Legal
Privacy Policy
- Last updated
- May 22, 2026
- Version
- v0.1-draft
- Status
- Draft pending legal review
IronMemo helps B2B teams record meetings, generate transcripts, summaries, action items and follow-up emails, search across a knowledge base, and hand work off to the tools their team already uses. This Policy explains what data we process, why we need it, where it is stored, who it may be shared with, and how you can control your data.
This Policy applies to the IronMemo website, the cloud SaaS product, enterprise deployments and related support services, unless a customer contract states otherwise. For enterprise customers, data processing is also governed by the master agreement, the Data Processing Addendum, the order form, workspace settings, and the storage region selected at provisioning.
At a glance
- What data do you process?
- Account data, meeting data, transcripts, AI summaries, action items, integration data, usage logs, support tickets and cookies.
- Why do you need it?
- To deliver the service, process meetings, generate transcripts and summaries, keep the product secure, support customers, run integrations and meet legal obligations.
- Are meetings used to train AI models?
- Customer meeting content is not used to train IronMemo AI models.
[LEGAL-CHECK: Confirm wording against DPA and AI provider contracts.] - Where is data stored?
- Customers pick a cloud region at provisioning: AWS Frankfurt (EU) or AWS Virginia (US). In the self-hosted deployment the data stays inside the customer's infrastructure.
- How do I delete data?
- Workspace admins can delete meetings and export data from settings. To delete an account or an entire workspace, submit a request via
[LINK: privacy request form]or email[PLACEHOLDER: privacy@ironmemo.com].
What data we collect
We only collect data we need to run the service, keep it secure, support customers, power integrations and meet our contractual or legal obligations.
| Category | Examples | Legal basis | Retention |
|---|---|---|---|
| Account data | Name, email, company, role, hashed password, workspace settings, SSO/SCIM identifiers. | Contract; legitimate interest; consent for specific communications. | While the account is active, then [DATA: N days/months] after deletion or contract termination. |
| Meeting data | Audio, video, transcripts, speaker diarization, AI summaries, action items, follow-up emails, meeting metadata, participants, duration, meeting platform. | Contract; legitimate interest; consent where required by law or customer settings. | Until deleted by the workspace admin or up to [DATA: N days] after subscription cancellation. |
| Integration data | OAuth tokens, scopes, workspace IDs, data pulled from CRM / ticket trackers / email / Slack / Notion / Confluence / Jira / Trello / Linear / Bitrix24 / Salesforce / HubSpot / amoCRM. | Contract; legitimate interest. | While the integration is connected, then [DATA: N days] after disconnection or workspace removal. |
| Usage data | Logs, product events, feature usage, IP address, user agent, device / browser data, errors, telemetry, audit logs. | Legitimate interest; contract; legal obligation for some security logs. | [DATA: N days/months], except audit and security logs which may be retained longer. |
| Communications | Support tickets, feedback, threads with sales and customer success, request records, attachments. | Contract; legitimate interest; consent for marketing communications. | For the duration of the conversation, then [DATA: N months/years] for support history. |
| Cookies and tracking | Session cookies, authentication cookies, analytics cookies, cookie preferences, marketing pixels when enabled. | Consent; legitimate interest for strictly necessary cookies. | Per cookie type: session, [DATA: N months], [DATA: N years]. |
How we use data
To deliver the service
We use account, meeting and integration data so IronMemo can join Zoom, Google Meet and Microsoft Teams calls, record meetings, generate transcripts, identify speakers, build summaries, action items and follow-up emails.
We also use this data to index meetings in your knowledge base, power the AI chat and semantic search, and run the integrations you connect.
To act in connected systems
When admins connect integrations, IronMemo can create tickets, update CRM records, send follow-up emails or push data into the tools your team uses every day.
Examples: Jira, Trello, Linear, Bitrix24, Salesforce, HubSpot, amoCRM, Slack, Notion, Gmail and Confluence.
To keep the service secure
We use logs, audit logs, IP addresses, user agents and technical events to detect errors, unauthorized access, abuse, integration failures and suspicious activity.
To improve the product
We analyze aggregated and de-identified usage data to understand which features work well, where errors occur and which parts of the product need investment.
Customer meeting content is not used to train IronMemo AI models. [LEGAL-CHECK: Confirm exact wording with engineering, DPA and AI provider contracts.]
To communicate with you
We use email, name, company and request history to respond to support, send service notices, security alerts, billing notifications and important changes to terms.
Marketing messages are sent only where we have an appropriate basis or your consent.
To meet legal obligations
We may retain and disclose data when required by law, court order, regulatory request, tax rules, contractual obligations or to protect the rights of IronMemo, customers and users.
AI and your data
Customer meeting content is not used to train IronMemo AI models
We do not use customer meeting content to train IronMemo AI models.
Meeting content includes audio, video, transcripts, summaries, action items, follow-up emails, AI chat messages and data pulled in from connected work tools. [LEGAL-CHECK: Replace wording after review. Do not commit to anything stronger than the AI provider contracts allow.]
What AI processing IronMemo runs
| Processing | Input data | Result |
|---|---|---|
| Transcription | Meeting audio, meeting language, speaker metadata. | Text transcript with speaker labels. |
| Summaries | Transcript, meeting structure, workspace settings. | Concise meeting summary. |
| Action items | Transcript, task context, participants. | Task list with owners and due dates. |
| Follow-up emails | Transcript, summary, participants, customer templates. | Draft follow-up email. |
| AI chat and search | Meeting index, transcripts, summaries, user access rights. | Answers grounded in the workspace knowledge base. |
| Meeting analytics | Metadata, talk time, topics, sentiment, coaching signals. | Meeting metrics and recommendations for admins. |
What data may go to AI providers
To run these tasks, IronMemo may send audio fragments, transcripts, prompts, meeting metadata and request identifiers to AI providers.
We only send what is needed for the specific AI task. [LEGAL-CHECK: List concrete AI providers, processing regions, retention, opt-out, zero data retention, logging and training terms.]
What happens after processing
Processing results are stored in the customer workspace: transcripts, summaries, action items, follow-up emails, search index and AI chat history.
Retention depends on workspace settings, the contract, the chosen deployment and the data deletion policy.
DPA for enterprise customers
Enterprise customers can request a Data Processing Addendum that locks down roles, sub-processors, transfer mechanisms, security requirements and customer content processing terms.
[LINK: Data Processing Addendum]
Sharing data with third parties
We share data with third parties only where needed to run the service, hosting, security, billing, support, analytics or to meet legal obligations.
| Category | Provider | Purpose | Data region | Compliance |
|---|---|---|---|---|
| Cloud infrastructure | AWS | Hosting, storage, compute, network, databases. | AWS Frankfurt (EU) or AWS Virginia (US), customer choice. | [DATA: DPA / SCC / SOC reports / security docs] |
| AI transcription provider | [PLACEHOLDER: provider name] | Audio transcription, diarization, language detection. | [DATA: EU / US / other] | [LEGAL-CHECK: retention, training, subprocessors] |
| AI LLM provider | [PLACEHOLDER: provider name] | Summaries, action items, follow-up emails, AI chat. | [DATA: EU / US / other] | [LEGAL-CHECK: enterprise terms, zero data retention, model training terms] |
| Billing | [PLACEHOLDER: billing provider] | Payments, invoices, subscription status, fraud prevention. | [DATA: region] | [DATA: PCI DSS / DPA / SCC] |
| Product analytics | [PLACEHOLDER: analytics provider] | Feature usage, aggregated analytics, errors. | [DATA: region] | [LEGAL-CHECK: cookie consent, data retention, DPA] |
| Support | [PLACEHOLDER: support provider] | User requests, customer support, attachments. | [DATA: region] | [DATA: DPA / SCC / security docs] |
| Email notifications | [PLACEHOLDER: email provider] | Service email, security alerts, product notices. | [DATA: region] | [DATA: DPA / SCC / security docs] |
We do not sell customer meeting content. [LEGAL-CHECK: Confirm wording is acceptable under CCPA/CPRA. A dedicated “Do Not Sell or Share My Personal Information” block may be required.]
Integrations the customer connects
When a customer connects Zoom, Google Meet, Microsoft Teams, Slack, Notion, Gmail, Confluence, Jira, Trello, Linear, Bitrix24, Salesforce, HubSpot, amoCRM or other services, data may flow into those services per workspace admin settings.
This transfer happens on the customer's instruction and depends on access rights, OAuth scopes and integration configuration.
Data storage and deletion
Where data is stored
For the IronMemo cloud SaaS, customers pick the storage region at provisioning:
| Region | Infrastructure | Best for |
|---|---|---|
| EU | AWS Frankfurt | Customers requiring data storage inside the European Union. |
| US | AWS Virginia | Customers requiring data storage inside the United States. |
| Self-hosted | Customer infrastructure | Customers that need to keep data fully inside their own environment. |
Retention periods
| Data category | Default retention | After cancellation |
|---|---|---|
| Account data | While the account is active. | [DATA: N days], unless we have a legal duty to keep it longer. |
| Meeting audio and video | Per workspace settings. | [DATA: N days] after cancellation or admin request. |
| Transcripts and AI summaries | Per workspace settings. | [DATA: N days] after cancellation or admin request. |
| Search index and AI chat | While the workspace is active. | [DATA: N days] after workspace deletion. |
| Integration data | While the integration is connected. | [DATA: N days] after disconnection. |
| Audit logs | Per plan and security requirements. | [DATA: N months/years] if needed for security or compliance export. |
| Billing records | Per tax and accounting requirements. | [DATA: N years]. |
| Support tickets | While needed for support and request history. | [DATA: N months/years]. |
What happens when a subscription is cancelled
Once a subscription is cancelled, access to the workspace may be restricted or moved into an export-only state.
Workspace data is kept for [DATA: 30 / 60 / 90 days] so the admin can export data or restore the subscription.
After that period the data is deleted or anonymized, unless retention is required by law, contract or security measures.
How to request data deletion
Workspace admins can delete individual meetings, transcripts, summaries and integrations from the IronMemo settings.
Full account, workspace or customer data deletion can be requested through these channels:
| Channel | What to do |
|---|---|
[PLACEHOLDER: privacy@ironmemo.com] | |
| Form | [LINK: privacy request form] |
| In-app | Settings → Privacy → Data deletion request |
We may need to verify the identity of the requester or the authority of the workspace admin before deleting data.
Encryption and security
We apply technical and organizational measures to protect customer data.
| Measure | Description |
|---|---|
| Encryption in transit | TLS 1.2+ for data moving between the client, app, API and integrations. |
| Encryption at rest | AES-256 for data stored in the cloud infrastructure. |
| Access control | Roles, workspace-level permissions, SSO, SCIM, least privilege for internal access. |
| Audit logs | User and admin action logs available for security review and compliance export. |
| Data segmentation | Logical separation of customer data at the workspace and tenant level. |
| Key management | [DATA: KMS / HSM / key rotation policy] |
| Monitoring | Security logs, alerts, error tracking and incident review. |
| Export controls | Data export for customers with the appropriate access rights. |
SOC 2 Type II
A SOC 2 Type II audit is in progress.
Planned completion: [DATA: month and year]. [LEGAL-CHECK: Do not display a SOC 2 Type II badge until the audit is complete and the report is in hand.]
Self-hosted deployment
For the self-hosted deployment, IronMemo runs inside the customer's infrastructure via Docker or Kubernetes.
In this mode meeting data, transcripts, indexes, AI processing, logs and integrations are stored and processed inside the customer's environment, unless the contract and deployment architecture specify otherwise.
Your rights
Depending on your country, role and applicable law you may have rights to access, correct, delete, export, restrict or object to the processing of your personal data.
If you use IronMemo through your employer or organization, some of these requests may be routed through the admin of your workspace.
| Right | GDPR | CCPA / CPRA | How to exercise |
|---|---|---|---|
| Access | Art. 15 | Right to know / access | Request a copy of your data via [LINK: privacy request form], email or in-app settings. |
| Correction | Art. 16 | Right to correct | Update the profile in settings or submit a correction request. |
| Deletion | Art. 17 | Right to delete | Delete data in the workspace or submit a deletion request through privacy channels. |
| Portability | Art. 20 | Right to data portability / access | Export data in JSON / CSV where available on your plan. |
| Objection | Art. 21 | Right to opt out of sale / share; right to limit certain uses | Submit a request via email or form. |
| Restriction | Art. 18 | Partial — via restriction of specific processing. | Submit a request via email or form. |
| Withdraw consent | Art. 7 | Consent withdrawal where applicable | Change cookie preferences, unsubscribe from marketing email or submit a request. |
| Non-discrimination | Not a standalone GDPR right in this form. | Right to non-discrimination | We will not discriminate against users for exercising their rights where applicable. |
Response times
We respond to GDPR requests without undue delay and within one month, unless applicable law sets a different deadline.
We respond to CCPA / CPRA requests within 45 calendar days, unless an extension is permitted by law.
Where to send a request
| Channel | Contact |
|---|---|
| Email for privacy questions | [PLACEHOLDER: privacy@ironmemo.com] |
| DPO | [PLACEHOLDER: DPO name / email, if appointed] |
| Request form | [LINK: privacy request form] |
| In-app | Settings → Privacy |
We may request additional information to verify the identity of the user or the authority of the workspace admin.
Meeting recording and participant consent
IronMemo can record meetings on Zoom, Google Meet and Microsoft Teams using native APIs or a bot participant.
The customer is responsible for making sure that meeting recording and participant data processing complies with applicable laws, internal policies and contractual obligations.
Responsibility for consent
The workspace admin and the customer organization are responsible for obtaining any required participant consent.
This includes notifying participants about recording, transcription, AI processing, storage, analysis and any onward transfer of data into connected tools.
Recording notice
By default IronMemo enables a voice or visual recording notice when the meeting platform and workspace settings allow it.
Admins can adjust notices within the available product features and contractual requirements.
Jurisdictions with stricter requirements
Some jurisdictions require consent from all participants before a call can be recorded.
The customer should account for requirements of the country, state, region and industry where the meeting participants are located.
Recording consent guidance
We recommend that workspace admins review our recording consent guide before enabling meeting capture.
[LINK: Recording Consent Guide]
Children
IronMemo is built for organizations and professional teams.
The product is not intended for individuals under 16 under GDPR or under 13 under COPPA.
We do not knowingly collect personal data from children.
If you believe a child has provided personal data to IronMemo, contact us at [PLACEHOLDER: privacy@ironmemo.com]. We will review the request and delete data where required by law.
Changes to this Policy
We may update this Policy as the product, technology, sub-processors, legal requirements or data processing practices change.
For material changes we notify customers by email, in-app notification or other reasonable means at least [DATA: N days] before the change takes effect, unless law or contract requires a different period.
An archive of previous versions is available here:
[LINK: Privacy Policy Archive]
Contacts
If you have questions about privacy, data processing or how to exercise your rights, get in touch.
| Field | Value |
|---|---|
| Legal name | [PLACEHOLDER: legal company name] |
| Address | [PLACEHOLDER: legal address, California, USA] |
| Privacy email | [PLACEHOLDER: privacy@ironmemo.com] |
| DPO | [PLACEHOLDER: DPO contact, if appointed] |
| EU representative | [PLACEHOLDER: EU representative under GDPR Art. 27, if required] |
| Request form | [LINK: privacy request form] |
Right to lodge a complaint
If GDPR applies to you, you can lodge a complaint with the data protection supervisory authority in the country where you live, work or where the alleged infringement took place.