Privacy isn't a paragraph in the terms of service. It's an architecture decision. Here are ours.
What we DON'T do
- We don't train models on your audio. Not ours, not third parties'. It's a contractual clause with every vendor that touches content.
- We don't sell data. Ever. It's not a business model that makes ethical or economic sense for us.
- We don't share audio between accounts. Your material is isolated in your workspace.
- We don't transcribe without your action. No automatic processing of your drive or calendar meetings unless you trigger it.
What we DO do
Encryption at rest and in transit. AES-256 for storage, TLS 1.3 for transport. Encryption keys in regional KMS (EU for European customers).
Real deletion. "Delete note" means deleted from S3, from the database, and from the search embeddings. No tombstones that linger.
PII detection. When you generate a shared link, we detect card numbers, national IDs, IBANs, phones, emails. By default we redact them. You can change the policy.
Audit log. Every operation is logged. You see it in your security panel.
Compliance
- GDPR: EU residency for European accounts. Standard DPA available.
- SOC 2 Type II: in progress, expected Q3 2026.
- HIPAA: on roadmap for mid-2026 with BAA.
Consent
The most important part isn't ours, it's yours. Before recording, notify the participants. AudioMap offers consent templates by jurisdiction (EU vs. US have different rules). On platform-recorded calls (Zoom, Meet, Teams), the platform's standard indicator counts.
This is the baseline. If you need something more specific for your industry, write to us and we'll work it out.