Privacy Policy

Last updated: May 8, 2026

For a procurement-grade overview of architecture, vendor handling, and limitations, see the Trust Center.

1. Introduction

JES Ventures LLC (“MinuteSmith,” “we,” “us,” or “our”) operates the minutesmith.com website and service. This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service and the choices you have associated with that data.

2. Information Collection & Use

We collect several different types of information for various purposes to provide and improve our Service:

2.1 Personal Data

  • Email address (for authentication and communication)
  • Name (optional, for board member records)
  • Phone number (optional, if you provide it)
  • Billing information (if you purchase a paid plan)

2.2 Usage Data

  • Pages visited and time spent
  • Features used (meetings created, documents uploaded, etc.)
  • Device information (browser type, IP address)
  • Referral source

2.3 Board Content

When you create boards and meetings, we store:

  • Board information (name, type, logo)
  • Meeting minutes and notes
  • Board member information
  • Uploaded documents
  • Meeting dates and attendee lists

3. Use of Data

MinuteSmith uses the collected data for various purposes:

  • To provide and maintain the Service
  • To notify you about changes to our Service
  • To allow you to participate in interactive features when you choose to do so
  • To provide customer support
  • To gather analysis or valuable information so we can improve the Service
  • To monitor the usage of the Service
  • To send emails regarding your account or subscription

4. Security of Data

No method of transmission or electronic storage is perfectly secure. We use commercially reasonable measures to protect your data, but cannot guarantee absolute security.

Specific protections in place today:

  • HTTPS / TLS for all traffic between your browser and the Service
  • Database and object-storage encryption at rest (provided by Supabase)
  • Postgres Row-Level Security policies on every customer table — board access is enforced at the database layer, not just in application code
  • Per-board signed download URLs (currently capped at one hour) — no public file URLs anywhere
  • Audit logging for sensitive actions (document downloads, exports, member changes)
  • Cron jobs authenticate via a shared secret and fail closed in production
  • No storage of payment card data (Stripe handles all card processing)

For the full operational security posture and what we explicitly do not claim, see /security.

4a. AI Privacy

MinuteSmith uses commercial APIs from Anthropic (Claude, for minute generation, summarization, and Ask AI) and OpenAI (Whisper for transcription, text-embedding-3-small for retrieval). Under both vendors’ commercial API agreements, customer data submitted via the API is not used to train their models. Vendor trust-and-safety retention of up to 30 days applies. We are not currently on either vendor’s zero-data-retention enterprise plan.

When you use Ask AI, your question text and relevant excerpts from your meeting history are transmitted to Anthropic and OpenAI servers to generate an answer. This transmission is protected by HTTPS but is not end-to-end encrypted — AI processing requires server-side access to content. Ask AI results are scoped to your boards only, enforced at the SQL level inside the database.

Additional protections in place:

  • No customer’s data is used as context for another customer’s AI request.
  • An optional redaction layer (currently disabled by default) can strip emails, phone numbers, SSNs, and payment-card patterns from prompts before they reach AI vendors.
  • Production logs do not contain prompt bodies, transcript content, signed download URLs, or session tokens.
  • AI-generated answers can be wrong. Always verify important facts against original meeting documents.

Plain-English explanation of how Ask AI works, what data leaves MinuteSmith, and full limitations

5. Data Retention

We retain your personal data for as long as necessary to provide our Service and fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required by applicable law.

Specifically:

  • Account data: Retained while your account is active
  • Board/meeting content: Retained until you delete it
  • Deleted content: Soft-deleted for 90 days (recovery window), then permanently removed
  • Audit logs: Retained for 1 year for compliance and security purposes
  • Usage analytics: Aggregated and anonymized, retained indefinitely

6. Your Rights (GDPR/CCPA)

If you are in the EU (GDPR) or California (CCPA), you have the right to:

  • Request access to your personal data
  • Request correction of inaccurate data
  • Request deletion of your data (right to be forgotten)
  • Request restriction of processing
  • Request portability of your data
  • Withdraw consent at any time
  • Object to processing for marketing purposes

To exercise these rights, contact us at [email protected]

7. SMS & Phone Number Data

If you or a board member voluntarily provides a phone number and explicitly opts in to SMS notifications, we collect and use that phone number solely to deliver transactional board notifications (meeting reminders, minutes review / approval reminders, action item reminders, urgent board notices, and account updates). Specifically:

  • Phone numbers are stored in encrypted form in our database.
  • We never sell, rent, or share phone numbers with third parties for marketing purposes.
  • Phone numbers are transmitted only to Twilio (our SMS delivery provider) to deliver messages you have consented to receive.
  • SMS consent is recorded at the time of opt-in and may be withdrawn at any time by replying STOP to any message, or by unchecking the SMS opt-in in your board settings.
  • Consent is member-specific and board-specific — opting in on one board does not opt you in on others.
  • Phone numbers are deleted when your board membership is permanently removed, or upon verified account deletion request.

See our SMS & A2P Policy for full details.

8. Third-Party Service Providers

We use the following third-party services to operate MinuteSmith:

  • Supabase (database, authentication, storage) — supabase.com/privacy
  • Railway (application hosting) — railway.app/legal/privacy
  • Stripe (payment processing) — stripe.com/privacy
  • Resend (transactional email delivery) — resend.com/privacy
  • Twilio (SMS delivery) — twilio.com/en-us/legal/privacy
  • Anthropic (AI — Claude API for minute generation, summaries, Ask AI) — anthropic.com/legal/privacy. Commercial API data is not used to train Anthropic’s models.
  • OpenAI (AI — Whisper transcription and text-embedding-3-small for retrieval) — openai.com/policies/privacy-policy. Commercial API data is not used to train OpenAI’s models.

These providers are contractually bound to use your data only for providing services to us.

9. Children's Privacy

Our Service is not directed to anyone under the age of 13. We do not knowingly collect personally identifiable information from children under 13. If we become aware that a child under 13 has provided us with Personal Data, we immediately delete such information and terminate the child's account.

10. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date at the top.

11. Contact Us

If you have any questions about this Privacy Policy, please contact us at:

12. Cookies & Tracking

We use essential cookies to maintain your authentication session. These cookies are necessary for the Service to function and cannot be disabled while using MinuteSmith.

We may use analytics tools to understand aggregate usage patterns. This data is not used to personally identify you.

We do not use tracking pixels, fingerprinting, or third-party advertising networks.