Privacy Policy

Menutes is operated by AI Eesti OÜ, registered in Estonia.

Address: Pärnu maakond, Pärnu linn, Pärnu linn, Sillutise tn 1, 80013

Contact: info@menutes.com

We collect the following categories of personal data:

• Account information: name, email address, profile picture, and authentication credentials (via Google or Microsoft OAuth).
• Voice recordings & transcripts: audio captured during meetings, AI-generated transcriptions, summaries, and identified participants.
• Calendar data: event titles, times, and attendee information accessed via Google Calendar (readonly) or Microsoft Outlook (Calendars.Read) OAuth scopes.
• Device & session data: IP address, user-agent string, browser type, operating system, and session identifiers.
• Payment information: billing details processed by Stripe. We do not store credit card numbers on our servers.
• Team & organization data: team membership, roles, and shared meeting content within your organization.
• Push notification tokens: Web Push subscription details if you enable notifications.

We process your data under the following GDPR legal bases:

We use the following third-party sub-processors to operate Menutes:

• Google Cloud Platform: hosting, file storage (GCS), secret management, and Gemini AI for transcription and summarization.
• Deepgram: speech-to-text processing for speaker diarization (identifying who spoke when).
• Stripe: payment processing and subscription management.
• Google & Microsoft OAuth: authentication and calendar data access.
• Resend: transactional email delivery (meeting summaries, account notifications).
• OpenAI: GPT-4 for meeting memo generation and translation.
• Microsoft Azure Speech Services: optional speech-to-text transcription provider.
• PostHog: product analytics and error tracking, hosted on EU servers. We use PostHog to understand how the Service is used and to diagnose issues.
• Firecrawl: optional website content extraction used to auto-detect organization information when setting up a team.
• Web Push services: browser push notification delivery via platform providers (Google FCM, Apple APNs, Mozilla Push Service).

Each sub-processor receives only the minimum data necessary for its specific function. All sub-processors process data in accordance with their own privacy policies and applicable data processing agreements.

We do not sell your personal data to any third party, for any purpose.

Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

We implement industry-standard security measures to protect your data:

• Transcripts, summaries, participant names, and calendar attendee data are encrypted at rest using AES-256-GCM.
• All data in transit is encrypted via TLS.
• OAuth tokens and API keys are stored in Google Cloud Secret Manager.
• Sessions are validated on every request with device fingerprinting.

In the event of a data breach affecting your personal data, we will notify affected users and relevant supervisory authorities within 72 hours of discovery, as required by GDPR Article 33.

All core infrastructure is hosted on Google Cloud Platform in europe-north1 (Finland, EU/EEA). This includes our database (PostgreSQL), file storage (Google Cloud Storage), and application servers (Cloud Run).

Certain third-party processors may process data outside the EEA:

• Stripe (US): processes payment data under Standard Contractual Clauses (SCCs).
• Resend (US): processes email delivery data under SCCs.
• Deepgram (US): processes audio data for speaker diarization under SCCs.
• OpenAI (US): processes transcript text for memo generation under SCCs.
• Microsoft Azure Speech Services: may process audio data outside the EEA under Microsoft's Data Processing Addendum and SCCs.
• Google Gemini API: may process audio data outside the EEA under Google's Cloud Data Processing Addendum and SCCs.

No personal data is sold or transferred to third countries for marketing or advertising purposes.

Menutes uses AI services to transcribe audio recordings, identify speakers, and generate meeting summaries.

• Audio is sent to the Google Gemini API for transcription and summarization, and to Deepgram for speaker diarization (identifying individual speakers). These services run in parallel to produce accurate, speaker-labeled transcripts.
• Data processed via the paid Gemini API is not used by Google for model training, per Google's Cloud Data Processing terms. Deepgram processes audio under their data processing agreement and does not use customer audio for training.
• Audio files uploaded to the Gemini File API are automatically deleted by Google after processing.
• Transcript text may also be sent to OpenAI (GPT-4) for meeting memo generation and translation. OpenAI API data is not used for model training per their business terms.
• Microsoft Azure Speech Services may be used as an alternative transcription provider. Audio processed via Azure is subject to Microsoft's data processing terms.
• All AI-generated outputs (transcripts and summaries) are stored encrypted using AES-256-GCM in our database.
• No AI-generated content is shared with third parties beyond what is necessary for service delivery (e.g., emailing a summary to your chosen recipients).

We retain your data as follows:

• Account deletion: when you delete your account, a 7-day grace period applies during which you can cancel the deletion via email link. After 7 days, all your data, including recordings, transcripts, summaries, audio files, calendar data, and account information, is permanently and irreversibly deleted.
• Recording deletion: deleted recordings are immediately soft-deleted (hidden from view) and permanently removed when your account is deleted or per your organization's retention policy.
• Organization retention policy: organization administrators can configure automatic recording retention periods of 7, 90, 180, or 365 days, or retain recordings indefinitely.
• Calendar events: calendar event data is automatically deleted 48 hours after the event ends. Event data is immediately deleted when you disable a calendar integration.
• Session & device data: deleted when your session expires or your account is deleted.
• Audio files: stored in Google Cloud Storage and permanently deleted when the associated recording is permanently deleted.

You may request complete deletion of your account and all associated data at any time through the account settings or by contacting us at info@menutes.com.

Under the GDPR and applicable data protection laws, you have the right to:

• Access: request a copy of the personal data we hold about you.
• Rectification: request correction of inaccurate or incomplete data.
• Erasure: request deletion of your data (“right to be forgotten”).
• Data portability: export your data in a portable format. Menutes provides data export as a ZIP file containing your JSON profile data, text transcripts, and HTML summaries.
• Restriction: request that we restrict certain processing activities.
• Objection: object to processing based on legitimate interests.
• Withdraw consent: withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at info@menutes.com. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. For users in Estonia, this is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at www.aki.ee.

Menutes uses the following client-side storage mechanisms:

• Session cookies: a NextAuth session token used for authentication. This is an essential cookie required for the Service to function. It expires when your session ends.
• PostHog analytics cookies: used for product analytics and error tracking. PostHog data is processed on EU servers (eu.posthog.com). These cookies help us understand how the Service is used and diagnose issues.
• IndexedDB: used to temporarily buffer audio chunks during recording for crash recovery. Data is automatically cleared after successful upload.
• LocalStorage: stores UI preferences (e.g., sidebar state) and recording state.

We do not use any third-party advertising or marketing cookies. Analytics data collected via PostHog is used solely to improve the Service and is not shared with advertisers.

Menutes is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children.

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice within the application or sending you an email. Continued use of Menutes after changes constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact us at: info@menutes.com

AI Eesti OÜ
Pärnu maakond, Pärnu linn, Pärnu linn, Sillutise tn 1, 80013
Estonia