Privacy policy

This is the operating draft of meetbot.dev's privacy policy. It will be reviewed by counsel before public launch — treat it as a substantive working document, not legal advice. If you're at a company evaluating meetbot for production and need a signed DPA, email privacy@meetbot.dev.

meetbot is meeting-bot infrastructure. Recordings flow through us; they are never our property. This page explains what data we touch, why we touch it, where it lives, and what rights you have over it.

Last updated 2026-05-10

1. Who we are

meetbot.dev is operated by meetbot UG (i.G.), a German limited-liability company in formation, registered in Berlin (DE). Our production infrastructure runs on Hetzner Online GmbH in Falkenstein, Germany — EU-hosted by default. Until the UG is fully formed, the natural-person controller is Pavel Remizov, reachable at privacy@meetbot.dev. For GDPR purposes we are the data controller for account-and-billing data and a data processor for any meeting media our customers dispatch us to capture.

2. What data we collect

We split the data we touch into four buckets: account data, recording data, usage and billing data, and analytics data. Each is collected for a specific operational purpose and discarded when that purpose lapses. We do not sell or rent any of it.

  • Account data

    The email you signed up with, the display name you provided (if any), your organization name, your hashed magic-link / OAuth identifiers, and a Stripe customer reference once you add a payment method. Used to authenticate you and bill you.

  • Recording data (processor-only)

    When you dispatch a bot, we transit the meeting capture (per-speaker audio in Opus, tab video in VP9, captions JSONL, chat JSONL, manifest JSON) and write it to the S3-compatible bucket you nominated. We are a processor for this data — your customer relationship with the meeting participants is the controller relationship; we are downstream of it. Default retention on our temp volume: deleted within 1 hour of upload completion.

  • Usage and billing data

    Per-bot dispatch metadata (timestamps, meeting URL host, duration, exit sub-code, bot run id, signed webhook delivery attempts, total minutes for invoicing). Error logs, scoped per request, sent to Sentry's EU region with PII scrubbed at the SDK layer. Stripe receives invoicing data — invoice-line meeting-minute totals, never meeting URLs or participant names.

  • Analytics data (when shipped)

    When the marketing site adds PostHog (currently planned, not live), we will record an anonymous id, the URL path, the referrer, the viewport size, and click events on a small set of conversion-relevant elements. PostHog runs in its EU region. The cookie is essential-only until consent is given; behavioural cookies are gated behind a banner.

3. Why we collect it (GDPR Art. 6)

Under GDPR Art. 6 every processing operation needs a lawful basis. Ours, by category:

| category | legal basis | note |
|---|---|---|
| Account data | Contract performance — Art. 6(1)(b) | We can't authenticate you or bill you without it. |
| Recording data | Processor agreement — Art. 28 + 6(1)(b) | You instruct us to capture the meeting; we execute. The participant-side legal basis is yours to establish. |
| Billing + usage | Contract performance + legal obligation — Art. 6(1)(b) and 6(1)(c) | DE accounting law (HGB §257) requires us to retain invoice records for 6 years; tax law extends some categories to 10. |
| Error logs (Sentry) | Legitimate interest — Art. 6(1)(f) | Operational debugging. Retention 30 days. PII is scrubbed at the SDK level. |
| Analytics (when live) | Consent for non-essential cookies — Art. 6(1)(a) + ePrivacy | Essential cookies (auth, CSRF) under legitimate interest; behavioural cookies require explicit opt-in via the banner. |

4. Where data lives

We host in the EU by default and we list the few extra-EEA flows up front. There is no shadow vendor list.

| store | location | note |
|---|---|---|
| Postgres (orchestrator + auth) | Hetzner Falkenstein (DE) | Account data, OAuth refresh tokens (encrypted at rest), bot dispatch metadata, audit logs. |
| S3 / object storage (recording media) | Customer's nominated bucket — OR Hetzner Storage Box (FRA, DE) if you opt to use ours | Customer's bucket is the default. We hold credentials scoped to PutObject + AbortMultipartUpload on a single prefix. |
| Stripe billing | United States — covered by EU SCCs | Card data never touches our servers; Stripe Checkout + Portal are hosted by Stripe. |
| Sentry error tracking | Sentry EU region (Frankfurt, DE) | Error events with PII scrubbed at SDK. Frankfurt region selected at signup; irreversible. |
| PostHog analytics (planned) | PostHog EU region (Frankfurt, DE) | Marketing site only; not live yet. Will be opt-in. |
| Cloudflare CDN + email worker | United States entity, edge global — covered by EU SCCs | TLS termination and inbound calendar-invite email parsing at the edge. |

5. Retention

Defaults below — overridable per bot for recording data, fixed for the rest.

| data type | retention | note |
|---|---|---|
| Bot recording media (temp copy) | Deleted within 1 hour of upload completion (default zero retention) | Override per-bot: 0 / N days / forever. The customer's bucket is governed by their own retention policy, not ours. |
| Account data | Lifetime of the account | Deleted within 30 days of account-closure request, except for invoice records. |
| Invoice + tax records | 10 years (DE Abgabenordnung §147) | Retention here is mandated by law; we cannot delete on request. |
| Audit logs (admin actions) | 90 days, exportable from the dashboard | Includes admin role changes, key creation, billing actions. |
| Operational logs (Better Stack / Sentry) | 30 days | Auto-rotated by the upstream vendors. |

6. Sub-processors

Every third party that touches your data, with what they do and where they sit. We notify customers in-product at least 30 days before adding a new processor.

| sub-processor | purpose | jurisdiction |
|---|---|---|
| Hetzner Online GmbH | Primary hosting (compute, Postgres, optional storage) | Germany |
| Stripe Payments Europe Ltd / Stripe Inc. | Payments, invoicing, customer-portal billing | Ireland (EU entity) + United States (parent) — SCCs in DPA |
| Cloudflare, Inc. | CDN, TLS termination, inbound email worker | United States — SCCs in DPA |
| Functional Software Inc. (Sentry) | Error tracking | Sentry EU region (Frankfurt, DE) selected; parent US — SCCs in DPA |
| PostHog Inc. (planned) | Product analytics on the marketing site (not live yet) | PostHog EU region (Frankfurt, DE); parent US — SCCs in DPA |
| Anthropic PBC | LLM inference for sample apps that use Claude (e.g. action-items-bot) | United States — SCCs in DPA; BAA path TBD; we do not route customer recordings to Anthropic for our own product |

7. Your rights (GDPR)

You have the rights granted by GDPR Art. 15–22: access, rectification, erasure, portability, restriction, and objection. You can also withdraw consent at any time for any processing that depends on consent. To exercise any of these, email privacy@meetbot.dev with your account email and a description of the request — we respond within 30 calendar days (extendable by 60 days for complex requests, with notice). If you believe we are mishandling your data you have the right to lodge a complaint with your local supervisory authority. For our establishment that is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI).

8. International transfers

Most processing is intra-EU. The exceptions are Stripe, Cloudflare, Sentry's parent, PostHog's parent, and Anthropic — all US entities. For those flows we rely on the European Commission's Standard Contractual Clauses (SCCs, Module 2 controller-to-processor or Module 3 processor-to-processor as applicable), supplemented by transfer-impact assessments stored in our DPA repository. Our default product configuration does not transfer customer recordings outside the EEA.

9. Cookies

Today the only cookies set are essential ones — your authentication session and a CSRF token. We do not set advertising cookies, do not run cross-site trackers, and do not embed third-party share buttons that would. Once PostHog ships on the marketing site, a single first-party analytics cookie will be set behind an explicit consent banner; setting Do Not Track in your browser keeps it from being placed.

10. Contact

Privacy and DSAR requests: privacy@meetbot.dev. Vulnerability reports: security@meetbot.dev (PGP key on request; we publish /.well-known/security.txt). General inquiries: hello@meetbot.dev. Postal address available on request — the operating entity is meetbot UG (i.G.), Berlin, Germany. We do not have a designated DPO yet (not mandatory at our scale under Art. 37 GDPR); the privacy contact above acts in that capacity.

11. Changes to this policy

We will email all account holders for material changes at least 30 days before they take effect, and post a banner on this page. Non-material changes (typo fixes, link rewrites, sub-processor address updates) are made silently — the "Last updated" date at the top of this page always reflects the most recent edit. Historical versions are available on request.