Skip to content
IronMemo

Legal

Privacy Policy

Effective date
July 17, 2026
Version
2.0
Status
In force

Applies to: the ironmemo.com website, the cloud SaaS product, mobile and desktop apps, the API, enterprise deployments, and support (the "Service").

01

What this Policy covers

This Privacy Policy describes how IronMemo LLC ("IronMemo", "we", "us") collects, uses, stores, protects, and discloses personal data when you use our Service.

This Policy does not apply to data we process on behalf of corporate customers under enterprise agreements and self-hosted deployments — such processing is governed by separate customer contracts and a Data Processing Addendum (DPA).

By using our Service, you agree to the practices described in this Policy. If you do not agree, do not use the Service.

02

How we handle your data: principles

Before we get into the details, we want to give direct answers to the questions people ask most often.

Do we train our models on your data?
Yes. We use anonymized and aggregated data from processed meetings to improve IronMemo's own AI models — to increase transcription accuracy, summary quality, and task relevance. This makes the Service better for all users.You can opt out of having your data used for model training in your account settings: Settings → Privacy → Model training. For Enterprise plan users, training on customer data is disabled by default.
Do we sell your data?
No. We do not sell, share, or license your personal data or meeting content to third parties for their own commercial purposes, advertising, marketing, or training of third-party AI models. Ever.
Do we share data to train other companies' models?
No. Your meeting content is not used to train, fine-tune, or improve any third party's AI models. When we send data to AI providers for processing (transcription, summary generation), it happens exclusively through enterprise API modes with a contractual ban on training and minimal or zero data retention (Zero Data Retention).
Do we keep data longer than needed?
No. Meeting data is stored while your workspace is active. After a recording is deleted or a subscription is cancelled, data is deleted within 30 days. Audio files uploaded on the free plan without registration are deleted immediately after processing.
Do we distribute your data?
No. We do not make meeting content publicly available, index it in search engines, pass it to ad networks, or use it for targeted or behavioral advertising.

How exactly data improves our models

  1. De-identification. Before data is used for training, participant names, company names, email addresses, phone numbers, and other direct identifiers are removed.
  2. Aggregation. We work with language patterns, speech structure, acoustic characteristics, and typical recognition errors — not with the content of your conversations.
  3. Isolation. Training data is stored separately from the Service's operational data and cannot be matched to a specific user or workspace.
  4. Control. You can opt out at any time. Anonymized data included in training before you opted out cannot be extracted from the trained model, but no new data will be used.
03

What data we collect

We collect only the data necessary to operate the Service, ensure security, provide support, and meet contractual and legal obligations.

Data you provide

CategoryExamplesLegal basis (GDPR)Retention
Account dataName, email, company, role, hashed password, avatar, workspace settings, SSO/SCIM identifiers.Contract performance (Art. 6(1)(b)); legitimate interest (Art. 6(1)(f)); consent for marketing communications (Art. 6(1)(a)).While the account is active + 30 days after deletion.
Meeting dataAudio recordings, video recordings, transcripts, speaker identification, AI summaries, tasks, follow-up emails, metadata (duration, platform, participant list).Contract performance; legitimate interest; consent where required by law.Until deleted by the workspace admin, or 30 days after subscription cancellation.
Integration dataOAuth tokens, scopes, workspace IDs, data synced from CRMs, task trackers, messengers.Contract performance; legitimate interest.While the integration is connected + 30 days after disconnection.
Support requestsTickets, feedback, correspondence with the support team, attachments.Contract performance; legitimate interest; consent for marketing.3 years after the request is closed.

Data we receive automatically

CategoryExamplesLegal basisRetention
Logs and telemetryIP address, user agent, browser and device type, OS, time zone, country, request date and time, navigation within the Service.Legitimate interest; contract performance.90 days for general logs; 1 year for security and audit logs.
Usage dataWhich features are used, frequency, errors, performance, response times, product events.Legitimate interest.90 days in identified form; indefinitely in aggregated/anonymized form.
Cookies and similar technologiesSession cookies, authentication tokens, analytics cookies, cookie preferences.Consent for non-essential cookies (Art. 6(1)(a)); legitimate interest for strictly necessary ones (Art. 6(1)(f)).Session cookies — until the browser is closed; persistent — up to 12 months.

Data from third-party sources

We may receive data from security partners to prevent fraud and abuse, and from payment systems to process transactions.

04

How we use data

To provide the Service

Connecting to Zoom, Google Meet, and Microsoft Teams; recording meetings; creating transcripts; detecting language and participants; generating summaries, tasks, and follow-up emails; indexing meetings in the knowledge base; powering AI chat and semantic search; keeping integrations running.

To perform actions in connected systems

If an administrator has connected integrations — creating tasks in trackers, updating CRM records, sending emails, publishing notes to messengers and knowledge bases.

To improve our AI models

We use anonymized and aggregated data from processed meetings to train and improve IronMemo's own models: transcription, diarization, summary generation, language detection, and task extraction.

  • What is used: speech patterns, acoustic characteristics, language structures, typical recognition errors, quality statistics.
  • What is NOT used: the content of your conversations in identifiable form, names, company names, confidential data.
  • How to opt out: Settings → Privacy → Model training. Disabled by default for Enterprise.

See "02. How we handle your data" for details.

To improve the product (without AI training)

Anonymized telemetry and usage logs: which features are used, where errors occur, performance metrics. This data does not contain your meeting content and is used for UX improvements, bug fixes, and feature planning.

To keep the Service secure

Logs, audit logs, IP addresses, user agent — to detect errors, unauthorized access, abuse, integration failures, and suspicious activity.

To communicate with you

Email, name, company, support history — to answer support requests and send service, billing, and security notifications. Marketing messages — only with your consent. Unsubscribing takes one click in every email.

To meet legal obligations

Storing and disclosing data where required by law, a court order, a regulator's request, tax rules, or to protect the rights of IronMemo, our customers, and users.

05

AI and your data

What AI processing IronMemo performs

ProcessingInput dataResult
TranscriptionMeeting audio, language, participant metadata.Text transcript with speaker labels.
SummaryTranscript, meeting structure, workspace settings.Concise summary of the meeting.
TasksTranscript, context, participants.Task list with owners and due dates.
Follow-up emailsTranscript, summary, participants, customer templates.Draft follow-up email.
AI chat and searchMeeting index, transcripts, summaries, access permissions.Answers from the workspace knowledge base.
Meeting analyticsMetadata, talk time, topics, sentiment.Metrics and recommendations for administrators.

Learn more about our AI: ironmemo.com/our-ai.

Third-party AI providers

We use third-party AI providers for processing. The set of providers depends on the meeting language and the type of processing. Each of them operates under enterprise (enterprise / API) modes and contractual terms, including:

  • No training — your meeting content is not used to train, fine-tune, or improve third-party providers' models.
  • Minimal retention — Zero Data Retention (ZDR) where the provider offers it; otherwise a limited retention period not exceeding 30 days, with a ban on using the data.
  • API-only transfer — TLS 1.3 encryption, with no data passed to consumer interfaces or open channels.
  • Sub-processor role — providers process data strictly under our instructions.
  • Regional routing — EU or US, based on the customer's workspace region. For EU workspaces, routing outside the EU/US is disabled at the infrastructure level.

The current list of sub-processors is provided to enterprise customers as part of the DPA and is available on request: privacy@ironmemo.com. When adding a new sub-processor, we notify customers 30 days in advance.

The boundary: what improves IronMemo models — and what doesn't

Used to train IronMemo modelsNOT used
Anonymized acoustic patternsIdentifiable audio recordings
Aggregated language statisticsTranscripts with names and content
Recognition quality metricsSummaries and tasks
Anonymized diarization errorsFollow-up emails
AI chat messages
Data from integrations
06

Sharing data with third parties

We share data with third parties only where necessary to operate the Service.

CategoryPurposeRegionKey safeguards
Cloud infrastructureHosting, storage, compute, networking, databases.AWS Frankfurt (EU) or AWS Virginia (US) — customer's choice.DPA, Standard Contractual Clauses (SCC), encryption at rest and in transit.
Transcription AI providersAudio transcription, diarization, language detection.EU or US — based on workspace region.Enterprise API, TLS 1.3, ZDR or limited retention, no-training clause.
LLM AI providersSummaries, tasks, emails, AI chat.EU or US — based on workspace region.Enterprise / API terms, ZDR or deletion within 30 days, no-training clause.
BillingPayments, invoices, subscription management, fraud prevention.Per the payment provider's terms.PCI DSS, DPA, SCC.
Product analyticsAnonymized product events, aggregated statistics, errors.EU or US — based on workspace region.Anonymized events only, no meeting content. Cookies are activated with consent.
Email notificationsService emails, security alerts, product notices.Per the provider's terms, SCC for EU data.DPA, SCC.

We do not sell your data or share it for advertising

IronMemo does not "sell" and does not "share" personal data or meeting content within the meaning of the CCPA as amended by the CPRA.

We:

  • do not pass data to third parties for targeted or cross-context behavioral advertising;
  • do not receive monetary or other valuable consideration for it;
  • do not use data for advertising profiling.

When we are required to disclose data

We may disclose personal data:

  • when required by law, a court order, or a regulator's request;
  • to protect the rights, property, or safety of IronMemo, our users, or third parties;
  • to prevent fraud, abuse, or violations of our terms;
  • as part of corporate transactions (merger, acquisition, reorganization) — with notice to users.

Integrations the customer connects

If a customer connects Zoom, Google Meet, Teams, Slack, Jira, Salesforce, HubSpot, or other services, data may be transferred to those services according to the workspace administrator's settings. Such transfers are performed on the customer's instructions and are governed by the privacy policies of the respective services.

07

Data storage and deletion

Where data is stored

RegionInfrastructureBest for
EUAWS Frankfurt (eu-central-1)Customers who need an EU storage region.
USAWS Virginia (us-east-1)Customers who need a US storage region.
Self-hostedCustomer infrastructure (Docker / Kubernetes)Enterprise customers with full control over their data.

Retention periods

Data categoryBase periodAfter subscription cancellation
Account dataWhile the account is active.30 days.
Meeting audio and videoPer workspace settings. Auto-deletion can be set to 7, 30, or 90 days, or unlimited storage.30 days after cancellation.
Transcripts and AI summariesPer workspace settings.30 days after cancellation.
Search index and AI chatWhile the workspace is active.30 days after workspace deletion.
Integration dataWhile the integration is connected.30 days after disconnection.
Audit logs1 year (Standard), 2 years (Business), configurable (Enterprise).Kept until the configured period expires.
Billing records5 years (tax and accounting requirements).5 years.
Support requests3 years after closure.3 years.
Data used for model trainingAfter de-identification and aggregation, the data cannot be matched to a specific user. Kept indefinitely as part of the training dataset.New data stops being added; already anonymized data remains in the dataset.

What happens when a subscription is cancelled

  1. Workspace access switches to read-and-export-only mode for 30 days.
  2. The administrator can export all data (transcripts, summaries, tasks) to JSON/CSV.
  3. After 30 days, workspace data is deleted unless we are legally required to keep it.

How to request deletion

MethodDetails
In the appSettings → Privacy → Delete data / Delete account
Emailprivacy@ironmemo.com — include your account email and your request

We confirm receipt of the request within 3 business days and complete deletion within 30 days, unless the law requires otherwise. We may ask you to verify your identity before deletion.

08

Encryption and security

MeasureDescription
Encryption in transitTLS 1.3 for all connections between the client, the app, the API, and integrations.
Encryption at restAES-256 for all data in the cloud infrastructure.
Access controlRole-based model, workspace-level permissions, SSO (SAML 2.0), SCIM provisioning, least-privilege principle for internal access.
Audit logsLogs of user and administrator actions for security review and compliance export.
Data segmentationLogical separation of data at the workspace level with tenant isolation.
Key managementAWS KMS with automatic key rotation.
MonitoringCentralized logging, security alerts, error tracking, incident review.
BackupsDaily encrypted backups retained for 30 days in the same region.
Employee accessIronMemo engineers access customer data only with the customer's permission and only for support purposes.

Learn more: ironmemo.com/security.

SOC 2 Type II

IronMemo is undergoing a SOC 2 Type II audit. Expected completion date — Q4 2026. Until we receive the final report, we do not claim certification.

The audit status and compliance roadmap are available on request at privacy@ironmemo.com. Once received, the report is provided to enterprise customers under NDA.

Security breach notification

In the event of a confirmed security breach affecting personal data:

  • we notify affected customers by email within 72 hours of discovery (in accordance with GDPR Art. 33);
  • we notify the relevant supervisory authority within the timeframes required by law;
  • we provide a description of the incident, the data affected, the measures taken, and recommendations.
09

Managing your data

We give you control over how your data is used and stored.

ControlWhere to configure
Model training — allow or forbid the use of your data to improve IronMemo models.Settings → Privacy → Model training
Meeting deletion — delete individual recordings, transcripts, summaries.Dashboard → Meeting → Delete
Data export — download transcripts, summaries, tasks in JSON/CSV.Settings → Privacy → Export data
Account deletion — complete deletion of your account and all related data.Settings → Privacy → Delete account
Recording auto-deletion — automatically delete audio files after 7, 30, or 90 days.Settings → Workspace → Retention
Cookie preferences — manage analytics and marketing cookies.Cookie banner on the website
Marketing communications — unsubscribe from emails.The "Unsubscribe" link in every email
Integrations — connect and disconnect third-party services.Settings → Integrations

If you opt out of model training, anonymized data previously included in the training dataset cannot be extracted from the trained model. However, no new data will be used.

10

Your rights

Depending on your country, role, and applicable law, you may have the following rights:

RightGDPRCCPA / CPRAHow to exercise it
Access to dataArt. 15Right to know / accessSettings → Privacy → Export data; or email privacy@ironmemo.com
CorrectionArt. 16Right to correctEdit your profile in Settings or send a request to privacy@ironmemo.com
DeletionArt. 17Right to deleteDelete in the workspace or request via privacy@ironmemo.com
PortabilityArt. 20Right to data portabilityExport data in JSON/CSV via Settings
Objection to processingArt. 21Right to opt-out of sale/shareSettings → Privacy → Model training; or privacy@ironmemo.com
Restriction of processingArt. 18Partially applicableprivacy@ironmemo.com
Withdrawal of consentArt. 7Consent withdrawalCookie preferences; unsubscribe from emails; Settings → Privacy
Non-discriminationRight to non-discriminationWe do not discriminate against users for exercising their rights.

Response times

GDPR: without undue delay, within one month. May be extended by two months for complex requests — with notice.

CCPA / CPRA: within 45 calendar days. May be extended by an additional 45 days — with notice.

Verification

To protect your data, we may ask you to verify your identity before fulfilling a request. If we cannot verify your identity, we will not be able to fulfill the request.

Authorized agents

You may submit a request through an authorized agent. The agent must present written authorization, and we may additionally ask you to verify your identity. Send agent requests to privacy@ironmemo.com.

Appeals

If you disagree with our decision on your request, send an appeal to privacy@ironmemo.com. If the GDPR applies to you, you may also contact the data protection supervisory authority in your country of residence.

11

Cookies

IronMemo uses cookies and similar technologies.

TypePurposeBasisCan be disabled?Lifetime
Strictly necessaryAuthentication, session, security, CSRF protection, cookie preferences.Legitimate interest; contract performance.No.Session — until the browser is closed; persistent — up to 12 months.
FunctionalLanguage, region, interface settings.Consent or legitimate interest.Yes.Up to 12 months.
AnalyticsUnderstanding site usage, errors, aggregated statistics.Consent.Yes.Up to 12 months.
MarketingCampaign measurement, attribution. Activated only with explicit consent.Consent.Yes.Up to 12 months.

How to manage cookies

  • Cookie banner on your first visit to the site — choose which cookie categories to allow.
  • Browser settings — restrict or block cookies. Some features may not work correctly without strictly necessary cookies.
12

Meeting recordings and participant consent

IronMemo records meetings via Zoom, Google Meet, and Microsoft Teams using a bot participant or native APIs.

Responsibility for consent

The workspace administrator and the customer organization are responsible for obtaining meeting participants' consent in accordance with applicable laws, internal policies, and contractual obligations. This includes notifying participants about recording, transcription, AI processing, and storage.

Recording notice

By default, IronMemo enables a visual recording notice (bot name, banner in the meeting platform's interface) where the platform supports it. The administrator can configure notices in workspace settings.

Jurisdictions with stricter requirements

In a number of jurisdictions (California, Germany, Austria, several US states, and others), recording a call requires the consent of all participants. The customer must account for the legal requirements of the countries, regions, and industries where meeting participants are located.

13

Children

IronMemo is intended for use by organizations and professional teams.

  • Minimum age: 16 in the GDPR context, 13 in the COPPA context.
  • We do not knowingly collect children's personal data.
  • If you believe a child has provided personal data to IronMemo, write to privacy@ironmemo.com. We will review the request and delete the data.
14

Changes to this Policy

We may update this Policy when the product, technologies, sub-processors, legal requirements, or our data processing practices change.

  • Material changes: notice by email and/or in-app notification 30 days before the changes take effect.
  • Non-material changes (wording clarifications, contact updates): take effect upon publication of the updated version on this page.
15

Additional disclosures for US states

Certain US state laws (CCPA/CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and others) require additional disclosures.

Category of personal dataUseDisclosure to third parties
Identifiers (name, email, IP address, device ID)Providing the Service, security, support, product improvement, communication.Infrastructure and service vendors, AI providers, government authorities where required by law.
Commercial information (transaction history, subscription plan)Billing, fraud prevention, accounting.Payment provider, auditors.
Internet activity data (logs, feature usage)Security, product improvement, error diagnostics.Analytics vendor (anonymized data).
User content (meeting recordings, transcripts, summaries)Providing the Service; improving IronMemo models (when the setting is enabled, in anonymized form).AI providers (sub-processors) for processing.
Geolocation data (country/region by IP)Security, data region selection.Not disclosed to third parties.

We do not "sell" personal data. We do not "share" personal data for cross-context behavioral advertising. We do not process sensitive personal information for purposes that trigger the right to limit.

16

International data transfers

IronMemo LLC is registered in the State of California, USA. If you are located outside the US, your data may be transferred to and processed in the US or the EU, depending on your chosen workspace region.

Transfer mechanisms (EEA/UK → US)

  • Standard Contractual Clauses (SCC) — in place with every sub-processor that processes EU/UK residents' data.
  • Data Processing Addendum (DPA) — available to enterprise customers on request at privacy@ironmemo.com.

We apply the safeguards described in this Policy regardless of where the data is processed.

17

Contact

FieldValue
Legal nameIronMemo LLC
JurisdictionState of California, USA
Privacy emailprivacy@ironmemo.com
General inquiriesinfo@ironmemo.com

Right to contact a supervisory authority

If the GDPR applies to you, you may contact the data protection supervisory authority (Data Protection Authority) in the country of your residence, your place of work, or the alleged violation.

Questions? Write to us: privacy@ironmemo.com