Most products ask you to trust a privacy policy. We’d rather you didn’t have to. Every time your memory content is decrypted — by a background job, by your own dashboard, by anyone — MyPenny writes a record to a public, append-only log, hosted on a different cloud than your data. Anyone can read it. You don’t have to take our word for how your memory is handled; you can check.

Each entry records why the decryption happened (from a fixed, published list of reasons), when, which service did it, and a reference you can verify. Identifiers are hashed with a salt unique to you — your entries are yours to find, but no one else can tell which are yours.

The log never contains your memory content, your name or email, your raw IDs, IP addresses, or request paths. It proves that access happened and why; it never exposes what was read.

Your dashboard lists every decryption of your memory — routine and not — in plain language, each linked to its public-log entry. Routine reasons (search indexing, background memory upkeep, your own dashboard reads) are marked as such. Anything outside that list is flagged — and has to clear a higher bar first.

There is no quiet way for us to read your memory. Any access outside the routine list requires both founders — Aaron and Peter — to cryptographically sign the request and post it to the public log before the system will run it; the same code that decrypts refuses to execute without those signatures. A watchdog re-checks every ten minutes that the log hasn’t been altered, an independent monitor on a separate cloud verifies it too, and we anchor a signed snapshot to a public transparency log (Sigstore Rekor) every week.

We commit to publishing every government request for user data in this log, to the maximum extent the law permits. We will resist overbroad requests and disclose only what we are legally required to.

Be clear-eyed about the limit: because we hold the encryption keys, our architecture cannot cryptographically stop disclosure compelled by valid legal process. If your threat model needs cryptographic defense against US legal process, MyPenny isn’t the right product for you today — a tier where only you hold the key is on our roadmap.