Privacy Policy
Last Updated: March 7, 2026 · Effective: March 7, 2026
1. Introduction
Streamli9 ("we", "our", "us") is an AI-powered meeting accountability platform operated from India, serving users globally. We are committed to protecting your privacy and handling your data with transparency. This Privacy Policy explains how we collect, use, store, and protect your information when you use our desktop application and related services.
By using Streamli9, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our services.
2. Data We Collect
2.1 Account Information
When you sign in via OAuth (Microsoft or Google), we collect:
- Name and email address (from your Microsoft or Google account)
- Profile picture (if available)
- Authentication tokens for connected services (encrypted at rest)
We do not store your Microsoft or Google account password. Authentication is handled entirely through OAuth 2.0.
2.2 Meeting Data
When you connect Zoom, we access:
- Meeting metadata (title, date, time, duration, participants)
- Meeting transcripts (from Zoom cloud recordings)
- AI-generated meeting summaries (from Zoom)
- Participant information (names, email addresses)
Important: We do not download, store, or access raw audio or video recordings. We only access text-based transcripts and metadata.
2.3 Email Data
When you connect Microsoft Outlook, we access:
- Email threads related to synced meetings only
- Email metadata (sender, subject, timestamp)
- Email body content for status keyword detection (e.g., "done", "blocked", "in progress")
Important: We do not access your entire inbox. We only monitor emails that are directly related to meetings you have synced with Streamli9.
2.4 Action Item Data
From meeting transcripts and email threads, our AI extracts:
- Action items (task descriptions, assigned owners, due dates)
- Status updates and progress tracking
- Dependencies between action items
- Carry-forward history across recurring meetings
2.5 Usage Data
We collect usage data to improve our service:
- App interactions and feature usage (anonymized)
- Token consumption history (1 token = 1 minute of meeting processing)
- Error reports and crash logs (via Sentry)
- Performance metrics
2.6 Payment Information
Payment processing is handled by third-party processors:
- Dodo Payments (Merchant of Record for US, EU, CA, and other global markets)
- Razorpay (India)
We do not store your credit card number, bank account details, or other financial information on our servers. We retain only:
- Last 4 digits of payment card (for display purposes)
- Billing address
- Payment status confirmations
- Transaction history
3. How We Use Your Data
We use the collected data for the following purposes:
- AI-powered action item extraction from meeting transcripts
- Email thread monitoring to detect status updates on action items
- Sending automated reminders and notifications on your behalf
- Tracking dependencies between action items across meetings
- Carrying forward incomplete items across recurring meetings
- Providing the accountability dashboard
- Improving our AI models and service quality
- Providing customer support
- Complying with legal obligations
We do not sell, rent, or share your personal data with third parties for marketing purposes.
3.1 Legal Basis for Processing (GDPR)
| Legal Basis | Data Covered |
|---|---|
| Contract performance | Account data, meeting data, action items, payment data |
| Legitimate interest | Usage data, service improvement, fraud prevention, security |
| Consent | Third-party service connections (Zoom, Microsoft, Google) |
4. AI Processing and Data Handling
4.1 AI Providers
Meeting transcripts are processed by third-party AI services to extract action items:
| Provider | Role | Data Sent | Training Use |
|---|---|---|---|
| Anthropic (Claude) | Primary AI processor | Transcript text, extraction prompts | Not used for training |
| OpenAI (GPT-4o-mini) | Fallback AI processor | Transcript text, extraction prompts | Not used for training (API opt-out) |
- Transcripts are sent for processing and are not retained by the AI provider beyond the processing session.
- We use API endpoints with data retention disabled where available.
- AI providers process data in the United States.
4.2 Bring Your Own AI Key (BYOAI)
If you choose to use your own Anthropic or OpenAI API key:
- Your API key is encrypted and stored securely (AES-256)
- Transcript processing uses your key directly with the AI provider
- Data handling is subject to your own agreement with the AI provider
- We do not have visibility into your API key usage or billing with the provider
4.3 Privacy Model for Action Items
- Meeting hosts can see all action items extracted from meetings they host
- Participants can see only their own action items from meetings they attended
- This privacy model is platform-wide and is not configurable
5. Third-Party Services and Sub-Processors
5.1 User-Connected Services
| Service | Data Accessed | Purpose | Auth |
|---|---|---|---|
| Zoom | Meeting recordings, transcripts, participant data | Meeting sync and action item extraction | OAuth 2.0 |
| Microsoft (Outlook) | Email threads related to synced meetings | Status update detection from email | OAuth 2.0 |
| Google | Account profile, Google Calendar events, Google Meet meeting spaces | User authentication, calendar sync, meeting discovery | OAuth 2.0 |
Each service has its own privacy policy. We encourage you to review them.
5.2 Sub-Processors
| Processor | Purpose | Location |
|---|---|---|
| Render | Application hosting (API), Redis queue processing | United States |
| Neon | Cloud PostgreSQL database | United States |
| Cloudflare | DNS, CDN, desktop app update distribution (R2) | United States |
| Anthropic | AI transcript processing (primary) | United States |
| OpenAI | AI transcript processing (fallback) | United States |
| Dodo Payments | Payment processing — Merchant of Record | United States |
| Razorpay | Payment processing (India) | India |
| Sentry | Error monitoring and crash reporting | United States |
| Resend | Email delivery (notifications, reminders) | United States |
We will notify users of any material changes to this sub-processor list at least 30 days in advance.
6. Google API Services User Data Policy
Streamli9's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, Streamli9:
- Only uses Google user data for the purposes described in this privacy policy and the app's core functionality (meeting discovery, calendar sync, and authentication)
- Does not transfer Google user data to third parties except as necessary to provide or improve the app's core functionality, with user consent, for security purposes, or to comply with applicable laws
- Does not use Google user data for serving advertisements
- Does not allow humans to read Google user data unless: (a) we have your explicit consent, (b) it is necessary for security purposes (e.g., investigating abuse), (c) it is necessary to comply with applicable law, or (d) the data is aggregated and anonymized for internal operations
Google data we access and how we use it:
| Scope | Data Accessed | Purpose |
|---|---|---|
| calendar.readonly | Calendar events (read-only) | Discovering and syncing meetings |
| meetings.space.readonly | Google Meet meeting space metadata (read-only) | Linking meetings with Google Meet sessions |
7. Data Storage and Security
7.1 Encryption
| Layer | Standard |
|---|---|
| Data at rest | AES-256 (all database fields, stored objects) |
| Data in transit | TLS 1.2 or higher (all API calls, webhooks) |
| OAuth tokens | AES-256-GCM with scrypt key derivation (encrypted before database storage) |
| Backups | AES-256 (encrypted database backups) |
7.2 Authentication and Access Controls
- OAuth 2.0 with PKCE (S256) for all third-party integrations (no passwords stored)
- JWT-based session management (access tokens: 15 minutes, refresh tokens: 7 days)
- Token rotation on every refresh
- Rate limiting: 100 requests per minute per user, 1,000 requests per minute per IP
- Failed login lockout: 5 attempts, then 15-minute lockout
- Separate admin authentication with audit logging
7.3 Infrastructure Security
- HTTPS enforced on all endpoints
- Security headers (HSTS, X-Content-Type-Options, X-Frame-Options, CSP, Referrer-Policy, Permissions-Policy)
- Regular security audits and vulnerability assessments
- Automated monitoring and alerting (Sentry)
8. Data Retention
8.1 Retention Periods
| Data Type | Retention Period | User Control |
|---|---|---|
| Account data | Until account deletion | Yes |
| Meeting metadata | Until deleted by user or account deletion | Yes |
| Raw transcripts | 7 days, then automatically deleted | No |
| AI summaries | 7 days, then automatically deleted | No |
| Processed action items | Until deleted by user or account deletion | Yes |
| Token usage logs | 2 years | View only |
| Audit logs | 1 year (anonymized) | No |
| Billing records | 7 years (legal requirement) | No |
| Communication data (support tickets) | 3 years | No |
8.2 After Account Cancellation
| Period | Access Level |
|---|---|
| 0–30 days | Read-only access to your data |
| 30–90 days | Data export available on request |
| 90+ days | All data permanently deleted |
8.3 Account Deletion Process
- You request deletion in Settings > Account > Delete Account
- 7-day grace period during which you can cancel the deletion
- After 7 days: all personal data is permanently deleted
- Confirmation email sent to your registered email address
- Backup purge completed within 30 days
What gets deleted:
- Account data (name, email, profile)
- All meetings and meeting metadata
- All action items and status history
- All transcripts (if still within 7-day window)
- OAuth tokens and connected service data
- Usage history and preferences
What is retained (legal requirements):
- Billing records (7 years, as required by law)
- Audit logs (1 year, anonymized — cannot be linked back to you)
9. Your Rights
| Right | Description | How to Exercise |
|---|---|---|
| Right to Access | Request a copy of all data we hold about you | Settings > Privacy, or email us |
| Right to Portability / Export | Export your data in machine-readable format | Settings > Export Data |
| Right to Deletion | Request complete deletion of your account and data | Settings > Account > Delete Account |
| Right to Rectification | Request correction of inaccurate personal data | Edit profile in Settings, or email us |
| Right to Restrict Processing | Request that we limit how we use your data | Contact us |
| Right to Object | Object to processing for specific purposes | Contact us |
| Right to Withdraw Consent | Disconnect third-party integrations at any time | Settings > Connected Accounts |
| Right to Opt Out | Opt out of marketing communications | Unsubscribe link in emails, or Settings |
9.1 Data Export
You can export all your data in machine-readable format at any time:
- Export includes: Account information, all meetings, all action items, all status updates, and token usage history
- Export format: ZIP file containing JSON and CSV files
- Processing time: Less than 24 hours
- Download availability: 7 days after generation
9.2 Response Timeline
We will respond to all data rights requests within 30 days. If a request is complex, we may extend this by an additional 60 days with notice.
To exercise any of these rights, go to Settings > Privacy in the application, or contact us at privacy@streamli9.com.
10. GDPR Compliance
For users in the European Economic Area (EEA), we comply with the General Data Protection Regulation (GDPR).
10.1 Legal Basis for Processing
- Consent: You provide consent when you sign in and connect third-party services
- Contract: Processing is necessary to provide the services you have subscribed to
- Legitimate interest: To improve our services, prevent fraud, and ensure security
10.2 International Data Transfers
Data may be transferred outside the EEA for processing. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) for EU data transfers, in compliance with GDPR Chapter V.
10.3 Data Protection Officer
For GDPR-related inquiries, you may contact our Data Protection Officer at dpo@streamli9.com.
11. Incident Response and Breach Notification
11.1 Incident Response
We maintain an incident response plan with the following timeline:
| Phase | Timeline |
|---|---|
| Detection and triage | Less than 1 hour |
| Containment | Less than 2 hours |
| Eradication and recovery | Less than 48 hours |
| Post-incident review | Less than 1 week |
11.2 Breach Notification
In the event of a data breach:
| Audience | Timeline | Method |
|---|---|---|
| Supervisory Authority (GDPR) | Within 72 hours | Official notification |
| Affected users | Without undue delay | Email and in-app notification |
| Public (if severe) | As required by law | Website notice |
12. Cookies and Local Storage
Streamli9 is a desktop application and does not use browser cookies. We store minimal local data on your device:
- Authentication tokens (encrypted)
- User preferences and settings
- Application cache
This data is stored securely on your device and is not shared with third parties. You can clear this data by signing out or uninstalling the application.
13. Children's Privacy
Streamli9 is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at privacy@streamli9.com.
14. International Data Transfers
Streamli9 operates from India and uses cloud infrastructure hosted primarily in the United States. Your data may be transferred to and processed in countries other than your country of residence, including:
- United States (primary infrastructure, AI processing, payment processing via Dodo Payments)
- India (operations, payment processing via Razorpay)
We ensure that all international data transfers comply with applicable data protection laws and that appropriate safeguards are in place, including Standard Contractual Clauses where required.
15. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: You may request details about the categories and specific pieces of personal information we have collected
- Right to Delete: You may request deletion of your personal information
- Right to Opt-Out of Sale: We do not sell your personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
To exercise these rights, contact us at privacy@streamli9.com or use the in-app privacy settings.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes at least 30 days before they take effect by:
- Sending a notification through the application
- Sending an email to your registered email address
Your continued use of Streamli9 after the changes take effect constitutes acceptance of the updated policy. The previous version of this policy will be archived and available upon request.
17. Contact Us
| Contact | Purpose | Email |
|---|---|---|
| Privacy Team | Data requests, privacy inquiries | privacy@streamli9.com |
| Data Protection Officer | GDPR and data protection | dpo@streamli9.com |
| Security Team | Vulnerability reports | security@streamli9.com |
| Support | General questions | support@streamli9.com |
Website: www.streamli9.com
© 2026 Streamli9. All rights reserved.