Legal
GDPR
Your rights at a glance: access · rectification · erasure · portability · restriction · objection. Contact legal@takizen.xyz — we respond within 30 days.
1. Overview
takizen is committed to processing personal data in accordance with the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"). This page explains our role, the legal bases for processing, and how you can exercise your rights as a data subject.
2. Data Controller
takizen acts as the data controller for personal data collected through the Service. For all data protection matters, contact:
- Email: legal@takizen.xyz
- Response time: within 30 calendar days
Where you use takizen to store data on behalf of third parties (e.g., memories about end-users of your own product), you act as a data controller and takizen acts as a data processor. Contact us to establish a Data Processing Agreement (DPA) as required by GDPR Art. 28.
3. Legal Bases for Processing
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Providing the memory storage and retrieval service | Contract performance | Art. 6(1)(b) |
| API key management and authentication | Contract performance | Art. 6(1)(b) |
| Security monitoring and abuse prevention | Legitimate interest | Art. 6(1)(f) |
| Maintaining audit logs for accountability | Legal obligation | Art. 6(1)(c) |
| Recording ToS acceptance | Legal obligation / Legitimate interest | Art. 6(1)(c)/(f) |
| Responding to data subject requests | Legal obligation | Art. 6(1)(c) |
| Sending service notifications | Legitimate interest | Art. 6(1)(f) |
4. Your Rights as a Data Subject
Right of Access (Art. 15)
You have the right to obtain confirmation of whether we process your personal data, and if so, to receive a copy of that data along with information about how it is used.
Right to Rectification (Art. 16)
You have the right to have inaccurate personal data corrected. For memory content, you can directly edit memories via the dashboard. For account data, contact us.
Right to Erasure / "Right to be Forgotten" (Art. 17)
You have the right to request deletion of your personal data. We will permanently delete:
- All memories in your namespace
- Your account and email address
- All API keys (hashes)
- Usage statistics linked to your account
Note: audit logs may be retained for up to 24 months to fulfil our legal obligations under Art. 17(3)(b). Retained audit data will be anonymised where possible.
Right to Data Portability (Art. 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON). This includes all memories, tags, and graph links. You can request an export via the dashboard or by email.
Right to Restriction of Processing (Art. 18)
You have the right to request that we restrict processing of your data in certain circumstances, for example while a rectification request is being assessed, or if you contest the accuracy of data.
Right to Object (Art. 21)
You have the right to object to processing based on legitimate interest (Art. 6(1)(f)). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Right to Withdraw Consent
Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
Rights Related to Automated Decision-Making (Art. 22)
takizen does not make decisions about individuals based solely on automated processing that produce legal or similarly significant effects.
5. How to Exercise Your Rights
Submit requests by email to legal@takizen.xyz with:
- Subject line: GDPR Request — [Right Type]
- Your account email address
- Description of the request
We will acknowledge your request within 72 hours and provide a substantive response within 30 calendar days. Complex requests may be extended by a further 2 months — we will notify you if this is necessary.
Requests are free of charge. We may ask for identity verification before processing requests to prevent unauthorised access.
6. Data Transfers Outside the EEA
Our primary database (Supabase) is hosted in EU-West-1 (Dublin, Ireland) within the EEA. No international transfer of your primary data occurs.
Cloudflare Workers operates a globally distributed edge network. Request metadata (IP addresses, headers) may be processed in non-EEA locations transiently via Cloudflare's infrastructure. Cloudflare participates in the EU-U.S. Data Privacy Framework and provides Standard Contractual Clauses for GDPR compliance.
OpenRouter (used for generating embeddings) may process memory text in the US. We have Data Processing Agreements in place. Memory text is sent for embedding purposes only and is not retained by OpenRouter beyond request processing.
7. Data Retention Summary
| Data Type | Retention Period |
|---|---|
| Active memories | Until deleted by user or decayed to zero |
| Archived memories (KV) | 90 days, then permanently deleted |
| API key hashes | Until revoked |
| Account / email | 30 days after deletion request |
| Audit logs | 24 months |
| Usage statistics | 12 months |
| ToS acceptance records | Duration of legal obligation |
8. Supervisory Authority
If you believe we have violated your data protection rights, you have the right to lodge a complaint with a supervisory authority. You may contact:
- The supervisory authority in your EU Member State of habitual residence, place of work, or the place of the alleged infringement.
- A list of EU supervisory authorities is available at edpb.europa.eu.
We encourage you to contact us first at legal@takizen.xyz — we are committed to resolving concerns directly.
9. Data Processing Agreement
If you are a business using takizen to process personal data of your own users or customers, you may require a Data Processing Agreement (DPA) under GDPR Art. 28. Contact legal@takizen.xyz to request a DPA.
10. Updates
This GDPR policy will be updated to reflect changes in our processing activities or applicable law. Material changes will be communicated by email. The "Last updated" date at the top of this page indicates when it was last revised.