How we handle your data.
Felarity processes meetings — often the most sensitive conversations an organization has. This policy explains what we collect, why, where it goes, and how to get it back or delete it.
Effective date: June 7, 2026 · Last updated: June 7, 2026
1. Who we are
"Felarity," "we," "us," "our" refers to Felarity, the organizational intelligence service available at felarity.com, app.felarity.com, and api.felarity.com. We are the data controller for account and billing information, and a data processor for the meeting content you bring into the service.
Contact: privacy@felarity.com. For EU/UK matters: dpo@felarity.com.
2. What we collect
Account & identity
- Email address, display name, and profile picture from your identity provider (Google OAuth, or email + password if applicable).
- Workspace metadata: name, member list, role assignments, retention preferences.
- Authentication artifacts: hashed session tokens (stored in Redis with a 30-day TTL), MFA enrollment state, recovery-code hashes.
Meeting content you upload
- Audio recordings you submit for transcription. Stored encrypted at rest. Retained per your workspace retention policy (default: 30 days, configurable per workspace down to "process and delete").
- Transcripts and diarization output produced by our pipeline.
- Generated artifacts: contradiction detections, attestation chain entries, council/analyst notes, post-session reports.
- Files you attach to an Ask query (PDF/DOCX/text). Extracted text is used for the analysis you requested and deleted with the conversation per retention policy.
Billing
- Stripe customer ID and subscription state. We do not store card numbers — those go directly to Stripe.
- Invoices and payment events.
Telemetry
- Standard request logs: IP, user-agent, path, timestamp, status code. Retained 30 days for security investigation.
- Error reports (Sentry): stack traces and request context, with PII filtered before send.
- Product analytics: only first-party, aggregated, no third-party trackers.
3. What we do not collect
- We do not place advertising or analytics trackers from third parties.
- We do not record audio from your microphone outside an explicit meeting session you start.
- We do not scan your calendar, mail, drive, or any other connected service without an explicit integration that you enable per-workspace.
4. How we use what we collect
- To deliver the product: run the transcription, contradiction-detection, diarization, attestation, and reporting pipelines on the content you submit.
- To bill you: process subscription payments and send receipts.
- To support you: respond to your requests, with strict access controls and an audit log of any time an employee views customer content.
- To secure the service: detect abuse, investigate incidents, and meet our legal obligations.
Model training. We do not train shared models on customer meeting content. Aggregate, fully-anonymized service metrics (e.g., "average meeting length per tier") may be used for capacity planning and product analytics. Per-workspace opt-in is available if you want your content used to fine-tune workspace-specific models — that's a deliberate setting, off by default.
5. Where we send your data (subprocessors)
We use a small set of subprocessors to run the service. The current list lives at /trust/subprocessors with a last-updated date. Major categories:
- Cloudflare — edge, DNS, DDoS protection.
- Stripe — payments.
- Google — OAuth identity provider (only if you sign in with Google).
- Postmark — transactional email.
- Sentry — error monitoring (PII-filtered).
Our LLM inference stack is operated by us on our own infrastructure. We do not send your meeting content to a third-party LLM provider unless your workspace explicitly enables a "bring-your-own-key" provider integration.
6. Retention
Default retention windows (configurable per workspace):
| Data class | Default | Notes |
|---|---|---|
| Audio chunks | 30 days | Or process-and-delete if your workspace selects that mode. |
| Transcripts | 30 days | Independent control from audio. |
| Reports + attestation chain | 1 year | Reports are the durable artifact you'll typically need. |
| Request logs | 30 days | Security investigation. |
| Account record | While your account exists | Hard-deleted on account closure. |
| Billing | 7 years | Tax/audit obligations. |
7. Your rights
Regardless of where you live, you can:
- Export all of your account data as a zip from Settings → Data → Export.
- Delete your account, which hard-deletes all associated data within 30 days (account immediately closed; backups recycle within the same window).
- Correct any incorrect personal information from Settings → Account.
If you are in the EEA, UK, or California, you additionally have rights to access, object to certain processing, restrict processing, and lodge a complaint with your supervisory authority. Email privacy@felarity.com to exercise any of these.
8. Children
Felarity is not directed at children under 16 and we do not knowingly collect data from them. If you believe a child has provided us data, email privacy@felarity.com and we will delete it.
9. International transfers
Our infrastructure runs in the United States. Where data is transferred from the EEA/UK/Switzerland, we rely on the EU Standard Contractual Clauses (or the UK Addendum) as the transfer mechanism. Our DPA is available at /trust/dpa.
10. Security
See the dedicated Security overview and Trust center for details on encryption, access control, incident response, and compliance status. To report a vulnerability: security@felarity.com or our disclosure policy.
11. Changes
We will post changes here with a new "Last updated" date. Material changes will be announced in-product and by email at least 14 days before they take effect.
12. Contact
Felarity — Privacy team
privacy@felarity.com
This policy is a substantive draft for v1 launch and reflects our current operating practice. Buyers with specific regulatory needs (HIPAA, GLBA, sector-specific) should request our Data Processing Agreement and our SOC 2 / HIPAA control matrix from legal@felarity.com.