Privacy Policy
Last Updated: December 10, 2025
Effective Date: December 10, 2025
Version: 1.0
1. Introduction
ArrowZ AI Desktop is a privacy-first AI meeting assistant application developed by SigmaPi Labs. This Privacy Policy explains how we collect, use, store, protect, and share your information when you use our desktop application.
1.1 Our Commitment to Privacy
We are committed to protecting your privacy and giving you control over your data. Our application is designed with privacy as a core principle:
- Local-First Architecture: Most data processing occurs on your device
- User Control: You choose when to use cloud services
- Transparency: Clear disclosure of what data is collected and how it's used
- Security: Industry-standard encryption and security measures
- Compliance: Adherence to GDPR, CCPA, and other privacy regulations
1.2 Scope of This Policy
This Privacy Policy applies to:
- The ArrowZ AI Desktop application
- All features and services provided through the application
- Third-party integrations and services used by the application
- Data collected, processed, and stored both locally and in the cloud
This policy does not apply to:
- Third-party websites or services linked from our application
- Information collected by third-party integrations outside of our application
- Data practices of meeting platforms when used independently
2. Information We Collect
We collect different types of information depending on how you use our application. The following sections detail what information we collect and why.
2.1 Account and Authentication Information
When you create an account or sign in, we collect the following information:
| Data Type | Description | Storage Location |
|---|---|---|
| Email Address | Required for account creation and authentication | Encrypted local storage, cloud database |
| Password | Encrypted and stored securely (we cannot see your password) | Encrypted local storage |
| Full Name | Optional, collected during account registration | Local database, cloud database |
| Authentication Tokens | Secure access tokens for session management | Encrypted local storage, cloud database |
| OAuth Provider Info | Provider account ID, email, display name, profile picture (if using third-party sign-in) | Cloud database |
Purpose: Account management, authentication, user identification, service delivery
2.2 User Profile Information
We collect and store the following profile information:
Profile Data
- Username (optional)
- Full Name
- Avatar/Profile Picture
- Subscription Tier
Preferences
- Theme preferences
- Notification settings
- Default share channels
- Auto-sync preferences
- AI processing mode
- Onboarding status
Storage: Local database • Cloud database
Purpose: Personalization, user experience customization, subscription management
2.3 Audio and Video Recordings
When you record meetings or audio, we collect the following:
| Recording Type | Content | Storage |
|---|---|---|
| Audio Recordings | Microphone audio, system audio, combined/mixed streams, dual-stream recordings | Local file system |
| Video Recordings | Screen recordings (if enabled), WebM format files | Local file system |
| Recording Metadata | Start/end times, duration, file size, mode, platform, sample rates, format info | Local database |
Important Privacy Note
Audio and video files are stored locally on your device by default. They are only uploaded to cloud services if you explicitly choose cloud processing mode or share recordings.
Purpose: Meeting transcription, AI-powered analysis, meeting review and search
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 Core Application Functionality
- Meeting Recording and Transcription: Process audio/video to create transcripts
- AI-Powered Features: Generate summaries, answer questions, extract action items
- Search and Retrieval: Enable search across your meetings and documents
- Calendar Integration: Sync meetings, detect upcoming meetings, trigger recordings
- Task Management: Track and manage action items from meetings
3.2 Service Delivery and Improvement
- Performance Optimization: Improve processing speed and accuracy
- Feature Development: Develop new features based on usage patterns
- Bug Fixing: Identify and resolve application issues
- Quality Assurance: Ensure service reliability and accuracy
3.3 User Experience Personalization
- Customization: Apply your preferences (theme, notifications, etc.)
- Recommendations: Suggest relevant meetings, documents, or features
- Onboarding: Guide you through initial setup and feature discovery
3.4 Security and Compliance
- Authentication: Verify your identity and manage access
- Fraud Prevention: Detect and prevent unauthorized access
- Compliance: Meet legal and regulatory requirements
- Audit Logging: Maintain records for security and compliance purposes
3.5 Communication
- Service Updates: Notify you of important changes or updates
- Support: Respond to your inquiries and provide customer support
- Feature Announcements: Inform you about new features (with your consent)
3.6 Analytics and Research
- Usage Analytics: Understand how features are used (aggregated, anonymized data)
- Product Research: Improve our products and services
- Performance Monitoring: Track application performance and reliability
4. Data Storage and Processing
4.1 Local Storage
Primary Storage Location: Your local device
| Storage Type | Contents | File/Path |
|---|---|---|
| Local Database | Meeting metadata, transcripts, summaries, action items, preferences, Knowledge Hub docs, chat history | Local storage |
| File System | Audio recordings (WAV), video recordings (WebM), uploaded documents, application settings | Local directories |
| Encrypted Storage | Authentication tokens, API keys, integration credentials | OS secure storage |
Storage Location
Application Support directory
Privacy: All local data remains on your device unless you explicitly choose cloud features.
4.2 Cloud Storage
Cloud Storage Provider: Secure cloud database service
| Data Type | Contents | Optional |
|---|---|---|
| User Authentication | User accounts, email addresses, authentication tokens (encrypted) | Required |
| User Profiles | Profile information, subscription status, preferences | If sync enabled |
| Meeting Metadata | Titles, dates, duration, participant counts, summaries, action items, tags | If opted in |
| Integration Configs | OAuth tokens (encrypted), API credentials (encrypted), integration status | If used |
Important Privacy Note
- Full transcripts are NOT stored in the cloud by default
- Audio/video files are NOT uploaded to cloud storage
- Only metadata and summaries (if opted in) are stored in the cloud
- You can disable cloud sync entirely
4.3 Data Processing Locations
Local Processing
Your device (100% private)
No data leaves your device
Cloud Processing
4.4 Data Encryption
In Transit
- ✓ HTTPS/TLS encryption for all network communications
- ✓ Encrypted API requests
- ✓ Secure OAuth protocols
At Rest
- ○ Local database: Not encrypted (on your device)
- ✓ Cloud database: Industry-standard encryption
- ✓ Auth tokens: Industry-standard encryption (local)
- ✓ API keys: OS secure storage
5. Third-Party Services and Integrations
We use third-party services to provide functionality. Each service has its own privacy policy and data practices.
Note: Optional services are only used if you explicitly enable them. You can review each service's privacy policy on their respective websites.
6. Data Security
We implement industry-standard security measures to protect your data.
6.1 Security Measures
Encryption:
- All data in transit is encrypted using TLS/HTTPS
- Authentication tokens are encrypted at rest using industry-standard encryption
- API keys stored in OS secure storage (encrypted by operating system)
- Cloud database encrypted using industry-standard encryption
Access Controls:
- Row-level security in cloud database
- Users can only access their own data
- Service role access restricted to necessary operations
- Local file system permissions enforced by operating system
Authentication:
- Secure password storage (hashed, never stored in plain text)
- Secure token-based authentication with expiration
- Token rotation for enhanced security
- OAuth authentication for third-party integrations
- Session management and timeout
6.2 Security Considerations
Important Security Information:
- Local Data: Local data is protected by operating system security. We recommend using full-disk encryption on your device, setting strong device passwords, and keeping your operating system updated to enhance security.
- Application Security: We implement security best practices to protect your data. However, as with any software application, users should take appropriate security measures to protect their devices and data.
- Third-Party Services: We rely on reputable third-party services for some functionality. Their security practices are outside our direct control, though we select providers with strong security standards and regularly review their security practices.
- Cloud Processing: When you use cloud processing modes, data is sent to third-party services. While these services have strong security measures, your data is processed on their servers according to their privacy and security policies.
6.3 Your Security Responsibilities
You play an important role in keeping your data secure:
- Strong Passwords: Use a strong, unique password for your account
- Device Security: Keep your device secure with passwords, encryption, and updates
- API Keys: Keep your API keys secure and private
- Account Access: Don't share your account credentials
- Logout: Log out when using shared devices
- Updates: Keep the application updated to the latest version
7. Data Sharing and Disclosure
We do not sell your personal information. We share data only in the following circumstances:
7.1 With Your Consent
- Integration Sharing: When you connect third-party services, we share necessary data to enable those integrations
- Cloud Processing: When you enable cloud processing modes, audio/data is sent to cloud services
- Meeting Sharing: When you share meetings or summaries, data is sent to the selected platform
7.2 Service Providers
We share data with service providers who help us operate the application:
- Hosting Services: Hosting, authentication, database services
- Payment Processing: Payment processing
- Cloud Transcription: Cloud transcription (if enabled)
- Cloud AI Processing: Cloud AI processing (if enabled)
- Email Services: For email notifications (if enabled)
These service providers are contractually obligated to use data only for specified purposes, implement appropriate security measures, not sell or share data with third parties, and comply with applicable privacy laws.
7.3 Legal Requirements
We may disclose your information if required by law:
- Legal Process: In response to subpoenas, court orders, or legal processes
- Law Enforcement: To comply with law enforcement requests
- Legal Rights: To protect our rights, property, or safety
- Regulatory Compliance: To comply with applicable laws and regulations
7.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. You will be notified of any such transfer, and the acquiring entity will be bound by this Privacy Policy.
8. Your Privacy Rights
Depending on your location, you have certain rights regarding your personal information.
8.1 General Rights (All Users)
- Access: You can access your data through the application or by contacting us
- Correction: You can update your profile information, preferences, and settings in the application
- Deletion: You can delete your account and data (see Section 9 for details)
- Export: You can export your meeting data, transcripts, and summaries
- Opt-Out: You can opt out of cloud processing (use local-only mode), cloud sync (disable cloud features), email notifications (in settings), and non-essential data collection
8.2 GDPR Rights (European Users)
If you are in the European Economic Area (EEA), you have additional rights under GDPR:
- Right to Access: Request a copy of your personal data
- Right to Rectification: Request correction of inaccurate data
- Right to Erasure ("Right to be Forgotten"): Request deletion of your data
- Right to Restrict Processing: Request limitation of data processing
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing of your data for certain purposes
- Right to Withdraw Consent: Withdraw consent for data processing
- Right to Lodge a Complaint: File a complaint with your local data protection authority
8.3 CCPA Rights (California Users)
If you are a California resident, you have rights under CCPA:
- Right to Know: Request information about categories of personal information collected, sources, business purposes, and third parties with whom information is shared
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt out of the sale of personal information (we do not sell personal information)
- Right to Non-Discrimination: Exercise your rights without discrimination
8.4 How to Exercise Your Rights
Through the Application:
- Update profile: Settings → Profile
- Delete account: Settings → Account → Delete Account
- Export data: Settings → Data → Export Data
- Disable cloud features: Settings → Cloud Processing
By Contacting Us:
- Email: privacy@arrowz.ai
- Include: Your email address, specific request, verification of identity
Response Time: We will respond to your request within 30 days (or as required by applicable law). We may request verification of your identity before processing certain requests.
9. Data Retention
9.1 Retention Periods
We retain different types of data for varying periods based on legal requirements and operational needs:
| Data Type | Retention Period | Storage Location |
|---|---|---|
| Account Data | While account is active; deleted upon account deletion | Local + Cloud |
| Meeting Recordings | Indefinitely (local); until you delete them | Local file system |
| Meeting Metadata (Cloud) | While account is active; deleted upon account deletion | Cloud database |
| Transcripts & Summaries | Indefinitely (local); until you delete them | Local database |
| Integration Data | While integration is active; deleted upon disconnection | Local encrypted storage |
| Usage Data | Up to 2 years; may be longer if required by law | Local + Cloud |
| Payment Data | 7 years (legal requirement); tax/accounting purposes | Payment processor |
| Error Logs | Up to 90 days; may be longer for troubleshooting | Local log files |
9.2 Deletion
Automatic Deletion:
- Data is automatically deleted when you delete your account
- Integration data is deleted when you disconnect an integration
- Temporary files are automatically cleaned up
Manual Deletion:
- You can delete individual meetings, transcripts, or documents through the application
- You can delete your entire account: Settings → Account → Delete Account
Deletion Process:
- Local Data: Immediately deleted from your device
- Cloud Data: Deleted within 30 days of account deletion request
- Backup Data: May be retained in backups for up to 90 days (then permanently deleted)
- Legal Holds: Data subject to legal holds may be retained longer
Permanent Deletion: Deleted data cannot be recovered. Make sure to export important data before deletion.
10. Children's Privacy
Age Requirement: Our application is not intended for users under the age of 13 (or 16 in the EEA).
COPPA Compliance: We comply with the Children's Online Privacy Protection Act (COPPA). We do not knowingly collect personal information from children under 13.
If You Are a Parent or Guardian: If you believe your child has provided us with personal information, contact us immediately. We will delete such information upon verification.
Age Verification: We do not currently verify user ages. If you are under 13 (or 16 in the EEA), please do not use our application.
11. International Data Transfers
11.1 Transfer Safeguards
- Standard Contractual Clauses: We use Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA
- Adequacy Decisions: We rely on adequacy decisions where applicable
- Privacy Shield: Some service providers may participate in privacy frameworks (though Privacy Shield was invalidated, some providers maintain equivalent protections)
11.2 Your Rights
You have the right to know where your data is processed, request that data be processed in a specific region (where technically feasible), and object to certain international transfers.
Children's Privacy
Our Service is not intended for children under the age of 13 (or 16 in the EU). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately, and we will take steps to delete such information.
13. Processing Modes and Privacy Implications
Our application offers different processing modes with varying privacy implications. Choose the mode that best fits your privacy and performance needs.
| Mode | Privacy Level | Processing | Pros | Cons |
|---|---|---|---|---|
| Local-Only (Default) | ⭐⭐⭐⭐⭐ Maximum Privacy | | | |
| Cloud-Only (Optional) | ⭐⭐⭐ Moderate Privacy | | | |
| Hybrid (Balanced) | ⭐⭐⭐⭐ Good Privacy | | | |
Settings Location: Settings → Cloud Processing → Mode
You can change processing modes at any time in settings.
14. Audio and Video Recording
14.1 Recording Permissions
- Microphone Access: Required for audio recording. Requested when you start recording. You can revoke access in system settings.
- Screen/System Audio Access: Required for capturing meeting audio. Requested when you start recording. You can revoke access in system settings.
- Camera Access (if video recording enabled): Required for video recording. Requested when you start video recording. You can revoke access in system settings.
14.2 What Is Recorded
- Audio Recordings: Your microphone input (your voice), system audio (meeting participants, system sounds), combined/mixed audio streams, dual-stream recordings (separate tracks)
- Video Recordings (if enabled): Screen content, application windows, system audio (if selected)
14.3 Recording Storage
Location: Local file system on your device
- Audio: Local storage directories
- Video: Local storage directories
Format: Audio (WAV files), Video (WebM files)
Retention: Stored indefinitely until you delete them
Cloud Upload: Recordings are NOT automatically uploaded to the cloud. They are only sent to cloud services if you enable cloud processing mode or explicitly share a recording.
14.4 Legal Considerations
Consent: You are responsible for obtaining consent from meeting participants before recording. Laws vary by jurisdiction regarding recording consent. We are not responsible for compliance with recording laws.
Prohibited Uses: Do not record without consent where required by law. Do not use recordings for illegal purposes. Respect privacy rights of recorded individuals.
15. Meeting Data and Transcripts
15.1 Transcript Generation
Local Processing:
- Real-time transcription
- Post-processing transcription
- Speaker diarization
- Speaker recognition
Cloud Processing (if enabled):
- Cloud transcription
- Automatic speaker diarization
15.2 Transcript Content
What's Included:
- Spoken words (text transcription)
- Timestamps (start/end times)
- Speaker labels (when available)
- Confidence scores
- Language detection
15.3 Transcript Storage
Local Storage:
- Local database
- Full-text search capabilities
- Semantic search capabilities
Cloud Storage: Transcripts are NOT stored in the cloud by default. Only metadata and summaries (if opted in) are stored in the cloud.
16. Integration-Specific Privacy Considerations
16.1 Communication Platform Integrations
Data Shared: Authentication tokens, Meeting summaries (if you share), Messages you send
Your Control: You choose when to share. You can disconnect the integration at any time. Disconnecting revokes authentication tokens.
16.2 Task Management Integrations
Data Shared: API credentials (encrypted), Action item data (if you create tasks), Task creation requests
Your Control: You choose which action items to create as tasks. You can disconnect the integration at any time.
16.3 Calendar Integrations
Data Shared: Authentication tokens, Calendar events (meeting titles, times, links), User profile information
Your Control: You choose which calendars to sync. You can disconnect integrations at any time. You control what meeting data is synced.
17. AI and Machine Learning
17.1 Local AI Processing
What It Means: AI models run on your device. No data sent to external servers. 100% private.
Data Processing: Meeting transcripts (processed locally), User questions (processed locally), Document content (processed locally), Knowledge Hub queries (processed locally)
Privacy: ⭐⭐⭐⭐⭐ Maximum Privacy
17.2 Cloud AI Processing
What It Means: AI processing occurs on cloud servers. Data sent to cloud AI services. Requires internet connection.
Data Shared: Your prompts and questions, Meeting transcript excerpts (for context), Document content (for knowledge hub queries)
Privacy: ⭐⭐⭐ Moderate Privacy
17.3 AI Training Data
We Do NOT:
- Use your data to train our own AI models
- Share your data with AI model providers for training
- Include your data in training datasets
18. Account and Subscription Information
18.1 Account Creation
Required Information: Email address, Password (encrypted, we cannot see it)
Optional Information: Full name, Profile picture
18.2 Subscription Information
Free Plan: No payment information required. Limited features. Local processing only.
Pro/Enterprise Plans: Payment processed by a third-party payment processor. We do not store credit card information. Subscription status stored in our database.
Note: We do not store or have access to your credit card information. All payment processing is handled by a secure third-party payment processor.
19. Device Information and System Access
19.1 Device Information Collected
Basic Device Info: Device ID (unique identifier generated by app), Device name (if provided), Operating system (macOS), Platform version
Purpose: Device registration (for subscription limits), Device management, Support and troubleshooting
19.2 System Permissions
Required Permissions: Microphone access (for audio recording), Screen/System audio access (for meeting capture), File system access (for storing recordings), Network access (for cloud features, if enabled)
Optional Permissions: Camera access (for video recording, if enabled), Calendar access (for calendar sync, if enabled), Notification permissions (for notifications, if enabled)
20. Changes to This Privacy Policy
20.1 Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, new features or services, legal or regulatory requirements, and user feedback.
20.2 Notification of Changes
How We Notify You:
- In-app notification (for significant changes)
- Email notification (if you have an account)
- Updated "Last Updated" date at the top of this policy
When Changes Take Effect: Changes become effective when posted. Continued use of the application after changes constitutes acceptance.