Privacy Policy.
Controller / Verantwortlicher
[PLACEHOLDER — legal company name, address, email, registration number. See Impressum.]
Data-sovereign by design
Consana is local-first. Your meeting content — transcripts, canvases, notes — is stored in a folder you choose on your own device by the desktop app. This website (the account and billing portal) does not receive or store your session content. It processes only the account, billing, and usage data described below.
Data we collect and the legal basis
We process the following categories of personal data, each on the legal basis stated (Art. 6(1) GDPR):
| Data | Legal basis |
|---|---|
| Account data — name, email address, authentication identifiers | Art. 6(1)(b) — performance of the contract (providing your account) |
| Billing data — plan, subscription status, invoices, payment metadata (card data is handled by Stripe, never stored by us) | Art. 6(1)(b) contract and Art. 6(1)(c) legal obligation (tax/accounting) |
| Usage & log data — minutes consumed, feature usage, IP address and request metadata needed to operate and secure the service | Art. 6(1)(f) — legitimate interest in a secure, functioning service |
| Analytics data — pages viewed and interactions, via Google Analytics with anonymised IP | Art. 6(1)(a) — your consent (opt-in; withdrawable at any time) |
| Error-diagnostics data — stack traces and browser metadata via Sentry | Art. 6(1)(a) — your consent (opt-in; withdrawable at any time) |
Cookies & analytics
We set strictly-necessary cookies to run the service. Optional analytics — Google Analytics 4 and Sentry error monitoring — load only after you opt in. Google Analytics is configured with IP anonymisation, with Google Signals and ad personalisation disabled, and sets no advertising cookies.
| Type | Purpose | Examples | Retention |
|---|---|---|---|
| Strictly necessary | Required for the service to function — authentication sessions and security tokens. Cannot be disabled. | Session cookie (auth), CSRF token | Session / 7 days |
| Functional | Remember your preferences such as theme, language, and dashboard layout. | Theme preference, dashboard layout | 12 months |
| Analytics — Google Analytics | Product and marketing analytics via GA4, loaded only after you opt in. IP anonymised, Google Signals and ad personalisation disabled, no advertising cookies. | _ga, _ga_<container-id> | Up to 13 months |
| Analytics — Sentry | Error monitoring, active only with your consent. Collects error stack traces and browser metadata; no personal communications data. | __sentry_tracing, sentry-sdk session envelope | 90 days |
| Third-party / Stripe | Stripe sets cookies on checkout pages to detect fraud and enable payment processing, governed by the Stripe privacy policy. | __stripe_mid, __stripe_sid | 1 year / session |
Your cookie preferences
Loading…
You can also control and delete cookies through your browser settings. Disabling strictly necessary cookies will prevent you from signing in to Consana. Most browsers allow you to block third-party cookies independently of first-party cookies.
Subprocessors
Consana uses the following third-party subprocessors to operate the service. Each is subject to a Data Processing Agreement and processes data only as instructed.
| Subprocessor | Purpose | Location |
|---|---|---|
| Anthropic | AI reasoning — processing transcript excerpts to generate canvas content, summaries, and action items. | EU (via Azure West Europe) |
| Microsoft Azure Cognitive Services | Live speech-to-text transcription of session audio. | Azure West Europe |
| Microsoft Azure | Cloud infrastructure — compute, storage, authentication. | Azure West Europe |
| Stripe | Payment processing — subscription billing, invoicing, top-up packages. | EU |
| Google (Google Ireland Ltd / Google LLC) | Google Analytics 4 — website usage statistics. Loaded only with your consent; IP anonymised; Google Signals and ad personalisation disabled. | EU, with transfer to the USA under SCCs / EU–US Data Privacy Framework |
| Sentry | Error tracking and performance monitoring. Loaded only with your consent. Configured to exclude PII. | EU |
International data transfers
Where a subprocessor transfers data outside the EU/EEA — notably Google Analytics, which may transfer data to Google LLC in the United States — the transfer is safeguarded by the EU Standard Contractual Clauses (Art. 46 GDPR) and, where applicable, the processor's certification under the EU–US Data Privacy Framework. Our core infrastructure and AI processing run in Azure West Europe.
Data retention
- Account data: for the life of your account, then deleted or anonymised after closure (subject to statutory retention below).
- Invoices and tax-relevant billing records: retained for the statutory period required by German commercial and tax law (§257 HGB, §147 AO — up to 10 years).
- Google Analytics data: up to 14 months.
- Sentry error data: 90 days.
- Server logs: rotated on a short cycle for security and operations.
Your rights (GDPR Art. 15–22)
Under GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
- Right to withdraw consent at any time (Art. 7(3)) — for analytics, use the cookie preferences above
To exercise your rights, contact us at privacy@consana.ai.
Supervisory authority
You have the right to lodge a complaint with a data-protection supervisory authority. [PLACEHOLDER — competent authority (Datenschutzbehörde) for the company's jurisdiction, e.g. Bayerisches Landesamt für Datenschutzaufsicht (BayLDA).]
Changes to this policy
We update this policy when our processing changes materially and note the revision date above. Material changes affecting consent-based processing will be surfaced through the cookie-consent banner so you can review your choices.
Questions? Email us at privacy@consana.ai.