
Privacy Policy

SumaFlow Minutes · Last updated: May 13, 2026

SumaFlow Minutes does not see your meetings. The app records, transcribes, and generates minutes entirely on your phone. We do not receive your audio, transcripts, or minutes — there is no server for them to travel to.

This policy explains how the SumaFlow Minutes Android app handles your data. It is separate from the policy that covers the SumaFlow website. If anything is unclear, email hello@sumaflow.app.

1. What this policy covers

This policy applies to the SumaFlow Minutes mobile application for Android, distributed through Google Play. It does not cover the SumaFlow website, future SumaFlow products, or any third-party app that you may use alongside SumaFlow Minutes (for example, your email client when you choose to email an exported PDF).

2. The privacy contract

The seven promises this product is built on:

  1. Audio never leaves the device.
  2. Transcripts and minutes are stored encrypted at rest.
  3. The core app makes zero outbound network calls. There is no telemetry, no analytics, no anonymous counters.
  4. Every export is user-initiated, one recording at a time, and requires a confirmation screen.
  5. No account, no cloud sync, no login.
  6. The privacy architecture is openly documented — see /minutes/privacy-architecture.
  7. Privacy-critical code is open source on GitHub.

3. What the app collects

The app processes the following data, all locally on your device:

  • Audio recordings — captured from your microphone when you tap the record button. Stored in app-private storage and encrypted at rest.
  • Transcripts — generated locally by Whisper (a speech recognition model that ships inside the app) once you stop recording. Saved to the encrypted database.
  • Minutes — structured summaries generated locally by Gemini Nano (on supported devices) or by a built-in template extractor (on every other device). Saved to the encrypted database alongside the transcript.
  • Metadata — meeting title, optional client label, date, duration, consent mode, and the template you chose. Stored locally.
  • Export audit log — for each export you initiate, the app records a timestamp, the destination type (PDF / email / clipboard / share), and a SHA-256 hash of the exported content. Stored locally, append-only, viewable in Settings.

We do not collect any of this. None of it is transmitted to SumaFlow servers or to any third party.

4. What leaves your device

The only way your audio, transcripts, or minutes leave the app is through an export that you explicitly initiate. The app offers four export options:

  • PDF export — generates a formatted PDF you can save or share.
  • Email draft — opens your email app with the content pre-filled.
  • Share sheet — uses Android's standard share intent to hand the content to another app of your choice.
  • Copy to clipboard — copies the minutes as plain text.

Every export shows a confirmation screen with a preview of the content and the destination. After you confirm, an entry is written to the export audit log. This is the only path data takes off your device. Where the data goes next is governed by the receiving app's own privacy policy (your email provider, the PDF viewer you share to, and so on).

5. Permissions the app uses

On install, Android will ask you to grant the following permissions. Each has a single purpose:

  • RECORD_AUDIO — required to capture meeting audio.
  • FOREGROUND_SERVICE and FOREGROUND_SERVICE_MICROPHONE — required to keep recording when your screen is off or the app is in the background.
  • FOREGROUND_SERVICE_DATA_SYNC — used by the on-device transcription service so transcription progress can continue while the app is backgrounded.
  • POST_NOTIFICATIONS — used to show the recording and transcription progress notifications.

The INTERNET permission is intentionally absent in v1. The core app cannot make outbound network calls because Android does not allow an app to use the network without this permission. You can verify this by inspecting the APK or reading the manifest in the open-source privacy-core repository.
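The manifest check described above, as an added example that is not SumaFlow's code: it compares the permissions a manifest requests with the list in this section and reports INTERNET or any undocumented permission. It assumes the manifest is already in text XML form; the function names and both sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions section 5 of the policy lists as requested.
DOCUMENTED = {
    "android.permission.RECORD_AUDIO",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.FOREGROUND_SERVICE_MICROPHONE",
    "android.permission.FOREGROUND_SERVICE_DATA_SYNC",
    "android.permission.POST_NOTIFICATIONS",
}
# Permission the policy says is absent in v1.
MUST_BE_ABSENT = {"android.permission.INTERNET"}


def audit_manifest(manifest_xml: str) -> dict:
    """Compare the permissions a decoded manifest requests with the policy."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    # Both element names request permissions; the -sdk-23 form applies on API 23+.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(NAME_ATTR)
            if name:
                requested.add(name)
    return {
        "forbidden_present": sorted(requested & MUST_BE_ABSENT),
        "undocumented": sorted(requested - DOCUMENTED - MUST_BE_ABSENT),
        "documented_missing": sorted(DOCUMENTED - requested),
    }


def build_sample(permissions) -> str:
    """Constructed sample manifest (not taken from the real app)."""
    items = "".join(f'<uses-permission android:name="{p}"/>' for p in permissions)
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="example.constructed">'
            f"{items}<application/></manifest>")


SAMPLE_MATCHES_POLICY = build_sample(sorted(DOCUMENTED))
SAMPLE_WITH_NETWORK = build_sample(sorted(DOCUMENTED) + [
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
])

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MATCHES_POLICY))
    print(audit_manifest(SAMPLE_WITH_NETWORK))
```

The manifest inside an APK is stored as binary XML and has to be decoded to text (for example with apktool) before this check can read it. Libraries can add permissions through manifest merging at build time, so the manifest from the shipped APK is the one to check, not only the source file in the repository.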

6. Storage and encryption

All data is stored in your device's app-private storage area, which Android isolates from other apps:

  • Audio files — encrypted at rest with AES-256-GCM. The encryption key is derived from a per-install random key stored in the Android Keystore (using StrongBox-backed hardware where the device supports it).
  • Transcripts, minutes, settings, and audit log — stored in a SQLite database encrypted with SQLCipher. The database key is also held in the Android Keystore.
  • Key management — keys never leave the secure enclave for export. Uninstalling the app destroys the keys and renders any leftover storage unrecoverable.

7. Export audit log

The app maintains a local, append-only log of every export action so you have a tamper-evident record for your own compliance review. Each entry captures: timestamp, recording ID, destination type, SHA-256 hash of the exported payload, and app version. The log:

  • Cannot be edited or deleted from within the app.
  • Survives app updates.
  • Can be exported to CSV from Settings → Export History.
  • Is cleared only by uninstalling the app.

8. Optional model download

The app ships with the Whisper "base.en" model bundled inside the APK — no download is required for transcription. A larger and more accurate model ("small.en", ~500 MB) is available as an opt-in download in Settings. If you choose to download it, the app fetches the model file over Wi-Fi only and verifies its checksum. The download endpoint is the only outbound request the app will make, and only when you explicitly enable the feature.

9. Third parties

The app uses the following third-party components. None of them receive your data:

  • Google Play — distributes the app. Google may collect standard install metrics. See Google's Privacy Policy.
  • Android AICore / Gemini Nano — Google's on-device language model framework. Runs locally on supported devices. Per Google's documentation, AICore processes prompts on-device and does not transmit them to Google's servers.
  • whisper.cpp — an open-source speech recognition implementation. Ships as native code inside the app. Has no network functionality.
  • SQLCipher — open-source database encryption. Local-only.

10. Data retention

You control retention entirely. The app supports configurable auto-delete policies: 30 days, 90 days, 1 year, 7 years, or indefinite. The default is indefinite — the app does not delete anything unless you ask it to. You can also delete any individual recording with a single tap, which atomically removes the audio file, transcript, and minutes for that meeting. The only thing that survives a delete is the export audit log entry (which contains no content, only the hash).

11. Children

SumaFlow Minutes is designed for professional use and is not directed at children under 13.

12. Compliance framing

SumaFlow Minutes is designed to support professionals operating under confidentiality obligations. We are deliberate about the claims we make.

We do not claim:

  • HIPAA certification
  • FINRA, SEC, FCA, ASIC, or MAS certification
  • SOC 2 Type 1 or Type 2 certification
  • GDPR-compliant or ISO 27001-certified status

What we do say:

  • The architecture is designed for professionals handling confidential conversations.
  • The product is built with regulated professionals in mind.
  • On-device processing means there is no third-party data sharing built into the product.
  • Whether the architecture supports compliance with any specific regulatory framework is a question for you and your compliance officer. We recommend reviewing the privacy architecture page with them before adoption.

Compliance certifications such as SOC 2 Type 1 are on the roadmap for when revenue justifies the audit.

13. Your rights

Because SumaFlow Minutes does not transmit your data to us or to any third party, the rights commonly granted under GDPR, UK GDPR, the Philippine Data Privacy Act, and the California Consumer Privacy Act (CCPA) are largely exercised by you, in the app:

  • Right to access — you have access to all your data inside the app.
  • Right to correction — you can edit minutes and metadata directly.
  • Right to deletion — one-tap delete for any recording; uninstall to remove everything.
  • Right to portability — every recording can be exported to PDF or plain text.
  • Right to lodge a complaint — you may contact your local data protection authority. For any privacy-related question or concern you would like SumaFlow to address, email privacy@sumaflow.app.

14. Crash reporting

The app does not transmit crash reports automatically. If a crash occurs, the app may write a local log file you can review and choose to share with us via email if you want help diagnosing the issue. Nothing is sent without your explicit action.

15. Changes to this policy

We may update this policy when we change how the app works — for example, when adding a new feature that touches data. Material changes will be reflected in the "Last updated" date at the top of this page and, where appropriate, in the app's release notes. We will not retroactively expand the scope of data handling without a clearly announced version change.

16. Contact

For privacy questions, data-rights requests, or complaints about how SumaFlow Minutes handles your data, email privacy@sumaflow.app. For security vulnerability reports, email security@sumaflow.app. For anything else, hello@sumaflow.app. We aim to respond within a reasonable timeframe.

This policy covers the SumaFlow Minutes app only. The SumaFlow website (sumaflow.app) is covered by a separate policy. For the technical detail behind the claims on this page, see the privacy architecture page.

© 2026 SumaFlow. All rights reserved.