Privacy Policy

Last updated: January 21, 2026

            Summary: AgendaPilot processes meeting audio to help you track agenda items. We collect minimal data needed to provide the service. You can delete your data at any time.
        

Audio Handling

Default Mode: AgendaPilot never receives, stores, or saves your audio on our servers. Speech recognition is handled by your browser or device (e.g., Google's Web Speech API on Chrome). We receive only the converted text.

Enhanced Transcription (Optional, Pro Tier): If you opt in to Enhanced Transcription, audio is temporarily sent from your browser to our server and forwarded to OpenAI for transcription. Audio is not stored by AgendaPilot or OpenAI and is discarded immediately after transcription. This feature requires your explicit consent and can be disabled at any time.

Meeting transcripts (text only) are stored as part of your meeting history for 90 days so you can review past meetings. You can delete any meeting at any time.

1. Introduction

AgendaPilot ("we", "our", or "us") is a meeting productivity application that helps you track agenda items during meetings using speech recognition. This privacy policy explains what data we collect, how we use it, and your rights.

By using AgendaPilot, you agree to the collection and use of information in accordance with this policy and our Terms of Service.

Data Controller

For the purposes of GDPR and other data protection laws, the data controller is:

Entity: AgendaPilot
Contact Email: koalat@koalat.ai
Address: United States

For data protection inquiries, contact us at the email above. We will respond within 30 days.

2. Data We Collect

Account Information

Email address: Used for authentication via magic link sign-in
Subscription status: Whether you have an active subscription

Meeting Data

Agenda items: The meeting topics you enter
Session metadata: Meeting duration and item completion status
Meeting history: Completed meeting summaries (items covered/missed, duration, context) are stored for 90 days so you can review past meetings
Full transcripts: Complete meeting transcripts with timestamps are stored as part of your meeting history for 90 days, allowing you to review what was discussed

Important - How Speech Recognition Works:

Default Mode: Your browser or device (not AgendaPilot) captures and processes your audio using its built-in speech recognition (e.g., Chrome uses Google's Web Speech API). We only receive the converted text for agenda tracking. See your browser/device privacy policy for how they handle audio.

Enhanced Transcription (Opt-in, Pro Tier): When you enable this optional feature, audio from your microphone is sent to our server and forwarded to OpenAI's transcription API for higher-accuracy speech-to-text conversion. Audio is processed in real-time and is never stored. Only the resulting text transcript is retained (for 90 days with your meeting history). You must explicitly consent to this mode and can revert to default at any time.

Your Responsibility - Recording Consent: You are solely responsible for obtaining appropriate consent from all meeting participants before using AgendaPilot's speech recognition features. Many jurisdictions (including California, Illinois, and EU countries) require all-party consent to process conversations. See our Terms of Service for more details.

Technical Data

Browser type and version
Device type (for mobile app)
Error logs for troubleshooting

3. How We Use Your Data

Purpose	Data Used	Legal Basis
Provide the service	Email, agenda items, session data	Contract performance
Process payments	Email (shared with Stripe)	Contract performance
Send login links	Email	Contract performance
AI-powered features	Transcript text (Pro tier)	Consent / Contract
Improve the service	Anonymized usage patterns	Legitimate interest

4. Third-Party Services (Subprocessors)

We use the following third-party services to provide AgendaPilot. These are our data subprocessors:

Service	Purpose	Data Shared	Location
Stripe	Payment processing	Email, payment info	USA
Resend	Email delivery	Email address	USA
OpenRouter	AI analysis (Pro tier)	De-identified text only	USA
Google Web Speech API	Speech recognition (default)	Audio (browser-side)	USA
OpenAI	Enhanced Transcription (opt-in, Pro tier)	Audio (temporarily, not stored)	USA
Neon (via Replit)	Database hosting	Account and meeting data	USA

Stripe (Payment Processing)

We use Stripe to process subscription payments. When you subscribe, Stripe receives your email address and payment information. Stripe is PCI-DSS compliant. Privacy policy: stripe.com/privacy

Resend (Email Delivery)

We use Resend to send magic link login emails. Your email address is shared with Resend for this purpose. Privacy policy: resend.com/legal/privacy-policy

OpenRouter (AI Features - Pro Tier)

Pro tier features use AI models via OpenRouter for meeting analysis and coaching. We enable Zero Data Retention (ZDR) on all AI requests, ensuring your prompts are never stored by AI providers. Additionally, all text is de-identified (PII removed) before being sent. Privacy policy: openrouter.ai/privacy

Web Speech API (Browser - Default)

By default, speech recognition uses your browser's built-in Web Speech API. Audio processing is handled by your browser (typically Google for Chrome). AgendaPilot never receives your audio in this mode. See Google's Privacy Policy.

OpenAI (Enhanced Transcription - Opt-in, Pro Tier)

Pro tier users can optionally enable Enhanced Transcription for higher-accuracy speech recognition. When enabled:

Audio from your microphone is sent from your browser to our server, then forwarded to OpenAI's transcription API
Audio is processed in real-time and is never stored by AgendaPilot or OpenAI
Only the resulting text transcript is retained (90 days, with meeting history)
This feature requires your explicit opt-in consent and can be disabled at any time from Settings
OpenAI's data usage policy applies: openai.com/privacy

5. Data Retention

Data Category	Retention Period	Purpose
Email address	Until account deletion	Authentication, communications
Subscription status	Until account deletion	Service access control
Meeting history	90 days (auto-deleted)	Review past meetings
Magic link tokens	24 hours	One-time authentication
Audio (default mode)	Never stored	N/A - browser-side only
Audio (Enhanced Transcription)	Never stored - processed in transit only	Temporarily forwarded to OpenAI for transcription, then discarded
Transcript text	90 days (with meeting history)	Review past meetings, AI analysis

You can manually delete any meeting from the "Meeting History" section at any time. After account deletion, all data is removed within 30 days.

6. Your Rights

Depending on your location, you may have the following rights:

For All Users

Access: Request a copy of your data
Deletion: Request deletion of your account and data
Correction: Update your email address

For EU/EEA Users (GDPR)

Portability: Receive your data in a structured format
Restriction: Limit how we process your data
Objection: Object to processing based on legitimate interest
Withdraw consent: For AI features at any time

For US State Privacy Laws (CCPA, CPRA, VCDPA, CPA, CTDPA)

If you're a resident of California, Virginia, Colorado, Connecticut, or other states with privacy laws, you have the following rights:

Categories of Personal Information We Collect

Category	Examples	Collected
Identifiers	Email address	Yes
Commercial information	Subscription history	Yes
Internet activity	App usage, meeting metadata	Yes
Geolocation	IP-based location	No
Biometric data	Voice recordings	No (default: browser-side only; Enhanced Transcription: temporarily processed, never stored)
Sensitive personal info	Health, financial data	No

Your Rights

Know/Access: What personal information we collect about you
Delete: Request deletion of your personal information
Correct: Fix inaccurate personal information
Opt-out: Of sale or sharing for targeted advertising
Limit sensitive PI: Limit use of sensitive personal information
Non-discrimination: Equal service regardless of exercising rights

            Do Not Sell or Share My Personal Information: We do NOT sell your personal information. We do NOT share your personal information for cross-context behavioral advertising. Because we don't engage in these practices, there is no need to opt out.
        

To exercise any of these rights, email us at koalat@koalat.ai or use the "Export Data" and "Delete Account" features in the app. You may also designate an authorized agent to make requests on your behalf.

Healthcare Users (HIPAA Compliance)

            Important Context: As noted above, AgendaPilot does not store your audio or transcripts. The core agenda tracking feature processes speech locally in real-time without sending data anywhere.
        

When does HIPAA de-identification apply? Only when you optionally choose to use our AI analysis features (Pro tier). These features allow you to paste or submit transcript text for AI-powered insights. In these cases only:

Text you submit is automatically scanned for sensitive information
PII is redacted before being sent to AI providers
Redacted text uses placeholders (e.g., [EMAIL], [SSN], [NAME])
Original text with PII is never transmitted externally

What we detect: Our de-identification covers 18 HIPAA Safe Harbor identifier categories including names, SSNs, dates of birth, addresses, phone numbers, emails, medical record numbers, health plan IDs, and more.

Note: While we provide tools to support HIPAA compliance for optional AI features, covered entities are responsible for their overall HIPAA compliance. The core tracking feature doesn't store or transmit any data, so there's nothing to de-identify.

7. Data Security

We implement appropriate security measures including:

HTTPS encryption for all data in transit
Secure password hashing (bcrypt) for authentication tokens
Database encryption at rest
Regular security updates and monitoring

8. Children's Privacy

AgendaPilot is not intended for users under 16 years of age. We do not knowingly collect personal information from children.

9. International Data Transfers

Your data may be processed in the United States where our servers and third-party providers are located.

For EU/EEA/UK Users

When we transfer personal data outside the European Economic Area or United Kingdom, we rely on:

Standard Contractual Clauses (SCCs): EU-approved contractual terms that provide adequate safeguards
Data Processing Agreements: With each subprocessor listed in Section 4
Adequacy decisions: Where available for specific countries

You can request a copy of the safeguards we use by contacting us at koalat@koalat.ai.

Your Right to Complain

If you are in the EU/EEA and believe we have not handled your data properly, you have the right to lodge a complaint with your local data protection authority (supervisory authority).

10. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes by email or through the app. The "Last updated" date at the top indicates when changes were made.

11. Contact Us

For privacy-related questions, data requests, or to exercise your rights:

Email: koalat@koalat.ai
Website: agendapilot.ai

We will respond to requests within 30 days.

← Back to AgendaPilot Terms of Service FAQ