Last updated 5 June 2026 · Effective 5 June 2026
Privacy policy
This policy explains what upstand.ai collects, why, who we share it with, how long we keep it, and what rights you have over it. It applies to anyone who signs in to upstand.ai or interacts with upstand.ai through a connected service (calendar, Slack, email).
At a glance
- We collect what we need to run meetings: account info, calendar metadata, meeting content (when you record), and basic telemetry.
- We never sell your data and never use it for advertising. We never train public AI models on your meeting content.
- Meeting content is processed by named sub-processors (Recall.ai, ElevenLabs, Anthropic) strictly to deliver upstand.ai's features. They are bound by contract and the same Limited Use rules Google requires of us.
- You can export or delete your data at any time, from the app or by emailing privacy@upstand.ai.
- For Google data specifically, our use complies with the Google API Services User Data Policy, including the Limited Use requirements.
Who we are
upstand.ai is an AI meeting orchestration platform operated by Future of X ("upstand.ai", "we", "us"). We are the data controller for the personal data described in this policy.
Contact us at privacy@upstand.ai.
Data we collect
Account & workspace
Your name, email address, profile picture (if you sign in with Google), and the workspaces / teams you belong to.
Calendar metadata
When you connect Google Calendar or Microsoft 365, we read the title, start/end time, video link, description, and attendee list of meetings you enrol in upstand.ai. We do not store other events from your calendar.
Meeting content
If you enable a transcript bot or Google Meet native recording for an enrolled meeting, we receive and store:
- Audio recording (during processing only; not retained after transcript extraction unless you explicitly download it).
- Transcript text.
- The in-meeting chat log (Google Meet, when available).
- Derived insights — decisions, action items, summaries — generated by our AI sub-processors.
Slack data
When you connect Slack we store an access token (encrypted at rest) and read the channel list, member directory, and your team info so we can post recap messages and resolve DM recipients.
Usage telemetry
Pages visited, features used, errors encountered. We do not log meeting content in our telemetry.
How we use your data
- Service delivery — running the upstand.ai product: showing your meetings, generating recaps, sending pre-meeting nudges, surfacing action items.
- Security & abuse prevention — detecting fraud, securing accounts, investigating incidents.
- Product analytics — understanding how features are used, in aggregate. We use first-party analytics, not third-party advertising trackers.
- Customer support — responding when you contact us. Where this requires our staff to access your data we log the access and notify you on request.
- Legal compliance — responding to lawful requests from authorities, complying with our own legal obligations.
We do not sell your data. We do not use your meeting content for advertising. We do not train public AI models on your meeting content.
Google API Services — Limited Use disclosure
upstand.ai's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google user data only to provide the user-facing features described above (calendar enrolment, transcript display, AI insights).
- We do not transfer Google user data to others except as necessary to provide those features (i.e. to the sub-processors named below, under contractual restrictions equivalent to this policy), to comply with applicable law, or as part of a merger or acquisition with appropriate notice to users.
- We do not use Google user data for advertising.
- We do not allow humans to read your Google user data except where you grant explicit permission for a specific issue, where required for security investigations or to comply with applicable law, or where the data has been aggregated and anonymised.
- We do not use Google user data to develop, improve, or train generalised AI / ML models.
We hold two Google scopes, both used strictly within these limits:
https://www.googleapis.com/auth/calendar.events— to read events you enrol and to patch a small upstand.ai block into the description of those enrolled events.https://www.googleapis.com/auth/drive.meet.readonly— to read recordings, transcripts, and chat logs that Google Meet itself created for your enrolled meetings. This scope only exposes files created by Meet; upstand.ai cannot see, list, or read any other file in your Drive.
Legal bases (GDPR / UK GDPR)
If you are in the UK, EEA, or Switzerland, we rely on the following legal bases under Article 6 of the GDPR:
- Contract (Art. 6(1)(b)) — to deliver the service you signed up for.
- Legitimate interests (Art. 6(1)(f)) — for security, fraud prevention, and aggregated product analytics. Balanced against your interests as set out in this policy.
- Consent (Art. 6(1)(a)) — for optional features (e.g. enabling transcript capture, voiceprint enrolment if/when we offer it). You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)) — to comply with applicable law.
Sub-processors
We use the following sub-processors. Each is bound by contract to process data only for the purpose listed, under security obligations at least equivalent to ours, and to not retain your data after we end our agreement with them.
| Sub-processor | Purpose | Data location |
|---|---|---|
| Supabase | Application database, authentication, edge functions | EU (Ireland) |
| Vercel | Frontend hosting + CDN | Global edge; primary region EU |
| Recall.ai | Meeting bot infrastructure (joins your video meetings to record) | United States (under SCCs) |
| ElevenLabs | Speech-to-text transcription of meeting audio | EU / US (configurable) |
| Anthropic | AI insight extraction (decisions, action items, summaries) | US (under SCCs) |
| Resend | Transactional email delivery (recaps, nudges, invites) | EU (Frankfurt) |
| Slack | Slack channel and DM delivery (only if you connect Slack) | US (under SCCs) |
| Stripe | Payments + billing | EU (Ireland) + US (SCCs) |
We'll update this list when sub-processors change. Material changes are emailed to administrators of paying workspaces at least 30 days in advance.
International data transfers
Where data is transferred from the UK, EEA, or Switzerland to a country without an adequacy decision (notably the United States), the transfer is covered by Standard Contractual Clauses (SCCs) and supplementary measures (encryption in transit and at rest, access controls) consistent with EDPB Recommendation 01/2020.
Data retention
- Account & workspace metadata — for the lifetime of your account. Deleted within 30 days of account closure.
- Calendar metadata — for as long as the meeting remains enrolled. Removed within 24 hours of you disconnecting calendar access.
- Meeting transcripts & derived insights — default 12 months, configurable by workspace admins down to 30 days.
- Audio recordings — discarded as soon as the transcript has been extracted, unless you explicitly download and store them.
- Slack tokens — until you disconnect Slack from the workspace.
- Telemetry — 90 days, then aggregated.
- Backups — encrypted snapshots retained for 30 days for disaster recovery, then deleted.
Security
We encrypt all data in transit (TLS 1.2+) and at rest. Calendar and Slack access tokens are additionally encrypted at the application layer. Production access is restricted to a small number of engineering staff under MFA and audit-logged. Recall.ai webhooks are signature-verified; all customer-data edge functions enforce row-level security via Supabase RLS.
No system is perfectly secure. We'll notify affected users and the relevant supervisory authorities of a personal data breach without undue delay, and within 72 hours where required by law.
Your rights
Wherever you are, you can:
- Access and export the personal data we hold about you.
- Correct inaccurate data.
- Delete your account and personal data.
- Revoke connected services (Google, Microsoft, Slack) from upstand.ai or from the provider's own account settings.
If you are in the UK, EEA, or Switzerland you additionally have the right to restrict or object to certain processing, to data portability, and to lodge a complaint with your local supervisory authority (for the UK, the ICO; for the EU, your national DPA).
If you are a California resident you have rights under the CCPA/CPRA including the right to know, delete, correct, and limit the use of sensitive personal information. We do not sell or share personal information for cross-context behavioural advertising as those terms are defined under the CPRA.
Email privacy@upstand.ai to exercise any of these rights. We'll respond within 30 days (or one month, whichever is later in the applicable framework).
Cookies and similar technologies
upstand.ai uses strictly necessary cookies for authentication and session management, and first-party analytics cookies to measure feature usage in aggregate. We do not use third-party advertising or cross-site tracking cookies.
Children
upstand.ai is a workplace tool not directed at children. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us personal information, please contact privacy@upstand.ai and we will delete it.
Changes to this policy
We'll update this page when our practices change. Material changes (new categories of data, new sub-processors, changes to retention) are emailed to registered users at least 30 days before they take effect.
Contact
Questions, requests, or complaints: privacy@upstand.ai.