Privacy Policy

Effective Date: February 24, 2026

Last Updated: February 24, 2026

Mnemoss ("Service," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

• •Full Name — for personalization and CRM contact creation.
• •Email Address — for authentication, account recovery, and transactional communications.
• •Password — stored as a salted hash by Supabase Auth. We never store plaintext passwords.
• •Phone Number (optional) — collected during onboarding for enhanced CRM records.

1.2 Audio Recordings & Transcripts

When you upload an audio file or connect a meeting bot, we process:

• •Audio files (MP3, M4A, WAV formats) — uploaded to Supabase Storage or streamed from a meeting bot URL.
• •Transcripts — generated by our transcription provider and stored in our database.
• •Speaker diarization data — JSON metadata identifying different speakers in the recording.

1.3 AI-Extracted Data

Our AI processing pipeline extracts structured data from your transcripts, including:

• •Contact information (names, company, email, phone)
• •Deal information (budget, timeline, deal stage, sentiment)
• •Appointments and reminders (dates, locations, descriptions)
• •Discussion summaries and action items

This extracted data is stored in our PostgreSQL database hosted on Supabase.

1.4 Usage & Billing Data

We collect:

• •Processing usage — duration of audio files processed, tracked for metered billing.
• •Subscription tier — your current plan and billing status.
• •Payment information — handled entirely by Stripe. We do not store credit card numbers, CVVs, or full card details on our servers. Please refer to Stripe's Privacy Policy for details.

1.5 CRM Integration Credentials

If you connect third-party CRM services, we store:

• •HubSpot API Token — encrypted and stored per-user for authenticated API calls.
• •Notion API Key and Database ID — stored per-user in our database for integration.

These credentials are used solely to perform CRM operations on your behalf.

1.6 Technical Data

We automatically collect:

• •Browser type and version
• •IP address (for security logging)
• •Device type
• •Pages visited and timestamps

2. How We Use Your Information

We use your information to:

• •Provide the Service — transcribe audio, extract intelligence, and sync data to your CRM.
• •Process Payments — manage subscriptions, Booster Pack purchases, and billing via Stripe.
• •Monitor Usage — enforce hourly processing limits and send usage threshold alerts.
• •Improve the Service — analyze aggregate, anonymized usage patterns to improve features and performance.
• •Communicate with You — send transactional emails (e.g., password resets, usage alerts), and optional product updates.
• •Ensure Security — detect and prevent fraud, abuse, and unauthorized access.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), we process your data under the following legal bases:

4. Third-Party Data Processors

We share your data with the following categories of third-party service providers. Each processes data only as necessary to provide their specific service:

3.1 AI & Transcription Providers

Important: Your audio recordings and transcript text are transmitted to these providers for processing. We recommend reviewing their respective privacy policies:

• •AssemblyAI Privacy Policy
• •Google Privacy Policy
• •Groq Privacy Policy

3.2 Infrastructure Providers

4.4 AI Training Disclosure

We do not use your audio recordings, transcripts, or extracted intelligence to train our own AI models. Furthermore, our agreements with our primary AI providers (AssemblyAI and Google Gemini) ensure that data sent via their APIs is not used to train their foundational models. We prioritize data privacy over model improvement.

4. Data Retention

4.1 Audio Recordings

Audio files are stored in Supabase Storage for the duration of your active account. You may delete individual recordings at any time from your dashboard.

4.2 Transcripts & Extractions

Transcripts and extracted data are retained in our database for the lifetime of your account. Deleted calls will have their associated transcripts and extractions permanently removed.

4.3 Account Deletion

Upon account deletion or termination:

• •Your profile, call records, transcripts, extractions, and usage logs will be permanently deleted within 30 days.
• •Data that has been pushed to third-party CRM platforms (HubSpot, Notion) will remain in those platforms and is subject to their respective retention policies.
• •Payment records maintained by Stripe will be retained in accordance with Stripe's data retention policy and applicable financial regulations.

4.4 Local-First Storage (User-Controlled)

The Service offers a "Local Only" storage mode that allows you to store transcripts, extracted data, and call records exclusively on your device using your browser's IndexedDB storage. When enabled:

• •After AI processing is complete, the resulting data is transferred to your device's local storage.
• •The cloud copy of that data (transcripts, extractions, and call metadata) is permanently deleted from our servers.
• •Your audio recordings are still transmitted to third-party AI providers (AssemblyAI, Gemini, Groq) for transcription and extraction during processing. Local storage mode controls where the results are kept — not how processing occurs.
• •We cannot recover locally stored data. If you clear your browser data, switch devices, or use incognito mode, your data will be permanently lost.
• •We recommend using the Download Backup feature regularly to create portable JSON backups of your local data.

A "Hybrid" mode is also available, which stores data both locally and in the cloud for offline access with cloud backup.

7. Data Security & Breach Notification

7.1 Security Measures

We implement industry-standard security measures to protect your data:

• •Encryption in Transit: All data transmitted via TLS/SSL (HTTPS).
• •Encryption at Rest: Database and storage data is encrypted at rest.
• •Authentication: Secure password hashing (bcrypt).
• •Row-Level Security (RLS): Database access enforced at the row level.

7.2 Breach Notification

In the event of a suspected data breach:

• •GDPR: We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach where required.
• •PIPEDA: We will notify affected individuals and the Office of the Privacy Commissioner of Canada "as soon as feasible" if the breach creates a real risk of significant harm.
• •General: Affected users will be notified via the email address associated with their account.

8. Canadian Users (PIPEDA)

As an Ontario-based service, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). If you have concerns about our privacy practices, you have the right to contact the Office of the Privacy Commissioner of Canada.

9. Your Rights

Depending on your jurisdiction, you may have the following rights:

6.1 Access & Portability

You have the right to request a copy of the personal data we hold about you. Extracted data can be exported in standard formats (iCal, vCard, EML, JSON, Markdown) directly from the Service.

6.2 Correction

You may update your personal information at any time through your Profile page.

6.3 Deletion

You may request deletion of your account and all associated data by contacting us. We will process deletion requests within 30 days.

6.4 Restriction of Processing

You may request that we restrict processing of your personal data under certain circumstances, such as if you contest the accuracy of the data.

6.5 Objection

You may object to the processing of your personal data for certain purposes, such as direct marketing.

6.6 Withdraw Consent

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing performed before the withdrawal.

7. International Data Transfers

Our servers and third-party providers are located in the United States. If you are accessing the Service from outside the United States, please be aware that your data may be transferred to, stored, and processed in the United States. By using the Service, you consent to such transfers.

8. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will delete that information promptly.

9. GDPR Compliance (European Users)

If you are located in the European Economic Area (EEA), the following additional provisions apply:

• •Legal Basis: We process your data based on (a) contractual necessity (to provide the Service), (b) legitimate interests (to improve and secure the Service), and (c) consent (where explicitly provided).
• •Data Protection Officer: For GDPR-related inquiries, contact us at the email listed below.
• •Supervisory Authority: You have the right to lodge a complaint with your local data protection authority.

10. California Privacy Rights (CCPA)

If you are a California resident, you have the right to:

• •Know what personal information we collect and how it is used.
• •Request deletion of your personal information.
• •Opt out of the "sale" of personal information. We do not sell your personal information.
• •Not be discriminated against for exercising your CCPA rights.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notification. The "Last Updated" date at the top of this document will be revised accordingly. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy, please contact us at:

Email: privacy@mnemoss.com

This Privacy Policy is a draft and should be reviewed by qualified legal counsel before publication.