Privacy policy
Privacy policy

Privacy Policy

Last updated: January 2026

This Privacy Policy explains how Kitra ("Kitra", "we", "us", "our") collects, uses, stores, and protects personal data when you use our services.

Kitra is an all-in-one SaaS platform that allows businesses to create booking pages, schedule meetings, automatically record meetings via the Kitra Notetaker, and generate AI-powered notes and summaries.

1. Company Information

Virtual Mailing Address:
30 N Gould St, STE R
Sheridan, WY 82801, USA

Work Address:
Ulpiane, Dëshmorët e Kombit
Prishtina, 10000 Kosovo

Email: support@kitra.io

2. Legal Basis for Processing (GDPR)

We process personal data under the following legal bases:

  • Contractual necessity — to provide Kitra services you have requested
  • User consent — for calendar access, meeting recording, and AI processing
  • Legitimate interest — for security, fraud prevention, and service improvement
  • Legal obligation — for billing, tax compliance, and regulatory requirements

3. Data We Collect

3.1 Account Information

  • Name, email address, profile photo
  • Username and profile bio
  • For email signup: Your password is securely hashed and stored by our authentication provider (Supabase). We never store or have access to your plaintext password.
  • For Google signup: No password is stored. We receive OAuth tokens to access your calendar with your permission.

3.2 Billing Information

  • Payment details are processed securely by Stripe
  • We do not store your full credit card number

3.3 Calendar Data

  • Calendar events, availability schedules, and scheduling metadata
  • Meeting times, titles, and attendee information

3.4 Meeting Content

When you use the Kitra Notetaker, we store:

  • Audio recordings — so you can listen to your meetings within the app
  • Text transcripts — the written record of what was said
  • Speaker mapping — attribution of who said what
  • AI-generated content — summaries, action items, and meeting titles

How we use audio:

  • For transcription (converting speech to text)
  • For playback within your Kitra account
  • Audio is automatically deleted after your retention period expires (14-90 days based on plan)

What we do NOT do with audio:

  • We do NOT create voice prints or biometric profiles
  • We do NOT use audio to train AI models
  • We do NOT sell or share audio with third parties
  • We do NOT retain audio beyond your plan's retention period

What we do NOT store:

  • Video recordings
  • Biometric voice data or voice prints

3.5 Booking Data

  • Guest names, email addresses, and booking details
  • Custom form responses provided by guests
  • Scheduling preferences and time zones

3.6 Usage Data

  • Technical logs and error reports
  • Feature usage patterns
  • Device and browser information

4. How the Kitra Notetaker Works

The Kitra Notetaker is an automated assistant that joins your meetings to transcribe them.

4.1 Visibility & Transparency

  • The Notetaker joins meetings as a visible participant named "Kitra Notetaker" (or your custom bot name)
  • All meeting participants can see when the Notetaker is present in the attendee list

4.2 How Transcription Works

  • Audio is captured during the meeting
  • Our AI system transcribes speech to text and identifies different speakers
  • Audio is stored so you can listen to your meetings in the app
  • Text transcripts and speaker attribution are generated and stored
  • All meeting data (audio, transcripts) is automatically deleted after your retention period

4.3 Meeting Guest Consent

  • As the meeting host, you are responsible for informing guests that the meeting will be transcribed
  • We recommend announcing the Notetaker at the start of each meeting
  • Guests can see the Kitra Notetaker in the participant list and may leave if they do not consent

5. Google OAuth & Limited Use Disclosure

If you sign up or log in using Google, Kitra requests limited access to your Google account.

5.1 OAuth Scopes Requested

We request the following permissions:

  • userinfo.email — Your email address, used to identify and authenticate your Kitra account
  • userinfo.profile — Your name and profile photo, used to display your profile within the app
  • calendar.events — Read/write calendar events, used to create booking events and Google Meet links on your calendar
  • calendar.readonly — Read-only calendar access, used to check your availability for scheduling

5.2 How We Use Google Data

  • Email: To identify your account and send booking notifications
  • Name & Photo: To display your profile on booking pages
  • Calendar Events: To create bookings with automatic Google Meet links
  • Calendar Availability: To show available time slots to people booking with you

5.3 What We Do With Calendar Access

  • Create events — When someone books with you, we create a calendar event with a Google Meet link
  • Read events — We check your calendar to determine available time slots
  • Update events — We can modify bookings if rescheduled
  • Delete events — We remove calendar events when bookings are cancelled
  • Send invites — Calendar invitations are sent to guests automatically

5.4 Limited Use Compliance

Kitra's use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.

We do NOT:

  • Sell or share Google user data with third parties
  • Use Google data for advertising purposes
  • Use Google data for purposes unrelated to the core Kitra service
  • Allow humans to read your Google data unless required for security, legal compliance, or with your explicit consent
  • Transfer Google data to third parties except as necessary to provide the service

5.5 Revoking Google Access

You can revoke Kitra's access to your Google account at any time:

  1. Visit Google Account Permissions
  2. Find "Kitra" in the list of connected apps
  3. Click "Remove Access"

Note: Revoking access will disable calendar sync and Google Meet integration.

6. Zoom Integration

If you connect your Zoom account, Kitra requests access to:

  • Zoom profile information
  • Meeting creation and management capabilities

This access is used to:

  • Create Zoom meetings for your bookings
  • Sync meeting information with your Kitra account

7. AI & Automated Processing

Kitra uses AI and machine learning services to deliver core features:

7.1 Transcription & Speaker Identification

  • WhisperX — for accurate speech-to-text transcription
  • Pyannote — for identifying different speakers in meetings

7.2 AI Summaries & Insights

  • Groq (Llama 3.3) — generates meeting summaries, action items, and meeting titles
  • Google Gemini — powers semantic search and the "Ask Kitra" feature

7.3 How AI Processing Works

  • All AI processing occurs under Kitra's control using our contracted service providers
  • No AI providers receive ownership rights over your data
  • AI models are not trained on your meeting content
  • Processing is performed solely to deliver the features you requested
  • Audio is used only for transcription and playback — never for AI training or biometrics

8. Data Storage & Security

We use industry-standard infrastructure providers with strong security practices:

8.1 Infrastructure Providers

  • Supabase — Database & Authentication (EU - Ireland)
  • Vercel — Application Hosting (USA - East)
  • Railway — Background Processing (EU - West)
  • Cloudflare R2 — Audio & File Storage (Global CDN)
  • Modal.com — AI Transcription / GPU (USA)
  • Groq — AI Summaries (USA)
  • Google Cloud — AI Embeddings & Search (USA)
  • Stripe — Payment Processing (USA)
  • Resend — Email Delivery (USA)
  • Framer — Marketing Website (USA)

8.2 Security Measures

  • Encryption at rest — all stored data is encrypted
  • Encryption in transit — all data transfers use TLS/HTTPS
  • Row-Level Security (RLS) — database access is restricted to authorized users only
  • OAuth tokens — securely stored and refreshed automatically
  • Access controls — role-based permissions and audit logging
  • Regular monitoring — automated security monitoring and alerting
  • Automatic deletion — all meeting data is automatically purged after retention period

9. Data Retention

We retain your data only as long as necessary to provide services:

9.1 Meeting Data (Audio, Transcripts & Notes)

Retention periods by plan:

  • Free: 14 days
  • Pay-As-You-Go: 30 days
  • Pro: 90 days

After the retention period, all meeting data (audio recordings, transcripts, and notes) is automatically and permanently deleted.

9.2 Audio Recordings

  • Audio is stored so you can listen to your meetings within the app
  • Audio follows the same retention period as transcripts (14-90 days based on plan)
  • After the retention period, audio is automatically and permanently deleted
  • We do not use audio for voice biometrics, AI training, or any purpose other than playback and transcription

9.3 Account Data

  • Profile information is retained while your account is active
  • When you delete your account, all associated data is permanently deleted within 30 days

9.4 Billing Records

  • Transaction records may be retained for up to 7 years for tax and legal compliance

10. International Data Transfers

Your data may be processed in different jurisdictions where our service providers operate:

  • Primary database: EU (Ireland)
  • AI processing: USA
  • Application hosting: USA and EU

For transfers outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) with our processors
  • Data processing agreements with all third-party providers
  • Compliance with applicable data protection frameworks

11. Your Rights (GDPR)

If you are in the European Economic Area, you have the following rights:

Right to Access
Request a copy of the personal data we hold about you.

Right to Rectification
Request correction of inaccurate or incomplete data.

Right to Erasure ("Right to be Forgotten")
Request deletion of your personal data.

Right to Data Portability
Request your data in a machine-readable format.

Right to Restrict Processing
Request that we limit how we use your data.

Right to Object
Object to processing based on legitimate interests.

Right to Withdraw Consent
Withdraw consent at any time for consent-based processing.

How to Exercise Your Rights:
You can exercise these rights through the Data & Privacy section in your account settings, or by contacting us at support@kitra.io. We will respond to your request within 30 days.

12. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights:

  • Right to Know — what personal information we collect, use, and disclose
  • Right to Delete — request deletion of your personal information
  • Right to Opt-Out — opt out of the sale of personal information (note: we do not sell your data)
  • Right to Non-Discrimination — we will not discriminate against you for exercising your rights

To exercise these rights, contact us at support@kitra.io.

13. Email Communications

13.1 Transactional Emails

We send essential emails related to your use of Kitra:

  • Booking confirmations and reminders
  • Meeting recap summaries
  • Account security notifications
  • Service updates and changes

13.2 Marketing Emails

With your consent, we may send:

  • Product updates and new features
  • Tips and best practices
  • Promotional offers

You can unsubscribe from marketing emails at any time using the link in any email or through your account settings.

14. Cookies & Similar Technologies

14.1 Essential Cookies

We use essential cookies for:

  • User authentication and session management
  • Security and fraud prevention
  • Remembering your preferences

14.2 Analytics

We may use analytics tools to understand how our service is used and to improve the user experience.

14.3 No Advertising Cookies

We do not use third-party advertising cookies or sell your data to advertisers.

15. Children's Privacy

Kitra is not intended for users under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.

16. Third-Party Links

Our service may contain links to third-party websites or services. We are not responsible for the privacy practices of these external sites. We encourage you to read their privacy policies before providing any personal information.

17. Data Breach Notification

In the event of a data breach that affects your personal data, we will:

  • Notify affected users within 72 hours of becoming aware of the breach
  • Notify relevant supervisory authorities as required by law
  • Provide information about the nature of the breach and steps being taken

18. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes:

  • We will update the "Last updated" date at the top of this policy
  • For significant changes, we will notify you via email or through the service
  • Continued use of Kitra after changes constitutes acceptance of the updated policy

19. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Email: support@kitra.io

Mailing Address:
30 N Gould St, STE R
Sheridan, WY 82801, USA

For GDPR-related inquiries, you may also contact your local data protection authority.

20. Summary of Key Points

  • What we collect: Account info, calendar data, audio recordings, text transcripts, and usage data
  • Audio usage: Only for transcription and playback — never for voice biometrics or AI training
  • What we DON'T store: Video recordings or biometric voice data
  • How we use AI: Transcription, summaries, action items, and semantic search — all under our control
  • The Notetaker: Visible participant in meetings named "Kitra Notetaker"
  • Data storage: EU (Ireland) primary database, with processing in EU and USA
  • Retention: 14-90 days for audio and transcripts depending on plan; then automatically deleted
  • Your rights: Access, correct, delete, and export your data at any time
  • Security: Encryption, access controls, and industry-standard security practices
  • No data sales: We never sell your personal data to third parties

This Privacy Policy is effective as of January 2026.

Create a free website with Framer, the website builder loved by startups, designers and agencies.