sessions. Google Signals and advertising-related functions are not used for these page views. The legal basis for the transient server-side processing and this limited reach measurement is Art. 6(1)(f) GDPR. Our legitimate interest is to understand basic website reach while respecting the rejection of analytics cookies and visitor-level analytics. You may object to this processing as described in section 19.
This website is hosted on servers operated by STRATO AG (Otto-Ostrowski-Straße 7, 10249 Berlin, Germany) and its sub-processors. When accessing the site, technically necessary data may be processed in server log files, including IP address, access time, requested page, browser type, operating system, referrer URL, and request status.
Server logs are processed pursuant to Art. 6(1)(f) GDPR for security, troubleshooting, abuse prevention, and reliable operation of the website. Log data is not used to create visitor profiles. Nginx access logs are normally rotated daily and retained for up to 14 days, unless a longer retention period is necessary for security incidents, abuse investigation, legal obligations, or legal claims. Requests to the dedicated anonymous pageview endpoint described in section 10 are excluded from the Nginx access log.
Consent-granted analytics requests are routed through our same-origin endpoint at www.thememo.am/metrics before reaching our server-side Google Tag Manager container. The separate denied-consent pageview request uses www.thememo.am/metrics/anonymous/g/collect. Both endpoints are operated on our production VPS. Server-side tagging is used to keep the browser-facing measurement endpoints on our own domain and apply server-side privacy and forwarding controls.
When analytics consent is granted, normal Google Analytics events may be forwarded from the server-side container to Google Analytics 4. If analytics consent is rejected, the dedicated route first removes browser connection metadata and the server container then applies a strict event-data allow-list before the minimized page view described in section 10 is forwarded. Apart from the bounded page title, we do not add user data, advertising data, referrer, screen resolution, browser language, query string, hash, persistent analytics identifiers, or subscriber identifiers to that event.
We do not use the anonymous pageview endpoint to override the visitor's choice about analytics cookies or visitor-level analytics. Rejected analytics consent means no analytics cookies, no Google Tag Manager or Google Analytics browser script, no persistent analytics identifier, no cross-page recognition, and no Google Signals processing for that pageview.
This website uses SSL/TLS encryption. You can recognise an encrypted connection by the “https://” address in your browser. Encryption helps protect data transmitted between your browser and our website.
Where subscription content is supplied as a PDF or other downloadable document, it may be individually watermarked or marked with a subscriber-specific identifier derived from your email address. This is necessary to protect our intellectual property and enforce our Terms of Service. Processing is based on Art. 6(1)(f) GDPR (legitimate interest in preventing unauthorised redistribution).
Personal data is shared only where necessary to provide the service, operate the website, process payments, comply with legal obligations, protect our rights, or work with carefully selected service providers.
Where required under Art. 28 GDPR, we have concluded data processing agreements with our processors.
Through the use of Stripe, Resend, Google, Finsweet, and jsDelivr, data may be transferred to countries outside the European Economic Area, including the United States. Where applicable, providers rely on the EU-US Data Privacy Framework, EU Standard Contractual Clauses, or comparable transfer safeguards as required by law.
Unless a more specific retention period applies, personal data is stored only for as long as necessary for the purpose for which it was collected, or as required by law.
Subscription and account data are stored for as long as needed to provide the relevant subscription or account functionality. After the related subscription and account relationship has ended, your email address and name will be deleted within 30 days unless referral-program administration, lifetime-discount eligibility, statutory retention periods, documentation obligations, suppression requirements, fraud prevention, or legal claims require longer storage.
Cookie consent choices are stored for the duration configured in the consent banner or until you change or delete the consent data in your browser. Minimized denied-consent page view events forwarded to Google Analytics 4 are retained according to the retention settings configured in Google Analytics, without a persistent identifier that would allow us to recognise the browser on a later page.
Invoice data is retained for 10 years in accordance with German tax law (§ 147 AO, § 257 HGB).
You have the right to:
To exercise your rights, please contact: help@thememo.am
You may object at any time to processing based on Art. 6(1)(f) GDPR for reasons arising from your particular situation. We will then stop processing the data unless we can demonstrate compelling legitimate grounds or the processing is necessary for the establishment, exercise, or defence of legal claims.
If personal data is processed for direct marketing, you may object at any time. In that case, your data will no longer be processed for direct marketing purposes.
You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach, Germany
www.lda.bayern.de
We reserve the right to update this privacy policy as needed. The current version is always available on this page.
Last updated: 15 July 2026