Your meeting notes are not private — and what to do about it
Cloud meeting tools store your conversation data, share it with subprocessors, and keep it longer than you think. Here is how to audit your exposure and what genuinely private meeting notes look like.
When you finish a meeting and the AI generates a summary, where does it go? The answer is: to more places than the notification you received. To a database row somewhere in Virginia or Oregon. To a subprocessor that handled the transcription. To a backup that will outlive your subscription. Possibly to a training dataset.
None of this is hidden — it is in the privacy policies. Most people never read them. This article is the part of the privacy policy you should have read.
The anatomy of where your meeting data goes
A typical AI meeting tool collects the following, in rough order of sensitivity:
- Audio recording — the raw call, biometric data under GDPR Article 9
- Transcript — spoken words attributed to named or identified participants
- AI summary — synthesised decisions, action items, sentiment
- Metadata — participant list, join/leave times, meeting title, calendar data
- Files shared — screen shares, attachments, any content displayed
Each of these travels through a chain of entities: your browser or app, the vendor's servers, the vendor's AI subprocessors (typically US-based), backup systems, and sometimes third-party integrations like Slack, Notion, or your CRM.
The retention problem
Most people assume data is deleted when they delete it. This is incorrect for most cloud services. When you delete a meeting recording from a tool like Otter or Fireflies, what typically happens is:
- The record is soft-deleted from the primary database (marked deleted, not removed)
- Backups containing the data persist for 30–90 days (standard backup retention)
- Any data already sent to AI subprocessors is subject to those subprocessors' retention policies
- Data used for model training may be retained indefinitely in model weights
The practical implication: data you "deleted" three months ago may still exist in a backup or a training corpus. This is not malicious — it is how distributed systems work. But it means your deletion is not as final as you think.
The subprocessor problem
The tool you see is not the only entity processing your meeting data. Behind most AI meeting tools is a chain of subprocessors:
- Speech-to-text — often AWS Transcribe, Google Speech-to-Text, OpenAI Whisper, or Deepgram. US companies, US servers.
- AI summarisation — often OpenAI GPT models, Anthropic Claude, or similar LLM APIs. US companies.
- Infrastructure — AWS, Google Cloud, Azure. US companies subject to CLOUD Act.
- Analytics and monitoring — Segment, Mixpanel, Datadog, Sentry. US companies.
When you use a "EU-based" meeting tool, check whether the AI processing actually stays in the EU. Many European startups front the UI from EU servers but send audio to OpenAI's US API for transcription. The data residency is cosmetic.
The legal exposure problem
Meeting notes are discoverable in litigation. In most jurisdictions, electronic records including AI-generated summaries and transcripts are subject to e-discovery in civil cases and disclosure orders in criminal matters. If your tool has them, they can be obtained.
Consider what is in a typical set of meeting notes from a year of business discussions: strategic decisions before they were public, personnel decisions before they were final, legal analysis in early stages, financial projections, customer data discussed in context. All of it, in a database row, accessible to a valid court order — or a breach.
What genuinely private meeting notes look like
There are two meaningful architectures for private meeting notes:
Zero retention
The meeting is processed in memory. Audio is transcribed, the transcript is summarised, and the audio buffer is destroyed at the end of the request. Nothing is written to persistent storage during transcription. The final transcript and summary are stored (encrypted), but there is no audio, no intermediate data, no log of the raw conversation.
This eliminates the highest-risk data (biometric audio) entirely. The stored transcript still has exposure, but it can be deleted permanently — it is a single database row, not a distributed artifact.
End-to-end encryption
The transcript and summary are encrypted with a key the vendor does not hold. The key lives in the meeting URL (a fragment that is never sent to the server) or in a password-protected keystore the user controls. The vendor stores ciphertext. Even a court order or breach only yields encrypted blobs.
This is technically more complex and has UX trade-offs (you cannot search across sessions without decrypting each one). But for legal, financial, or HR use cases, it is the right architecture.
The practical audit: questions to ask your current tool
- Where is your audio stored, and for how long?
- Which subprocessors handle transcription and AI summarisation, and are they EU-based?
- Is your data used to train AI models, and how do I opt out?
- If I delete my account, when is my data actually deleted, including backups?
- Can you sign an Article 28 GDPR Data Processing Agreement?
- What encryption is used at rest, and who holds the keys?
If you cannot get clear answers to these questions, the tool is not ready for sensitive meeting content.
Punkto answers all six: zero audio retention by architecture, EU-only subprocessors for AI, no training data use, AES-256-GCM encryption at rest, DPA available, instant account deletion. Free for 3 transcripts per month.
Frequently asked questions
Who can access my AI meeting notes?
It depends on the tool. Most cloud AI meeting tools allow: (1) the vendor and their employees with appropriate access controls, (2) the vendor's AI subprocessors (often US companies like OpenAI, AWS, Google), (3) government authorities with valid legal orders, and (4) anyone with a valid link to the shared summary. Many tools also use your data to train or improve AI models unless you opt out. The short version: more people than you probably assume.
How long do AI meeting tools keep my transcripts?
Retention policies vary widely. Free tiers often keep data indefinitely or for "account lifetime." Paid plans may have shorter configurable windows. The problem is subprocessors — even if you delete from the primary tool, the transcript may have already been sent to an AI processing provider with their own retention schedule. The only reliable answer is zero retention: destroy the data immediately after use.
Can meeting notes be used as evidence in legal proceedings?
Yes. In most jurisdictions, electronic records including AI meeting transcripts and summaries are discoverable in litigation. If your tool stores meeting notes, they can be subpoenaed. This is a material risk for legal, HR, and financial discussions. The risk is eliminated if the data does not exist — which is why zero-retention architecture matters for sensitive meetings.
What does "end-to-end encrypted meeting notes" mean?
True end-to-end encryption for meeting notes means the encryption key is generated and held by the meeting participants, not the vendor. The vendor stores ciphertext they cannot decrypt. This is technically achievable for text files but requires the client to hold the key — usually in the meeting URL or a password-protected key store. It is different from "encrypted at rest," where the vendor holds the key.
Are meeting summaries covered by GDPR?
Yes, if the summaries contain personal data — which they almost always do (names, roles, decisions attributed to individuals, contact information discussed, performance topics). GDPR applies to the controller (your organisation) and the processor (the meeting tool). You are responsible for ensuring the processor has appropriate safeguards, limited retention, and the ability to respond to data subject access requests.
What is the difference between encrypted at rest and zero retention?
Encrypted at rest means the data is stored on disk in encrypted form, with the vendor holding the decryption key. A court order, a breach, or a rogue employee with key access can expose it. Zero retention means the data is never written to disk — it exists only in process memory during the request that generated it, then is garbage-collected. You cannot subpoena data that does not exist.