Privacy

Last updated: 2 May 2026

This page explains exactly what data summri collects, why, where it lives, who else sees it, and how long it's kept. It's written to be accurate first, lawyer-readable second. If anything is unclear, email privacy@saasyn.com.

Who we are

summri is a service operated by Saasyn, a UK-based business. For any personal data covered below, Saasyn is the “data controller” (we decide why and how it's processed) for your account and billing data, and the “data processor” (we process it on your instructions) for the meeting content you upload.

For Enterprise customers whose admin invites colleagues into a shared workspace, the customer's organisation is the controller for content uploaded by their team members; Saasyn processes that content on the organisation's behalf.

What we collect, and why

Account data

  • Name + email — to identify you and send transactional emails (sign-in, account changes, minutes ready, billing).
  • Hashed password — stored as a one-way hash via better-auth (scrypt with a 32-byte random salt, N=16384). We never see your plaintext password.
  • Session metadata — IP address, user-agent, sign-in timestamps, while a session is active.

Billing data

  • Card payments are handled entirely by Stripe. We never see, transmit or store card numbers, CVCs, or expiry dates. We hold a Stripe customer ID, the last invoice status, your billing country and any VAT ID you provide.

Content you upload

  • Meeting transcripts you drag-and-drop or that we ingest from Microsoft Teams on your behalf.
  • AI-generated minutes derived from those transcripts.
  • Action items and decisions extracted from the minutes.
  • Personal and organisation glossary terms you maintain to improve transcription accuracy.

Transcripts and minutes are encrypted at rest using AES-256-GCM in our PostgreSQL database. Decryption keys are held outside the database row, in environment configuration. Decryption happens only when the content is shown to you or an authorised team member, or when it is sent to Anthropic for AI processing.

Microsoft Graph data (Professional and Enterprise plans only)

  • If you connect your Microsoft 365 account, we store an encrypted OAuth access + refresh token so we can fetch transcripts of meetings you organise (delegated permissions: OnlineMeetings.Read, OnlineMeetingTranscript.Read.All).
  • If your tenant admin grants org-wide capture (Enterprise), we use application permissions (OnlineMeetings.Read.All, OnlineMeetingTranscript.Read.All, Calendars.Read.All) to ingest transcripts for any tenant member who organised a meeting.
  • OAuth tokens are encrypted with AES-256-GCM before being written to the database.

Operational data

  • Error and request logs — minimal, used to diagnose bugs. Retained 30 days.
  • Email delivery logs — what we sent you and whether it bounced. Retained while your account is active.
  • Audit log — admin actions (e.g. pricing changes, user removals) with actor, action, timestamp.

What we do NOT do

  • We do not sell your data to anyone, ever.
  • We do not use your meeting content to train AI models. Anthropic (our AI provider) does not train on API content by default — see their privacy policy.
  • We do not place advertising or marketing-tracking cookies. The site sets a single cookie, used solely for session management (sign-in state).
  • We do not share your content with other customers under any circumstances.

Sub-processors

These are the third-party services that handle your data on our behalf:

  • Anthropic, PBC (USA) — generates minutes, action items and decisions from your transcripts via the Claude API. Data is sent over TLS, processed transiently, and discarded by Anthropic per their API terms (no training on content).
  • Stripe Payments Europe Ltd (Ireland) — handles all card payments and billing. PCI-DSS Level 1 certified. UK/EU data residency.
  • Microsoft Corporation (USA / EU data residency where chosen) — outbound transactional email is delivered via Microsoft Graph (M365). When you connect Microsoft Teams, transcripts and meeting metadata are fetched from Microsoft Graph on your behalf.
  • Self-hosted UK infrastructure — the application server and PostgreSQL database run on UK-based virtualised infrastructure operated by Saasyn. No third-party hosting provider sees the database contents (storage is encrypted at rest at the OS level, in addition to the row-level encryption described above).

We will email account admins at least 14 days before adding a new sub-processor that processes meeting content.

Where data is stored

The primary database is hosted in the United Kingdom. Sub-processors may transfer data internationally:

  • Anthropic processes API requests in the United States. Transfers rely on the EU-US Data Privacy Framework and Standard Contractual Clauses.
  • Stripe stores billing data in Ireland (UK/EU residency).
  • Microsoft email delivery uses M365 infrastructure with EU data residency configured for our tenant.

Retention

Meeting content is retained per your plan:

  • Individual — 90 days. After 90 days, the transcript and minutes are deleted from active storage; database backups roll off after a further 30 days.
  • Professional — 365 days, then the same backup roll-off.
  • Enterprise — retained while your subscription is active. Enterprise admins can request a custom retention policy in writing.

Account-level data (name, email, org membership) is retained while your account is active. Email delivery logs are retained while your account is active. Audit logs are retained for 12 months.

On account deletion, all of the above is removed within 24 hours. Database backups containing previously deleted content roll off within 30 days; we do not selectively excise individual records from backups.

Your rights (UK GDPR / EU GDPR)

You have the right to access, correct, export, restrict processing of, or delete the personal data we hold about you, and to withdraw consent at any time.

  • Access / export — email privacy@saasyn.com. We respond within 30 days with a JSON export of your account, meetings (decrypted), action items and decisions.
  • Deletion — Settings → Danger zone → Delete my account. We email a confirmation link to your address; clicking it permanently and immediately removes everything.
  • Correction — name + email can be edited from Settings. Other fields: email us.
  • Complaint — you can also complain to the UK Information Commissioner's Office if you believe we've mishandled your data.

Region-specific rights

summri serves customers globally. The protections in this policy reflect UK GDPR, which we consider our floor — most other regimes are similar in spirit. Specific additions:

  • California residents (CCPA / CPRA) — you have the right to know what personal information we collect, the right to delete it, the right to correct inaccurate data, the right to opt out of any “sale” or “sharing” (we do not sell or share your data for cross-context behavioural advertising — this is structural, not opt-in), and the right to limit use of sensitive personal information. We don't use sensitive PI beyond what's strictly necessary to deliver the service. Contact privacy@saasyn.com to exercise any right.
  • Brazilian residents (LGPD) — your rights mirror those above, plus access, correction, anonymisation, portability, and revocation of consent. We do not have a local DPO appointed in Brazil; for matters under LGPD, write to the same privacy address and we'll respond within the statutory window.
  • EEA / Swiss residents — see the “Your rights” section above. Transfers to the United States rely on the EU-US Data Privacy Framework (Anthropic, Microsoft) and the Standard Contractual Clauses where DPF doesn't apply.

Security

  • All traffic is HTTPS (TLS 1.2+) only.
  • Transcripts, minutes and OAuth tokens are encrypted in the database with AES-256-GCM.
  • Passwords are stored as scrypt hashes (N=16384, 32-byte salt) via better-auth.
  • Database access is restricted to the application server; no public ingress to the database.
  • Server software is updated weekly. Critical security patches are applied within 24 hours of release.
  • If we discover a breach affecting personal data, we will notify affected users within 72 hours of confirmation, in line with UK GDPR Article 33.

Cookies

summri uses one cookie: better-auth.session_token, used solely to keep you signed in. It is HttpOnly, Secure, SameSite=Lax, and expires when your session ends or after 30 days of inactivity. We do not use marketing, analytics, advertising or cross-site tracking cookies.

Contact

Privacy questions or data subject requests: privacy@saasyn.com.

General support: hello@saasyn.com.

For business customers: see the Data Processing Agreement which sets out our role as data processor on your organisation's behalf.

Changes to this policy

We'll update the “Last updated” date above when this page changes. For changes that materially expand the scope of processing, we'll email account admins at least 14 days before the change takes effect.