Privacy Policy for Orgmem
Effective Date: May 26, 2026
Last Updated: June 5, 2026
Operator: Orgmem, Oslo, Norway
Contact: privacy@orgmem.com
1. Introduction and Who We Are
Orgmem is a platform for organizational memory, knowledge management, and AI extraction from meeting recordings, audio, transcripts, and related business context.
This Privacy Policy explains how Orgmem (“we,” “our,” or “us”) collects and uses personal data when you visit our public websites, apply for early access, use the Orgmem application, or interact with public Library pages. We process personal data in accordance with the Norwegian Personal Data Act (personopplysningsloven) and the General Data Protection Regulation (GDPR), the EU privacy law as incorporated in the European Economic Area (EEA).
You can contact us about privacy at privacy@orgmem.com.
2. Our Role: Controller vs. Processor
Our legal role depends on the type of data and the way you interact with Orgmem.
- Orgmem as controller: We decide how and why we process data for our own business operations, including the public website, early-access applications, account administration, authentication, security logs, product telemetry, support, and error monitoring.
- Orgmem as processor: When a customer uses Orgmem to capture meetings, upload or record audio, transcribe content, generate memories, create entities and relations, search organizational knowledge, or ask assistant questions over that content, the customer controls the purpose of that processing. We process that customer content on the customer’s documented instructions and under the customer’s service terms with Orgmem.
Customer content can contain personal data about employees, contractors, customers, prospects, suppliers, investors, advisers, meeting participants, and other people who are mentioned in recordings, transcripts, notes, memories, entities, relations, or source material. The customer is responsible for having a lawful basis to put that content into Orgmem.
3. Information We Collect
3.1 The Marketing Website (orgmem.com)
We use limited browser analytics on the marketing website to understand visits, referral sources, campaign parameters, call-to-action clicks, and early-access funnel progress. We do not use advertising pixels, and we do not intentionally send free-text form content, meeting content, transcripts, customer documents, or private customer content to marketing analytics.
We may process:
- Theme preference: If you choose a light or dark theme, your browser may store that preference locally on your device. This is used only to remember the visual theme.
- Limited marketing telemetry: If analytics is enabled, our analytics provider may process page path, page title, referrer host and path, UTM (Urchin Tracking Module) campaign parameters, call-to-action metadata, and early-access form interaction metadata such as required-field counts, completion counts, validation counts, and coarse length buckets. We do not send names, email addresses, organization names, website URLs, role text, or free-text application responses as marketing analytics event properties.
- Browser storage for analytics: The analytics provider may use cookies, local storage, or similar browser storage to distinguish visits and measure usage, depending on provider configuration and browser settings. Where consent is legally required for non-essential cookies or tracking, we rely on consent or keep the relevant tracking disabled until appropriate controls are in place.
- Connection and security logs: Our hosting, network, and security providers may process technical request data such as IP (Internet Protocol) address, user agent, requested URL, timestamps, and basic network metadata to deliver the site, prevent abuse, and keep the domain available.
3.2 Early-Access Applications
If you apply for early access, we collect the information submitted in the form:
- name;
- work email;
- organization;
- role, if provided;
- team size;
- website, if provided;
- free-text information about what your team needs to remember.
The application endpoint also stores limited technical metadata for abuse prevention and operational follow-up, including IP address, user agent, referrer, submission source, and timestamps. We use spam-prevention controls and rate limits to reduce abuse. We store the application in Orgmem and may send internal notifications to review the request.
3.3 The Main Application (app.orgmem.com)
When you use the main Orgmem application, we process several categories of data.
- Account and authentication data: We collect email address, account credentials, account settings, organization membership, role, spaces, invitations, timestamps, and other access-control data.
- Organization and space configuration: Customers and authorized users may provide organization descriptions, extraction guidance, language settings, space names, and membership configuration. These settings guide how Orgmem structures knowledge for that organization.
- Capture and meeting metadata: We process meeting links, meeting platform type, meeting time, capture status, upload state, source metadata, participant or speaker metadata where available, and related technical state.
- Audio, transcripts, and source material: Depending on how the customer uses the service, Orgmem may process recordings, uploaded or browser-recorded audio, transcripts, speaker segments, timestamps, notes, and other source artifacts.
- Derived organizational knowledge: Orgmem generates and stores memories, summaries, decisions, action points, assumptions, open questions, entities, relationships, source references, provenance metadata, review state, and user edits to those artifacts.
- Product telemetry: We use a product analytics service to understand product usage, diagnose product friction, and improve the service. Authenticated product events may include your internal Orgmem user ID, email address, request path, page or feature context, timestamps, navigation context, and event-specific metadata such as feature actions or counts. We do not intentionally send raw meeting audio, full transcripts, or full customer documents to product analytics.
- Error and performance monitoring: We use an error-monitoring service to detect and debug application errors. Error reports may include stack traces, exception messages, release and environment data, breadcrumbs, request context, technical logs, and user or account identifiers where needed to investigate an issue. We do not intentionally send raw meeting audio, full transcripts, or full customer documents to error monitoring.
- System, deletion, and security logs: We keep logs needed for security, reliability, debugging, deletion workflows, abuse prevention, and operational support.
3.4 Meeting Bot and Transcription
When a customer starts a meeting capture, Orgmem can use a third-party meeting capture provider to send a bot named “Orgmem Notetaker” to supported meeting platforms. The bot may record meeting audio or media and process meeting metadata needed to complete the capture.
Orgmem uses third-party transcription providers to turn audio into text. These providers may process audio, transcript job metadata, generated transcripts, processing status, and provider-side identifiers needed for audit, support, or cleanup.
Customers are responsible for informing meeting participants and obtaining any required consents or lawful basis before recording or processing a meeting in Orgmem.
3.5 AI Processing and Search
Orgmem uses third-party AI service providers to extract, structure, summarize, search, and answer questions over customer content. Depending on the feature, text, transcripts, prompts, source snippets, structured schemas, and derived artifacts may be sent to these providers.
We use business service terms rather than consumer AI products, and we limit prompts, audio, transcripts, and metadata to what is needed for the relevant task. Under the commercial terms for our current AI providers, customer content sent through Orgmem is not used by those providers to train their general or public AI models unless that use is separately agreed or enabled. Orgmem does not enable model training for customer content.
3.6 The Public Library (library.orgmem.com)
The public Library is a no-login, read-only surface for curated public material. It does not use Orgmem application accounts or private platform data.
The Library may process:
- Anonymous usefulness feedback: If you rate a public item as useful or not useful, the Library may use a signed cookie or similar anonymous token to prevent duplicate feedback and apply rate limits.
- Public telemetry: Library browser events may be sent to a product analytics service using public, allowlisted properties. Raw search text, user identifiers, account identifiers, private identifiers, and private customer content are not intentionally sent.
- Technical logs: The Library may process ordinary request, security, and error-monitoring data needed to operate a public read-only service.
4. How We Use Your Information and Legal Basis
We process personal data only where we have a legal basis under GDPR Article 6.
- Performance of a contract, Article 6(1)(b): We process account data, authentication data, organization and space settings, product configuration, and service communications needed to provide Orgmem to users and customers.
- Legitimate interests, Article 6(1)(f): We process product telemetry, security logs, deletion records, diagnostic logs, error reports, spam-prevention metadata, and limited operational support data to keep Orgmem secure, reliable, understandable, and improvable. We balance these interests against the privacy impact on users and avoid intentionally sending raw customer content to analytics and error-monitoring tools.
- Consent, Article 6(1)(a): We rely on consent for optional marketing communications and for any future non-essential cookies or browser tracking that require consent.
- Legal obligations, Article 6(1)(c): We may process and retain data where required for accounting, tax, security, regulatory, or lawful-request obligations.
- Customer instructions: For customer content processed in Orgmem as a processor, the customer determines the lawful basis and instructs Orgmem through the service, the customer’s configuration, and agreed written terms.
5. Service Providers and Third-Party Processing
We use service providers to run Orgmem. Some of these providers process personal data for us or for our customers through Orgmem.
Provider categories include:
- hosting, storage, database, backup, logging, and infrastructure providers;
- network, domain, and traffic-security providers;
- transactional email providers;
- product analytics providers;
- error-monitoring and application-diagnostics providers;
- meeting capture and recording providers;
- transcription providers;
- AI model processing and search providers;
- professional advisers and other service providers where needed for legal, security, accounting, or operational purposes.
For customer content, some service providers act as sub-processors under our customer agreements. Current sub-processor details are made available to customers and design partners through the applicable agreement or on request. We will update this policy or provide appropriate notice if we add provider categories that materially change how personal data is processed.
6. International Data Transfers
Orgmem is operated from Norway, which is part of the European Economic Area (EEA). Our primary production application infrastructure is located in the EU/EEA. Some service providers may be established outside the EEA or may involve support, security, or processing operations outside the EEA.
Where personal data is transferred outside the EEA, we rely on a valid transfer mechanism under GDPR Chapter V, such as an adequacy decision, the European Commission’s Standard Contractual Clauses (SCCs), the EU-US Data Privacy Framework where the provider is certified, or another lawful transfer basis with appropriate supplementary measures.
We maintain internal documentation of relevant transfer mechanisms for customer content sub-processors and can make non-confidential information available to customers on reasonable written request.
7. Data Retention
We keep personal data only for as long as needed for the purposes described in this policy, the customer’s instructions, service delivery, security, legal obligations, or dispute handling.
- Early-access applications: We keep applications while they are relevant for evaluating and contacting early-access applicants, unless deletion is requested earlier or we need to retain limited records for legal or operational reasons.
- Active accounts and customer workspaces: Account data, organization settings, spaces, captures, transcripts, memories, entities, relationships, source metadata, and related customer content are retained while the customer account or agreement is active, unless the customer deletes data earlier or agreed terms say otherwise.
- Customer deletion and termination: When a customer deletes a capture or other source artifact, Orgmem’s deletion workflows are designed to delete associated artifacts that are solely derived from that source where applicable. After service termination, active customer data may be kept for a limited period to complete return, reactivation, handover, legal handling, or deletion.
- Backups and logs: Data deleted from active systems may remain in backups, object versions, operational logs, security logs, analytics events, error reports, email-provider records, or vendor-side metadata until the relevant lifecycle, retention, or deletion process completes.
- Provider-side processing: Meeting capture, transcription, AI processing, analytics, email, error-monitoring, and other provider data follow separate retention and deletion processes appropriate to the provider and purpose.
8. Data Security
We use technical and organizational measures designed to protect personal data against unauthorized access, loss, alteration, or disclosure.
These measures include:
- HTTPS and TLS (Transport Layer Security) for data in transit where relevant;
- encryption at rest where supported by production infrastructure;
- private storage and controlled access to customer content;
- role-based access, organization and space scoping, and private default access patterns;
- multi-factor authentication (MFA) requirements for staff access where configured;
- production secrets handled through approved secrets management rather than source code;
- deletion records and follow-up workflows for erased resources;
- backup and recovery procedures.
No internet service can guarantee perfect security. If we discover a personal-data breach affecting customer content, we will notify the affected customer without undue delay, and within 48 hours where Orgmem acts as processor, so the customer can assess any required notification to supervisory authorities or affected individuals.
9. Your Privacy Rights
Depending on your location and the context of processing, you may have rights to:
- request access to personal data we hold about you;
- ask us to correct inaccurate or incomplete personal data;
- ask us to delete personal data, subject to legal, security, backup, and contractual limits;
- restrict or object to certain processing;
- receive a portable copy of personal data where the right to data portability applies;
- withdraw consent where processing is based on consent;
- object to processing based on legitimate interests, including product analytics where applicable.
For data where Orgmem is the controller, contact privacy@orgmem.com. For customer content where Orgmem acts as processor, we may need to refer your request to the relevant customer, because that customer controls the content and determines how the request should be handled.
Orgmem does not use solely automated decision-making that produces legal or similarly significant effects on individuals under GDPR Article 22.
You also have the right to lodge a complaint with a supervisory authority. In Norway, the supervisory authority is:
Datatilsynet
P.O. Box 458 Sentrum, 0105 Oslo, Norway
www.datatilsynet.no
10. Changes to This Policy
We may update this Privacy Policy as Orgmem changes. If we make material changes to how we process personal data, we will provide notice in a way that fits the change, such as an in-app notice or an email to the registered address.
11. Contact Information
For privacy requests, legal questions, deletion requests, or access requests, contact:
Orgmem
Oslo, Norway
Email: privacy@orgmem.com