Mrmeet

Privacy Policy

Last updated: 1 July 2026

This Privacy Policy explains how Mrmeet (“we”, “us”, “our”) collects, uses, shares and protects personal data when you use the Mrmeet meeting-notetaker service (the “Service”). Mrmeet is an EU-hosted, compliance-first notetaker: audio capture, speech-to-text and semantic indexing run only on self-hosted infrastructure inside the EU/EEA, and only meeting text — never raw audio, and never emotion or sentiment analysis — is sent to an EU-region AI model to produce summaries and action items.

1. Who we are and how to contact us

The Service is provided by Mrmeet, European Union. For privacy questions or to exercise your rights, contact our Data Protection Officer at dpo@mrmeet.app. For general support, contact support@mrmeet.app.

2. Our role: controller and processor

For account and login data we act as the controller. For meeting content (recordings, transcripts, summaries and action items) we generally act as a processor on behalf of the organisation whose workspace you belong to — that organisation is the controller of that content and is responsible for having a lawful basis for recording. Where you use the Service in a personal capacity, we act as the controller for that content.

3. Personal data we process

  • Account & profile: email address, hashed password, display name and optional avatar; email-verification and account-security metadata.
  • Meeting metadata: meeting title, platform (Google Meet, Microsoft Teams), start/end times, participants and speaker labels. Participant email addresses are encrypted at rest.
  • Recordings: audio (and, where applicable, video) captured by the notetaker bot, stored on in-EU object storage.
  • Transcripts & diarization: the text of what was said, with per-speaker attribution and timestamps.
  • AI outputs: summaries and action items derived from the transcript, together with the model and prompt version used to generate them.
  • Consent & compliance records: consent evidence, data-subject requests and audit logs required to demonstrate compliance.
  • Technical & usage data: IP address, user-agent, session information and security/audit logs.
  • Cookies: see section 13.

4. Where your data comes from

We collect data directly from you (when you create an account or use the Service), from other meeting participants (whose voices and, where provided, names appear in a recording you initiate), and — where you connect them — from calendar or sign-in integrations you authorise (Google, Microsoft).

5. Why we process your data and our legal bases

  • To provide the Service (transcription, summaries, search, sharing) — performance of a contract, or our and the controller's legitimate interests in delivering a notetaker.
  • To record a meeting — a lawful basis established by the initiating organisation; the Service requires an explicit recording-consent flag before a bot is dispatched.
  • Security, fraud prevention and compliance — our legitimate interests and legal obligations (e.g. audit logging, breach notification).
  • Optional cookies and communications — your consent, which you can withdraw at any time.

6. Automated processing and AI transparency

Summaries and action items are generated by artificial intelligence and are always labelled as AI-generated. In line with the EU AI Act (Article 50) they are provided to assist you, not to make decisions about you, and you should verify them before relying on them. We do not perform emotion or sentiment recognition — this is prohibited and enforced in our code. AI inference is text-only, runs against an EU-region model, and each run is logged with its model and prompt version so its provenance can be audited. No solely-automated decision producing legal or similarly significant effects is made about you.

7. Recording and consent

A meeting is only recorded when the person dispatching the notetaker confirms a lawful basis to do so. We maintain an immutable consent ledger, and participants can object to being recorded. If you are a participant and wish to object or have a recording addressed, contact the meeting organiser or our DPO.

8. Data residency and hosting

The Service is single-tenant and EU-hosted. Audio capture, speech-to-text and embedding generation run only on self-hosted infrastructure within the EU/EEA (or, where a workspace is configured for it, the Netherlands only). A residency guard blocks and logs any attempt to send data to a non-EU endpoint.

9. Sub-processors

We use a limited set of vetted sub-processors to run the Service. We maintain a current sub-processor register and process personal data only with providers that offer appropriate safeguards. Categories include:

Category | Purpose
EU-region AI model provider | Text-only summaries and action items
In-EU object storage | Storing recordings and exports
Transactional email provider (EU region) | Account, invitation and security emails
Meeting-platform & calendar integrations (optional) | Joining meetings and calendar auto-join

Speech-to-text and semantic search run on self-hosted, in-EU components and are not outsourced to third parties. Contact our DPO for the current, itemised sub-processor list.

10. International transfers

We are designed to keep personal data within the EU/EEA and do not transfer it outside the EEA in the ordinary course of providing the Service. Where any transfer were ever necessary, it would be subject to an adequacy decision or appropriate safeguards such as the European Commission's Standard Contractual Clauses.

11. How long we keep your data

Retention is configurable per deployment. By default, recordings and their transcripts are retained for 90 days and then deleted, and compliance audit logs are retained for 365 days. Account data is kept for as long as your account is active and then deleted or anonymised, unless a longer period is required by law.

12. How we protect your data

We apply field-level encryption to sensitive identifiers (such as participant emails), hash passwords and API keys, enforce TLS/HSTS in transit, apply workspace-scoped access controls, and maintain an immutable audit trail. No system is perfectly secure, but we take appropriate technical and organisational measures to protect your data.

13. Your rights and how to exercise them

Subject to applicable law, you have the right to access, rectify, erase, restrict or object to the processing of your personal data, and the right to data portability. You can:

  • Export your data — signed-in users can download a copy of their data from Profile Settings.
  • Delete your account — available from Profile Settings.
  • Make any other request — email our DPO at dpo@mrmeet.app. There is no public self-service request form; rights are exercised in-app or by contacting the DPO.

14. Cookies

We use strictly-necessary cookies to authenticate you and secure the Service; these do not require consent. With your consent we also use functional cookies (to remember preferences) and analytics cookies (off by default). You can set or change your choices at any time through the cookie banner, in line with the Dutch Telecommunicatiewet and the ePrivacy Directive.

15. Children

The Service is intended for use by professionals and is not directed at children. We do not knowingly collect personal data from children.

16. Complaints

If you have a concern we could not resolve, you have the right to lodge a complaint with the Autoriteit Persoonsgegevens (the Dutch Data Protection Authority) or your local data-protection authority. We would appreciate the chance to address your concern first — please contact our DPO.

17. Changes to this policy

We may update this Privacy Policy from time to time. We will change the “Last updated” date above and, where changes are material, provide additional notice. Your continued use of the Service after an update means you accept the revised policy.

See also our Terms & Conditions.