Privacy Policy
1. Data We Collect
When you use CallScrib, we collect and process the following data:
- Meeting and call transcripts — text content generated by Microsoft Teams transcription
- User identifiers — Microsoft Entra (Azure AD) object IDs, display names, email addresses
- Organization identifiers — Microsoft 365 tenant IDs
- AI-generated summaries — structured summaries produced from your transcripts
- Usage data — conversation counts for plan limits, feature usage analytics
- Billing data — subscription plan, seat count, and payment identifiers (processed by Stripe; we do not store credit card numbers)
2. How We Use Your Data
Each category of data is collected for a specific purpose:
- Transcripts — processed by AI to generate structured meeting summaries, action items, and decisions
- User identifiers — to associate summaries with the correct user and deliver them to the correct Teams chat
- Organization identifiers — to manage tenant-level settings, permissions, and plan limits
- AI-generated summaries — stored so you can search, export, and revisit past conversations
- Usage data — to enforce plan limits and improve the product
- Billing data — to manage your subscription and process payments
We do not sell your data. We do not use your data for advertising.
3. Data Storage and Retention
Your data is stored in US-East region data centers provided by Supabase (PostgreSQL on AWS) and Microsoft Azure.
- Transcripts and summaries are retained for 90 days by default
- Pro, Business, and Enterprise plans may have extended retention windows
- You may delete your data at any time via the Settings page or by emailing us
- Deleted data is soft-deleted immediately and permanently purged within 30 days
- Account deletion removes all associated data, including transcripts, summaries, and usage history
4. Third-Party Processors
We use the following third-party services to operate CallScrib. Each processes customer data only as necessary to provide its service:
- DeepInfra — hosts the AI models that generate summaries and transcribe audio. DeepInfra operates under a zero-retention API: your data is not stored after processing and is never used to train AI models. See the DeepInfra Privacy Policy.
- Microsoft Azure — hosts our backend application services (Azure Functions, US-East). See the Microsoft Privacy Statement.
- Supabase — provides our PostgreSQL database and authentication infrastructure. See the Supabase Privacy Policy.
- Stripe — processes subscription payments. Stripe is PCI-DSS Level 1 certified. See the Stripe Privacy Policy.
- Resend — delivers email summaries when enabled by the user. See the Resend Privacy Policy.
We do not share your data with any other third parties.
5. AI Usage Disclosure
CallScrib uses AI to generate meeting summaries, action items, and other structured outputs from your transcript text.
- AI processing is performed via DeepInfra’s zero-retention API — your transcript data is not stored by the AI provider after processing completes
- Your transcripts are never used to train, fine-tune, or improve AI models
- All AI-generated content is clearly labeled with an “AI-generated summary — always verify accuracy” disclaimer
- AI outputs may contain inaccuracies. Users should always verify AI-generated content before acting on it
6. GDPR Data Subject Rights
If you are in the European Economic Area, you have the right to:
- Access — request a copy of all data we hold about you
- Rectification — correct any inaccurate data
- Erasure — request deletion of all your data
- Portability — receive your data in a machine-readable format
- Restriction — request that we stop processing your data
- Objection — object to specific processing activities
To exercise any of these rights, email privacy@callscrib.com. We will respond within 30 days.
7. Data Deletion
You may request deletion of all your data by:
- Using the “Delete my data” button in Settings
- Emailing privacy@callscrib.com
We will process deletion requests within 30 days. Upon deletion, all transcripts, summaries, usage history, and account data are permanently removed.
8. Security and Incident Notification
We take the security of your data seriously:
- All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access to production systems is restricted to authorized personnel with multi-factor authentication
- We conduct regular security reviews of our infrastructure and code
In the event of a data breach that affects your personal data, we will notify affected customers by email within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33. The notification will include the nature of the breach, the data affected, and the steps we are taking to address it.
9. Contact
For privacy-related questions, data subject requests, or concerns about how your data is handled:
- Privacy email: privacy@callscrib.com
- General support: hello@callscrib.com
- Mailing address: Vesuvio Labs LLC, United States
We aim to respond to all privacy inquiries within 5 business days.
10. Changes to This Policy
We may update this privacy policy from time to time. When we make material changes, we will notify users via email or an in-app notice. Continued use of CallScrib after changes constitutes acceptance of the updated policy.