Privacy Statement
Privacy Statement
Last updated: June 26, 2026
01
Who we are and scope
StandIn is operated by [Komaa, legal entity name] (“we”, “us”). This statement explains how we handle personal data in connection with the StandIn website, account, and media-bridge service. It does not cover the content of your Teams meetings, which stays in your own Microsoft tenant (see section 5).
02
Our role: controller and processor
For your account, billing, and usage data we act as the data controller. For real-time meeting media we act only as a transient conduit and do not store it, you (or your organization) remain the controller of your meeting content and your bot identity. For business customers a Data Processing Agreement is available on request.
03
What we collect
Account data from your sign-in provider (name, email address, and profile image via Microsoft or Google); subscription and billing metadata (processed by Paddle as Merchant of Record, we do not receive full card details); references to the bot credentials you provide (held as references in Azure Key Vault, never the secret values in our application database); operational logs, diagnostics, and usage metrics; and any information you send us for support.
04
Google API Services
StandIn offers sign-in with Google. When you choose Google sign-in, we access your basic Google account profile (name, email address, and profile image) solely to authenticate you and to create and operate your StandIn account. StandIn’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. We do not use Google user data for advertising, we do not sell it, we do not transfer it except as needed to provide or secure the service or as required by law, and we do not use it to train generalized AI or machine-learning models.
05
What we do NOT collect or store
We do not store meeting content, no transcripts, recordings, audio, video, or memory. The media bridge only transits real-time media to the agent you operate and persists none of it. Your bot identity and meeting content remain in your own Microsoft tenant and selected region. We do not create voiceprints or other biometric identifiers, and we do not retain the voice, image, or personal data of meeting participants.
06
How we use data, and legal bases
We use personal data to provide, operate, secure, bill, and support the service, to communicate with you, and to comply with law. Where the GDPR or similar laws apply, our legal bases are: performance of our contract with you; our legitimate interests in operating and securing the service; your consent where required; and compliance with legal obligations.
07
Sharing and sub-processors
We share data with service providers that help us run StandIn. Our current sub-processors are: Microsoft (Azure hosting, and Microsoft Teams and Graph); Paddle (payments, as Merchant of Record); [observability/logging provider, confirm]; and [email/support provider, confirm]. You separately choose and control your own AI agent and model providers. We do not sell personal data. We will post material changes to this list on this page.
08
Where your data is processed
Our portal and control plane currently run in Microsoft Azure in [West Europe], and account and billing data is stored in [North Europe]; Paddle processes payment data in its own locations. Real-time meeting media transits in the region you select for your workload and is not stored. Where personal data is transferred across borders, we rely on appropriate safeguards (such as Standard Contractual Clauses) where required.
09
Data residency
For paid plans your media workload runs in the region you select. The free Sandbox runs in our default region. Account and billing data locations are described in section 8.
10
Retention
We retain personal data only as long as necessary for the purposes described in this statement. Account data: for the life of your account, then deleted or anonymized within 90 days of account closure. Billing and invoice records: for the period required by applicable tax and accounting law (typically up to seven (7) years; final period to be confirmed for [Komaa’s jurisdiction, confirm with counsel]). Operational logs and diagnostics: up to 90 days, then deleted or anonymized. Support correspondence: up to 24 months after the request is closed. Prospect and marketing contact data, where applicable: up to 24 months from your last interaction, or until you opt out. Real-time meeting media is never stored (see the “What we do NOT collect or store” section).
11
Security
We protect data with encryption in transit, secrets stored in Azure Key Vault (we hold references, not secret values, in our application database), managed-identity and least-privilege access, and network controls. No method of transmission or storage is completely secure.
12
Your rights
Subject to applicable law, you may request access to, correction, deletion, export, or restriction of your personal data, and may object to certain processing. Contact privacy@komaa.com; we aim to respond within 30 days. You may also have the right to complain to your local data protection authority.
13
Cookies
We use strictly necessary cookies for authentication and session management. We do not use advertising or cross-site tracking cookies.
14
Children
StandIn is a business service, is not directed to children, and we do not knowingly collect personal data from children.
15
Changes
We will post any changes to this statement on this page with a new “last updated” date and, for material changes, take reasonable steps to notify you.
16
Contact
Privacy questions and requests: privacy@komaa.com. [TO CONFIRM WITH COUNSEL: Komaa legal entity name, registered address, and, if we process EU/UK residents’ data, our Article 27 EU/UK representative and Data Protection Officer]