Privacy Policy

This Privacy Policy explains how TopoTopic ("TopoTopic", "we", "us") collects, uses, and shares information when you use our website and services at topotopic.com (the "Service").

For the purposes of the EU General Data Protection Regulation (GDPR) and UK GDPR, the controller identity and operator disclosures are listed in our Legal Notice / Imprint.

This policy applies to the Service, including workspaces, capture/import flows, and AI-assisted features. For contractual terms, see our Terms of Service.

Contact: support@topotopic.com

We collect information in these categories:

• Account and profile data (such as email address, display name, authentication identifiers, and account settings).
• Workspace content you upload or create (for example: recordings, uploads, transcripts, notes, collections, messages, and related metadata).
• Derived and operational data created to run the Service (for example: summaries, embeddings, keywords, graph structures, and indexing artifacts).
• Usage and device data (such as IP address, user agent, timestamps, feature usage, error logs, and security/audit events).
• Billing data when you subscribe to a paid plan (handled by payment providers such as Stripe; we receive limited billing metadata).

We use the information we collect to:

• Provide, maintain, and operate the Service (including storage, sync, search, and retrieval).
• Process content to deliver requested features (such as transcription, summarization, and indexing).
• Personalize and improve workspace experiences (such as recommendations and ranking).
• Develop and launch current and future product capabilities using Service Data.
• Protect the Service (fraud prevention, abuse detection, account security, and audit logging).
• Provide support, communicate with you, and respond to requests.
• Comply with legal obligations.

Required capture settings (including speaker attribution and audio retention) are processed as required service settings for recording/transcription features and are not treated as optional analytics consent.

Where permitted by law, we may use de-identified and aggregated data for analytics, product development, operational benchmarking, and commercial planning.

We do not sell your personal information.

We may share information in these situations:

• Service providers: vendors that help us operate the Service (for example: cloud hosting, storage, analytics, payments, and AI processing). These providers are permitted to process information only to provide services to us.
• Within your workspace: content you add to a shared workspace may be visible to other workspace members according to roles and workspace settings.
• Public sharing: if you choose to make content public, it may be accessible to others. Link-shared content is accessible to anyone who has the link and can be forwarded by recipients.
• Legal and safety: to comply with law, protect rights and safety, and prevent fraud or abuse.
• Business transfers: if we are involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction.

We do not intentionally submit link-shared pages to search engines. We cannot control indexing behavior from third parties that receive those links.

We maintain a transparency schedule of primary providers at /subprocessors, including provider name, purpose, data categories, regions, and transfer safeguards.

We use cookies and similar technologies for essential functionality (authentication, security, and service operation), and for analytics when you choose to enable it.

Essential cookies help the Service function. For example, the Service may set a topotopic-session-id cookie to stabilize sessions for features like A/B assignment and request correlation. In production, this cookie is set with SameSite=Lax and the Secure flag.

Analytics may include first-party measurement and optional third-party analytics (such as Google Analytics) when analytics consent is enabled.

Speaker attribution and audio retention are required service settings for recording and transcription features. If these required settings are not accepted, those features (and in some cases the Service) are unavailable.

For details about specific cookies and their lifetimes, see our Cookie Policy.

The Service can process workspace content using third-party providers (for example: transcription, document understanding, and language model features). This may involve sending portions of your content to those providers to generate outputs you request.

We do not use Customer Content to train or fine-tune general artificial intelligence or machine learning models. When we send content to third-party AI providers (such as OpenAI and AssemblyAI), it is processed only to generate the outputs you request, and we do not permit those providers to use Customer Content for model training.

We may use Service Data and de-identified aggregated Derived Data to operate, secure, measure, and improve the Service. We use providers as service providers, not as advertisers.

We take measures to ensure appropriate AI literacy for staff who develop, operate, or support AI-assisted features.

When you use voice recording features:

• Audio is captured on your device and transmitted to our servers
• Audio may be sent to transcription services (such as AssemblyAI) to generate text transcripts
• Audio is retained with session records until deleted by you or a workspace administrator
• Transcripts are stored in your workspace for search and retrieval

Speaker attribution in this context is diarization (for example "Speaker 1" / "Speaker 2") within a session. TopoTopic does not create voiceprints or use audio to uniquely identify people across sessions or customers.

Voice recording requires capture settings for speaker attribution and audio retention. If your recordings include other individuals, you are responsible for obtaining their consent where required by law.

When you import YouTube content:

• We retrieve publicly available metadata and captions using the YouTube API
• We do not download or store the video file itself
• Caption text and metadata are indexed in your workspace

You must have the right to import and process any content you submit. Our use of the YouTube API is subject to the YouTube Terms of Service and Google Privacy Policy.

Workspace content is retained until it is deleted. If you delete your account, your account record is removed and you lose access to the Service. Content you contributed to shared workspaces may remain available to other workspace members or administrators, and references to your user may be removed or set to null.

Retention periods:

• Account data: Retained until you delete your account, plus up to 30 days for backups to cycle out
• Workspace content: Retained until deleted by you or a workspace administrator
• Derived data (embeddings, keywords): Deleted within 30 days of source deletion
• Security and audit logs: Retained for up to 90 days depending on log type and system (some logs may have shorter retention)
• Export files: Available for 7 days after generation
• Session cookies: Up to 60 minutes (see Cookie Policy)

Currently, exports include collection and session records (metadata) from your default workspace. Exports do not currently include uploaded files or full session transcripts.

If you are the last owner of a workspace, you may need to transfer ownership to another member before account deletion can complete.

We may retain limited information for security, audit, fraud prevention, and legal compliance. Backup copies and logs may persist for a period of time after deletion and are overwritten or deleted according to our operational practices.

To request an export or delete your account, use Settings → Privacy.

Depending on where you live, you may have rights to access, correct, export, or delete certain information, or to object to certain processing. You can manage key controls in the Service (including export and deletion) through account settings.

If you have questions about your rights or want to make a request, contact us using the details below.

Some processing is required to run TopoTopic safely and lawfully (for example account security, required legal acceptance, and required capture settings such as speaker attribution and audio retention). If those required settings are withdrawn, access to relevant features or the Service may be unavailable.

We use administrative, technical, and organizational safeguards designed to protect information. This includes controls such as HTTP-only cookies for sessions, access controls, and audit logging.

No system is 100% secure. You are responsible for maintaining the security of your account and devices.

The Service may process and store information in countries other than where you live, including where our service providers operate. We take steps designed to protect information when it is transferred internationally.

Questions or requests can be directed to support@topotopic.com. Operator details are published in /legal-notice.

We aim to respond to privacy requests within 30 days when practicable.

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to Opt-Out: You have the right to opt out of the "sale" of personal information. We do not sell personal information.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, use Settings → Privacy or contact support@topotopic.com. We will verify your identity before processing requests.

Categories of personal information collected in the past 12 months:

• Identifiers (email, account ID)
• Internet activity (usage logs, device info)
• Professional information (workspace content)
• Audio/visual information (recordings, uploads)
• Inferences (AI-generated summaries, keywords)

We have not sold personal information in the preceding 12 months.

If you are in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under applicable data protection law:

• Access: Request a copy of your personal data
• Rectification: Request correction of inaccurate data
• Erasure: Request deletion ("right to be forgotten")
• Restriction: Request limited processing
• Portability: Receive your data in a portable format
• Objection: Object to processing based on legitimate interests
• Withdraw consent: Where processing is based on consent

Legal bases for processing:

• Contract performance: To provide the Service you requested
• Legitimate interests: Security, fraud prevention, service improvement, and product development using Service Data and de-identified/aggregated datasets
• Contract performance or legitimate interests: Required capture settings for speaker attribution and audio retention in core recording and transcription features
• Consent: Optional analytics (when enabled) and optional marketing communications
• Legal obligation: Compliance with applicable laws

To exercise your rights, use Settings → Privacy or contact support@topotopic.com.