Privacy Policy
Your privacy is important to us. It is our policy to respect your privacy and comply with any applicable law and regulation regarding any personal information we may collect about you, including across our website, korely.ai, and other sites we own and operate.
Personal information is any information about you which can be used to identify you. This includes information about you as a person (such as name, address, and date of birth), your devices, payment details, and even information about how you use a website or online service.
In the event our site contains links to third-party sites and services, please be aware that those sites and services have their own privacy policies. After following a link to any third-party content, you should read their posted privacy policy information about how they collect and use personal information. This Privacy Policy does not apply to any of your activities after you leave our site.
Information We Collect
Information we collect falls into one of two categories: voluntarily provided information and automatically collected information.
Voluntarily provided information refers to any information you knowingly and actively provide us when using or participating in any of our services and promotions.
Automatically collected information refers to any information automatically sent by your devices in the course of accessing our products and services.
Log Data
When you visit our website, our servers may automatically log the standard data provided by your web browser. It may include your device IP address, browser type and version, pages you visit, time and date of your visit, time spent on each page, and other details about your visit.
Additionally, if you encounter certain errors while using the site, we may automatically collect data about the error and the circumstances surrounding its occurrence. This data may include technical details about your device, what you were trying to do when the error happened, and other technical information relating to the problem.
Device Data
When you visit our website or interact with our services, we may automatically collect data about your device, such as:
- Device Type
- Operating system
- Geo-location data (country level only, derived from IP address)
Personal Information
We may ask for personal information when you submit content to us, register an account, or contact us, which may include:
- Name
- Home/mailing address (for billing, collected via our payment processor)
Sensitive Information (Special Category Data)
Sensitive information, also known as special categories of data under Article 9 of the GDPR, is a subset of personal information given a higher level of protection. The types of sensitive information that we may collect about you include:
- Biometric information (specifically: voice data contained in audio recordings you choose to make)
We will not collect sensitive information about you without first obtaining your explicit consent, and we will only use or disclose your sensitive information as permitted, required, or authorised by law.
Audio Recording and Biometric Data
When you use Korely's recording features, we collect audio recordings of meetings, conversations, and other interactions. Audio recordings contain voice data, which constitutes biometric special-category personal data under Article 9 of the GDPR. Specific disclosure:
- Lawful basis: Article 9(2)(a) GDPR - your explicit consent, captured via the in-app consent prompt before each recording starts.
- Purpose: transcription, summarisation, and storage in your personal Korely account for retrieval. Korely does NOT perform voice identification or speaker biometric matching.
- Sub-processors (audio transcription):
- Deepgram, Inc. (United States, with EU data-residency endpoint
api.eu.deepgram.com) processes audio for real-time, in-app transcription ("live recordings"). Audio is streamed transiently to Deepgram's EU endpoint, transcribed, and the transcript is returned. Transfer safeguards: Standard Contractual Clauses + Deepgram Data Processing Addendum. - Google Gemini (Google LLC, United States) processes audio for uploaded audio/video files via the multimodal Gemini API (single-call transcription + summarisation + entity extraction). Transfer safeguards: Standard Contractual Clauses + Google Cloud Data Processing Addendum (EU adequacy decision applicable).
- Deepgram, Inc. (United States, with EU data-residency endpoint
- Storage: audio files are stored in Cloudflare R2 (European Union region), encrypted at rest. Transcripts and metadata are stored in our PostgreSQL database hosted by Render (European Union, Frankfurt).
- Retention: audio is retained until you request its deletion. Upon account closure, audio is deleted within 30 days. Backups rotate on a 30-day cycle.
- Your responsibility: you are responsible for obtaining the consent of all participants in any recording, in accordance with the laws of your jurisdiction. See our Terms of Service, "Audio Recording Responsibilities" clause.
U.S. State Biometric Laws Notice (Illinois BIPA, Texas CUBI, Washington HB 1493)
Residents of Illinois, Texas, and Washington benefit from state-specific biometric privacy laws. Korely's position regarding these laws:
- Voiceprint as biometric identifier: the audio you record contains your voice, which qualifies as a "biometric identifier" under the Illinois Biometric Information Privacy Act (740 ILCS 14, "BIPA"), the Texas Capture or Use of Biometric Identifier Act (Bus. & Com. Code §503.001, "CUBI"), and Washington HB 1493.
- No biometric template storage: Korely does NOT extract, store, or use voiceprints, voice templates, or any biometric vector for the purpose of identifying you or any other speaker. Audio is processed transiently by Deepgram (live recordings, EU endpoint) or Google Gemini (uploaded files, US with EU SCC) for transcription and speaker labelling (e.g., "Speaker 1", "Speaker 2") and the resulting text-only transcript is stored. The original audio is retained only because you may want to replay it.
- Purpose limitation: we use audio solely for the limited purposes of transcription, diarisation labels, summarisation, and search retrieval within your personal account. We do NOT use voice data for: identification of natural persons, authentication, marketing, profiling, sale, or sharing with third parties for their independent purposes.
- Written consent (BIPA Section 15(b)): by clicking "Start transcribing" on the in-app consent prompt, you provide a written release authorising Korely to capture and process your voice data for the purposes stated above. This electronic acknowledgement constitutes a "written release" within the meaning of BIPA Section 10. The exact text of the consent prompt is logged with each recording event.
- Retention schedule (BIPA Section 15(a)): audio recordings are retained for the lifetime of your Korely account or until you request deletion, whichever comes first. Upon account closure or explicit deletion request, audio is permanently destroyed within 30 days. Backups rotate on a 30-day cycle. Korely's retention policy is published in this Privacy Policy and constitutes our written retention schedule under BIPA.
- No sale or disclosure (BIPA Section 15(c)-(d)): we do not sell, lease, trade, or otherwise profit from biometric data. The third parties that process your audio are Deepgram, Inc. (real-time recordings, EU endpoint) and Google Gemini (uploaded audio/video files), each acting as our sub-processor under a Data Processing Addendum, strictly for transcription, with contractual prohibition on independent use.
- Reasonable safeguards (BIPA Section 15(e)): audio is encrypted in transit (TLS 1.3) and at rest (AES-256 at Cloudflare R2). Access is limited to your authenticated account session.
AI Processing of Your Content
Korely uses third-party AI providers, primarily Google Gemini, to process content you submit (audio, transcripts, notes, queries) in order to provide the core features of the service: transcription, summarisation, semantic search, AI chat (Gordon AI), and entity extraction.
- Sub-processor: Google Gemini, operated by Google LLC (United States) and, for European customers, Google Ireland Limited. Transfer safeguards: Standard Contractual Clauses approved by the European Commission and Google's Data Processing Addendum.
- No training on your content: under our paid Gemini API agreement with Google, Google does NOT use your content to train its foundation models.
- Transient retention by AI provider: Google may retain processed content in short-term abuse-detection logs for up to 30 days, per Google's published API policies.
- Korely retention: AI-generated outputs (transcripts, summaries, embeddings, knowledge graph entities) are stored in your Korely account for the lifetime of your account.
- Automated decisions (Article 22 GDPR): Korely uses AI-driven automated processing for content organisation, search ranking, and similar operational functions. These automated processes do NOT produce legal or similarly significant effects on you within the meaning of Article 22 GDPR. Human override is always available - you may manually edit, correct, or delete any AI-generated content.
- Accuracy disclaimer: AI-generated outputs may contain inaccuracies, hallucinations, or omissions. You are responsible for verifying AI-generated content before relying on it for any consequential decision.
Knowledge Graph and Data About Third Parties
Korely automatically extracts entities (persons, organisations, topics, projects, locations) from your content and constructs a personal knowledge graph linking these entities across your notes, recordings, and conversations. The graph powers Korely's retrieval features, "related items" suggestions, and the Gordon AI assistant.
- The knowledge graph is strictly per-user: your graph is never aggregated across users, never shared with other users, and never used for advertising or profiling targeted at you.
- Automated entity extraction is performed by Google Gemini (see "AI Processing of Your Content" above).
- When your content mentions third parties, those third parties become entities in your graph. You act as the data controller for any personal data about third parties you upload to Korely; we act as your processor under Article 28 GDPR.
- Third-party rights: any natural person mentioned in a Korely user's content may exercise their GDPR rights by contacting privacy@korely.ai. We will route such requests to the relevant user-controller and assist in fulfilment within the legal deadline.
- Deletion: when you delete content, the corresponding entities and edges are removed from the graph. Orphan entities are pruned during background maintenance.
User-Generated Content
We consider user-generated content to be materials (text, audio, image and/or video content) voluntarily supplied to us by our users.
Your User-Generated Content is Private
Notwithstanding any general language about "user-generated content" being public or being published, the user-generated content you submit to Korely (notes, recordings, transcripts, AI conversations, knowledge graph entities) is treated as PRIVATE to your account.
Korely does NOT publish your content publicly, does NOT share it on social media, and does NOT make it accessible to other Korely users. The only exceptions are:
- sub-processors strictly required to deliver the service (see "Disclosure of Personal Information to Third Parties" below);
- integrations you explicitly enable (e.g., Model Context Protocol clients you connect, calendar integrations you authorise); and
- data we are legally compelled to disclose (court order, regulatory requirement, defence of legal claims).
Legitimate Reasons for Processing Your Personal Information
We only collect and use your personal information when we have a legitimate reason for doing so. We only collect personal information that is reasonably necessary to provide our services to you.
Collection and Use of Information
We may collect personal information from you when you do any of the following on our website:
- Register for an account
- Post a comment or review or otherwise participate in our online community
- Use a mobile device or web browser to access our content
- Contact us via email, social media, or on any similar technologies
- When you mention us on social media
We may collect, hold, use, and disclose information for the following purposes:
- to provide you with our platform's core features and services
- to enable you to customise or personalise your experience
- to contact and communicate with you
- for analytics, market research, and business development
- to send you marketing and promotional communications (with opt-out)
- to enable you to access and use our website and applications
- for internal record keeping and administrative purposes
- to comply with our legal obligations and resolve any disputes
- to attribute any content you submit
- for security and fraud prevention
- for technical assessment, including to operate and improve our app
Security of Your Personal Information
When we collect and process personal information, and while we retain this information, we will protect it within commercially acceptable means to prevent loss and theft, as well as unauthorised access, disclosure, copying, use, or modification. We use TLS encryption in transit, encryption at rest on our database (Render-managed PostgreSQL) and on our object storage (Cloudflare R2), per-user authorisation checks on every API endpoint, and minimum-privilege credentials for all sub-processor integrations.
Although we will do our best to protect the personal information you provide to us, no method of electronic transmission or storage is 100% secure and no one can guarantee absolute data security.
How Long We Keep Your Personal Information
We keep your personal information only for as long as we need to. This time period may depend on what we are using your information for, in accordance with this privacy policy. For example, if you have provided us with personal information as part of creating an account with us, we may retain this information for the duration your account exists on our system. If your personal information is no longer required for this purpose, we will delete it or make it anonymous by removing all details that identify you.
However, if necessary, we may retain your personal information for our compliance with a legal, accounting, or reporting obligation (typically 7 years for financial records under Italian fiscal law) or for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.
Children's Privacy
We do not aim any of our products or services directly at children under the age of 13 and we do not knowingly collect personal information about children under 13.
Disclosure of Personal Information to Third Parties
We may disclose personal information to:
- third-party service providers for the purpose of enabling them to provide their services, including IT service providers, data storage, hosting and server providers, analytics, error loggers, AI/LLM providers, payment systems operators, professional advisors
- our employees, contractors, and/or related entities
- our existing or potential agents or business partners
- courts, tribunals, regulatory authorities, and law enforcement officers, as required by law
- third parties to collect and process data
- an entity that buys, or to which we transfer all or substantially all of our assets and business
Third parties we currently use include:
- Google Gemini (AI/LLM core: uploaded media transcription, embeddings, chat, summaries, entity extraction)
- Deepgram (real-time speech-to-text for in-app live recordings, EU endpoint)
- Render (cloud hosting, EU/Frankfurt)
- Cloudflare R2 (object storage, EU)
- Firebase Auth + FCM (authentication and notifications)
- Stripe (payments)
- Resend (transactional email only: magic-link, verification, password reset - no marketing newsletters)
- Loops (waitlist contact storage and product-update emails to opted-in leads — email, signup timestamp, GDPR consent record)
- Sentry (error tracking, EU-hosted)
- Microsoft Graph (optional Outlook calendar integration)
- Google Calendar API (optional calendar integration)
- Telegram Bot API (optional voice ingestion)
- Cloudflare Pages Analytics (cookieless, server-side audience measurement)
The full and current list of sub-processors, including their purposes, regions, and Data Processing Addendums, is published at korely.ai/subprocessors.html and is incorporated by reference into this Privacy Policy.
International Transfers of Personal Information
The personal information we collect is stored and/or processed in Italy, Germany (Frankfurt), Ireland, the European Union (Cloudflare R2 distributed across EU data centres), and the United States of America, or where we or our partners, affiliates, and third-party providers maintain facilities.
The countries to which we transfer your personal information may not have the same data protection laws as the country in which you initially provided the information. If we transfer your personal information to third parties in other countries, we will perform those transfers in accordance with the requirements of applicable law (including Standard Contractual Clauses approved by the European Commission, where applicable), and we will protect the transferred personal information in accordance with this privacy policy.
Your Rights and Controlling Your Personal Information
Your choice: by providing personal information to us, you understand we will collect, hold, use, and disclose your personal information in accordance with this privacy policy. You do not have to provide personal information to us; however, if you do not, it may affect your use of our website or the products and/or services offered.
Information from third parties: if we receive personal information about you from a third party, we will protect it as set out in this privacy policy. If you are a third party providing personal information about somebody else, you represent and warrant that you have such person's consent.
Marketing permission: if you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by contacting us using the details below.
Access: you may request details of the personal information that we hold about you.
Correction: if you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, please contact us using the details provided in this privacy policy.
Non-discrimination: we will not discriminate against you for exercising any of your rights over your personal information.
Downloading of personal information: we provide a means for you to download the personal information you have shared through our site. Please contact privacy@korely.ai for more information.
Notification of data breaches: we will comply with laws applicable to us in respect of any data breach.
Complaints: if you believe that we have breached a relevant data protection law and wish to make a complaint, please contact us using the details below. You also have the right to contact a regulatory body or data protection authority. For data subjects in Italy, the competent supervisory authority is the Garante per la protezione dei dati personali (https://www.garanteprivacy.it/).
Opt out of communications: you may opt out of receiving communications from us, including marketing and promotional messages, at any time by clicking unsubscribe in any marketing email or contacting us directly.
Business Transfers
If we or our assets are acquired, or in the unlikely event that we go out of business or enter bankruptcy, we would include data, including your personal information, among the assets transferred to any parties who acquire us. You acknowledge that such transfers may occur, and that any parties who acquire us may, to the extent permitted by applicable law, continue to use your personal information according to this policy.
Limits of Our Policy
Our website may link to external sites that are not operated by us. Please be aware that we have no control over the content and policies of those sites, and cannot accept responsibility or liability for their respective privacy practices.
Changes to This Policy
At our discretion, we may change our privacy policy to reflect updates to our business processes, current acceptable practices, or legislative or regulatory changes. If we decide to change this privacy policy, we will post the changes here at the same link by which you are accessing this privacy policy. If the changes are significant, or if required by applicable law, we will contact you and all our registered users with the new details and links to the updated policy.
Additional Disclosures for U.S. State Privacy Law Compliance
The following section applies to residents of California, Colorado, Delaware, Florida, Virginia, and Utah.
Do Not Track
Some browsers have a "Do Not Track" feature that lets you tell websites that you do not want to have your online activities tracked. At this time, we do not respond to browser "Do Not Track" signals.
California Notice of Collection
In the past 12 months, we have collected the following categories of personal information enumerated in the CCPA:
- Identifiers (name, email address, account name, IP address, account ID)
- Customer records (billing and shipping address, payment card data via Stripe)
- Commercial information (subscription history, purchases)
- Internet activity (your interactions with our service)
- Audio or visual data (audio recordings you create through our service)
- Geolocation data (country level only)
- Inferences (knowledge graph entities and relationships derived from your content)
For more information, review the "Information We Collect" section above. We collect and use these categories of personal information for the business purposes described in the "Collection and Use of Information" section.
Right to Know and Delete
You have the right to delete your personal information we collected and to know certain information about our data practices in the preceding 12 months. To exercise any of these rights, contact us using the details below.
Shine the Light (California)
Under California Civil Code Section 1798.83, if you live in California and your business relationship with us is mainly for personal, family, or household purposes, you may ask us about the information we release to other organisations for their marketing purposes. To make such a request, contact us using the details provided in this privacy policy with "Request for California privacy information" in the subject line.
Additional Disclosures for GDPR Compliance (EU)
Data Controller / Data Processor
The GDPR distinguishes between organisations that process personal information for their own purposes ("data controllers") and organisations that process personal information on behalf of other organisations ("data processors"). Korely, located at the address provided in our Contact Us section, is a Data Controller with respect to information you provide directly to us as a Korely user, and a Data Processor with respect to personal data about third parties that you upload to Korely (per our Terms of Service, Knowledge Graph and Data Subject Rights clause).
Legal Bases for Processing Your Personal Information
Our lawful bases depend on the services you use and how you use them. We rely on the following grounds:
Consent
Where you give us consent for a specific purpose. You may withdraw consent at any time using the facilities we provide; however this will not affect any use of your information that has already taken place.
Performance of a Contract
Where you have entered into a contract with us, or in order to take preparatory steps prior to entering into a contract.
Legitimate Interests
Where we assess it is necessary for our legitimate interests, such as to provide, operate, improve, and communicate our services. These include research and development, understanding our audience, marketing analysis, and protecting our legal rights.
Compliance with the Law
Where we have a legal obligation to use or keep your personal information.
International Transfers Outside of the European Economic Area (EEA)
We will ensure that any transfer of personal information from countries in the EEA to countries outside the EEA will be protected by appropriate safeguards, for example by using Standard Contractual Clauses approved by the European Commission, or the use of binding corporate rules or other legally accepted means. Specifically, transfers to Google Gemini, Firebase, Stripe, Resend, and Loops in the United States are covered by the providers' Data Processing Addendums and Standard Contractual Clauses.
Your GDPR Rights
Restrict: you have the right to request that we restrict the processing of your personal information.
Object: you have the right to object to processing of your personal information that is based on our legitimate interests or public interest.
Data portability: you may have the right to request a copy of the personal information we hold about you in a structured, machine-readable format.
Deletion: you may request that we delete the personal information we hold about you. If you terminate or delete your account, we will delete your personal information within 30 days.
Additional Disclosures for UK GDPR Compliance (UK)
Data Controller / Data Processor
Korely, located at the address provided in our Contact Us section, is a Data Controller and/or Processor with respect to the personal information you provide to us, on the same terms as described in the EU GDPR section above.
International Transfers of Personal Information
Korely is established in Italy (European Union), not in the United Kingdom. The personal information we collect about UK users is therefore stored and/or processed primarily in Italy, Germany, Ireland, the European Union, and the United States of America, as described in the "International Transfers of Personal Information" section above. Following an adequacy decision by the European Commission, the UK has been granted an essentially equivalent level of protection to that guaranteed under EU GDPR, and vice versa, allowing free transfer between the UK and EEA. Where we share your data with third parties based outside the UK and EEA (notably Google Gemini, Firebase, Stripe, Resend, and Loops in the United States), we adopt appropriate safeguards including Standard Contractual Clauses and binding corporate rules per UK GDPR Article 45 and the UK Data Protection Act 2018.
Your UK GDPR Data Subject Rights
You have the same rights under UK GDPR as you do under EU GDPR, including: right to restrict processing, right to object, right to be informed, right of access (DSAR with 30 calendar day deadline), right to erasure, right to portability, and right to rectification.
Notification of data breaches: upon discovery of a data breach, we will investigate the incident and report it to the appropriate data protection regulator and yourself, if we deem it appropriate to do so.
Complaints: UK residents have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues. Website: www.ico.org.uk. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance using the details below.
Enquiries, Reports and Escalation
To enquire about our privacy policy, or to report violations of user privacy, you may contact us at privacy@korely.ai using the details in the Contact Us section of this privacy policy. (Note: Korely does not currently have a formally designated Data Protection Officer - see the "Data Protection Officer (DPO) Status" section below.)
Data Protection Officer (DPO) Status
Korely does not currently have a formally designated Data Protection Officer under Article 37 GDPR. The Article 37(1) designation criteria - public authority, core activities involving systematic monitoring on a large scale, or core activities involving large-scale processing of special-category data - are not yet met given Korely's current scale of operations.
Privacy enquiries, requests under GDPR Articles 15-22, and any other privacy-related concerns should be directed to privacy@korely.ai. This decision will be reassessed when Korely's user base or processing volume crosses the relevant thresholds.
Notwithstanding the absence of a formally designated DPO, Korely fulfils all data protection obligations through its data controller and the documented processes in Korely's internal Record of Processing Activities (Article 30 GDPR) and Data Protection Impact Assessments (Article 35 GDPR).
Other Jurisdictions and Catch-All Notice
This Privacy Policy is written to comply primarily with the General Data Protection Regulation (EU GDPR), the UK GDPR, and U.S. state privacy laws (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA, and other comprehensive state laws as enumerated in the "Additional Disclosures for U.S. State Privacy Law Compliance" section). It does not yet contain jurisdiction-specific addenda for the following frameworks, which we will add as the relevant user base materialises:
- Brazil - Lei Geral de Proteção de Dados Pessoais (LGPD, Lei 13.709/2018)
- Canada (federal) - Personal Information Protection and Electronic Documents Act (PIPEDA)
- Quebec - Act respecting the protection of personal information in the private sector (Law 25)
- Australia - Privacy Act 1988 and the Australian Privacy Principles
- New Zealand - Privacy Act 2020
- Switzerland - revised Federal Act on Data Protection (FADP, in force 1 September 2023)
- Japan - Act on the Protection of Personal Information (APPI)
- South Korea - Personal Information Protection Act (PIPA)
- Singapore - Personal Data Protection Act (PDPA)
- India - Digital Personal Data Protection Act, 2023 (DPDP Act)
- South Africa - Protection of Personal Information Act (POPIA)
- Mainland China - Personal Information Protection Law (PIPL). Note: PIPL imposes data residency obligations that may not be compatible with Korely's current EU-only data residency model. Users from mainland China are advised to consult their local counsel before using Korely.
Catch-all commitment. If you reside in a jurisdiction not specifically addressed above, you may have additional rights under your local data protection or privacy law. Korely commits to:
- Responding to lawful data subject requests from any jurisdiction in line with the strictest applicable standard. In practice, the EU GDPR provides the highest baseline of rights (right of access within 30 calendar days, right of erasure, right to portability, right to rectification, right to object, right to restrict processing, right not to be subject to solely automated decisions with legal effect, and right to lodge a complaint with a supervisory authority). Meeting GDPR-grade response is our default for all jurisdictions.
- Adding a jurisdiction-specific addendum to this Privacy Policy when the first user from a new framework signs up, where the local law materially diverges from GDPR (typical examples: data residency requirements, sector-specific notice requirements, mandatory local representative).
- Not transferring your personal data outside the European Economic Area to a country without an adequacy decision or appropriate safeguards (Standard Contractual Clauses, Binding Corporate Rules, or equivalent), as listed in the "International Transfers of Personal Information" section.
To exercise any local right not specifically described in this policy, contact privacy@korely.ai with a clear description of the right you wish to exercise and the jurisdiction whose law you are invoking. We will assess the request and respond within the deadline applicable under that jurisdiction or, if shorter, within 30 calendar days.
Contact Us
For any questions or concerns regarding your privacy, you may contact us using the following details:
Korely Privacy Team
Email: privacy@korely.ai
Data Controller: Massimiliano Martella (transferring to Korely SRL upon incorporation)
Address: Via della Bastia, 40033 Casalecchio di Reno (BO), Italia
This Privacy Policy was generated using GetTerms.io as a base template and customised with Korely-specific clauses (highlighted in indigo) for accurate disclosure of our audio recording, AI processing, and knowledge graph features.
← Back to Korely