Privacy Policy

1. Introduction

This Privacy Policy explains how TakeNote Ltd ("we", "us", "our") collects, uses, stores, and protects your personal data when you use the TakeNote website at www.takenote.ai and our meeting intelligence platform (together, the "Service").

TakeNote Ltd is registered in England and Wales (company number 14828718) with its registered office at 7 Bell Yard, London, WC2A 2JR. We are registered with the Information Commissioner's Office (ICO registration: ZB622400).

For the purposes of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018, we are the data controller in respect of your account data and website usage data. Where we process meeting recordings, transcriptions, and summaries on behalf of an FCA-regulated advisory firm under a Data Processing Agreement, that firm is the data controller and we act as the data processor. See Section 5 for details.

Please read this Privacy Policy carefully. By using the Service, you acknowledge that you have read and understood this policy.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, as defined by the UK GDPR.

"Service" means the TakeNote website at www.takenote.ai and the TakeNote meeting intelligence platform, including all features for meeting recording, transcription, summarisation, compliance documentation, and related functionality.

"Advisory Client" means an FCA-regulated advisory firm that uses TakeNote under a Data Processing Agreement for the recording, transcription, and compliance documentation of client meetings.

"Website User" means any individual who visits the TakeNote website or uses the Service without an Advisory Client relationship.

"Client Meeting Data" means meeting recordings, transcriptions, AI-generated summaries, compliance documentation, and associated metadata processed by TakeNote on behalf of an Advisory Client.

3. Data we collect

3.1 Data you provide to us

When you register for an account, use the Service, or communicate with us, we may collect:

• Account registration information, including your name, email address, job title, firm name, and password.
• Payment and billing information (processed by our third-party payment provider — we do not store card details).
• Communications you send to us, including support enquiries and demo requests.

3.2 Data collected through the meeting intelligence platform

When an Advisory Client uses TakeNote for meeting recording and compliance documentation, the following data is collected and processed on behalf of that Advisory Client:

• Audio recordings of client meetings (via Microsoft Teams, Zoom, Google Meet, or the TakeNote mobile application for in-person meetings).
• Transcriptions generated from meeting audio.
• AI-generated structured summaries, including FCA suitability notes, risk profile assessments, capacity for loss indicators, vulnerable customer flags, and action items.
• Speaker identification and labelling.
• Meeting metadata, including date, time, duration, participants, and platform.

3.3 Data collected automatically

When you access the TakeNote website, we automatically collect:

• IP address and approximate geographic location.
• Browser type, operating system, and device information.
• Pages visited, access times, frequency of use, and interaction patterns.
• Cookies and similar tracking technologies (see Section 11).

4. How we use your data

We process your personal data for the following purposes and on the following legal bases:

4.1 Performance of contract

• To provide the TakeNote meeting intelligence platform, including recording, transcription, summarisation, and compliance documentation features.
• To create and manage your account.
• To process payments and manage subscriptions.

4.2 Legitimate interests

• To improve and develop the Service, including analysing anonymised and aggregated usage patterns.
• To ensure the security and integrity of the Service.
• To respond to your enquiries and provide customer support.
• Internal record keeping and administration.

4.3 Consent

• To send you marketing communications about our products and services. You may withdraw your consent at any time (see Section 9).

4.4 Legal obligation

• To comply with applicable laws, regulations, and legal processes.

5. Client Meeting Data — our role as data processor

This section explains how we handle Client Meeting Data processed on behalf of Advisory Clients. This is the core of the TakeNote service and the area where the highest data protection standards apply.

5.1 Processing and storage

All Client Meeting Data — including audio recordings, transcriptions, AI-generated summaries, and associated metadata — is processed and stored exclusively within the United Kingdom on Microsoft Azure UK South infrastructure. At no point does Client Meeting Data leave the United Kingdom.

This is not a configurable setting. It is how TakeNote is architecturally built. For further details, see our Data Residency page.

5.2 Retention

Client Meeting Data is retained for the period specified by the Advisory Client. The default retention period is five years, in accordance with MiFID II record-keeping requirements. The Advisory Client may instruct a different retention period where appropriate.

Retention is immutable — records cannot be prematurely deleted during the retention period, and all records are protected by tamper-proof audit trails with timestamps.

At the end of the retention period, or upon termination of the service agreement, Client Meeting Data is securely deleted using industry-standard methods. Written confirmation of deletion is provided within 30 days.

5.3 No copies retained by TakeNote

TakeNote does not retain any copies of Client Meeting Data beyond those held on behalf of the Advisory Client. When an Advisory Client requests deletion or the retention period expires, all copies — including backups — are securely destroyed. TakeNote does not maintain a separate archive, dataset, or repository of Client Meeting Data for any purpose.

5.4 No use for model training

Client Meeting Data is never used to train, fine-tune, evaluate, or otherwise improve AI models — whether TakeNote's own models, third-party models, or any other machine learning system. This applies without exception and is contractually guaranteed in our Data Processing Agreement.

5.5 Access controls

Access to Client Meeting Data is governed by role-based access controls. Individual advisers can access only their own meeting records. Compliance officers have firm-wide visibility as appropriate to their supervisory role. TakeNote personnel do not access Client Meeting Data except where strictly necessary for technical support, and only with the Advisory Client's prior authorisation.

5.6 Advisory Client responsibilities

The Advisory Client, as data controller, is responsible for ensuring a lawful basis for recording client meetings, providing appropriate privacy notices to meeting participants, and obtaining any necessary consents. TakeNote's Data Processing Agreement sets out the full allocation of responsibilities between controller and processor.

6. Third-party data processors

We engage the following categories of third-party service providers who may process personal data on our behalf:

• Cloud infrastructure and AI transcription processing: Microsoft Azure (UK South region). All Client Meeting Data is processed and stored exclusively within the UK on Azure infrastructure.
• Payment processing: Handled by our third-party payment provider. We do not store payment card details.
• Website analytics: We use analytics tools to understand how visitors interact with the TakeNote website. These tools may process data outside the United Kingdom — see Section 6.1 below.
• Email and communications platforms: Used for transactional emails (account verification, password resets) and, with consent, marketing communications. These tools may process data outside the United Kingdom — see Section 6.1 below.

All third-party processors are bound by data processing agreements and are required to process data only in accordance with our instructions and applicable data protection law.

6.1 International data transfers — website operational data only

Some of our website operational sub-processors (analytics providers and email platforms) may process limited data outside the United Kingdom. Where this occurs, we ensure appropriate safeguards are in place in accordance with UK GDPR requirements, including Standard Contractual Clauses approved by the ICO or reliance on adequacy decisions.

A complete list of our sub-processors and their processing locations is available on request by contacting dpo@takenote.ai.

7. Data retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected. Retention periods vary depending on the type of data and the context in which it is processed:

• Client Meeting Data: Retained in accordance with the Advisory Client's instructions, with a default retention period of five years under MiFID II requirements. All copies are securely deleted upon expiry or upon customer request.
• Account data: Retained for the duration of your account and for a reasonable period thereafter to comply with legal obligations.
• Payment records: Retained as required by applicable tax and financial regulations.
• Website usage data: Retained in anonymised or aggregated form for analytics purposes.

Even after deletion, data may persist on backup or archival media for a limited period for legal, tax, or regulatory purposes.

8. Your rights

Under the UK GDPR, you have the following rights in relation to your personal data:

• Right of access — to request a copy of the personal data we hold about you.
• Right to rectification — to request correction of inaccurate or incomplete data.
• Right to erasure — to request deletion of your personal data in certain circumstances.
• Right to restrict processing — to request that we limit how we use your data.
• Right to data portability — to receive your data in a structured, commonly used, machine-readable format.
• Right to object — to object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at dpo@takenote.ai. We will respond to your request within one month, as required by law.

If you are not satisfied with our handling of your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). Details can be found at https://ico.org.uk/.

9. Data security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encrypted data transmission (TLS/SSL).
• Secure cloud infrastructure hosted on Microsoft Azure UK South.
• Role-based access controls restricting data access to authorised personnel only.
• Password-protected user accounts.
• Tamper-proof audit trails for Client Meeting Data.

If you suspect any misuse, loss, or unauthorised access to your data, please notify us immediately at security@takenote.ai.

10. Cookies

We use cookies and similar technologies to enhance your experience, analyse website traffic, and understand usage patterns. You can manage your cookie preferences through your browser settings. For detailed information, please refer to our Cookie Policy.

11. Third-party links

The Service may contain links to third-party websites. We are not responsible for the privacy practices of those websites and recommend that you review their privacy policies before providing any personal data.

12. Children's privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will take steps to delete it promptly.

13. Changes of business ownership

In the event of a merger, acquisition, or sale of all or part of our business, your personal data may be transferred to the acquiring entity. We will notify you of any such transfer and ensure that the receiving party is bound by equivalent data protection obligations.

14. International data transfers

Client Data Residency: All audio files, transcriptions, and directly related client data are processed and stored exclusively within Microsoft Azure UK South infrastructure. This data never leaves the United Kingdom under any circumstances.

Non-Client Data: Non-sensitive personal data, such as website analytics and general platform usage information collected via cookies, may be processed by third-party analytics providers located outside the United Kingdom. Where such transfers occur, we ensure appropriate safeguards are in place in accordance with UK GDPR requirements, including Standard Contractual Clauses approved by the ICO or reliance on adequacy decisions.

For clarity: Your meeting recordings, transcriptions, and any data derived from them remain exclusively within UK infrastructure and are not transferred internationally.

15. Changes to this privacy policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Material changes will be notified to you via email or a prominent notice on the website. The date of the most recent revision will be indicated at the top of this policy.

16. Contact us

If you have any questions about this Privacy Policy or our data processing practices, please contact us at: