Legal
Privacy Policy
- Effective date
- July 17, 2026
- Version
- 2.0
- Status
- In force
Applies to: the ironmemo.com website, the cloud SaaS product, mobile and desktop apps, the API, enterprise deployments, and support (the "Service").
What this Policy covers
This Privacy Policy describes how IronMemo LLC ("IronMemo", "we", "us") collects, uses, stores, protects, and discloses personal data when you use our Service.
This Policy does not apply to data we process on behalf of corporate customers under enterprise agreements and self-hosted deployments — such processing is governed by separate customer contracts and a Data Processing Addendum (DPA).
By using our Service, you agree to the practices described in this Policy. If you do not agree, do not use the Service.
How we handle your data: principles
Before we get into the details, we want to give direct answers to the questions people ask most often.
- Do we train our models on your data?
- Yes. We use anonymized and aggregated data from processed meetings to improve IronMemo's own AI models — to increase transcription accuracy, summary quality, and task relevance. This makes the Service better for all users.You can opt out of having your data used for model training in your account settings: Settings → Privacy → Model training. For Enterprise plan users, training on customer data is disabled by default.
- Do we sell your data?
- No. We do not sell, share, or license your personal data or meeting content to third parties for their own commercial purposes, advertising, marketing, or training of third-party AI models. Ever.
- Do we share data to train other companies' models?
- No. Your meeting content is not used to train, fine-tune, or improve any third party's AI models. When we send data to AI providers for processing (transcription, summary generation), it happens exclusively through enterprise API modes with a contractual ban on training and minimal or zero data retention (Zero Data Retention).
- Do we keep data longer than needed?
- No. Meeting data is stored while your workspace is active. After a recording is deleted or a subscription is cancelled, data is deleted within 30 days. Audio files uploaded on the free plan without registration are deleted immediately after processing.
- Do we distribute your data?
- No. We do not make meeting content publicly available, index it in search engines, pass it to ad networks, or use it for targeted or behavioral advertising.
How exactly data improves our models
- De-identification. Before data is used for training, participant names, company names, email addresses, phone numbers, and other direct identifiers are removed.
- Aggregation. We work with language patterns, speech structure, acoustic characteristics, and typical recognition errors — not with the content of your conversations.
- Isolation. Training data is stored separately from the Service's operational data and cannot be matched to a specific user or workspace.
- Control. You can opt out at any time. Anonymized data included in training before you opted out cannot be extracted from the trained model, but no new data will be used.
What data we collect
We collect only the data necessary to operate the Service, ensure security, provide support, and meet contractual and legal obligations.
Data you provide
| Category | Examples | Legal basis (GDPR) | Retention |
|---|---|---|---|
| Account data | Name, email, company, role, hashed password, avatar, workspace settings, SSO/SCIM identifiers. | Contract performance (Art. 6(1)(b)); legitimate interest (Art. 6(1)(f)); consent for marketing communications (Art. 6(1)(a)). | While the account is active + 30 days after deletion. |
| Meeting data | Audio recordings, video recordings, transcripts, speaker identification, AI summaries, tasks, follow-up emails, metadata (duration, platform, participant list). | Contract performance; legitimate interest; consent where required by law. | Until deleted by the workspace admin, or 30 days after subscription cancellation. |
| Integration data | OAuth tokens, scopes, workspace IDs, data synced from CRMs, task trackers, messengers. | Contract performance; legitimate interest. | While the integration is connected + 30 days after disconnection. |
| Support requests | Tickets, feedback, correspondence with the support team, attachments. | Contract performance; legitimate interest; consent for marketing. | 3 years after the request is closed. |
Data we receive automatically
| Category | Examples | Legal basis | Retention |
|---|---|---|---|
| Logs and telemetry | IP address, user agent, browser and device type, OS, time zone, country, request date and time, navigation within the Service. | Legitimate interest; contract performance. | 90 days for general logs; 1 year for security and audit logs. |
| Usage data | Which features are used, frequency, errors, performance, response times, product events. | Legitimate interest. | 90 days in identified form; indefinitely in aggregated/anonymized form. |
| Cookies and similar technologies | Session cookies, authentication tokens, analytics cookies, cookie preferences. | Consent for non-essential cookies (Art. 6(1)(a)); legitimate interest for strictly necessary ones (Art. 6(1)(f)). | Session cookies — until the browser is closed; persistent — up to 12 months. |
Data from third-party sources
We may receive data from security partners to prevent fraud and abuse, and from payment systems to process transactions.
How we use data
To provide the Service
Connecting to Zoom, Google Meet, and Microsoft Teams; recording meetings; creating transcripts; detecting language and participants; generating summaries, tasks, and follow-up emails; indexing meetings in the knowledge base; powering AI chat and semantic search; keeping integrations running.
To perform actions in connected systems
If an administrator has connected integrations — creating tasks in trackers, updating CRM records, sending emails, publishing notes to messengers and knowledge bases.
To improve our AI models
We use anonymized and aggregated data from processed meetings to train and improve IronMemo's own models: transcription, diarization, summary generation, language detection, and task extraction.
- What is used: speech patterns, acoustic characteristics, language structures, typical recognition errors, quality statistics.
- What is NOT used: the content of your conversations in identifiable form, names, company names, confidential data.
- How to opt out: Settings → Privacy → Model training. Disabled by default for Enterprise.
See "02. How we handle your data" for details.
To improve the product (without AI training)
Anonymized telemetry and usage logs: which features are used, where errors occur, performance metrics. This data does not contain your meeting content and is used for UX improvements, bug fixes, and feature planning.
To keep the Service secure
Logs, audit logs, IP addresses, user agent — to detect errors, unauthorized access, abuse, integration failures, and suspicious activity.
To communicate with you
Email, name, company, support history — to answer support requests and send service, billing, and security notifications. Marketing messages — only with your consent. Unsubscribing takes one click in every email.
To meet legal obligations
Storing and disclosing data where required by law, a court order, a regulator's request, tax rules, or to protect the rights of IronMemo, our customers, and users.
AI and your data
What AI processing IronMemo performs
| Processing | Input data | Result |
|---|---|---|
| Transcription | Meeting audio, language, participant metadata. | Text transcript with speaker labels. |
| Summary | Transcript, meeting structure, workspace settings. | Concise summary of the meeting. |
| Tasks | Transcript, context, participants. | Task list with owners and due dates. |
| Follow-up emails | Transcript, summary, participants, customer templates. | Draft follow-up email. |
| AI chat and search | Meeting index, transcripts, summaries, access permissions. | Answers from the workspace knowledge base. |
| Meeting analytics | Metadata, talk time, topics, sentiment. | Metrics and recommendations for administrators. |
Learn more about our AI: ironmemo.com/our-ai.
Third-party AI providers
We use third-party AI providers for processing. The set of providers depends on the meeting language and the type of processing. Each of them operates under enterprise (enterprise / API) modes and contractual terms, including:
- No training — your meeting content is not used to train, fine-tune, or improve third-party providers' models.
- Minimal retention — Zero Data Retention (ZDR) where the provider offers it; otherwise a limited retention period not exceeding 30 days, with a ban on using the data.
- API-only transfer — TLS 1.3 encryption, with no data passed to consumer interfaces or open channels.
- Sub-processor role — providers process data strictly under our instructions.
- Regional routing — EU or US, based on the customer's workspace region. For EU workspaces, routing outside the EU/US is disabled at the infrastructure level.
The current list of sub-processors is provided to enterprise customers as part of the DPA and is available on request: privacy@ironmemo.com. When adding a new sub-processor, we notify customers 30 days in advance.
The boundary: what improves IronMemo models — and what doesn't
| Used to train IronMemo models | NOT used |
|---|---|
| Anonymized acoustic patterns | Identifiable audio recordings |
| Aggregated language statistics | Transcripts with names and content |
| Recognition quality metrics | Summaries and tasks |
| Anonymized diarization errors | Follow-up emails |
| AI chat messages | |
| Data from integrations |
Sharing data with third parties
We share data with third parties only where necessary to operate the Service.
| Category | Purpose | Region | Key safeguards |
|---|---|---|---|
| Cloud infrastructure | Hosting, storage, compute, networking, databases. | AWS Frankfurt (EU) or AWS Virginia (US) — customer's choice. | DPA, Standard Contractual Clauses (SCC), encryption at rest and in transit. |
| Transcription AI providers | Audio transcription, diarization, language detection. | EU or US — based on workspace region. | Enterprise API, TLS 1.3, ZDR or limited retention, no-training clause. |
| LLM AI providers | Summaries, tasks, emails, AI chat. | EU or US — based on workspace region. | Enterprise / API terms, ZDR or deletion within 30 days, no-training clause. |
| Billing | Payments, invoices, subscription management, fraud prevention. | Per the payment provider's terms. | PCI DSS, DPA, SCC. |
| Product analytics | Anonymized product events, aggregated statistics, errors. | EU or US — based on workspace region. | Anonymized events only, no meeting content. Cookies are activated with consent. |
| Email notifications | Service emails, security alerts, product notices. | Per the provider's terms, SCC for EU data. | DPA, SCC. |
We do not sell your data or share it for advertising
IronMemo does not "sell" and does not "share" personal data or meeting content within the meaning of the CCPA as amended by the CPRA.
We:
- do not pass data to third parties for targeted or cross-context behavioral advertising;
- do not receive monetary or other valuable consideration for it;
- do not use data for advertising profiling.
When we are required to disclose data
We may disclose personal data:
- when required by law, a court order, or a regulator's request;
- to protect the rights, property, or safety of IronMemo, our users, or third parties;
- to prevent fraud, abuse, or violations of our terms;
- as part of corporate transactions (merger, acquisition, reorganization) — with notice to users.
Integrations the customer connects
If a customer connects Zoom, Google Meet, Teams, Slack, Jira, Salesforce, HubSpot, or other services, data may be transferred to those services according to the workspace administrator's settings. Such transfers are performed on the customer's instructions and are governed by the privacy policies of the respective services.
Data storage and deletion
Where data is stored
| Region | Infrastructure | Best for |
|---|---|---|
| EU | AWS Frankfurt (eu-central-1) | Customers who need an EU storage region. |
| US | AWS Virginia (us-east-1) | Customers who need a US storage region. |
| Self-hosted | Customer infrastructure (Docker / Kubernetes) | Enterprise customers with full control over their data. |
Retention periods
| Data category | Base period | After subscription cancellation |
|---|---|---|
| Account data | While the account is active. | 30 days. |
| Meeting audio and video | Per workspace settings. Auto-deletion can be set to 7, 30, or 90 days, or unlimited storage. | 30 days after cancellation. |
| Transcripts and AI summaries | Per workspace settings. | 30 days after cancellation. |
| Search index and AI chat | While the workspace is active. | 30 days after workspace deletion. |
| Integration data | While the integration is connected. | 30 days after disconnection. |
| Audit logs | 1 year (Standard), 2 years (Business), configurable (Enterprise). | Kept until the configured period expires. |
| Billing records | 5 years (tax and accounting requirements). | 5 years. |
| Support requests | 3 years after closure. | 3 years. |
| Data used for model training | After de-identification and aggregation, the data cannot be matched to a specific user. Kept indefinitely as part of the training dataset. | New data stops being added; already anonymized data remains in the dataset. |
What happens when a subscription is cancelled
- Workspace access switches to read-and-export-only mode for 30 days.
- The administrator can export all data (transcripts, summaries, tasks) to JSON/CSV.
- After 30 days, workspace data is deleted unless we are legally required to keep it.
How to request deletion
| Method | Details |
|---|---|
| In the app | Settings → Privacy → Delete data / Delete account |
| privacy@ironmemo.com — include your account email and your request |
We confirm receipt of the request within 3 business days and complete deletion within 30 days, unless the law requires otherwise. We may ask you to verify your identity before deletion.
Encryption and security
| Measure | Description |
|---|---|
| Encryption in transit | TLS 1.3 for all connections between the client, the app, the API, and integrations. |
| Encryption at rest | AES-256 for all data in the cloud infrastructure. |
| Access control | Role-based model, workspace-level permissions, SSO (SAML 2.0), SCIM provisioning, least-privilege principle for internal access. |
| Audit logs | Logs of user and administrator actions for security review and compliance export. |
| Data segmentation | Logical separation of data at the workspace level with tenant isolation. |
| Key management | AWS KMS with automatic key rotation. |
| Monitoring | Centralized logging, security alerts, error tracking, incident review. |
| Backups | Daily encrypted backups retained for 30 days in the same region. |
| Employee access | IronMemo engineers access customer data only with the customer's permission and only for support purposes. |
Learn more: ironmemo.com/security.
SOC 2 Type II
IronMemo is undergoing a SOC 2 Type II audit. Expected completion date — Q4 2026. Until we receive the final report, we do not claim certification.
The audit status and compliance roadmap are available on request at privacy@ironmemo.com. Once received, the report is provided to enterprise customers under NDA.
Security breach notification
In the event of a confirmed security breach affecting personal data:
- we notify affected customers by email within 72 hours of discovery (in accordance with GDPR Art. 33);
- we notify the relevant supervisory authority within the timeframes required by law;
- we provide a description of the incident, the data affected, the measures taken, and recommendations.
Managing your data
We give you control over how your data is used and stored.
| Control | Where to configure |
|---|---|
| Model training — allow or forbid the use of your data to improve IronMemo models. | Settings → Privacy → Model training |
| Meeting deletion — delete individual recordings, transcripts, summaries. | Dashboard → Meeting → Delete |
| Data export — download transcripts, summaries, tasks in JSON/CSV. | Settings → Privacy → Export data |
| Account deletion — complete deletion of your account and all related data. | Settings → Privacy → Delete account |
| Recording auto-deletion — automatically delete audio files after 7, 30, or 90 days. | Settings → Workspace → Retention |
| Cookie preferences — manage analytics and marketing cookies. | Cookie banner on the website |
| Marketing communications — unsubscribe from emails. | The "Unsubscribe" link in every email |
| Integrations — connect and disconnect third-party services. | Settings → Integrations |
If you opt out of model training, anonymized data previously included in the training dataset cannot be extracted from the trained model. However, no new data will be used.
Your rights
Depending on your country, role, and applicable law, you may have the following rights:
| Right | GDPR | CCPA / CPRA | How to exercise it |
|---|---|---|---|
| Access to data | Art. 15 | Right to know / access | Settings → Privacy → Export data; or email privacy@ironmemo.com |
| Correction | Art. 16 | Right to correct | Edit your profile in Settings or send a request to privacy@ironmemo.com |
| Deletion | Art. 17 | Right to delete | Delete in the workspace or request via privacy@ironmemo.com |
| Portability | Art. 20 | Right to data portability | Export data in JSON/CSV via Settings |
| Objection to processing | Art. 21 | Right to opt-out of sale/share | Settings → Privacy → Model training; or privacy@ironmemo.com |
| Restriction of processing | Art. 18 | Partially applicable | privacy@ironmemo.com |
| Withdrawal of consent | Art. 7 | Consent withdrawal | Cookie preferences; unsubscribe from emails; Settings → Privacy |
| Non-discrimination | — | Right to non-discrimination | We do not discriminate against users for exercising their rights. |
Response times
GDPR: without undue delay, within one month. May be extended by two months for complex requests — with notice.
CCPA / CPRA: within 45 calendar days. May be extended by an additional 45 days — with notice.
Verification
To protect your data, we may ask you to verify your identity before fulfilling a request. If we cannot verify your identity, we will not be able to fulfill the request.
Authorized agents
You may submit a request through an authorized agent. The agent must present written authorization, and we may additionally ask you to verify your identity. Send agent requests to privacy@ironmemo.com.
Appeals
If you disagree with our decision on your request, send an appeal to privacy@ironmemo.com. If the GDPR applies to you, you may also contact the data protection supervisory authority in your country of residence.
Meeting recordings and participant consent
IronMemo records meetings via Zoom, Google Meet, and Microsoft Teams using a bot participant or native APIs.
Responsibility for consent
The workspace administrator and the customer organization are responsible for obtaining meeting participants' consent in accordance with applicable laws, internal policies, and contractual obligations. This includes notifying participants about recording, transcription, AI processing, and storage.
Recording notice
By default, IronMemo enables a visual recording notice (bot name, banner in the meeting platform's interface) where the platform supports it. The administrator can configure notices in workspace settings.
Jurisdictions with stricter requirements
In a number of jurisdictions (California, Germany, Austria, several US states, and others), recording a call requires the consent of all participants. The customer must account for the legal requirements of the countries, regions, and industries where meeting participants are located.
Children
IronMemo is intended for use by organizations and professional teams.
- Minimum age: 16 in the GDPR context, 13 in the COPPA context.
- We do not knowingly collect children's personal data.
- If you believe a child has provided personal data to IronMemo, write to privacy@ironmemo.com. We will review the request and delete the data.
Changes to this Policy
We may update this Policy when the product, technologies, sub-processors, legal requirements, or our data processing practices change.
- Material changes: notice by email and/or in-app notification 30 days before the changes take effect.
- Non-material changes (wording clarifications, contact updates): take effect upon publication of the updated version on this page.
Additional disclosures for US states
Certain US state laws (CCPA/CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and others) require additional disclosures.
| Category of personal data | Use | Disclosure to third parties |
|---|---|---|
| Identifiers (name, email, IP address, device ID) | Providing the Service, security, support, product improvement, communication. | Infrastructure and service vendors, AI providers, government authorities where required by law. |
| Commercial information (transaction history, subscription plan) | Billing, fraud prevention, accounting. | Payment provider, auditors. |
| Internet activity data (logs, feature usage) | Security, product improvement, error diagnostics. | Analytics vendor (anonymized data). |
| User content (meeting recordings, transcripts, summaries) | Providing the Service; improving IronMemo models (when the setting is enabled, in anonymized form). | AI providers (sub-processors) for processing. |
| Geolocation data (country/region by IP) | Security, data region selection. | Not disclosed to third parties. |
We do not "sell" personal data. We do not "share" personal data for cross-context behavioral advertising. We do not process sensitive personal information for purposes that trigger the right to limit.
International data transfers
IronMemo LLC is registered in the State of California, USA. If you are located outside the US, your data may be transferred to and processed in the US or the EU, depending on your chosen workspace region.
Transfer mechanisms (EEA/UK → US)
- Standard Contractual Clauses (SCC) — in place with every sub-processor that processes EU/UK residents' data.
- Data Processing Addendum (DPA) — available to enterprise customers on request at privacy@ironmemo.com.
We apply the safeguards described in this Policy regardless of where the data is processed.
Contact
| Field | Value |
|---|---|
| Legal name | IronMemo LLC |
| Jurisdiction | State of California, USA |
| Privacy email | privacy@ironmemo.com |
| General inquiries | info@ironmemo.com |
Right to contact a supervisory authority
If the GDPR applies to you, you may contact the data protection supervisory authority (Data Protection Authority) in the country of your residence, your place of work, or the alleged violation.
Questions? Write to us: privacy@ironmemo.com