Ingenious AI Studio

Privacy Policy

Last updated: March 4, 2026

1. Introduction

Ingenious AI Studio ("we," "our," or "us") is committed to protecting your privacy in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable data protection laws. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our meeting transcription service ("the Service").

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this policy, please do not use the Service.

2. Data Controller and Data Processor

2.1 Data Controller

Ingenious AI Studio acts as the Data Controller for account information and service-related data. When you use the Service to record third-party meetings, you (the user) act as the Data Controller for the meeting content, and are responsible for ensuring lawful recording and obtaining consent from all meeting participants.

2.2 Data Processor

We act as a Data Processor when processing meeting recordings and transcripts on your behalf. We process this data solely for the purpose of providing the Service and in accordance with your instructions. A Data Processing Agreement (DPA) is available upon request for enterprise customers.

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

  • Email address
  • Name (if provided)
  • Authentication credentials (securely hashed)

3.2 Meeting Data

When you use our service to record meetings, the following data is processed:

  • Meeting URLs and platform metadata
  • Audio and video recordings of meetings
  • Transcripts generated from recordings (including speaker identification)
  • AI-generated summaries of transcript content
  • Meeting duration, timestamps, and participant names

3.3 Calendar Data

If you connect your calendar, we access:

  • Calendar event titles and times
  • Meeting links from calendar events
  • Attendee information (email addresses)

We only read calendar data; we never modify or delete your calendar events.

3.4 Uploaded Content

When you upload audio files for transcription, we process and store:

  • Audio files you upload
  • Generated transcripts
  • File metadata (name, size, format)

4. How We Use Your Information

We process your data based on the following legal bases under GDPR:

  • Performance of a contract (Art. 6(1)(b)): To provide the transcription service you have requested
  • Legitimate interests (Art. 6(1)(f)): To improve service quality, ensure security, and prevent fraud
  • Consent (Art. 6(1)(a)): For optional features like calendar integration and AI summaries
  • Legal obligation (Art. 6(1)(c)): To comply with applicable laws and regulations

Specifically, we use data to:

  • Provide and maintain the transcription service
  • Process and store meeting recordings and transcripts
  • Generate AI-powered summaries and enable transcript chat features
  • Automatically join meetings when calendar integration is enabled
  • Send service-related communications
  • Respond to support requests

5. Sub-Processors and Third-Party Services

To provide the Service, we engage the following sub-processors who may process your data. Each sub-processor is contractually bound to handle data in accordance with GDPR requirements.

MeetingBaas (SPOKE SAS, France)

Purpose: Meeting bot deployment, audio/video recording, and speech-to-text transcription.

Data processed: Meeting audio, video recordings, transcripts, speaker diarization, and screenshots.

Hosting: Amazon Web Services (AWS), European Union.

Retention: Recordings and transcripts are stored on MeetingBaas servers for a maximum of 90 days after creation, after which they are automatically deleted.

Privacy policy: meetingbaas.com/en/legal/privacy-policy

Google Cloud Platform / Firebase (Google LLC, USA)

Purpose: User authentication, database storage (Firestore), file storage (Cloud Storage), and application hosting.

Data processed: Account data, transcripts, uploaded audio files, and application metadata.

Data transfer safeguards: Standard Contractual Clauses (SCCs) as per GDPR Chapter V.

OpenAI (OpenAI LLC, USA)

Purpose: AI-powered transcript summaries and conversational chat with transcript content.

Data processed: Transcript text segments (sent for processing; not used for model training under our API agreement).

Data transfer safeguards: Standard Contractual Clauses (SCCs).

Vercel (Vercel Inc., USA)

Purpose: Application hosting and serverless function execution.

Data processed: HTTP request data, authentication tokens (in transit).

Data transfer safeguards: Standard Contractual Clauses (SCCs).

6. Data Storage and Security

We implement appropriate technical and organizational measures to protect your data as required by GDPR Article 32:

  • Data is encrypted in transit using TLS 1.2+
  • Data is encrypted at rest using AES-256 encryption
  • Access to data is restricted to authorized personnel only, following the principle of least privilege
  • Authentication credentials are securely hashed and never stored in plain text
  • Webhook communications are verified using cryptographic signatures
  • Regular security monitoring and incident response procedures

Primary data storage is on Google Cloud Platform (Firebase). Meeting recordings are temporarily processed on MeetingBaas infrastructure hosted on AWS within the European Union.

7. Data Retention

We retain your data for no longer than necessary to fulfill the purposes for which it was collected:

  • Account data: Retained for the duration of your account plus 3 years after account deletion for legal compliance
  • Transcripts and summaries: Retained until you delete them or your account is terminated
  • Uploaded audio files: Stored in our cloud storage until you delete the associated transcript or your account
  • Meeting recordings on MeetingBaas: Automatically deleted after a maximum of 90 days on MeetingBaas servers. We do not permanently store audio/video recordings on our own infrastructure.
  • Calendar connections: Retained until you disconnect or delete your account
  • Inactive accounts: Accounts inactive for 12 consecutive months may be subject to closure and data deletion after prior notice

8. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), specifically the United States, where some of our sub-processors are located.

For all transfers outside the EEA, we ensure appropriate safeguards are in place as required by GDPR Chapter V, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Supplementary measures where necessary to ensure an essentially equivalent level of protection

9. Your Rights Under GDPR

Under the General Data Protection Regulation, you have the following rights regarding your personal data:

  • Right of access (Art. 15): Request a copy of all personal data we hold about you
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data
  • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
  • Right to restriction (Art. 18): Request restriction of processing of your data
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format and transfer it to another service
  • Right to object (Art. 21): Object to processing of your data based on legitimate interests
  • Right to withdraw consent: Withdraw consent at any time for processing based on consent (e.g., calendar integration)

To exercise any of these rights, contact us at privacy@ingenious.dk. We will respond to your request within 30 days as required by GDPR. You also have the right to lodge a complaint with your local data protection authority (in Denmark: Datatilsynet).

10. Cookies and Tracking

We use essential cookies for:

  • Authentication and session management
  • Security and fraud prevention
  • Remembering your preferences

We do not use third-party tracking cookies, analytics trackers, or sell your data to advertisers.

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority (Datatilsynet) within 72 hours of becoming aware of the breach, as required by GDPR Article 33
  • Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34
  • Document the breach, its effects, and the remedial actions taken

12. Children's Privacy

Our service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly.

13. Data Processing Agreement

For enterprise and business customers who require a formal Data Processing Agreement (DPA) in accordance with GDPR Article 28, please contact us at privacy@ingenious.dk. Our DPA covers:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Types of personal data and categories of data subjects
  • Obligations and rights of the data controller
  • Sub-processor management and approval procedures
  • Data deletion and return upon termination

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new Privacy Policy on this page, updating the "Last updated" date, and where appropriate, sending you an email notification. We encourage you to review this policy periodically.

15. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

Data Protection Contact: privacy@ingenious.dk
General Inquiries: support@ingenious.dk
Address: Ingenious AI Studio, Copenhagen, Denmark

Supervisory Authority: If you believe your data protection rights have been violated, you have the right to lodge a complaint with Datatilsynet (Danish Data Protection Agency) at datatilsynet.dk.

Terms of ServiceBack to Home