Privacy Policy
Version 2.4 · Last Updated: April 9, 2026 · Effective: April 9, 2026
1. Introduction
Streamli9 ("we", "our", "us") is an AI-powered meeting accountability platform operated from India, serving users globally. We are committed to protecting your privacy and handling your data with transparency. This Privacy Policy explains how we collect, use, store, and protect your information when you use our desktop application and related services.
By using Streamli9, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our services.
2. Data We Collect
2.1 Account Information
When you sign in via OAuth (Microsoft or Google), we collect:
- Name and email address (from your Microsoft or Google account)
- Profile picture (if available)
- Authentication tokens for connected services (encrypted at rest)
We do not store your Microsoft or Google account password. Authentication is handled entirely through OAuth 2.0.
2.2 Meeting Data
When you connect meeting platforms, we access:
- Meeting metadata (title, date, time, duration, participants)
- Meeting transcripts (from cloud recordings or connected transcript tools)
- AI-generated meeting summaries (where available)
- Participant information (names, email addresses)
The following platforms are supported:
| Platform | Data Accessed |
|---|---|
| Zoom | Meeting metadata, cloud recording transcripts, AI summaries, participants |
| Microsoft Teams | Meeting metadata, transcripts (via Microsoft Graph API) |
| Google Meet | Meeting metadata, transcripts |
Important: We do not download, store, or access raw audio or video recordings. We only access text-based transcripts and metadata.
2.3 Email Data
When you connect email services, we access:
| Service | Data Accessed | Purpose |
|---|---|---|
| Microsoft Outlook | Email threads related to synced meetings, email metadata, email body content | Status keyword detection (e.g., "done", "blocked", "in progress") |
| Gmail | Email threads related to synced meetings, email metadata, email body content | Status keyword detection and meeting-related email threading |
Important: We do not access your entire inbox. We only monitor emails that are directly related to meetings you have synced with Streamli9.
2.4 Action Item Data
From meeting transcripts and email threads, our AI extracts:
- Action items (task descriptions, assigned owners, due dates)
- Status updates and progress tracking
- Dependencies between action items
- Carry-forward history across recurring meetings
Additionally, you may create personal action items by:
- Typing or pasting text for AI extraction
- Uploading documents (PDF, DOCX, TXT) for AI extraction
- Uploading images for OCR-based AI extraction
Personal items are processed by the same AI providers listed in Section 4.1 and stored alongside meeting-extracted items.
2.5 Messaging and Channel Monitoring Data
When you connect messaging platforms, we access:
| Service | Data Accessed | Purpose |
|---|---|---|
| Slack | Messages in monitored channels only, channel metadata | Detect action items mentioned in Slack conversations |
| Microsoft Teams (Bot) | Messages in configured conversations | Deliver notifications and detect action item updates |
Channel monitoring is opt-in: you explicitly select which Slack or Teams channels to monitor. We do not scan all channels or private messages. Only messages in channels you have explicitly configured are processed.
2.6 Third-Party Transcript Tool Data
When you connect third-party transcript tools, we access meeting transcripts and metadata from those services:
| Tool | Data Accessed |
|---|---|
| Fireflies | Meeting transcripts and metadata |
| Grain | Meeting transcripts and metadata |
| tl;dv | Meeting transcripts and metadata |
| Otter.ai | Meeting transcripts via webhook |
| Read AI | Meeting transcripts via webhook |
| Avoma | Meeting transcripts and metadata |
These connections are user-initiated. We only access data from meetings processed by the connected tool.
2.7 Usage Data
We collect usage data to improve our service:
- App interactions and feature usage (anonymized)
- Token consumption history (1 token = 1 minute of meeting processing)
- Error reports and crash logs (via Sentry)
- Performance metrics
2.8 Payment Information
Payment processing is handled by third-party processors:
- Dodo Payments (Merchant of Record for US, EU, CA, and other global markets)
- Razorpay (India)
We do not store your credit card number, bank account details, or other financial information on our servers. We retain only:
- Last 4 digits of payment card (for display purposes)
- Billing address
- Payment status confirmations
- Transaction history
3. How We Use Your Data
We use the collected data for the following purposes:
- AI-powered action item extraction from meeting transcripts
- Email thread monitoring to detect status updates on action items
- Sending automated reminders and notifications on your behalf
- Tracking dependencies between action items across meetings
- Carrying forward incomplete items across recurring meetings
- Providing the accountability dashboard
- Improving our AI models and service quality
- Providing customer support
- Complying with legal obligations
We do not sell, rent, or share your personal data with third parties for marketing purposes.
3.1 Legal Basis for Processing (GDPR)
| Legal Basis | Data Covered |
|---|---|
| Contract performance | Account data, meeting data, action items, payment data |
| Legitimate interest | Usage data, service improvement, fraud prevention, security |
| Consent | Third-party service connections (Zoom, Microsoft, Google) |
4. AI Processing and Data Handling
4.1 AI Providers
Meeting transcripts are processed by third-party AI services to extract action items:
| Provider | Role | Data Sent | Training Use |
|---|---|---|---|
| Anthropic (Claude) | Primary AI processor | Transcript text, extraction prompts | Not used for training |
| OpenAI (GPT-4o-mini) | Fallback AI processor | Transcript text, extraction prompts | Not used for training (API opt-out) |
- Transcripts are sent for processing and are not retained by the AI provider beyond the processing session.
- We use API endpoints with data retention disabled where available.
- AI providers process data in the United States.
4.2 Bring Your Own AI Key (BYOAI)
If you choose to use your own Anthropic or OpenAI API key:
- Your API key is encrypted and stored securely (AES-256)
- Transcript processing uses your key directly with the AI provider
- Data handling is subject to your own agreement with the AI provider
- We do not have visibility into your API key usage or billing with the provider
4.3 Privacy Model for Action Items
- Meeting hosts can see all action items extracted from meetings they host
- Participants can see only their own action items from meetings they attended
- This privacy model is platform-wide and is not configurable
5. Third-Party Services and Sub-Processors
5.1 User-Connected Services
| Service | Data Accessed | Purpose | Auth |
|---|---|---|---|
| Zoom | Meeting recordings, transcripts, summaries, participant data | Meeting sync and action item extraction | OAuth 2.0 with PKCE |
| Microsoft (Outlook, Teams) | Calendar events, email threads, Teams meeting transcripts | Meeting discovery, status detection, Teams sync | OAuth 2.0 |
| Google (Gmail, Google Meet) | Calendar events, email threads, Google Meet transcripts | Meeting discovery, status detection, Meet sync | OAuth 2.0 |
| Slack | Channel messages (monitored channels only), channel metadata | Action item detection, bot notifications | OAuth 2.0 |
| Microsoft Teams Bot | Conversation messages (configured conversations only) | Bot notifications and action item updates | Bot Framework |
| Fireflies | Meeting transcripts and metadata | Third-party transcript import | API key |
| Grain | Meeting transcripts and metadata | Third-party transcript import | API key |
| tl;dv | Meeting transcripts and metadata | Third-party transcript import | API key |
| Otter.ai | Meeting transcripts (via webhook) | Third-party transcript import | Webhook |
| Read AI | Meeting transcripts (via webhook) | Third-party transcript import | Webhook |
| Avoma | Meeting transcripts and metadata | Third-party transcript import | API key |
Each service has its own privacy policy. We encourage you to review them.
5.2 Sub-Processors
| Processor | Purpose | Location |
|---|---|---|
| Render | Application hosting (API), Redis queue processing | United States |
| Neon | Cloud PostgreSQL database | United States |
| Cloudflare | DNS, CDN, desktop app update distribution (R2) | United States |
| Anthropic | AI transcript processing (primary) | United States |
| OpenAI | AI transcript processing (fallback) | United States |
| Dodo Payments | Payment processing (Merchant of Record) | United States |
| Razorpay | Payment processing (India) | India |
| Sentry | Error monitoring and crash reporting | United States |
| Resend | Email delivery (notifications, reminders) | United States |
We will notify users of any material changes to this sub-processor list at least 30 days in advance.
6. Google API Services User Data Policy
Streamli9's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, Streamli9:
- Only uses Google user data for the purposes described in this privacy policy and the app's core functionality (meeting discovery, calendar sync, and authentication)
- Does not transfer Google user data to third parties except as necessary to provide or improve the app's core functionality, with user consent, for security purposes, or to comply with applicable laws
- Does not use Google user data for serving advertisements
- Does not allow humans to read Google user data unless: (a) we have your explicit consent, (b) it is necessary for security purposes (e.g., investigating abuse), (c) it is necessary to comply with applicable law, or (d) the data is aggregated and anonymized for internal operations
Google data we access and how we use it:
| Scope | Data Accessed | Purpose |
|---|---|---|
| calendar.readonly | Calendar events (read-only) | Discovering and syncing meetings |
| meetings.space.readonly | Google Meet meeting space metadata (read-only) | Linking meetings with Google Meet sessions |
7. Data Storage and Security
7.1 Encryption
| Layer | Standard |
|---|---|
| Data at rest | AES-256 (all database fields, stored objects) |
| Data in transit | TLS 1.2 or higher (all API calls, webhooks) |
| OAuth tokens | AES-256-GCM with scrypt key derivation (encrypted before database storage) |
| Backups | AES-256 (encrypted database backups) |
7.2 Authentication and Access Controls
- OAuth 2.0 with PKCE (S256) for all third-party integrations (no passwords stored)
- JWT-based session management (access tokens: 15 minutes, refresh tokens: 7 days)
- Token rotation on every refresh
- Rate limiting: 100 requests per minute per user, 1,000 requests per minute per IP
- Failed login lockout: 5 attempts, then 15-minute lockout
- Separate admin authentication with audit logging
7.3 Infrastructure Security
- HTTPS enforced on all endpoints
- Security headers (HSTS, X-Content-Type-Options, X-Frame-Options, CSP, Referrer-Policy, Permissions-Policy)
- Regular security audits and vulnerability assessments
- Automated monitoring and alerting (Sentry)
8. Data Retention
8.1 Retention Periods
| Data Type | Retention Period | User Control |
|---|---|---|
| Account data | Until account deletion | Yes |
| Meeting metadata | Until deleted by user or account deletion | Yes |
| Raw transcripts | 7 days, then automatically deleted | No |
| AI summaries | 7 days, then automatically deleted | No |
| Processed action items | Until deleted by user or account deletion | Yes |
| Personal action items | Until deleted by user or account deletion | Yes |
| Channel monitoring detections | Until deleted by user or account deletion | Yes |
| Token usage logs | 2 years | View only |
| Audit logs | 1 year (anonymized) | No |
| Billing records | 7 years (legal requirement) | No |
| Communication data (support tickets) | 3 years | No |
8.2 After Account Cancellation
| Period | Access Level |
|---|---|
| 0–30 days | Read-only access to your data |
| 30–90 days | Data export available on request |
| 90+ days | All data permanently deleted |
8.3 Account Deletion Process
- You request deletion in Settings > Account > Delete Account
- 30-day grace period during which you can cancel the deletion
- After 30 days: all personal data is permanently deleted
- Confirmation email sent to your registered email address
- Backup purge completed within 30 days of deletion
What gets deleted:
- Account data (name, email, profile)
- All meetings and meeting metadata
- All action items (meeting-extracted and personal) and status history
- All transcripts (if still within 7-day window)
- OAuth tokens and connected service data
- Slack and Teams Bot connections and channel monitoring configurations
- Usage history and preferences
What is retained (legal requirements):
- Billing records (7 years, as required by law), stored with internal ID reference only, no personally identifiable information retained
- Audit logs (1 year, anonymized, cannot be linked back to you)
9. Your Rights
| Right | Description | How to Exercise |
|---|---|---|
| Right to Access | Request a copy of all data we hold about you | Settings > Privacy, or email us |
| Right to Portability / Export | Export your data in machine-readable format | Settings > Export Data |
| Right to Deletion | Request complete deletion of your account and data | Settings > Account > Delete Account |
| Right to Rectification | Request correction of inaccurate personal data | Edit profile in Settings, or email us |
| Right to Restrict Processing | Request that we limit how we use your data | Contact us |
| Right to Object | Object to processing for specific purposes | Contact us |
| Right to Withdraw Consent | Disconnect third-party integrations at any time | Settings > Connected Accounts |
| Right to Opt Out | Opt out of marketing communications | Unsubscribe link in emails, or Settings |
9.1 Data Export
You can export all your data in machine-readable format at any time:
- Export includes: Account information, all meetings, all action items, all status updates, and token usage history
- Export format: ZIP file containing JSON and CSV files
- Processing time: Less than 24 hours
- Download availability: 7 days after generation
9.2 Response Timeline
We will respond to all data rights requests within 30 days. If a request is complex, we may extend this by an additional 60 days with notice.
To exercise any of these rights, go to Settings > Privacy in the application, or contact us at privacy@streamli9.com.
10. GDPR Compliance
For users in the European Economic Area (EEA), we comply with the General Data Protection Regulation (GDPR).
10.1 Legal Basis for Processing
- Consent: You provide consent when you sign in and connect third-party services
- Contract: Processing is necessary to provide the services you have subscribed to
- Legitimate interest: To improve our services, prevent fraud, and ensure security
10.2 International Data Transfers
Data may be transferred outside the EEA for processing. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) for EU data transfers, in compliance with GDPR Chapter V.
10.3 Data Protection Officer
For GDPR-related inquiries, you may contact our Data Protection Officer at dpo@streamli9.com.
11. Incident Response and Breach Notification
11.1 Incident Response
We maintain an incident response plan with the following timeline:
| Phase | Timeline |
|---|---|
| Detection and triage | Less than 1 hour |
| Containment | Less than 2 hours |
| Eradication and recovery | Less than 48 hours |
| Post-incident review | Less than 1 week |
11.2 Breach Notification
In the event of a data breach:
| Audience | Timeline | Method |
|---|---|---|
| Supervisory Authority (GDPR) | Within 72 hours | Official notification |
| Affected users | Without undue delay | Email and in-app notification |
| Public (if severe) | As required by law | Website notice |
12. Cookies and Local Storage
Streamli9 is a desktop application and does not use browser cookies. We store minimal local data on your device:
- Authentication tokens (encrypted)
- User preferences and settings
- Application cache
This data is stored securely on your device and is not shared with third parties. You can clear this data by signing out or uninstalling the application.
13. Children's Privacy
Streamli9 is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at privacy@streamli9.com.
14. International Data Transfers
Streamli9 operates from India and uses cloud infrastructure hosted primarily in the United States. Your data may be transferred to and processed in countries other than your country of residence, including:
- United States (primary infrastructure, AI processing, payment processing via Dodo Payments)
- India (operations, payment processing via Razorpay)
We ensure that all international data transfers comply with applicable data protection laws and that appropriate safeguards are in place, including Standard Contractual Clauses where required.
15. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
15.1 Your California Privacy Rights
| Right | Description | How to Exercise |
|---|---|---|
| Right to Know | Request categories and specific pieces of personal information collected | Settings > Export Data, or email us |
| Right to Delete | Request deletion of your personal information | Settings > Delete Account |
| Right to Correct | Request correction of inaccurate personal information | Edit profile in Settings, or email us |
| Right to Opt-Out of Sale/Sharing | Opt out of sale or sharing of personal information | Not applicable: we do not sell or share |
| Right to Limit Use | Limit use and disclosure of sensitive personal information | Contact privacy@streamli9.com |
| Right to Non-Discrimination | We will not discriminate against you for exercising your rights | Automatic |
15.2 Do Not Sell or Share My Personal Information
Streamli9 does NOT sell or share your personal information.
We do not sell personal information for monetary or other valuable consideration. We do not share personal information for cross-context behavioral advertising. None of our sub-processors (listed in Section 5.2) use your data for targeted advertising.
Because we do not sell or share personal information, there is no need to submit an opt-out request. However, if you have questions, contact us at privacy@streamli9.com.
15.3 Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:
- Identifiers: Name, email address, account ID
- Commercial information: Subscription plan, payment history, token usage
- Internet/electronic activity: App feature usage, error logs
- Professional information: Meeting data, action items, calendar data
We do not collect sensitive personal information as defined by CPRA (social security numbers, financial account numbers, precise geolocation, racial/ethnic data, etc.).
15.4 Verifiable Consumer Requests
To submit a verifiable consumer request, email privacy@streamli9.com from the email address associated with your account, or use the in-app privacy settings (Settings > Export Data, Settings > Delete Account).
We will verify your identity by matching your request email to your account email. We will respond within 45 days. If we need more time, we will notify you and may extend by an additional 45 days (90 days total).
You may make a verifiable request up to twice within a 12-month period. You may also designate an authorized agent to make a request on your behalf.
15.5 Financial Incentive Disclosure
Our referral program offers 1 month free to referring users. This incentive is not tied to the sale of personal information. The value of the incentive is based on the user's current plan price. You may opt out of the referral program at any time without affecting your account.
16. Indian Users: Digital Personal Data Protection Act (DPDP Act 2023)
If you are located in India, your personal data is protected under the Digital Personal Data Protection Act, 2023 (DPDP Act). Streamli9 acts as a Data Fiduciary under the DPDP Act.
16.1 Your Rights Under the DPDP Act
| Right | Description | How to Exercise |
|---|---|---|
| Right to Information | Know what personal data is collected and how it is processed | This Privacy Policy; Settings > Export Data |
| Right to Correction and Erasure | Correct inaccurate data or request deletion | Settings > Edit Profile; Settings > Delete Account |
| Right to Grievance Redressal | File a complaint about data processing | Email grievance@streamli9.com |
| Right to Nominate | Nominate another person to exercise your rights in case of death or incapacity | Contact grievance@streamli9.com |
16.2 Consent
We collect and process your personal data based on your consent, which you provide when you sign in and connect third-party services (Zoom, Microsoft, Google). You may withdraw consent at any time by disconnecting services in Settings or deleting your account.
16.3 Cross-Border Data Transfer
Your data may be transferred to and processed in the United States (where our infrastructure is hosted). We ensure such transfers comply with the DPDP Act and that adequate safeguards are in place per any rules notified by the Central Government.
16.4 Grievance Officer
In accordance with the DPDP Act, we have appointed a Grievance Officer. For any complaints or concerns regarding your personal data:
- Email: grievance@streamli9.com
- Response time: Within 30 days of receipt
If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India.
16.5 Data Retention for Indian Users
We retain your data only as long as necessary for the purposes described in this policy (see Section 8, Data Retention). Upon withdrawal of consent or account deletion, your data is deleted within the timeframes specified, except where retention is required by law.
17. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes at least 30 days before they take effect by:
- Sending a notification through the application
- Sending an email to your registered email address
Your continued use of Streamli9 after the changes take effect constitutes acceptance of the updated policy. The previous version of this policy will be archived and available upon request.
18. Contact Us
| Contact | Purpose | |
|---|---|---|
| Grievance Officer (India/DPDP) | DPDP Act complaints, Indian user data concerns | grievance@streamli9.com |
| Privacy Team | Data requests, privacy inquiries | privacy@streamli9.com |
| Data Protection Officer | GDPR and data protection | dpo@streamli9.com |
| Security Team | Vulnerability reports | security@streamli9.com |
| Support | General questions | support@streamli9.com |
Website: www.streamli9.com
© 2026 Streamli9. All rights reserved.