⚠️ Placeholder document. This Privacy Policy is a temporary draft. Production deployment requires legal counsel review and finalization.

Privacy Policy

Last updated: 2026-05-20 (placeholder)

1. Who we are

Beesiness is operated by [Placeholder — legal entity and registered address]. For GDPR purposes we act as Data Controller for account data and as Data Processor for meeting content on your workspace's behalf. Our Data Protection Officer (DPO) can be reached at dpo@beesiness.com.

2. Data we collect

2.1 Account data

  • Name, email, profile picture (via Google or Microsoft OAuth)
  • Organization name + role
  • Billing information (handled by Stripe — we do not store card numbers)

2.2 Meeting data

  • Meeting URL, scheduled time, platform (Meet/Zoom/Teams)
  • Audio recording (retained 90 days by default; user can shorten/extend)
  • Transcript (retained 365 days)
  • Generated summaries, action items, decisions
  • Participant names/emails (extracted from meeting metadata)

2.3 Usage data

  • IP address, browser type, pages visited
  • Feature usage analytics (no personal identifiers in analytics)
  • Error logs (Sentry — scrubbed of PII)

3. How we use your data

  • To deliver the meeting recording, transcription, and summary service
  • To process billing
  • To send service notifications (transactional email only)
  • To detect fraud and abuse
  • To improve the service (aggregated analytics, no personal data)

4. Sub-processors

We share necessary data with the following sub-processors to deliver the service:

ServicePurposeLocation
Anthropic (Claude)AI summary generationUSA
OpenAI (GPT-4o)AI fallbackUSA
SonioxSpeech-to-text transcriptionUSA
VexaMeeting audio capture / recordingUSA
Cloudflare R2Audio storageGlobal (EU primary)
NeonDatabase hostingEU region (eu-central-1)
VercelWeb app hostingGlobal
StripePayment processingUSA / EU
ResendTransactional emailUSA
SentryError trackingUSA

5. AI training data

Beesiness does not currently use your meeting content to train AI models. Your transcripts and summaries are processed only to generate your own meeting outputs (see § 4 sub-processors) and are not added to any model-training corpus.

If we introduce model improvement in the future it will be opt-in, applied only to pseudonymized data (identity fields such as names, emails, phone numbers and national IDs replaced with random tokens before any training use), and announced in advance. Enterprise customers additionally have a contractual guarantee that training is never enabled regardless of in-product settings — see DPA § 8.

Note: Pseudonymized data is still considered personal data under GDPR. Beesiness relies on legitimate interest (Art. 6(1)(f) GDPR) for product improvement, balanced against your right to object. Contact dpo@beesiness.com if you wish to invoke that right.

6. Your rights

  • Access: Download your data via Settings → Export
  • Rectification: Edit your profile any time
  • Erasure (right to be forgotten): Delete Organization → 30-day soft delete, then hard delete
  • Portability: JSON export of all transcripts and summaries
  • Object to processing: Contact dpo@beesiness.com to restrict specific uses

7. Children's data (K12 customers)

[Placeholder — requires legal review now that K-12 customers are onboarding. Parental consent flow, student data handling, COPPA + FERPA safeguards, and equivalent provisions under applicable EU member-state child-data laws are all needed.]

For K12 deployments, all data is processed on-premises within the school's infrastructure. Parental consent is required for any audio recording involving minors.

8. Recording consent

Beesiness bots announce their presence verbally and display a banner: "This meeting is being recorded by Beesiness." In jurisdictions requiring all-party consent (EU, California, Illinois, Massachusetts), additional language is shown: "If you object, please ask the host to remove the bot."

9. Data retention

  • Audio: 90 days (default), then automatically deleted
  • Transcripts: 365 days
  • Account data: until you delete your Organization
  • Audit logs: 1 year (compliance requirement)
  • Anonymized training corpus (opt-in only): no time limit while consent active

10. Security

  • Encryption in transit: TLS 1.3
  • Encryption at rest: AES-256
  • Multi-tenant isolation: Postgres Row-Level Security
  • Access controls: role-based (admin/member/guest)
  • Audit logs for all data access

11. Data residency

  • Default: EU region (eu-central-1)
  • Opt-in: US region, on-premises (Helm chart)
  • Enterprise customers may choose region

12. International transfers

Some sub-processors (Anthropic, OpenAI, Soniox, Vexa, Stripe, Resend, Sentry) are based in the USA. We rely on EU Standard Contractual Clauses (SCCs) for these transfers.

13. Contact

DPO: dpo@beesiness.com
General privacy questions: privacy@beesiness.com

Privacy Policy · Beesiness