Privacy Policy
Last updated: May 2026
You can opt out of analytics by enabling Do-Not-Track in your browser, or by adding a meetwrap_analytics_opt_out cookie set to true.
Google user data
The information described in this policy — your Google account email address and Google Calendar event metadata — is what Google's API Services User Data Policy refers to as "Google user data." Meetwrap's collection, use, storage, sharing, and protection of Google user data complies with the Google API Services User Data Policy, including its Limited Use requirements. We use Google user data only for the user-facing features explicitly described in this policy.
What we collect
When you sign in with Google, we receive your email address (for account identification) and a short-lived OAuth access token to read your Google Calendar.
From your calendar we read only event metadata for the displayed week:
- Event start and end times
- Event titles (processed in your browser only; never written to our database in raw form)
- Attendee count and attendee email addresses (used in your browser only for unique-people deduplication; never written to our database)
- Recurring-event metadata (to distinguish recurring meetings from one-time meetings)
We do not read event descriptions, attachments, conferencing links, RSVP statuses, or any other event content beyond what is listed above.
How we use Google user data
Each piece of Google user data we read is used for one or more specific user-facing features. The full mapping is:
- Your Google account email address is used to identify your Meetwrap account, persist your account across sessions, and (if you opt in) deliver weekly digest emails. It is never used for advertising, sold to any third party, or used to identify you on the public share pages (which are anonymized by default).
- Event start and end times are used in your browser to compute four user-facing statistics shown on your wrap: total meeting hours, average meeting length, longest uninterrupted focus block, and the recurring-vs-one-time hours breakdown.
- Event titles are used in your browser to identify your "biggest recurring time sink" — the recurring meeting with the highest cumulative weekly hours. Event titles are never transmitted to our servers, never stored in our database in raw form, and are replaced with the placeholder "Recurring meeting" in any anonymized share snapshot.
- Attendee count is used in your browser to distinguish 1:1s from group meetings and to filter out broadcast meetings (e.g. all-hands with 20+ attendees) from the unique-people-met count.
- Attendee email addresses are used in your browser solely to deduplicate unique people you met across the week (the "People Met" stat). They are read once per session, lowercased and counted in browser memory, then discarded — never stored on our servers, never transmitted to third parties, and never used for any other purpose.
- Recurring-event metadata is used in your browser to compute the recurring-vs-one-time hours breakdown shown on your wrap.
A short text-based "verdict" line is also generated automatically based on your total meeting hours; the verdict text is selected algorithmically from a pre-written library and is not generated using AI or machine learning models trained on your data.
We do not use Google user data for any purpose other than providing or improving the user-facing features of Meetwrap described above. Specifically, we do not:
- use Google user data for advertising of any kind, including targeted, personalized, retargeted, or interest-based advertising
- sell, rent, lease, or trade Google user data to data brokers, information resellers, or any third party
- use Google user data to determine credit-worthiness, for lending purposes, or for any decisioning about a user's eligibility for a financial product or service
- use Google user data to create databases intended for resale or for enriching third-party data products
- use Google user data to develop, improve, or train any generalized or non-personalized AI or machine-learning models
- allow humans to read Google user data, except where required for security, investigation of a legitimate user-reported issue, or compliance with valid legal process
These prohibitions apply both to Meetwrap and to all sub-processors with whom we share Google user data.
Where it is stored
Authentication and account data (your email address and sign-in records) are stored on Supabase infrastructure hosted in the EU (Frankfurt, Germany).
Raw Google Calendar event data is processed in your browser to generate your weekly wrap and is not written to our database.
When you choose to create a public share URL by clicking the "Share" button on your wrap, an anonymized snapshot of your weekly statistics is stored on Supabase. This snapshot contains only:
- Aggregated numbers (total meeting hours, meeting count, average meeting length, longest focus block, unique people count, recurring vs one-time hours)
- The auto-generated verdict text shown on your wrap
- The week-start date
The snapshot does NOT contain any meeting titles, attendee names, attendee email addresses, or other identifying information. Recurring meeting titles are replaced with the placeholder text "Recurring meeting" before storage. The public share URL itself contains an unguessable 8-character random identifier.
Sharing and disclosure of Google user data
Meetwrap does not sell, rent, or trade Google user data. We share Google user data with sub-processors only as described below, and only to the minimum extent necessary to operate the user-facing features of Meetwrap. Each sub-processor's role and the specific data it receives are listed.
- Google (https://policies.google.com/privacy) — receives the OAuth authentication request and returns calendar event metadata for the displayed week. Data is exchanged directly between your browser and Google; Meetwrap's servers do not intermediate or log calendar event data.
- Supabase (https://supabase.com/privacy), EU-hosted in Frankfurt — receives and stores: your email address (for account identification) and any anonymized share-snapshot rows you explicitly create (aggregate numbers + verdict text only, no titles or emails). Supabase does NOT receive raw Google Calendar event data, raw event titles, or raw attendee email addresses.
- Vercel (https://vercel.com/legal/privacy-policy) — application and marketing-site hosting. Vercel hosts the Meetwrap web application at app.meetwrap.io and the marketing site at meetwrap.io. Your browser fetches the application code from Vercel's infrastructure when you load either site. Calendar data is processed entirely in your browser; Vercel's hosting layer does NOT log, persist, or have access to your calendar event data.
- PostHog (https://posthog.com/dpa), EU-hosted — product analytics. PostHog receives anonymous product-usage events (such as signin_completed, wrap_viewed, share_button_clicked) tied to a randomly-generated user identifier. PostHog does NOT receive Google Calendar event data, event titles, attendee names, or attendee email addresses.
- Loops (https://loops.so/privacy) — transactional and marketing email. Loops receives only your email address (for account identification and to send the optional weekly meeting digest and account-related emails). Loops does NOT receive Google Calendar event data, event titles, attendee names, or attendee email addresses.
- Cloudflare (https://www.cloudflare.com/privacypolicy/) — DNS and CDN services on the meetwrap.io domain. Cloudflare may briefly process request metadata (IP address, request URL) as part of routing traffic. Cloudflare does NOT receive Google Calendar event data, event titles, attendee names, or attendee email addresses.
We do not transfer Google user data to any third party for purposes other than the user-facing features described in this policy. We do not transfer Google user data outside the European Economic Area, except to Google itself (which is governed by Google's own privacy policy and the Standard Contractual Clauses).
We will disclose Google user data to law-enforcement or regulatory authorities only when legally required to do so under EU or Dutch law, or under valid legal process. In the event of such a disclosure, we will (where legally permitted) notify the affected user.
We do not transfer Google user data to any third party for advertising of any kind, data-broker resale, information reseller services, credit-worthiness assessment, lending purposes, AI or machine-learning model training, or any purpose other than the user-facing features described in this policy.
Security and data protection
Meetwrap implements the following technical and organizational measures to protect Google user data:
Encryption in transit. All connections between your browser, our application, and our sub-processors use TLS 1.2 or higher (HTTPS). OAuth tokens issued by Google and Supabase are transmitted over encrypted channels only.
Encryption at rest. All data persisted to Supabase (account records and anonymized share snapshots) is encrypted at rest using AES-256 by default, including backups.
Authentication. Sign-in is handled exclusively through Google OAuth 2.0. Meetwrap does not store, see, or process passwords. Access tokens issued by Google are short-lived and refreshed transparently by Supabase Auth; long-lived tokens are not retained in application code.
Access controls. All Supabase tables enforce Row-Level Security (RLS) policies. Account data is readable, insertable, and updatable only by the authenticated account owner. Anonymized share snapshots are inserted and updated only by the snapshot's author; they are publicly readable by share-ID, but the share-ID is an unguessable 8-character random identifier (~30 trillion combinations) functioning as a capability key. No party other than the authenticated owner of a row can access account-scoped data.
Data minimization. Raw Google Calendar event data — including event titles, attendee names, and attendee email addresses — is processed exclusively in your browser and is never written to our database. Only aggregated, anonymized statistics are persisted, and only when you explicitly create a public share URL.
Operational measures. Meetwrap's infrastructure is hosted in the European Economic Area (Frankfurt, Germany). Sub-processor selection prioritizes EU-hosted services and GDPR-compliant data-processing agreements. Privacy and security incidents involving Google user data will be communicated to affected users without undue delay.
Retention
We keep your account, email address, and any anonymized share snapshots until you delete your account. You can delete your account at any time from the wrap page (bottom-right "Delete my account" link). Deletion is immediate and irreversible — all associated Meetwrap data, including any anonymized share snapshots you have created, is removed within 30 days.
You can also revoke Meetwrap's access to your Google Calendar at any time via your Google Account → Security → Third-party app access. Revoking access prevents future calendar reads but does not automatically delete your existing Meetwrap account data — to delete your account, use the in-app deletion link.
Your GDPR rights
You have the right to access, correct, export (data portability), and delete your personal data. You also have the right to lodge a complaint with your local data protection authority (in the Netherlands, this is the Autoriteit Persoonsgegevens). To exercise any of these rights, email us at privacy@meetwrap.io.
Children
Meetwrap is not directed at children under 18 and does not knowingly collect data from minors.
Changes to this policy
We may update this policy when we change how we handle data. Material changes will be communicated to existing users via email. The "Last updated" date at the top of this page indicates the most recent revision.
Contact
For privacy questions, to exercise your GDPR rights, or to request data deletion, email us at privacy@meetwrap.io.