SeyrNot a journal. An intelligence built from everything you've lived..
Back
Security & Privacy

Your memories.
Protected honestly.

Most apps claim end-to-end encryption without fully implementing it. We will not do that. This page explains exactly what we encrypt, how keys are managed, and what we can and cannot access.

What is encrypted

Content fieldsEvery memory title, caption, and transcription is encrypted with AES-256-GCM before it is written to our database. We store ciphertext — never plaintext content.
Media assetsPhotos, videos, and voice recordings are stored in AWS S3 with server-side KMS encryption. They are never accessible via public URLs.
AlgorithmAES-256-GCM — authenticated encryption that detects tampering in addition to encrypting. The same standard used by financial institutions.

What is not encrypted and why

Honest disclosure: some metadata must remain readable for Seyr to function. We encrypt everything we can without breaking the product.

Structural metadataFields like moment type, year, and created date are stored in plaintext. Our AI and graph engine needs to query this data to surface your memories correctly.
Graph relationshipsThe connections between your memories are stored as graph edges. These cannot be encrypted without breaking traversal.
What this meansWe know you have a memory from 2019 of type photo. We do not know its title, caption, transcription, or content — those are encrypted and inaccessible to us.

How encryption keys are managed

Per-user keysEvery Seyr user has a unique 256-bit encryption key. Your key is never shared with other users and is mathematically isolated from theirs.
AWS KMSYour encryption key is generated and managed by AWS Key Management Service, backed by hardware security modules. We never see your plaintext key.
How it worksWhen you access your memories, your encrypted key is sent to KMS, decrypted in a secure enclave, used to decrypt your content in memory, then discarded. The plaintext key is never written to disk or logged.
Key isolationEach user's key is bound to their unique user ID via KMS encryption context. A key generated for one user cannot decrypt another user's data.

What Seyr can and cannot access

What we can accessStructural metadata such as moment type, year, and timestamps, along with graph relationships and your account information. This is necessary to operate the service.
What we cannot accessThe content of your memories — titles, captions, transcriptions, and media files. These are encrypted with keys we do not hold in plaintext.
AI processingSeyr's AI processes your content in memory only, during active requests. It does not retain plaintext between sessions. No human at Seyr reads your memories.
What this is notThis is not true end-to-end encryption. Our server decrypts your content during AI processing. True E2E is on our roadmap and we will be explicit when we reach that milestone.

Media access and expiry

Pre-signed URLsPhotos, videos, and voice recordings are never served from permanent public URLs. Every media access generates a time-limited pre-signed URL that expires in 15 minutes.
Direct uploadWhen you upload media, your device uploads directly to S3 using a short-lived upload URL. Your media never passes through Seyr's servers.
Ownership verificationBefore generating any media URL, Seyr verifies that the requesting user owns the media. You cannot access another user's media even if you know its storage key.

Breach notification commitment

Our commitmentIn the event of a security breach affecting user data, we will notify affected users within 72 hours of discovery — before regulators, before press.
What a breach means for your dataBecause content is encrypted and keys are managed by AWS KMS, a breach of our database exposes only encrypted ciphertext. Without the KMS-managed key, it is unreadable.
Reporting a vulnerabilityIf you discover a security vulnerability in Seyr, please contact security@seyr.ai. We take all reports seriously and will respond within 24 hours.

Questions about security or privacy?

security@seyr.ai

Last updated March 2026 · Seyr Inc. · This page reflects our current implementation. We update it when our security posture changes.