Privacy Policy

1. Who we are

TOM is operated by Mircea Preotu. The data controller's full legal name and registered address are listed in our Impressum.

For privacy questions: hi@meettom.ai.

2. What this policy does and does not cover

This policy covers the meettom.ai website, the purchase flow, the app download, the update check, the one-time licence activation, and our customer-support inbox.

It does not cover the contents of your meetings — and there is no third-party processor that does, either. TOM performs transcription, summarisation, and cross-meeting search entirely on-device on your Mac. No audio, transcript, embedding, or query is transmitted to us, to any cloud AI provider, or to any other third party. See the Privacy section on the homepage for the full data flow.

3. What we collect, why, and how long

Website visits

• Server logs. The site is served from AWS CloudFront with origin storage in Amazon S3 (region: eu-central-1, Frankfurt, Germany; TLS via AWS Certificate Manager). Standard CloudFront access logs are recorded for each request: IP address, user agent, requested URL, response status, timestamp. Lawful basis: legitimate interest (Art. 6(1)(f) GDPR) in operating the site, debugging, and detecting abuse. Retention: 30 days, then automatically deleted.
• Analytics. We use a small, self-hosted analytics tool to count aggregate page views. It does not set cookies, does not track you across other sites, and does not build a profile of you. It records anonymised data only: page URL, referrer, country, browser, and device type. Visitor identifiers are derived from a daily-rotating hash of IP + user agent and cannot be linked back to you. Lawful basis: legitimate interest (Art. 6(1)(f) GDPR). Retention: 12 months.

Purchases

Payments are processed by Stripe. When you buy TOM, Stripe collects your name, email, billing address (where required), and payment card details. We receive from Stripe: your email, the purchased product, the amount, and a Stripe customer/subscription ID. We do not receive your full card number.

Stripe is the data controller for the payment data it collects directly. See Stripe's privacy policy. We retain invoice records for 10 years as required by German tax law (§147 AO).

App downloads, model fetch, and licence activation

• Download. The TOM installer is served from the same AWS infrastructure (CloudFront + S3, eu-central-1). Standard server logs apply (see above).
• First-launch model download. On first launch, TOM downloads approximately 4 GB of on-device AI model weights directly from Hugging Face. That request is between your Mac and Hugging Face; we are not in the path. After this one-time fetch the models live in your Mac's caches and TOM works offline indefinitely. See Hugging Face's privacy policy.
• Licence activation (one-time). When you enter a paid licence, the app contacts our licence endpoint once to verify it. We log the licence ID, timestamp, and IP for fraud prevention. After activation, the licence is bound to your installation locally — the app does not phone home to re-validate. Retention of the activation log: duration of the licence + 12 months.

Customer support

When you email us, we receive your email address and whatever you put in the message, held in our email inbox. Lawful basis: performance of contract (Art. 6(1)(b) GDPR) for buyers, legitimate interest (Art. 6(1)(f) GDPR) for prospective customers. Retention: 24 months after last contact.

4. What we do not collect

• Your meeting recordings, audio, video, or transcripts.
• The summaries, action items, or topics TOM generates.
• The questions you ask TOM, or the answers it returns.
• The embeddings TOM builds for cross-meeting search.
• Your contacts, calendar, or email content.
• Crash reports, diagnostics, or any other telemetry. TOM does not phone home from your Mac.

To be precise: those items don't reach us, and they don't reach any third-party AI service either. All transcription, summarisation, embedding, and cross-meeting search are computed on-device by AI models that live in your Mac's caches.

5. Third parties

The third parties we use:

• Stripe — payment processing.
• Amazon Web Services (AWS) — website hosting, installer hosting, update and licence-activation endpoints, TLS certificates. All in eu-central-1 (Frankfurt, Germany).
• Hugging Face — origin for the on-device AI model weights, fetched once on first launch. Hugging Face does not receive any meeting data; only the public model files are downloaded.

No cloud AI provider is in the loop. TOM does not send audio, transcripts, summaries, queries, or matching snippets to any AI service for processing. All inference runs locally on Apple Silicon.

6. International transfers

Site traffic, downloads, update checks, licence activation, and analytics are all processed in the EEA (eu-central-1, Frankfurt). Stripe may process payment data outside the EEA; for those transfers, Stripe relies on the European Commission's Standard Contractual Clauses and equivalent safeguards. Hugging Face may serve model files from outside the EEA; only public model weights are fetched, and no personal data is transmitted.

7. Your rights

Under GDPR (and equivalent laws elsewhere), you have rights to access, correct, delete, port, or restrict the processing of your personal data, and to object to certain processing. Email hi@meettom.ai and we will respond within 30 days.

Because we do not receive your meeting content, requests about meeting data should be handled on your Mac directly — delete or export the TOM library on your machine. We cannot delete data we never had.

8. Cookies

meettom.ai does not use cookies. Our analytics tool is cookieless, and we do not run any third-party advertising or tracking pixels.

9. Security

All endpoints we operate are served over TLS (certificates managed via AWS Certificate Manager). We do not run a server that ingests meeting content, so there is no "meeting database" that can be breached on our side. All infrastructure (CloudFront, S3, licence and update endpoints) is hosted in AWS eu-central-1, Frankfurt.

10. Children

TOM is not directed at children under 16, and we do not knowingly collect data from them.

11. Changes to this policy

We will update this page when our practices change and revise the "last updated" date at the top. Material changes will also be announced via a notice on this website.

12. Complaints

If you believe we have mishandled your data, please contact us first. You also have the right to lodge a complaint with your local data-protection authority. The supervisory authority for our region is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Kavalleriestraße 2-4, 40213 Düsseldorf, Germany.