Privacy Policy
Last updated: March 9, 2026
1. Introduction
Proat ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Proat platform ("Service"), in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
This policy applies to all users of the Service, including organization administrators, members, and anyone whose audio or video is processed through the platform.
2. Data Controller
Proat acts as data controller for account information, usage data, and audit logs — data we collect to provide and secure the Service.
For audio, video, transcripts, and AI-generated content uploaded or created by your organization, Proat acts as data processor on behalf of your organization (the data controller). Your organization determines the purposes and means of processing this content. A Data Processing Agreement (DPA) is available and can be accepted by organization administrators within the platform.
3. Data We Collect
Account information
Name, email address, and organizational affiliation. When using single sign-on (SSO), we receive identity information from your OIDC provider (e.g., Keycloak, Microsoft Entra ID, Google Workspace, Proton).
Audio and video content
Audio streams from live recordings, uploaded audio files (WAV, MP3, FLAC, OGG, WebM, M4A), and uploaded video files. This content is processed to generate transcripts and is stored according to your organization's retention settings.
Transcripts and AI-generated content
Text transcripts produced by speech recognition, speaker diarization results, and AI-generated artifacts such as meeting minutes, task lists, summaries, and Q&A responses.
Usage and audit data
Credit consumption, session metadata, IP addresses, user agent strings, and comprehensive audit log entries recording actor, action type, and timestamp. We do not use third-party analytics or tracking services.
4. Legal Basis for Processing
We process your data on the following legal bases under GDPR Article 6:
- Contractual necessity (Art. 6(1)(b)): Processing your account information, audio/video content, and generating transcripts and AI artifacts is necessary to provide the Service you have subscribed to.
- Legitimate interest (Art. 6(1)(f)): Audit logging, security monitoring, rate limiting, and credit enforcement to protect the Service and all users. Usage data collection for service improvement and debugging.
- Legal obligation (Art. 6(1)(c)): Retaining certain records as required by applicable law, and responding to lawful requests from authorities.
- Consent (Art. 6(1)(a)): Where EU Data Residency features are enabled, users are asked to provide explicit consent through our GDPR consent mechanism before their data is processed. Consent can be withdrawn at any time.
5. How We Process Your Data
Speech recognition
Audio is processed through speech recognition providers to generate text transcripts. Our primary provider is Deepgram (with an EU-region endpoint available at api.eu.deepgram.com for organizations requiring EU data residency). Fallback providers include Azure Speech Services (configurable region, e.g., West Europe) and OpenAI Whisper (processed locally on our infrastructure, no external transfer). Audio is transmitted to external providers solely for transcription and is not retained by them beyond the processing window.
AI analysis
Transcripts and conversation content are processed by large language models (LLMs) to generate meeting artifacts. Our primary provider is Anthropic (Claude). Fallback providers include Azure OpenAI (gpt-4o, configurable region) and self-hosted models via our internal LLM router. Your content is sent to these providers for processing only and is not used to train their models. Organizations can opt out of model improvement programs via the GDPR compliance settings.
Vector embeddings
Conversation content may be embedded using vector representations to enable context-aware search and chat. Embedding can be performed locally using sentence-transformers (no external transfer) or via Azure OpenAI embeddings (configurable). All embeddings are scoped to your organization and stored in our PostgreSQL database with pgvector.
Document generation
AI-generated artifacts are rendered into documents (DOCX, PPTX, PDF) using our internal document generation workers. This processing happens entirely within our infrastructure — no content is sent to external services for document rendering.
6. Multi-Tenant Data Isolation
Proat is a multi-tenant platform. Every database query is scoped by organization ID (org_id), ensuring strict data isolation between tenants. There is no mechanism for one organization to access another organization's data. This isolation is enforced at the data layer: across all tables and operations, the organization ID is passed as a bound parameter in parameterized SQL rather than interpolated into query text.
7. International Data Transfers
Some of our third-party processors are based outside the European Economic Area (EEA):
- Anthropic (Claude): United States. Processing subject to appropriate safeguards.
- Deepgram: United States (standard) or EU (via api.eu.deepgram.com when EU data residency is enabled).
- Azure OpenAI / Azure Speech: Region configurable per deployment (e.g., West Europe).
- Resend: United States — for transactional email delivery.
For transfers outside the EEA, we rely on Standard Contractual Clauses (SCCs) and assess the data protection laws of the recipient country. Organizations requiring strict EU data residency can enable EU-only providers and local processing through the GDPR compliance settings in the platform.
8. Data Storage and Retention
Your data is stored in PostgreSQL databases. Audio files and generated documents are stored in object storage. All data in transit is encrypted via TLS.
Data retention is configurable at four levels, with the most specific setting taking precedence: conversation, folder, project, and organization (default: 365 days). Organization administrators can create granular retention rules per object type, folder, project type, and artifact type.
When data is deleted, it is first soft-deleted with a 30-day recovery window. After the recovery window expires, our lifecycle worker permanently purges all associated data including audio files, transcript segments, speaker data, AI artifacts, document embeddings, and blob storage files. All purge operations are recorded in an immutable audit trail.
9. Third-Party Sub-Processors
We share data with the following categories of third-party sub-processors:
- Identity providers: Keycloak, Microsoft Entra ID, Google Workspace, Proton, or your configured OIDC provider — account authentication and SSO
- Speech recognition: Deepgram (US or EU endpoint), Azure Speech Services (configurable region) — audio-to-text transcription
- AI/LLM providers: Anthropic Claude (US), Azure OpenAI (configurable region) — meeting intelligence artifact generation
- Email delivery: Resend (US) — transactional emails such as invitations, notifications, and email change verifications
All sub-processors are selected for their data processing commitments. None use customer content for model training. A current list of sub-processors and their data processing locations is available upon request.
10. Cookies and Local Storage
We use only essential cookies required for the Service to function:
- Session cookie (authjs.session-token): Encrypted JWT containing your authentication session. HttpOnly, SameSite=Lax, expires after 24 hours.
- CSRF token (authjs.csrf-token): Prevents cross-site request forgery. HttpOnly, session-scoped.
- Organization selector (selectedOrgId): Remembers your selected organization. SameSite=Lax, expires after 90 days.
We also store UI preferences (language, sidebar width, panel state) in your browser's local storage. This data never leaves your device.
We do not use third-party tracking cookies, advertising cookies, or analytics services. No cookie consent banner is required as all cookies are strictly necessary for the Service.
11. Automated Decision-Making
The Service does not engage in automated decision-making or profiling that produces legal or similarly significant effects on users as described in GDPR Article 22.
AI-generated content (transcripts, meeting minutes, task lists) is produced for human review and does not result in automated decisions affecting your rights. The credit system may automatically restrict access to certain features when credit limits configured by your organization administrator are reached — this is a contractual usage limit, not profiling. Your organization administrator can adjust these limits at any time.
12. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), you have the following rights:
- Access (Art. 15): Request a copy of your personal data. You can export your profile data directly from the platform via your account settings.
- Rectification (Art. 16): Request correction of inaccurate data. You can update your profile and email address through the platform.
- Erasure (Art. 17): Request deletion of your data. You can request account deletion from your profile, which initiates a 30-day grace period before permanent removal.
- Portability (Art. 20): Request your data in a machine-readable format. Profile data can be exported as JSON; conversations and documents can be exported in standard formats (DOCX, PPTX, PDF, JSON, CSV, TXT).
- Restriction (Art. 18): Request restriction of processing in certain circumstances.
- Objection (Art. 21): Object to processing based on legitimate interests.
- Withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, use the self-service options in the platform or contact us at info@proat.app. We will respond within 30 days.
13. Right to Lodge a Complaint
If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. For the Netherlands, the supervisory authority is:
Autoriteit Persoonsgegevens
Bezuidenhoutseweg 30, 2594 AV Den Haag
autoriteitpersoonsgegevens.nl
14. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Art. 33). Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay (Art. 34).
15. Children's Privacy
The Service is not intended for use by children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of material changes through the Service or by email. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the Service after notification constitutes acceptance of the updated policy.
17. Contact
For questions about this Privacy Policy, data protection, or to exercise your rights, contact us at:
Proat
Email: info@proat.app