1. Who we are
meetbot.dev is operated by meetbot UG (i.G.), a German limited-liability company in formation, registered in Berlin (DE). Our production infrastructure runs on Hetzner Online GmbH in Falkenstein, Germany — EU-hosted by default. Until the UG is fully formed, the natural-person controller is Pavel Remizov, reachable at privacy@meetbot.dev. For GDPR purposes we are the data controller for account-and-billing data and a data processor for any meeting media our customers dispatch us to capture.
1. 収集する情報
bot の起動と請求に必要な情報のみ収集します。お客様から: メールアドレスと (Google 経由でサインアップした場合は) Google アカウント ID、組織名、生成された API キー。利用状況から: bot を起動した会議 URL、起動タイムスタンプ、会議時間、宛先 S3 バケットのプレフィックス、指定された webhook URL。会議の内容は収集しません — 直接お客様のバケットに届きます。
- Account data
The email you signed up with, the display name you provided (if any), your organization name, your hashed magic-link / OAuth identifiers, and a Stripe customer reference once you add a payment method. Used to authenticate you and bill you.
- Recording data (processor-only)
When you dispatch a bot, we transit the meeting capture (per-speaker audio in Opus, tab video in VP9, captions JSONL, chat JSONL, manifest JSON) and write it to the S3-compatible bucket you nominated. We are a processor for this data — your customer relationship with the meeting participants is the controller relationship; we are downstream of it. Default retention on our temp volume: deleted within 1 hour of upload completion.
- Usage and billing data
Per-bot dispatch metadata (timestamps, meeting URL host, duration, exit sub-code, bot run id, signed webhook delivery attempts, total minutes for invoicing). Error logs, scoped per request, sent to Sentry's EU region with PII scrubbed at the SDK layer. Stripe receives invoicing data — invoice-line meeting-minute totals, never meeting URLs or participant names.
- Analytics data (when shipped)
When the marketing site adds PostHog (currently planned, not live), we will record an anonymous id, the URL path, the referrer, the viewport size, and click events on a small set of conversion-relevant elements. PostHog runs in its EU region. The cookie is essential-only until consent is given; behavioural cookies are gated behind a banner.
3. Why we collect it (GDPR Art. 6)
Under GDPR Art. 6 every processing operation needs a lawful basis. Ours, by category:
| category | legal basis | note |
|---|---|---|
| Account data | Contract performance — Art. 6(1)(b) | We can't authenticate you or bill you without it. |
| Recording data | Processor agreement — Art. 28 + 6(1)(b) | You instruct us to capture the meeting; we execute. The participant-side legal basis is yours to establish. |
| Billing + usage | Contract performance + legal obligation — Art. 6(1)(b) and 6(1)(c) | DE accounting law (HGB §257) requires us to retain invoice records for 6 years; tax law extends some categories to 10. |
| Error logs (Sentry) | Legitimate interest — Art. 6(1)(f) | Operational debugging. Retention 30 days. PII is scrubbed at the SDK level. |
| Analytics (when live) | Consent for non-essential cookies — Art. 6(1)(a) + ePrivacy | Essential cookies (auth, CSRF) under legitimate interest; behavioural cookies require explicit opt-in via the banner. |
4. Where data lives
We host in the EU by default and we list the few extra-EEA flows up front. There is no shadow vendor list.
| store | location | note |
|---|---|---|
| Postgres (orchestrator + auth) | Hetzner Falkenstein (DE) | Account data, OAuth refresh tokens (encrypted at rest), bot dispatch metadata, audit logs. |
| S3 / object storage (recording media) | Customer's nominated bucket — OR Hetzner Storage Box (FRA, DE) if you opt to use ours | Customer's bucket is the default. We hold credentials scoped to PutObject + AbortMultipartUpload on a single prefix. |
| Stripe billing | United States — covered by EU SCCs | Card data never touches our servers; Stripe Checkout + Portal are hosted by Stripe. |
| Sentry error tracking | Sentry EU region (Frankfurt, DE) | Error events with PII scrubbed at SDK. Frankfurt region selected at signup; irreversible. |
| PostHog analytics (planned) | PostHog EU region (Frankfurt, DE) | Marketing site only; not live yet. Will be opt-in. |
| Cloudflare CDN + email worker | United States entity, edge global — covered by EU SCCs | TLS termination and inbound calendar-invite email parsing at the edge. |
3. 保持期間のデフォルト
bot の録画: デフォルトはゼロ (お客様のバケットに送出後、当社からは削除)。bot 単位で設定可能。アカウントメタデータ (組織、API キー): アカウントが有効な期間は保持し、要請による閉鎖から 30日以内に削除。監査ログ: 90日、エクスポート可能。
| data type | retention | note |
|---|---|---|
| Bot recording media (temp copy) | Deleted within 1 hour of upload completion (default zero retention) | Override per-bot: 0 / N days / forever. The customer's bucket is governed by their own retention policy, not ours. |
| Account data | Lifetime of the account | Deleted within 30 days of account-closure request, except for invoice records. |
| Invoice + tax records | 10 years (DE Abgabenordnung §147) | Retention here is mandated by law; we cannot delete on request. |
| Audit logs (admin actions) | 90 days, exportable from the dashboard | Includes admin role changes, key creation, billing actions. |
| Operational logs (Better Stack / Sentry) | 30 days | Auto-rotated by the upstream vendors. |
4. 副処理者
Hetzner Online (DE) — 主要なインフラホスト、デフォルトで EU ホスティング。Stripe (IE) — 請求。Sentry (US、EU データレジデンシー付き) — エラーモニタリング。Cloudflare (US) — DNS + エッジキャッシュ。PostHog (EU) — マーケティングサイトのプロダクトアナリティクス、ブラウザの DNT 設定でオプトアウト可能。Google Analytics は使用しません。お客様データを誰にも販売しません。副処理者の完全リストは要請に応じて提供します。
| sub-processor | purpose | jurisdiction |
|---|---|---|
| Hetzner Online GmbH | Primary hosting (compute, Postgres, optional storage) | Germany |
| Stripe Payments Europe Ltd / Stripe Inc. | Payments, invoicing, customer-portal billing | Ireland (EU entity) + United States (parent) — SCCs in DPA |
| Cloudflare, Inc. | CDN, TLS termination, inbound email worker | United States — SCCs in DPA |
| Functional Software Inc. (Sentry) | Error tracking | Sentry EU region (Frankfurt, DE) selected; parent US — SCCs in DPA |
| PostHog Inc. (planned) | Product analytics on the marketing site (not live yet) | PostHog EU region (Frankfurt, DE); parent US — SCCs in DPA |
| Anthropic PBC | LLM inference for sample apps that use Claude (e.g. action-items-bot) | United States — SCCs in DPA; BAA path TBD; we do not route customer recordings to Anthropic for our own product |
6. お客様の権利
GDPR の下で (当社は EU 拠点なので、管轄を問わずすべての顧客に GDPR が適用されます): 個人データへのアクセス、訂正、削除、ポータビリティ、処理制限を請求する権利があります。hello@meetbot.dev へ請求メールをお送りください。30日以内に回答します。Data Protection Officer はまだいませんが、pavel@meetbot.dev がプライバシー連絡先を担当します。
8. International transfers
Most processing is intra-EU. The exceptions are Stripe, Cloudflare, Sentry's parent, PostHog's parent, and Anthropic — all US entities. For those flows we rely on the European Commission's Standard Contractual Clauses (SCCs, Module 2 controller-to-processor or Module 3 processor-to-processor as applicable), supplemented by transfer-impact assessments stored in our DPA repository. Our default product configuration does not transfer customer recordings outside the EEA.
7. お問い合わせ
プライバシーに関するお問い合わせ: hello@meetbot.dev。セキュリティ報告: security@meetbot.dev。郵送先住所は要請に応じて提供。運営会社: meetbot UG (i.G.)、ベルリン、ドイツ — 登記手続中。
11. Changes to this policy
We will email all account holders for material changes at least 30 days before they take effect, and post a banner on this page. Non-material changes (typo fixes, link rewrites, sub-processor address updates) are made silently — the "Last updated" date at the top of this page always reflects the most recent edit. Historical versions are available on request.