Vana AI, Inc. ("Vana," "we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our artificial intelligence meeting assistant service and related applications (collectively, the "Service").

This Privacy Policy applies to all users of our Service and covers data we collect through our website, applications, and any related services. By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy.

If you do not agree with the terms of this Privacy Policy, please do not access or use our Service.

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on personal data, including collection, use, storage, disclosure, or deletion.

"Controller" means the entity that determines the purposes and means of processing personal data.

"Processor" means an entity that processes personal data on behalf of a controller.

"Third Party" means any individual or entity that is not Vana or our users.

We collect information you provide directly to us, information we collect automatically when you use our Service, and information from third-party sources when you authorize such access.

Account Information: When you create an account, we collect your name, email address, password (in hashed form), and profile information.

Meeting and Audio Data: When you use our real-time meeting assistant, we process audio data to generate insights, transcripts, and summaries. By default, audio is processed in real-time and not permanently stored unless you explicitly opt-in to retain transcripts or summaries.

Connected Service Data: When you authorize connections to third-party services (such as Google Workspace), we collect and process data from those services as described in dedicated sections below.

Usage Information: We automatically collect information about how you use our Service, including interaction logs, feature usage, session duration, and error reports.

Device and Technical Information: We collect device identifiers, browser type and version, operating system, IP address, referring/exit pages, and access times.

Communications: We retain records of communications between you and us, including support requests and feedback.

When you choose to connect your Google account, we access limited Google user data strictly to provide Vana AI features. We request only the minimum scopes necessary for the functionality you choose to use:

Google Calendar API Scopes:

• calendar.readonly: Access to read your calendar events and availability for scheduling insights and conflict detection

• calendar.events: Permission to create, modify, or delete calendar events when you explicitly request such actions through our interface

Google Drive API Scopes:

• drive.file: Access only to files that you explicitly select through our secure file picker interface. We cannot access other files in your Drive

Google Authentication Scopes:

• openid: Basic authentication to verify your Google identity

• userinfo.email: Access to your email address to associate with your Vana account

Data Usage: We use Google data exclusively to provide the specific features you request, such as displaying calendar availability, suggesting optimal meeting times, summarizing relevant documents during meetings, and creating calendar events at your direction.

No Broader Access: We do not have access to your entire Google Drive, Gmail, or other Google services beyond the specific files and calendar data you explicitly authorize.

Our use of information received from Google APIs strictly adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

Limited Use Commitment: We only use Google user data to provide or improve user-facing features that are prominently displayed in our Service interface. We do not use Google data for any purpose unrelated to the core functionality you expect.

No Sale or Transfer: We do not sell, rent, or otherwise monetize Google user data. We do not transfer Google user data to third parties except: (a) with your explicit consent; (b) to provide or improve our features; (c) for security purposes; (d) to comply with applicable law; or (e) as part of a merger or acquisition with prior user consent.

No Advertising Use: We do not use Google user data for serving advertisements, including retargeting, personalized advertising, or interest-based advertising.

Human Access Restrictions: Human access to your Google user data is strictly limited to the following circumstances: (a) you provide specific, affirmative consent for a support interaction; (b) it is necessary for security purposes, such as investigating abuse or technical issues; (c) it is required to comply with applicable law or legal process; or (d) aggregated, de-identified data is used for internal operations in compliance with privacy requirements.

Minimal Scope Principle: We request only the narrowest OAuth scopes necessary for the features you actively choose to use. We do not request permissions for future or potential features.

User Control: You maintain full control over your Google data integration and can revoke our access at any time through your Google Account settings or our Service settings.

Calendar Information: Event titles, descriptions, start and end times, attendee lists, recurrence patterns, and calendar metadata. This information is used to display your availability, prevent scheduling conflicts, and create new events when requested.

Document Content: For Google Drive files you explicitly select, we access document content, metadata (title, creation date, sharing permissions), and version information to provide contextual insights during meetings.

Profile Information: Your Google account email address and basic profile information to authenticate your account and associate your Google services with your Vana account.

Token Management: We store OAuth access and refresh tokens in encrypted form to maintain authorized access to your Google services. These tokens are automatically refreshed as needed and deleted when you disconnect the integration.

Service Provision: To provide, operate, and maintain our AI meeting assistant functionality, including real-time transcription, insight generation, and meeting summaries.

Feature Enhancement: To develop, test, and improve our Service features, user interface, and artificial intelligence capabilities.

Communication: To send you administrative information, updates about our Service, respond to your inquiries, and provide customer support.

Security and Fraud Prevention: To monitor and analyze usage patterns, detect suspicious activity, prevent abuse, and maintain the security and integrity of our Service.

Legal Compliance: To comply with applicable laws, regulations, legal processes, and enforceability of our Terms of Service.

Business Operations: For internal analytics, quality assurance, and business intelligence purposes using aggregated, de-identified data.

Personalization: To customize your experience and provide relevant insights based on your usage patterns and preferences.

We do not sell, trade, or rent your personal data to third parties. We may share your information only in the following limited circumstances:

Service Providers: We may share data with trusted third-party service providers who assist us in operating our Service, such as cloud hosting providers, analytics services, and customer support platforms. These providers are contractually bound to protect your data and use it only for the specific services they provide to us.

Legal Requirements: We may disclose your information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, property, or safety, or that of others.

Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will provide notice and, where required, obtain consent before transferring your data under a materially different privacy policy.

Consent: We may share your information with third parties when you provide explicit consent for such sharing.

Aggregated Data: We may share aggregated, de-identified data that cannot reasonably be used to identify you for business intelligence, research, or marketing purposes.

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

Encryption: All data transmissions are protected using industry-standard TLS encryption. Sensitive data at rest is encrypted using AES-256 encryption.

Access Controls: We maintain strict access controls and authentication mechanisms. Employee access to personal data is limited to those who require it for their job functions.

Security Monitoring: We continuously monitor our systems for security threats and maintain incident response procedures.

Regular Audits: We conduct regular security assessments and are working toward SOC 2 compliance.

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee its absolute security.

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Account Data: We retain your account information for as long as your account is active or as needed to provide you services.

Meeting Data: By default, audio data is processed in real-time and not stored. Transcripts and summaries are retained only if you explicitly opt-in to save them. You can delete saved content at any time.

Google Integration Data: OAuth tokens and cached Google data are retained while your integration is active. When you disconnect Google services, we delete stored tokens and cached data within 30 days.

Log Data: System logs and analytics data are typically retained for 12 months for security and service improvement purposes.

Legal Holds: We may retain data longer when required for legal proceedings, regulatory investigations, or compliance obligations.

Upon account deletion, we will delete or anonymize your personal data within 90 days, except where retention is required by law.

Depending on your jurisdiction, you may have certain rights regarding your personal data:

Access: You may request confirmation of whether we process your personal data and obtain a copy of such data.

Rectification: You may request correction of inaccurate or incomplete personal data.

Erasure: You may request deletion of your personal data under certain circumstances.

Restriction: You may request restriction of processing your personal data in certain situations.

Portability: You may request transfer of your personal data to another service provider in a structured, commonly used format.

Objection: You may object to certain types of data processing.

Withdrawal of Consent: Where processing is based on consent, you may withdraw your consent at any time.

To exercise these rights, please contact us at privacy@vana.ai. We will respond to your request within the timeframes required by applicable law. We may need to verify your identity before processing your request.

Your information may be transferred to and processed in countries other than your own. We ensure that such transfers comply with applicable data protection laws.

For transfers outside the European Economic Area (EEA), we implement appropriate safeguards such as Standard Contractual Clauses approved by the European Commission.

We work only with service providers that provide adequate protection for your personal data and comply with applicable data protection requirements.

Our Service is not intended for use by children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal data from children under these ages.

If we learn that we have collected personal data from a child under the applicable age without verified parental consent, we will take steps to delete such information promptly.

If you believe we have collected information from a child under the applicable age, please contact us immediately.

We use cookies, web beacons, and similar tracking technologies to enhance your experience and analyze Service usage.

Essential Cookies: Necessary for the Service to function properly, including authentication and security features.

Analytics Cookies: Help us understand how users interact with our Service to improve functionality and user experience.

You can control cookie settings through your browser preferences. However, disabling certain cookies may limit your ability to use some features of our Service.

Our Service may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to such third-party services.

We encourage you to review the privacy policies of any third-party services you access through our Service.

We are not responsible for the privacy practices or content of third-party services.

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know: You may request information about the categories and specific pieces of personal information we collect, use, disclose, and sell.

Right to Delete: You may request deletion of your personal information, subject to certain exceptions.

Right to Correct: You may request correction of inaccurate personal information.

Right to Opt-Out: You may opt-out of the sale or sharing of your personal information. Note: We do not sell personal information.

Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, please contact us at privacy@vana.ai or through our designated request form.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) and related laws.

We process your personal data based on the following legal grounds: (a) your consent; (b) performance of a contract; (c) compliance with legal obligations; or (d) our legitimate interests.

You have the right to lodge a complaint with your local data protection authority if you believe our processing of your personal data violates applicable law.

For EEA residents, our legal basis for processing Google data is typically your explicit consent or performance of the contract to provide our Service.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

We will provide notice of material changes by posting the updated Privacy Policy on our website and updating the "Last Updated" date. For significant changes, we may also notify you by email or through our Service.

Your continued use of our Service after the effective date of the updated Privacy Policy constitutes your acceptance of the revised terms.

We encourage you to review this Privacy Policy periodically to stay informed about our privacy practices.

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Email: privacy@vana.ai

Data Protection Officer: dpo@vana.ai

Mailing Address: Vana AI, Inc., [Address to be updated with official business address]

We will respond to your inquiries within a reasonable timeframe and as required by applicable law.

For Google-related privacy concerns specifically, you may also reference Google's Privacy Policy and use Google's data subject request tools.