Privacy Policy

Last updated: March 14, 2026

1. Introduction

Configure AI, Inc. ("Configure", "we", "us", "our") operates the Configure platform and Memory service. Configure is the identity layer for AI agents — it gives users a persistent profile that includes identity information, preferences, memories, and connected tools, accessible across any AI agent that integrates our SDK.

This Privacy Policy applies to all users of the Configure platform, including:

• Memory end users — individuals who verify their identity and build a profile that works across AI agents
• Developers — individuals and organizations that use the Configure API or SDK to build agents that read and write user profiles

By using Configure, you agree to the collection and use of information as described in this policy.

2. Information We Collect

Phone number

We collect your phone number for identity verification via SMS one-time passcode (OTP) through our verification provider, Prelude. Your phone number is stored as an irreversible cryptographic hash. We cannot recover raw phone numbers from our database.

Profile data

When you use Configure through an integrated AI agent, we collect and store identity information (such as name, email, bio, occupation, and interests), preferences, and memories extracted from your conversations. This data forms your persistent Memory profile.

Connected tool data

When you connect third-party services, we access metadata and content necessary to enrich your profile:

• Gmail — sender and recipient information, subject lines, and relevant content from emails
• Google Calendar — event details, schedules, and calendar metadata
• Google Drive — file metadata and document content
• Notion — page content and workspace metadata

We only access data from services you explicitly connect and authorize.

Usage data

We collect standard server logs, including IP addresses, timestamps, and request paths, to operate and improve our services.

Developer data

For developers using the Configure API or SDK, we collect API keys, agent configurations, and usage metrics.

3. How We Use Your Information

• Verify your identity via phone OTP
• Build and maintain your persistent user profile across AI agents
• Extract facts, preferences, and context from conversations using AI models — only the extracted data is stored; we may in the future retain conversation content
• Sync and enrich your profile with data from connected tools you authorize
• Provide profile portability so your identity, preferences, and context follow you across agents
• Improve and develop our services
• For developers: authenticate API access and process conversations sent via the SDK for memory extraction

4. Profile Portability

Profile portability is a core feature of Memory. By default, your profile is readable by any AI agent authorized through the Configure network. When you authenticate with a developer's application, that application can access your profile data, including identity information, preferences, and memories.

This means your context follows you across agents — you do not need to re-introduce yourself or re-state your preferences each time you interact with a new application.

Granular portability controls, allowing you to restrict which agents can access specific parts of your profile, are planned for a future release.

Developers who access your profile through the Configure SDK are prohibited from selling or sharing your profile data outside the Configure network.

5. AI Processing

Conversations between you and AI agents using Configure are processed by AI models to extract relevant facts, preferences, and contextual information for your profile.

Currently, only extracted data is stored in your profile. Raw conversation content is not retained.

We may in the future retain conversation content to improve profile accuracy and service quality. This policy will be updated before any such change takes effect, and we will provide notice as described in Section 15.

6. Third-Party Service Providers

We use third-party service providers for identity verification, AI model inference, application hosting, OAuth integration management, caching, and static site delivery. These providers process data only as necessary to operate the Configure platform and are subject to contractual obligations to protect your data.

When you connect third-party services (such as Gmail, Calendar, Drive, or Notion), we access those services through their official APIs using credentials you authorize.

7. Data Storage and Security

• Phone numbers are hashed with a cryptographic pepper before storage — we cannot reverse the hash to recover the original number
• All data is encrypted in transit (TLS) and at rest
• Our database is hosted on Fly.io with network-level access controls
• API keys are stored as SHA-256 hashes — plaintext keys are never persisted
• We implement role-based access controls and follow industry-standard security practices

8. Data Breach Notification

In the event of a data breach that compromises the security of your personal information, we will:

• Notify affected developers via their registered email address within 30 days of discovering the breach
• Describe the nature and scope of the breach, the types of data involved, and the steps we have taken to contain and remediate it
• Provide guidance on any actions you should take to protect yourself or your users
• Notify applicable regulatory authorities as required by law, including under GDPR (Article 33/34) and CCPA (§1798.150)

9. Data Retention and Deletion

• Profile data is retained for as long as your account exists, or until you request deletion
• When you delete data, it is soft-deleted immediately and permanently purged within 30 days
• You can delete individual memories, app-specific data, or your entire profile
• Disconnecting a tool removes the associated data from your profile
• Server logs are retained for up to 90 days

10. Your Rights

Under applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA), you have the right to:

• Access your personal data and obtain a copy of the information we hold about you
• Rectify inaccurate or incomplete data
• Erase your data ("right to be forgotten")
• Port your data to another service in a structured, machine-readable format
• Restrict processing of your data in certain circumstances
• Object to processing based on legitimate interest
• Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal

To exercise any of these rights, contact us at privacy@configure.dev. We will respond to your request within 30 days.

11. Legal Basis for Processing

For users in the European Economic Area (EEA), UK, and Switzerland, we process personal data on the following legal bases:

• Consent — when you verify your phone number, connect third-party tools, or authorize data access, you consent to the associated processing
• Legitimate interest — for service improvement, security monitoring, and fraud prevention, where these interests are not overridden by your rights
• Contract — processing necessary to provide the Memory service and fulfill our obligations to you

12. International Data Transfers

Configure AI, Inc. is based in the United States. Your data is processed and stored in the US.

For users in the European Economic Area (EEA), UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to provide adequate safeguards for international data transfers.

By using our services, you acknowledge that your data will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.

13. For Developers

When you integrate the Configure SDK or API into your application:

• You act as a data controller for your end users. Configure processes data on your behalf as a data processor.
• You are responsible for informing your end users that your application uses Configure and for providing a link to this Privacy Policy or your own policy that covers Configure's processing.
• Conversations sent to Configure via the SDK are processed for memory extraction as described in Sections 3 and 5.
• API keys authenticate your agent. User tokens (JWTs) identify individual end users. Both are required to access user profile data.
• You may not use profile data obtained through Configure for purposes beyond those described in your own privacy policy and terms of service.

14. Children's Privacy

Our services are not directed at children under 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected data from a child under 16, we will delete that information promptly. If you believe a child under 16 has provided us with personal data, please contact us at privacy@configure.dev.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements.

We will provide at least 30 days' notice for material changes — through our website, through the service, or by email where possible. The "Last updated" date at the top of this page indicates when this policy was last revised.

Your continued use of Configure after changes take effect constitutes acceptance of the revised policy.

16. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact us at:

privacy@configure.dev

Configure AI, Inc.