Privacy Policy

1. Data We Collect

• Account data: name, email address, company name, role, and organization type when you register.
• Session data: meeting notes, answers to session questions, action items, talking points, and private notes created during 1:1 meetings.
• AI-processed data: session content is sent to our AI provider (Anthropic Claude) for generating summaries, sentiment analysis, and action item suggestions. We do not use your data to train AI models.
• Calendar data: if you connect Google Calendar, we access event titles, times, and participant emails to sync meeting schedules. We store OAuth tokens securely.
• Usage data: pages visited, features used, browser type, IP address, and device information for analytics and service improvement.
• Cookies: authentication session cookies (HTTP-only, secure), locale preference cookie (NEXT_LOCALE), and theme preference.

2. How We Use Your Data

• To provide and operate the 1on1 meeting management platform
• To generate AI-powered session summaries, sentiment analysis, and coaching suggestions
• To sync meeting schedules with your calendar provider
• To send transactional emails (invitations, password resets, session reminders)
• To compute analytics dashboards (team health scores, action item completion rates)
• To enforce role-based access controls and tenant isolation

3. Data Protection

• Encryption: private meeting notes are encrypted at rest using AES-256-GCM with per-tenant keys derived via HKDF. All data in transit is encrypted via TLS 1.3.
• Tenant isolation: every database query is scoped to your organization's tenant ID. PostgreSQL Row-Level Security (RLS) provides a secondary enforcement layer.
• Access control: three-tier RBAC (admin, manager, member) ensures users can only access data relevant to their role and reporting relationships.

4. Third-Party Services

We share data with the following processors, solely to provide the service:

• Vercel — hosting and edge delivery
• Neon — managed PostgreSQL database (EU region available)
• Anthropic — AI analysis of session content (summaries, sentiment, suggestions)
• Google — OAuth authentication and Calendar API (only if you connect)
• Resend / Nodemailer — transactional email delivery

5. Data Retention

We retain your data for as long as your account is active. When you delete your account or your organization is removed, all associated data (sessions, notes, action items, analytics) is permanently deleted within 30 days. AI-generated summaries are deleted alongside their source sessions.

Calendar OAuth tokens are revoked and deleted immediately when you disconnect your calendar.

6. Your Rights (GDPR)

If you are in the European Economic Area, you have the right to:

• Access your personal data
• Rectify inaccurate data
• Request erasure of your data
• Export your data in a portable format
• Restrict or object to processing

To exercise these rights, contact us at privacy@surcod.ro. We will respond within 30 days.

7. Self-Hosting

1on1 is open source (AGPL v3). If you self-host the platform, you are the data controller and this privacy policy does not apply to your instance. You are responsible for your own data protection compliance.

8. Changes to This Policy

We may update this policy from time to time. Significant changes will be communicated via email or an in-app notification. Continued use after changes constitutes acceptance.

9. Contact

For privacy-related inquiries: privacy@surcod.ro