Privacy Statement

Privacy Statement

Last updated: June 26, 2026

01

Who we are and scope

StandIn is operated by [Komaa, legal entity name] (“we”, “us”). This statement explains how we handle personal data in connection with the StandIn website, account, and media-bridge service. It does not cover the content of your Teams meetings, which stays in your own Microsoft tenant (see section 5).

02

Our role: controller and processor

For your account, billing, and usage data we act as the data controller. For real-time meeting media we act only as a transient conduit and do not store it, you (or your organization) remain the controller of your meeting content and your bot identity. For business customers a Data Processing Agreement is available on request.

03

What we collect

Account data from your sign-in provider (name, email address, and profile image via Microsoft or Google); subscription and billing metadata (processed by Paddle as Merchant of Record, we do not receive full card details); references to the bot credentials you provide (held as references in Azure Key Vault, never the secret values in our application database); operational logs, diagnostics, and usage metrics; and any information you send us for support.

04

Google API Services

StandIn offers sign-in with Google. When you choose Google sign-in, we access your basic Google account profile (name, email address, and profile image) solely to authenticate you and to create and operate your StandIn account. StandIn’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. We do not use Google user data for advertising, we do not sell it, we do not transfer it except as needed to provide or secure the service or as required by law, and we do not use it to train generalized AI or machine-learning models.

05

What we do NOT collect or store

We do not store meeting content, no transcripts, recordings, audio, video, or memory. The media bridge only transits real-time media to the agent you operate and persists none of it. Your bot identity and meeting content remain in your own Microsoft tenant and selected region. We do not create voiceprints or other biometric identifiers, and we do not retain the voice, image, or personal data of meeting participants.

06

How we use data, and legal bases

We use personal data to provide, operate, secure, bill, and support the service, to communicate with you, and to comply with law. Where the GDPR or similar laws apply, our legal bases are: performance of our contract with you; our legitimate interests in operating and securing the service; your consent where required; and compliance with legal obligations.

07

Sharing and sub-processors

We share data with service providers that help us run StandIn. Our current sub-processors are: Microsoft (Azure hosting, and Microsoft Teams and Graph); Paddle (payments, as Merchant of Record); [observability/logging provider, confirm]; and [email/support provider, confirm]. You separately choose and control your own AI agent and model providers. We do not sell personal data. We will post material changes to this list on this page.

08

Where your data is processed

Our portal and control plane currently run in Microsoft Azure in [West Europe], and account and billing data is stored in [North Europe]; Paddle processes payment data in its own locations. Real-time meeting media transits in the region you select for your workload and is not stored. Where personal data is transferred across borders, we rely on appropriate safeguards (such as Standard Contractual Clauses) where required.

09

Data residency

For paid plans your media workload runs in the region you select. The free Sandbox runs in our default region. Account and billing data locations are described in section 8.

10

Retention

We retain personal data only as long as necessary for the purposes described in this statement. Account data: for the life of your account, then deleted or anonymized within 90 days of account closure. Billing and invoice records: for the period required by applicable tax and accounting law (typically up to seven (7) years; final period to be confirmed for [Komaa’s jurisdiction, confirm with counsel]). Operational logs and diagnostics: up to 90 days, then deleted or anonymized. Support correspondence: up to 24 months after the request is closed. Prospect and marketing contact data, where applicable: up to 24 months from your last interaction, or until you opt out. Real-time meeting media is never stored (see the “What we do NOT collect or store” section).

11

Security

We protect data with encryption in transit, secrets stored in Azure Key Vault (we hold references, not secret values, in our application database), managed-identity and least-privilege access, and network controls. No method of transmission or storage is completely secure.

12

Your rights

Subject to applicable law, you may request access to, correction, deletion, export, or restriction of your personal data, and may object to certain processing. Contact privacy@komaa.com; we aim to respond within 30 days. You may also have the right to complain to your local data protection authority.

13

Cookies

We use strictly necessary cookies for authentication and session management. We do not use advertising or cross-site tracking cookies.

14

Children

StandIn is a business service, is not directed to children, and we do not knowingly collect personal data from children.

15

Changes

We will post any changes to this statement on this page with a new “last updated” date and, for material changes, take reasonable steps to notify you.

16

Contact

Privacy questions and requests: privacy@komaa.com. [TO CONFIRM WITH COUNSEL: Komaa legal entity name, registered address, and, if we process EU/UK residents’ data, our Article 27 EU/UK representative and Data Protection Officer]