Cornflake ("Cornflake", "we", "us", or "our") takes your privacy seriously. Please read this Privacy Policy to learn how we treat your personal data. By using or accessing our Services in any manner, you acknowledge that you accept the practices and policies outlined below, and you hereby consent that we will collect, use, and share your information as described in this Privacy Policy.
Your use of Cornflake's Services is at all times subject to our Terms of Service (the "Terms"), which incorporates this Privacy Policy. Any terms we use in this Policy without defining them have the definitions given to them in the Terms.
Before we get into the details, a few key points we'd like you to know:
- Cornflake is a macOS desktop application that records, transcribes, and summarises your meetings. Audio is captured locally on your device and only sent to our processing partners as needed to produce a transcript and meeting summary.
- Recordings (raw audio) are not retained. Audio is captured solely for the purpose of producing a transcription and is discarded after the transcription is created.
- We store your account data, meeting transcripts, and summaries on cloud infrastructure located in the U.S. (Railway, which runs on AWS/GCP infrastructure). Data is encrypted in transit (TLS) and at rest using our infrastructure providers' encrypted storage systems.
- We use third-party processors — including Deepgram (transcription), Anthropic, OpenAI, and xAI (LLM-based summarisation), SendGrid (email dispatch), WorkOS (authentication), and Stripe (payments) — to provide the Services.
As we continually work to improve our Services, we may need to change this Privacy Policy from time to time. We will alert you of material changes by placing a notice on the Cornflake website, by sending you an email, and/or by some other means. If you use the Services after any changes to the Privacy Policy have been posted, that means you agree to all of the changes.
What this Privacy Policy Covers
This Privacy Policy covers how we treat Personal Data that we gather when you access or use our Services. "Personal Data" means any information that identifies or relates to a particular individual and also includes information referred to as "personally identifiable information" or "personal information" under applicable data privacy laws, rules, or regulations. This Privacy Policy does not cover the practices of companies we don't own or control or people we don't manage.
Personal Data
Categories of Personal Data We Collect
| Category | Examples | Third Parties We Share With |
|---|---|---|
| Profile or Contact Data | First and last name; email address | Service Providers; Parties You Authorize, Access or Authenticate |
| Payment Data | Payment card type; last 4 digits; billing address, phone number, and email | Service Providers (specifically our payment processor, Stripe, Inc.) |
| Device/IP Data | IP address; IP-based location information; device ID; type of device / operating system; macOS version | Service Providers |
| Product Analytics | App interactions and feature usage; crash and error logs; referring source | Service Providers |
| Professional or Employment-Related Data | Job title and role; employer; professional website (only if you voluntarily provide it) | Service Providers; Parties You Authorize, Access or Authenticate |
| Calendar Data (from Google) | Meeting invitations, titles, descriptions, start/end times, organisers, and attendees retrieved from your Google Calendar with your authorisation | Service Providers; Parties You Authorize, Access or Authenticate |
| Recordings and Transcriptions | Audio captured from your microphone and from system audio output during meetings (used solely to produce transcripts — see "Data Retention" below); transcripts and speaker labels derived from that audio | Service Providers (Deepgram for transcription; Anthropic, OpenAI, and xAI for summarisation) |
| Meeting Content | Meeting summaries, action items, notes, and participants generated by or stored in the Services | Service Providers; Parties You Authorize, Access or Authenticate |
| Other Identifying Information You Voluntarily Provide | Identifying information in emails or other communication you send us; any other information you elect to share with Cornflake | Service Providers |
Categories of Sources of Personal Data
We may collect Personal Data about you from the following categories of sources:
You
When you provide such information directly to us:
- When you create an account or use our interactive tools and Services.
- When you connect your Google Calendar to the Services.
- When you record or import a meeting via the Services.
- When you voluntarily provide information in free-form text boxes through the Services.
- When you send us an email or otherwise contact us.
When you use the Services and such information is collected automatically:
- When you install and run the Cornflake desktop app, we may collect information transmitted from your computing device for the purpose of providing the Services, such as macOS version, device identifiers, app version, and crash/error logs.
Third Parties
- Google. If you authorise Cornflake to access your Google Calendar, we receive calendar event metadata (titles, descriptions, times, organisers, attendees) via the Google Calendar API.
- Authentication providers. We use WorkOS to handle sign-in. When you sign in, WorkOS provides us with the basic profile information associated with your account (such as your name and email address).
- Analytics and infrastructure vendors. We may use vendors to host the Services and analyse how users interact with the Services.
Google User Data and Limited Use Disclosure
Cornflake's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- Scopes we request. We request read-only access to your Google Calendar (
https://www.googleapis.com/auth/calendar.readonlyor equivalent) and basic profile information (name and email) for authentication. - How we use Google user data. We use Google Calendar data solely to (a) detect upcoming meetings so we can prompt you to record them, (b) hydrate meeting records with attendee, title, and time information when you start or import a meeting, and (c) display your upcoming meetings inside the Cornflake app. We use basic profile information solely to identify your account.
- How we share Google user data. We do not sell, rent, or transfer Google user data to third parties for advertising, marketing, or any other unrelated purpose. We share limited Google user data only with infrastructure subprocessors (such as our hosting provider) acting on our behalf to provide the Services, and with our LLM summarisation providers strictly when needed to generate meeting summaries that incorporate attendee context.
- No AI model training on Google user data. We do not use Google user data, and we do not allow our subprocessors to use Google user data, to develop, improve, or train generalised AI or machine-learning models.
- No human reading. We do not allow humans to read your Google user data unless (i) we have your affirmative consent for specific data items, (ii) doing so is necessary for security purposes (such as investigating abuse), (iii) we are required to do so by law, or (iv) the data has been aggregated and anonymised so that it cannot be used to identify any individual.
- Revoking access. You can revoke Cornflake's access to your Google account at any time by visiting your Google Account permissions page. You can also disconnect your calendar from within the Cornflake app.
Our Commercial or Business Purposes for Collecting or Disclosing Personal Data
- Providing, Customising, and Improving the Services
- Creating and managing your account.
- Processing transactions and billing.
- Recording, transcribing, and summarising your meetings, and storing the resulting transcripts and summaries.
- Detecting and surfacing your upcoming meetings from connected calendars.
- Providing support and assistance for the Services.
- Improving the Services, including testing, research, internal analytics, and product development.
- Personalising the Services and communications based on your preferences.
- Doing fraud prevention, security, and debugging.
- Marketing the Services
- Marketing the Services to current and prospective users.
- Corresponding with You
- Responding to correspondence we receive from you, contacting you when necessary or requested, and sending you information about Cornflake or the Services.
- Sending product updates and emails according to your preferences.
Other Permitted Purposes for Processing Personal Data
Each of the above categories of Personal Data may also be collected, used, and disclosed with the government, including law enforcement, or other parties to meet certain legal requirements and to enforce legal terms, including: fulfilling our legal obligations under applicable law, regulation, court order, or other legal process; preventing, detecting, and investigating security incidents and potentially illegal or prohibited activities; protecting the rights, property, or safety of you, Cornflake, or another party; enforcing any agreements with you; and resolving disputes.
We will not collect additional categories of Personal Data or use the Personal Data we collected for materially different, unrelated, or incompatible purposes without providing you notice.
How We May Disclose Your Personal Data
We may disclose your Personal Data to the categories of service providers and other parties listed in this section.
- Service Providers. These parties help us provide the Services or perform business functions on our behalf. They include:
- Hosting and infrastructure — Railway (which runs on AWS and Google Cloud Platform infrastructure in the U.S.) hosts our backend and stores your account data, transcripts, and meeting summaries.
- Authentication — WorkOS provides single sign-on and session management.
- Audio transcription — Deepgram processes meeting audio to produce transcripts. Audio is streamed to Deepgram for transcription only.
- LLM summarisation — Anthropic, OpenAI, and xAI process transcripts and attendee context to generate meeting summaries, action items, and other derived content. We do not permit these providers to use your data to train their models.
- Email delivery — SendGrid is used to deliver transactional and meeting-related emails on your behalf.
- Payment processing — Our payment processor Stripe, Inc. ("Stripe") collects your voluntarily provided payment card information necessary to process payments. Please see Stripe's terms of service and privacy policy for information on its use and storage of your Personal Data.
- Analytics — Product-analytics and crash-reporting providers help us understand how the Services are used and detect errors.
- Parties You Authorize, Access, or Authenticate
- Organisations through which you access our Services (such as your employer).
- Third parties you connect to the Services (such as Google, via Google Calendar).
- Recipients of meeting summary emails or other communications you elect to send through the Services.
Legal Obligations. We may share any Personal Data that we collect with third parties in conjunction with any of the activities set forth under "Other Permitted Purposes for Processing Personal Data" above.
Business Transfers. All of your Personal Data that we collect may be transferred to a third party if we undergo a merger, acquisition, bankruptcy, or other transaction in which that third party assumes control of our business (in whole or in part). Should one of these events occur, we will make reasonable efforts to notify you before your information becomes subject to different privacy and security policies and practices.
Cookies
The Cornflake website may use cookies and similar technologies (collectively, "Cookies") to enable our servers to recognise your web browser, tell us how and when you visit and use our Services, analyse trends, learn about our user base, and operate and improve our Services. Cookies are small pieces of data — usually text files — placed on your device when you use that device to access our Services.
We use the following types of Cookies on our website:
- Essential Cookies required for providing features you have requested, such as logging into secure areas of our Services.
- Functional Cookies that record your choices and preferences.
- Performance/Analytical Cookies that help us understand how visitors use our website.
You can decide whether or not to accept Cookies through your internet browser's settings. The Cornflake desktop app itself does not use browser cookies, but it does store local preferences and authentication tokens on your device in order to function.
Data Storage and Security
We seek to protect your Personal Data from unauthorised access, use, and disclosure using appropriate physical, technical, organisational, and administrative security measures based on the type of Personal Data and how we are processing that data.
- Where data is stored. Account data, transcripts, and meeting summaries are stored on cloud infrastructure located in the U.S. (Railway, which is built on AWS and Google Cloud Platform). A local copy of your meeting data is also stored in an encrypted SQLite database on your device.
- Encryption. All Personal Data is encrypted in transit (TLS) and at rest using our infrastructure providers' encrypted storage systems. Authentication tokens are stored in the macOS Keychain on your device.
- Access controls. Access to production systems is limited to authorised personnel.
You can also help protect your Personal Data by appropriately limiting access to your computer and signing out after you have finished using the Services. Although we work to protect the security of your account and data, please be aware that no method of transmitting data over the internet or storing data is completely secure.
Data Retention
We retain Personal Data about you for as long as necessary to provide you with our Services or to perform our business or commercial purposes for collecting your Personal Data. When establishing a retention period for specific categories of data, we consider factors such as our purposes for collecting and the sensitivity of such data. In some cases, we retain Personal Data for longer if doing so is necessary to comply with our legal obligations, resolve disputes, collect fees owed, or is otherwise permitted or required by applicable law.
For example:
- Audio recordings of meetings are captured only for the purpose of producing a transcription. We do not retain or store raw recordings once the transcription is created. Transient audio files written to your device's temporary directory during recording are deleted after transcription completes.
- We retain your profile information, credentials, transcripts, and meeting summaries for as long as you have an account with us.
- We retain your payment data for as long as we need to process your purchase or subscription.
- We retain your device/IP data for as long as we need it to ensure our systems are working appropriately, effectively, and efficiently.
You can delete your account and the associated data at any time (see "Erasure" below).
Personal Data of Children
We do not knowingly collect or solicit Personal Data from children under 16 years of age. If you are a child under the age of 16, please do not attempt to register for or otherwise use the Services or send us any Personal Data. If we learn we have collected Personal Data from a child under 16, we will delete that information as quickly as possible. If you believe that a child under 16 may have provided Personal Data to us, please contact us at nithinsudarsan@basegraph.co.
US State Privacy Rights
California Resident Rights. Under California Civil Code Sections 1798.83–1798.84, California residents are entitled to contact us to prevent disclosure of Personal Data to third parties for such third parties' direct marketing purposes; however, we do not knowingly make any such disclosures.
Nevada Resident Rights. If you are a resident of Nevada, you have the right to opt out of the sale of certain Personal Data to third parties; however, we do not currently sell your Personal Data as "sale" is defined in Nevada Revised Statutes Chapter 603A.
United Kingdom, European Union, and Swiss Data Subject Rights
If you are a resident of the United Kingdom ("UK"), European Union ("EU"), Liechtenstein, Norway, or Iceland, you may have additional rights under the UK or EU General Data Protection Regulation (the "GDPR") with respect to your Personal Data.
For this section, we use the terms "Personal Data" and "processing" as they are defined in the GDPR. Cornflake will be the controller of your Personal Data processed in connection with the Services.
Personal Data Use and Processing Grounds. We will only process your Personal Data if we have a lawful basis for doing so. Lawful bases include:
- Contractual Necessity. We process Profile/Contact Data, Payment Data, Calendar Data, Recordings/Transcripts, Meeting Content, and Other Identifying Information you voluntarily provide as a matter of contractual necessity to provide the Services to you. Failure to provide such Personal Data will result in your inability to use some or all portions of the Services that require such data.
- Legitimate Interest. We process Device/IP Data, Product Analytics, and the above categories where applicable to further our legitimate interests in providing, customising, and improving the Services; corresponding with you; meeting legal requirements; and completing corporate transactions.
- Consent. In some cases, we process Personal Data based on the consent you expressly grant to us at the time we collect such data.
- Other Grounds. From time to time we may also need to process Personal Data to comply with a legal obligation, to protect the vital interests of you or other data subjects, or for a task carried out in the public interest.
Data Subject Rights. You have the following rights with respect to your Personal Data. To exercise any of them, please email nithinsudarsan@basegraph.co with the subject line "GDPR Request: [nature of request]". Your request must include enough information for us to verify your identity and the nature of your request.
- Access. You can request more information about the Personal Data we hold about you and request a copy. You can also access your meeting data by signing into the Cornflake app.
- Rectification. If you believe any Personal Data we hold about you is incorrect or incomplete, you can request that we correct it. Note that due to the nature of automated transcription, transcripts may contain inaccuracies; you can edit meeting summaries and notes within the Cornflake app.
- Erasure.
- Deleting your Cornflake account. You can delete your account from within the Cornflake app: Settings → Profile → Delete Account. Deleting your account removes your transcripts, summaries, and meeting data from our systems.
- Deleting a meeting. You can delete any meeting from your meeting list within the Cornflake app.
- For any other deletion requests, email nithinsudarsan@basegraph.co.
- Withdrawal of Consent. If we are processing your Personal Data based on your consent, you have the right to withdraw your consent at any time. You may also revoke Cornflake's access to your Google account at any time via your Google Account permissions page.
- Portability. You can ask for a copy of your Personal Data in a machine-readable format.
- Objection. You can contact us to let us know that you object to the further use or disclosure of your Personal Data for certain purposes.
- Restriction of Processing. You can ask us to restrict further processing of your Personal Data.
- Right to File a Complaint. You have the right to lodge a complaint about Cornflake's practices with respect to your Personal Data with your local supervisory authority.
Transfers of Personal Data. Cornflake is operated from the United Kingdom, and our infrastructure providers (including Railway, AWS, and Google Cloud Platform) host data on servers located in the United States. Laws in the U.S. may differ from the laws where you reside and may not provide the same level of protection as laws in your home jurisdiction. By using our Services, you acknowledge that any Personal Data about you may be transferred to, stored, and processed in the United Kingdom, the United States, and other countries where our service providers operate, and you authorise Cornflake to make those transfers. Where required, such transfers are made pursuant to data processing agreements that incorporate the UK International Data Transfer Addendum and/or the EU Standard Contractual Clauses.
Contact Information
If you have any questions or comments about this Privacy Policy, the ways in which we collect and use your Personal Data, or your choices and rights regarding such collection and use, please contact us at:
Nithin Sudarsan (Cornflake)
nithinsudarsan@basegraph.co