Privacy Policy

Version 2.1 · Last updated: December 15, 2025

Alpha Status Notice: Ensue is currently in alpha development. The service is provided "as-is" and may undergo breaking changes, experience downtime, or have bugs that affect data availability or security. Features described here may evolve significantly. By using Ensue during alpha, you acknowledge these risks. We'll notify you of material changes to data handling practices when feasible.

What Ensue Does

Ensue provides a shared memory network where users and AI agents can store, retrieve, and share contextual information using fine-grained permissions. You control what memories are created, who can access them, and which AI services receive them.

Key principle: You decide what to share and with whom. We build the infrastructure; you control the permissions and bear responsibility for how you use the system.

1. Information We Collect

Memory Content (Your Data)

  • Memory entries (text, structured data, metadata)
  • Permissions data (users, groups, organizations)
  • Configuration (access controls, organizational settings)
  • Account information (email, organization name)

System Data (How You Use Ensue)

  • Request metadata (timestamps, endpoints called, request identifiers, response codes)
  • Performance metrics (latency, error rates, usage patterns)
  • Authentication logs (login events, API key usage, access attempts)
  • Infrastructure logs (IP addresses, user agents, device metadata)

What we DON'T collect: We do not intentionally log the contents of your memories in analytics or operational logs—only metadata about operations performed. However, memory content may incidentally appear in error logs, debug traces, or support tickets when investigating issues.

2. How We Use Your Information

To Provide the Service

  • Store and retrieve your memories based on your permissions
  • Enforce access controls you configure
  • Enable sharing within and (in the future) across organizations
  • Provide APIs, SDKs, and dashboard access

To Keep Things Running

  • Monitor system performance and security
  • Debug issues and investigate errors
  • Prevent abuse, fraud, and unauthorized access
  • Respond to your support requests
  • Comply with legal obligations and enforce our terms

To Improve Ensue

  • Analyze usage patterns to optimize performance
  • Develop new features and test experimental functionality
  • Understand how the product is being used (aggregated analytics)
  • Conduct internal research and development

Future Possibility: Model Training

We do not currently train AI models on your memory content. If we decide to in the future, we will update this policy. However, we reserve the right to use aggregated, anonymized, or de-identified data derived from service usage for analytics and improvement purposes without additional notice.

What we never do:

  • Sell your identified personal data to advertisers or data brokers
  • Share memory content with unrelated third parties except as described in this policy
  • Use your memories for purposes fundamentally incompatible with providing the service

3. Sharing Your Memories: The Critical Part

You Control Third-Party AI Access

Ensue enables you to share memories with AI agents (like Claude, GPT, or other LLMs). This is a core feature: memory content will be sent to third-party AI providers when you configure this functionality.

  • You decide which memories to share with which agents
  • You configure which AI services to use (via your own API keys or integrations)
  • You control the permissions for each memory
  • When you share a memory with an AI agent, that memory content is transmitted to the AI provider's API, which is governed by their privacy policy and terms
  • Common providers include Anthropic (Claude), OpenAI (GPT), and others you integrate
  • Some AI providers may use conversation data for model training or other purposes per their own policies

Your responsibility: review the privacy policies and terms of AI providers; ensure you have appropriate rights to share the content; understand sharing is at your own risk; avoid sharing sensitive or legally protected information unless you accept the risks.

Ensue is not responsible for: how AI providers handle your data; breaches, misuse, or unauthorized access at the provider; compliance issues arising from your choice to share data; damages resulting from your use of third-party AI integrations.

When We Share With Service Providers

We share data with subprocessors who help us run Ensue:

  • AWS (infrastructure, database, storage) — data stored across multiple AWS regions
  • Stripe (payment processing) — billing information only
  • Grafana (monitoring) — read-only access, generally no memory content
  • Google Analytics (website analytics) — dashboard and documentation usage only

These vendors receive only data necessary for their specific function and are contractually required to protect it, though we cannot guarantee their compliance. We reserve the right to add, remove, or replace subprocessors and will update this list periodically; major changes affecting data handling will be communicated where feasible.

When Law Requires It

We may disclose data when legally required (subpoenas, court orders, government requests, etc.) or when we believe in good faith that disclosure is necessary to comply with legal obligations, protect rights or safety, prevent fraud or abuse, or enforce our terms. We'll make reasonable efforts to notify you of legal demands unless prohibited by law or where notification could create risk.

In a Business Transfer

If Ensue is acquired, merged, sells assets, or undergoes bankruptcy or similar proceedings, your data may be transferred as part of that transaction. We'll make reasonable efforts to notify you, and you may delete your account before the transfer if you choose. We cannot guarantee the acquiring entity will maintain the same privacy practices.

4. Where Your Data Lives

Current infrastructure: AWS across multiple regions globally:

  • US: us-east-1, us-east-2, us-west-1, us-west-2
  • Europe: eu-central-1, eu-west-1, eu-west-2, eu-west-3, eu-north-1
  • Asia Pacific: ap-south-1, ap-northeast-1, ap-northeast-2, ap-northeast-3, ap-southeast-1, ap-southeast-2
  • Canada: ca-central-1
  • South America: sa-east-1

You cannot currently choose which region your data lives in. Data may be replicated across regions for performance, redundancy, and disaster recovery.

International transfers: By using Ensue, you acknowledge and consent to transfer, storage, and processing of your data in countries other than your own, which may have different data protection laws. For transfers from the EEA/UK, we rely on AWS Standard Contractual Clauses and adequacy mechanisms.

Data Processing Agreements: If you require a DPA (e.g., GDPR), contact ops@ensue.dev. We'll work with you on reasonable terms, but cannot guarantee we can accommodate all requests during alpha.

5. How Long We Keep Your Data

Active Data

  • Memory content: stored until you delete it or close your account
  • Account data: retained while your account is active and for a reasonable period thereafter

Deleted Data

  • Production removal from active systems within a reasonable timeframe
  • May persist in caches, CDNs, or temporary storage briefly
  • May remain in AWS automated backups, snapshots, and disaster recovery systems
  • Purged subject to AWS backup rotation schedules and operational requirements

Important limitations:

  • No guarantee of instant purging from all systems
  • Backups are managed by AWS and follow their retention schedules
  • Replicated data across regions may take time to fully remove
  • De-identified or aggregated derivatives may be retained
  • Data shared with third-party AI providers follows their retention policies

Logs and Metadata

  • Operational logs: retained for a reasonable period for security, debugging, and legal compliance
  • Analytics data: aggregated data may be retained indefinitely
  • Authentication/security logs: retained for security and compliance purposes
  • Financial records: retained as required by law

We may retain data longer when required by law or necessary for legal defense.

6. Security Measures

What we do

  • Encryption at rest (AES-256 where supported)
  • Encryption in transit (TLS 1.2+ for external connections)
  • Access controls: role-based permissions; limited access to memory content
  • Monitoring: automated alerts and on-call engineering team
  • Authentication: OAuth, API key management, MFA available

Important limitations and disclaimers

  • No system is completely secure
  • Alpha-stage service: practices are evolving; no SOC 2/ISO 27001 yet
  • Incident response is managed by the core engineering team
  • Third-party dependencies (e.g., AWS) could affect you
  • You're responsible for securing your API keys, credentials, and access controls

If there's a security incident

  • We'll investigate to the best of our ability
  • We'll notify affected users of material breaches within 72 hours where required
  • We'll work to mitigate within our capabilities

Limitation of liability: to the maximum extent permitted by law, Ensue is not liable for incidents caused by subprocessors, your failure to secure credentials, incidents from alpha-stage bugs or vulnerabilities, or damages exceeding the amount you've paid us in the preceding 12 months.

7. Your Rights

What You Can Do

  • Access: request a copy of your data
  • Correct: update inaccurate information
  • Delete: remove memories or close your account (subject to backup retention)
  • Export: request data in portable format (JSON) where feasible
  • Restrict/Object: request limitation of certain processing or opt out of non-essential analytics

How to exercise rights: email ops@ensue.dev. We'll respond within 30 days (or as required by law) and may request verification. We may charge reasonable fees for excessive, repetitive, or unfounded requests or refuse requests that are impossible, disproportionately burdensome, or jeopardize others' privacy.

GDPR-Specific Rights (EU/UK)

  • Right to lodge a complaint with your supervisory data protection authority
  • Right to data portability in machine-readable format
  • Right to object to automated decision-making (not currently used)
  • Right to withdraw consent where processing is based on consent

Legal bases: contract performance (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)); consent (Art. 6(1)(a)); legal obligations (Art. 6(1)(c)). Data Controller: Ensue Inc.

8. Special Considerations

For Organizations & Admins

Admin access follows permissions in our access control system. You are responsible for managing permissions appropriately, ensuring you have authorization to store/share content, complying with applicable laws (including employee privacy), and obtaining necessary consents.

Children's Privacy

Ensue is not intended for anyone under 16 (or the applicable age in your jurisdiction). We don't knowingly collect data from minors. If discovered, we'll delete it promptly, but we have no affirmative obligation to verify users' ages.

AI Agent Considerations

When you use Ensue to provide context to AI agents, you're responsible for ensuring you have rights to share that content. Review provider terms—many use conversations for model training. Providers have different data retention and usage policies. You bear all risk; Ensue has no control once data is transmitted.

Sensitive Data Warning

Do not store highly sensitive information in Ensue during alpha, including regulated data (PHI, payment card data, government IDs), critical trade secrets, personal data without appropriate consent, or any data whose loss or exposure would cause severe harm. Use at your own risk.

9. Cookies & Tracking

We use essential cookies for authentication and session management, and analytics cookies (Google Analytics) on our dashboard and documentation (not API operations). You can disable cookies, but authentication and other features will not work. We don't use advertising cookies or cross-site trackers. By using Ensue, you consent to our use of cookies as described.

10. Changes to This Policy

We reserve the right to update this policy at any time. Changes are effective immediately upon posting unless otherwise specified. Continued use after changes constitutes acceptance. If you disagree, delete your account and stop using the service before changes take effect.

11. Disclaimers and Limitations of Liability

Service provided "as-is"

The service is provided on an "as-is" and "as-available" basis during alpha. We make no warranties (express or implied), including merchantability, fitness for a particular purpose, or non-infringement.

No data guarantees

  • Uninterrupted or error-free service
  • Data availability, accuracy, or integrity
  • That the service will meet your requirements
  • That security vulnerabilities will not exist
  • That backups will be recoverable

Limitation of liability

To the maximum extent permitted by law, Ensue's total aggregate liability for all claims arising from or related to these Terms or the Service shall not exceed:

  • For paid users: the total amount you paid to Ensue in the 12 months preceding the claim
  • For free users (including free tier and alpha users who have not paid fees): $0 (zero dollars)

We are not liable for indirect, incidental, consequential, punitive, or special damages. We are not liable for data loss, business interruption, or lost profits. We are not liable for third-party actions (including AI providers, AWS, or other subprocessors).

Alpha acknowledgment

  • Higher risk of bugs, data loss, and security vulnerabilities
  • Possibility of breaking changes without notice
  • Limited support and incident response capabilities
  • The service may be discontinued at any time

12. Indemnification

You agree to indemnify and hold harmless Ensue, its officers, employees, and contractors from any claims, damages, losses, or expenses (including reasonable attorneys' fees) arising from your use or misuse of the service; your violation of this Privacy Policy or our Terms of Service; your violation of any third party rights; your sharing of data with AI providers or other third parties; any content you submit, store, or share through Ensue; and your failure to secure your credentials or API keys.

13. Contact & Data Protection

We're a small team—all inquiries go to the same place currently. We typically respond within 2-5 business days but don't guarantee response times. GDPR requests will be handled within legally required timelines (typically 30 days).

14. Governing Law and Disputes

This Privacy Policy is governed by the laws of the State of Delaware, without regard to conflict of law provisions. Disputes are resolved per the dispute resolution provisions in our Terms of Service. EU/UK users: nothing here affects your statutory rights under GDPR or other applicable consumer protection laws.

15. Severability

If any provision of this Privacy Policy is found to be unenforceable, the remaining provisions remain in full effect, and the unenforceable provision will be modified to reflect our intent to the extent possible under law.

Summary (TL;DR)

  • You control what memories to create and who can access them—use the system lawfully
  • Sharing with AI agents means data goes to those providers; we're not liable for them
  • Data is stored on AWS globally; you can't pick the region yet
  • Deleted data is removed promptly but may linger in backups
  • We generally can't see memory content, only metadata (content may appear in errors)
  • We don't sell your data or currently train models on it
  • Alpha-stage: service is "as-is"; bugs happen; security isn't enterprise-certified yet
  • You can export, delete, or correct your data (subject to technical limitations)
  • Our liability is limited; you use the service at your own risk
  • Don't store highly sensitive data during alpha