Integritet

Who we are

Max Lindholm AB, org. nr. 559407-9633, Sweden, trading as Roomradar (“Roomradar”, “we”, “us”), is the data controller for personal data described in this policy. Contact us at lindholm.maximilian@gmail.com.

This policy covers personal data we process as a data controller (account data, billing, platform operations). When you use Roomradar to process meeting content on behalf of a customer organisation, we act as a data processor on that organisation’s behalf. In that case, refer to your organisation’s own privacy notice for information about how meeting data is handled.

Data we collect and why

Account and identity data — name, email address, organisation, hashed password. We use this to manage your account, authenticate you, and send service notifications. Legal basis: performance of a contract (GDPR Art. 6(1)(b)).

Meeting and session data — voice recording (deleted immediately after transcription), meeting transcript, AI-generated outputs (summaries, moments, action items), participant list, and session metadata. Legal basis: performance of a contract, with explicit consent obtained from each participant before recording begins.

Billing data — payment method details, billing address, invoice records. Payment card details are processed directly by Stripe and not stored on Roomradar systems. Legal basis: performance of a contract and compliance with the Swedish Bookkeeping Act.

Usage and operational data — log data (IP address, browser type, timestamps), feature usage patterns, error reports. Legal basis: legitimate interests in maintaining the security, reliability, and quality of the platform.

We do not intentionally collect special category personal data. Meeting content may incidentally include such data if participants discuss those topics; processing of any such data is covered by the pre-session consent.

We do not use your meeting content to train AI models.

Who we share data with

We use sub-processors to help deliver the platform. Standard tier sub-processors include OpenRouter (US, an API router used for AI model calls — OpenRouter is contractually responsible for its downstream model providers under GDPR Art. 28(4)), Clerk (US, authentication), Soniox (US, speech-to-text), ElevenLabs (US, alternative speech-to-text for higher-quality modes), Google (US, analytics — only with your consent), and Stripe (Ireland, payments). For Secure Mode customers (K2 / K3 tier), we use only EU-jurisdiction sub-processors: Scaleway (France) and Nebius (Netherlands).

All sub-processors are bound by data processing agreements and may only process your data for the purposes we instruct. We do not sell, rent, or trade personal data.

International transfers

Our Standard tier uses sub-processors in the United States. These transfers are safeguarded by Standard Contractual Clauses approved by the European Commission (Decision 2021/914). The US sub-processors we use are subject to the US CLOUD Act.

Our Secure Mode / EU tier uses exclusively EU/EEA-based infrastructure with no transfers outside the EU/EEA. This tier is designed for customers who require EU-jurisdiction data processing, including Swedish municipalities and public-sector organisations with KLASSA K2/K3 requirements.

How long we keep your data

Account data, meeting transcripts, and AI-generated outputs are kept for the duration of your subscription plus 90 days after cancellation. If you re-subscribe within that window, your data is preserved; after 90 days, your account and associated data are permanently deleted.

Audio recordings are deleted immediately after transcription — they are never stored on our servers after the transcript is generated. Operational and security logs are kept for 90 days. Backups roll on a 30-day cycle, so deletion is fully propagated within 30 days of hard deletion.

Billing and invoice records are kept for 7 years as required by the Swedish Bookkeeping Act (Bokföringslagen). These are stored separately from your account data after the 90-day window.

If you submit an explicit erasure request under GDPR Art. 17, we will action it within 30 days, except where law requires us to retain billing records.

Cookies

We use essential cookies to keep you signed in (Clerk authentication cookies). These are strictly necessary for the platform to function and do not require consent.

With your consent, we also use Google Analytics to understand how the platform is used. Analytics cookies are not loaded until you accept them via the cookie banner. You may withdraw consent at any time by clearing your browser cookies, after which the banner will re-appear and let you choose again.

Your rights

Under the GDPR, you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, and to withdraw consent at any time. To exercise these rights, contact us at the email above. We will respond within 30 days.

California and other U.S. state privacy rights

If you are a resident of California, you have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), in addition to the rights described above: the right to know what personal information we collect, the right to delete it, the right to correct inaccurate information, the right to opt out of “sale” or “sharing”, the right to limit use of sensitive information, and the right to non-discrimination for exercising these rights.

We do not sell personal information for monetary consideration. We share certain data with analytics providers (Google Analytics) for the purposes of improving the platform — but only after you have given consent via the cookie banner, which you can withdraw at any time. Under CCPA’s broad definition this constitutes “sharing”, and you may opt out at any time via the same cookie banner.

To exercise any of these rights, contact us at the email above. We will verify your identity before responding and will respond within 45 days as required by CCPA. You may also use an authorised agent acting on your behalf with your written permission.

Residents of other U.S. states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana and others) have similar rights and may exercise them via the same process.

Complaints

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Swedish data protection authority, Integritetsskyddsmyndigheten (IMY), Box 8114, 104 20 Stockholm, imy@imy.se, www.imy.se.