Privacy policy

Last updated: April 27, 2026

This Privacy Policy explains how Capvo ("we", "us") collects and processes personal data when you use the Capvo desktop app, the API at api.capvo.app, and the website at capvo.app.

If you have questions, write to privacy@capvo.app.

Who is the controller

Capvo, registered in France, is the data controller for the personal data described below. The full legal entity name and registration number will be published here before public launch.

What data we collect

We collect three categories of data:

Account data. Your email address, a hashed password, the API keys you create, and the name of your account. You give us this when you register.

Content data. The audio recordings you make with Capvo, the transcripts generated from those recordings, any AI summaries you ask us to produce, and the embeddings used to power semantic search.

Operational data. IP addresses of API requests, request timestamps, error logs, and webhook delivery logs. We use this to operate the service, debug issues, and prevent abuse.

We do not collect cookies for advertising. We do not use third-party analytics with behavioural tracking.

Why we process this data

  • To deliver the service: store your recordings, transcribe them, serve them back via the API, deliver webhooks.
  • To secure the service: rate-limit API keys, detect abuse, investigate incidents.
  • To bill you (Pro and Enterprise): process payments through Stripe (see sub-processors).
  • To send transactional emails: account verification, billing receipts, security notices. We do not send marketing emails without explicit opt-in.

The legal basis under RGPD is contract performance for service delivery and billing, legitimate interest for security, and consent for any optional marketing communication.

Where we store data

All customer data is stored in the European Union (Frankfurt) on infrastructure provided by Supabase. Audio is encrypted at rest. Transcripts and metadata are stored in PostgreSQL with full-disk encryption.

How long we keep it

Data | Retention
Audio recordings | 90 days, then automatically deleted
Transcripts and metadata | Until you delete the meeting or your account
Embeddings | Until you delete the meeting
Webhook delivery logs | 30 days
Account email and billing records | Until you delete the account, then 10 years for invoices (French legal requirement)

Sub-processors

We rely on the following sub-processors:

Sub-processor | Purpose | Region
Supabase | Hosting, storage, database | EU (Frankfurt)
OpenAI | Whisper transcription | US (30-day retention, no training)
Anthropic | Claude AI summaries (Pro/Enterprise only, opt-in per call) | US (no training on API inputs)
Stripe | Payment processing | US/EU
Resend | Transactional email | EU
Vercel | Marketing site and API hosting | EU

We update this list when sub-processors change. Material changes are announced via email at least 30 days in advance.

Your rights

Under RGPD, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data.
  • Delete your data (the "right to be forgotten").
  • Restrict or object to processing.
  • Port your data to another service.
  • Lodge a complaint with the CNIL (French data protection authority).

Most of these you can exercise yourself: export your meetings via the API, delete a meeting from the desktop app, or delete your entire account from Settings → Account → Delete account.

For requests we can't automate, write to privacy@capvo.app with proof of identity. We respond within 30 days.

Security

API keys and webhook secrets are stored as bcrypt hashes. Audio is encrypted at rest. All traffic between you and Capvo goes over TLS 1.2 or higher. We follow the practices documented at /docs/security for production keys.

If we discover a personal data breach affecting you, we will notify the CNIL within 72 hours and you directly without undue delay, as required by RGPD.

Children

Capvo is not directed to children under 16. We do not knowingly collect personal data from children. If we learn we have, we delete it.

Changes to this policy

We may update this policy. The "Last updated" date at the top reflects the most recent change. Material changes are announced via email at least 30 days before they take effect.

Contact

  • Data protection contact: privacy@capvo.app
  • Postal address: Capvo, [address on company registration]