upstand .ai

Last updated 5 June 2026 · Effective 5 June 2026

Privacy policy

This policy explains what upstand.ai collects, why, who we share it with, how long we keep it, and what rights you have over it. It applies to anyone who signs in to upstand.ai or interacts with upstand.ai through a connected service (calendar, Slack, email).

At a glance

  • We collect what we need to run meetings: account info, calendar metadata, meeting content (when you record), and basic telemetry.
  • We never sell your data and never use it for advertising. We never train public AI models on your meeting content.
  • Meeting content is processed by named sub-processors (Recall.ai, ElevenLabs, Anthropic) strictly to deliver upstand.ai's features. They are bound by contract and the same Limited Use rules Google requires of us.
  • You can export or delete your data at any time, from the app or by emailing privacy@upstand.ai.
  • For Google data specifically, our use complies with the Google API Services User Data Policy, including the Limited Use requirements.

Who we are

upstand.ai is an AI meeting orchestration platform operated by Future of X ("upstand.ai", "we", "us"). We are the data controller for the personal data described in this policy.

Contact us at privacy@upstand.ai.

Data we collect

Account & workspace

Your name, email address, profile picture (if you sign in with Google), and the workspaces / teams you belong to.

Calendar metadata

When you connect Google Calendar or Microsoft 365, we read the title, start/end time, video link, description, and attendee list of meetings you enrol in upstand.ai. We do not store other events from your calendar.

Meeting content

If you enable a transcript bot or Google Meet native recording for an enrolled meeting, we receive and store:

  • Audio recording (during processing only; not retained after transcript extraction unless you explicitly download it).
  • Transcript text.
  • The in-meeting chat log (Google Meet, when available).
  • Derived insights — decisions, action items, summaries — generated by our AI sub-processors.

Slack data

When you connect Slack we store an access token (encrypted at rest) and read the channel list, member directory, and your team info so we can post recap messages and resolve DM recipients.

Usage telemetry

Pages visited, features used, errors encountered. We do not log meeting content in our telemetry.

How we use your data

  • Service delivery — running the upstand.ai product: showing your meetings, generating recaps, sending pre-meeting nudges, surfacing action items.
  • Security & abuse prevention — detecting fraud, securing accounts, investigating incidents.
  • Product analytics — understanding how features are used, in aggregate. We use first-party analytics, not third-party advertising trackers.
  • Customer support — responding when you contact us. Where this requires our staff to access your data we log the access and notify you on request.
  • Legal compliance — responding to lawful requests from authorities, complying with our own legal obligations.

We do not sell your data. We do not use your meeting content for advertising. We do not train public AI models on your meeting content.

Google API Services — Limited Use disclosure

upstand.ai's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use Google user data only to provide the user-facing features described above (calendar enrolment, transcript display, AI insights).
  • We do not transfer Google user data to others except as necessary to provide those features (i.e. to the sub-processors named below, under contractual restrictions equivalent to this policy), to comply with applicable law, or as part of a merger or acquisition with appropriate notice to users.
  • We do not use Google user data for advertising.
  • We do not allow humans to read your Google user data except where you grant explicit permission for a specific issue, where required for security investigations or to comply with applicable law, or where the data has been aggregated and anonymised.
  • We do not use Google user data to develop, improve, or train generalised AI / ML models.

We hold two Google scopes, both used strictly within these limits:

  • https://www.googleapis.com/auth/calendar.events — to read events you enrol and to patch a small upstand.ai block into the description of those enrolled events.
  • https://www.googleapis.com/auth/drive.meet.readonly — to read recordings, transcripts, and chat logs that Google Meet itself created for your enrolled meetings. This scope only exposes files created by Meet; upstand.ai cannot see, list, or read any other file in your Drive.

Legal bases (GDPR / UK GDPR)

If you are in the UK, EEA, or Switzerland, we rely on the following legal bases under Article 6 of the GDPR:

  • Contract (Art. 6(1)(b)) — to deliver the service you signed up for.
  • Legitimate interests (Art. 6(1)(f)) — for security, fraud prevention, and aggregated product analytics. Balanced against your interests as set out in this policy.
  • Consent (Art. 6(1)(a)) — for optional features (e.g. enabling transcript capture, voiceprint enrolment if/when we offer it). You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)) — to comply with applicable law.

Sub-processors

We use the following sub-processors. Each is bound by contract to process data only for the purpose listed, under security obligations at least equivalent to ours, and to not retain your data after we end our agreement with them.

Sub-processor Purpose Data location
Supabase Application database, authentication, edge functions EU (Ireland)
Vercel Frontend hosting + CDN Global edge; primary region EU
Recall.ai Meeting bot infrastructure (joins your video meetings to record) United States (under SCCs)
ElevenLabs Speech-to-text transcription of meeting audio EU / US (configurable)
Anthropic AI insight extraction (decisions, action items, summaries) US (under SCCs)
Resend Transactional email delivery (recaps, nudges, invites) EU (Frankfurt)
Slack Slack channel and DM delivery (only if you connect Slack) US (under SCCs)
Stripe Payments + billing EU (Ireland) + US (SCCs)

We'll update this list when sub-processors change. Material changes are emailed to administrators of paying workspaces at least 30 days in advance.

International data transfers

Where data is transferred from the UK, EEA, or Switzerland to a country without an adequacy decision (notably the United States), the transfer is covered by Standard Contractual Clauses (SCCs) and supplementary measures (encryption in transit and at rest, access controls) consistent with EDPB Recommendation 01/2020.

Data retention

  • Account & workspace metadata — for the lifetime of your account. Deleted within 30 days of account closure.
  • Calendar metadata — for as long as the meeting remains enrolled. Removed within 24 hours of you disconnecting calendar access.
  • Meeting transcripts & derived insights — default 12 months, configurable by workspace admins down to 30 days.
  • Audio recordings — discarded as soon as the transcript has been extracted, unless you explicitly download and store them.
  • Slack tokens — until you disconnect Slack from the workspace.
  • Telemetry — 90 days, then aggregated.
  • Backups — encrypted snapshots retained for 30 days for disaster recovery, then deleted.

Security

We encrypt all data in transit (TLS 1.2+) and at rest. Calendar and Slack access tokens are additionally encrypted at the application layer. Production access is restricted to a small number of engineering staff under MFA and audit-logged. Recall.ai webhooks are signature-verified; all customer-data edge functions enforce row-level security via Supabase RLS.

No system is perfectly secure. We'll notify affected users and the relevant supervisory authorities of a personal data breach without undue delay, and within 72 hours where required by law.

Your rights

Wherever you are, you can:

  • Access and export the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your account and personal data.
  • Revoke connected services (Google, Microsoft, Slack) from upstand.ai or from the provider's own account settings.

If you are in the UK, EEA, or Switzerland you additionally have the right to restrict or object to certain processing, to data portability, and to lodge a complaint with your local supervisory authority (for the UK, the ICO; for the EU, your national DPA).

If you are a California resident you have rights under the CCPA/CPRA including the right to know, delete, correct, and limit the use of sensitive personal information. We do not sell or share personal information for cross-context behavioural advertising as those terms are defined under the CPRA.

Email privacy@upstand.ai to exercise any of these rights. We'll respond within 30 days (or one month, whichever is later in the applicable framework).

Cookies and similar technologies

upstand.ai uses strictly necessary cookies for authentication and session management, and first-party analytics cookies to measure feature usage in aggregate. We do not use third-party advertising or cross-site tracking cookies.

Children

upstand.ai is a workplace tool not directed at children. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us personal information, please contact privacy@upstand.ai and we will delete it.

Changes to this policy

We'll update this page when our practices change. Material changes (new categories of data, new sub-processors, changes to retention) are emailed to registered users at least 30 days before they take effect.

Contact

Questions, requests, or complaints: privacy@upstand.ai.