The problem almost nobody knows
You join a Zoom or Google Meet call. You notice a bot called "Otter Notetaker", "Fred (Fireflies.ai)" or "Fathom" in the participant list. You didn't invite it. The organization that invited you probably signed a clause saying they could record you, but you were never explicitly asked.
The result? Your voice, your opinions, your technical questions, your figures — everything recorded, transcribed and stored on US servers along with a biometric voiceprint of your voice to identify you in future meetings.
If you are a European citizen, you have the right to delete this under GDPR Article 17. But most people don't know how. This guide walks you through it, step by step, with ready-to-send templates.
What the Spanish DPA made clear in April 2026
The AEPD guidance of April 20, 2026 on AI transcription says something critical for this situation: the right of access also applies in multi-speaker. That is: they cannot deny you access to a recording where you appear by arguing "there are other participants whose data we protect".
And even more important: even if you are not the data controller (you didn't contract the service), you still have rights as data subject to: - Know that your voice is being processed - Obtain a copy of what was recorded/transcribed about you - Request full deletion (including biometric voiceprint) - Complain to the data protection authority if they don't respond
Step 1: identify the data controller
The bot belongs to a provider (Otter, Fireflies, Fathom...) but the data controller is the company or person who contracted the service and invited you to the meeting — not the bot provider.
Example: if you went to a call with a vendor that brought OtterPilot, the controller is that vendor, not Otter Inc. Otter is the processor (sub-processor).
Ask the meeting host: - Confirmation that the meeting was recorded - Identification of the bot provider - Retention policy (how long do they keep it?) - Whether your voice was used to create a biometric voiceprint
Step 2: email template for exercising right to deletion
Here is a ready template. Replace the brackets:
Subject: Personal data deletion request (Art. 17 GDPR) — meeting of [date]
Dear [responsible party],
On [date] I participated in a meeting convened by your organization in which the tool [Otter/Fireflies/Fathom/...] was used to record and transcribe the content.
Pursuant to Article 17 of Regulation (EU) 2016/679 (GDPR) and the guidance of the Spanish Data Protection Agency of April 20, 2026 on AI automated transcription, I hereby exercise my right to erasure regarding:
1. The audio recording of my voice corresponding to that meeting.
2. The transcript associated with my interventions.
3. Any biometric voiceprint that your sub-processor [bot provider] may have generated from my voice.
4. Any derived copy (summaries, action items, semantic embeddings) containing information about me.
I also request:
- Confirmation of execution of deletion within 30 days.
- Confirmation that deletion has been propagated to your sub-processor.
- Identification of the country and jurisdiction where the data was stored before deletion.
I await your response. I reserve the right to file a complaint with the AEPD if I do not receive a satisfactory response.
Sincerely,
[your name and signature]
Step 3: if the controller doesn't respond or doesn't cooperate
File a complaint with the AEPD. It's free, done via electronic registry with digital certificate or Cl@ve, and the AEPD is obligated to process your complaint.
URL: [sedeagpd.gob.es/sede-electronica-web/](https://sedeagpd.gob.es/sede-electronica-web/)
Complaint type: "Tutela de derechos" (when a controller does not honor a GDPR right).
Document: - Request email (with timestamp). - Any response or silence. - Screenshot of the bot in the meeting (if you kept it).
What if the bot is from a European provider?
The AEPD applies equally. What changes is that the sub-processor is in European jurisdiction, making deletion propagation easier. AudioMap, for example, has a [public deletion endpoint for third parties](/legal/request-deletion) precisely for this use case: a participant in a meeting recorded with AudioMap can request their removal without being a user, without contacting the host.
Spoiler: no US competitor (Otter, Fireflies, Fathom, Supernormal) offers this public endpoint. You have to go through the data controller, period.
The cultural shift coming
As the AEPD audits organizations recording with American bots without strict invitee consent, this will change. European professionals will be more cautious. And the tools that designed their architecture so that the invitee can exercise their rights directly — without asking favors of the host — will gain market share.
That is AudioMap's design. Not for vanity: because the AEPD April 2026 guidance says it should be.
Actionable summary
- Today: if you remember meetings where a bot appeared that you didn't invite, consider sending the template above to the organizer.
- Going forward: when you see a bot upon joining a call, ask in writing for provider identification before discussing anything sensitive.
- If you are an organizer: use tools with public third-party deletion endpoint (like AudioMap) or explicitly warn each participant in writing before the meeting.
Your voice, your right.