What Reline collects, why we collect it, and how to remove it.

Reline is an AI note-taking product. We record audio, transcribe it, generate summaries with large language models, and store the result so you can search, share, and collaborate on it.

This policy describes what we collect, why we collect it, who has access, and how to remove it. We've kept it short on purpose. If something is unclear, email privacy@reline.so.

Who we are. The data controller for your account data is Reline AI, Inc. ("Reline"). For workspace content you create or share, your organization (or you, on a personal plan) is the controller and Reline acts as a processor under our Data Processing Addendum. You can reach our privacy team at privacy@reline.so; our registered postal address is available on request.

Account data. Name, email, profile image, and SSO provider identifiers (Google or Microsoft Entra ID).

Workspace content. Notes, transcripts, recordings, summaries, Lenses, and chat threads you create or that are shared with you.

Calendar metadata. If you connect Google or Microsoft, we receive each event's title, description, start and end time, all-day flag, location, attendee list (email, name, and RSVP status), organizer, conference/meeting link, and recurring-series identifier — used to show your meetings, attach notes to them, and build your private contacts directory. See the Google API Services section for the full Google Calendar disclosure.

Operational telemetry. Crash reports and product-usage metrics — which features are used and where errors happen — used for capacity planning and bug-fixing. When you are signed in and have consented, these events are associated with your account (your user ID, email, and name) so we can support you and understand real usage; you can opt out at any time. Our product-usage events do not contain note, transcript, or recording content. If you consent to analytics, session recordings may additionally capture your on-screen activity — including note and transcript content visible while you use Reline — to help us reproduce and fix issues; password fields are always masked and we do not record network payloads. You can decline or withdraw consent at any time. See our cookie policy for the specifics.

• To provide the product (record, transcribe, summarize, sync).
• To enforce per-plan quotas (free plan: 1 hour per note, 10 hours per user per month).
• To investigate bugs, abuse, and security incidents.
• To process payments and manage your subscription.
• With your consent, to measure product usage so we can improve Reline.

Legal bases (GDPR Art. 6). Where the GDPR applies, we rely on: performance of a contract (Art. 6(1)(b)) to deliver the service you sign up for, including recording, transcription, summarization, sync, and billing; our legitimate interests (Art. 6(1)(f)) in keeping the service secure, preventing abuse, and fixing bugs, balanced against your rights; your consent (Art. 6(1)(a)) for optional product analytics and any non-essential cookies, which you can withdraw at any time; and compliance with a legal obligation (Art. 6(1)(c)) where the law requires us to retain or disclose data.

What we never do. We do not sell your data. We do not use your audio or transcripts to train third-party AI models. Other than the sub-processors that operate Reline (listed below) and, where you consent, the session-recording analytics described above, we do not share workspace content with anyone outside your workspace, except under your explicit instruction or legally required disclosure.

If you connect a Google account, Reline requests three read-only scopes: the Google Calendar events scope (https://www.googleapis.com/auth/calendar.events.readonly), to read events from your primary calendar, plus userinfo.email and userinfo.profile, to identify your account at sign-in. Using the calendar scope, Reline reads metadata from your primary calendar only: each event's title, description, start and end time, all-day flag, status, location, conference/meeting link (Zoom, Google Meet, or Microsoft Teams), the organizer (name and email), the attendee list (each attendee's email, display name, and RSVP response status), and the recurring-series identifier. We read only your primary calendar and never create, modify, delete, or share calendar events.

We use this data only to (1) display your upcoming meetings inside Reline, (2) attach notes and transcripts to the correct meeting, (3) surface attendee context, and (4) build a private directory of the contacts and companies you meet with — their name, email, and the company inferred from their email domain, plus how often and when you last met — so you can find and search related notes by person or company. These derived contact and company records are visible only to you.

Calendar metadata is stored in our managed database (Convex), which encrypts data at rest, and is transmitted only over TLS 1.2 or higher; the OAuth tokens that connect your account are additionally encrypted by Reline using AES-256-GCM. We never sell Google user data, never use it for advertising, and never use it to train or improve any AI or machine-learning model — neither our own nor any third party's. When you use Reline's AI features (such as asking questions about your notes), the contact and company labels derived from your calendar may be passed to our model providers solely to generate the answer you requested; those providers process it only to return your result and do not retain it or train on it. No Reline employee accesses your Google data except where you ask us to (for example, a support request), where strictly necessary for security, or where required by law.

Reline keeps only a rolling window of your calendar — roughly the past few hours through the next 30 days — and a daily job automatically deletes any synced event more than 7 days past. You can disconnect at any time from Settings → Calendar in Reline. Disconnecting revokes Reline's access with Google, deletes the stored access and refresh tokens, and purges your cached calendar events together with the contacts and companies derived from them. You can also remove Reline's access directly from your Google Account permissions.

Reline's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Connecting Slack is optional. If you connect a Slack workspace (from Settings → Integrations), Reline uses Slack's standard OAuth flow and requests four bot scopes: channels:read and groups:read, to list the public and private channels you can post to; and chat:write and chat:write.public, to post the summaries you choose to send. Reline does not request access to your Slack message history and never reads your Slack messages.

What we receive and store. From Slack we receive and store — encrypted — an OAuth access token and your Slack workspace (team) ID, so Reline can post on your behalf. When you set a default Slack channel for a workspace or a folder, we store that channel's ID so future pushes can default to it. The list of your channels is fetched from Slack on demand each time you choose a destination and is held only briefly in memory to populate the channel picker — it is not stored on our servers.

How we use it. Reline uses the Slack connection only when you explicitly click Push to Slack on a note. We then post a message containing the note's title, a short intro, and the note's summary (as threaded replies), plus a link back to the note in Reline. We never post your raw transcript or recording, and we never post automatically — every post is initiated by you.

Data we receive but do not retain. When Reline posts to Slack, Slack's API returns the posted message's timestamp and channel; Reline uses the timestamp only to attach the summary as a reply in the same thread during that request, and does not store it. Reline receives no inbound data from Slack — there are no Slack events, slash commands, or webhooks delivered to Reline.

Storage, security, retention, and deletion. Your Slack OAuth token is encrypted by Reline using AES-256-GCM and stored in our managed database (Convex); the channel IDs you select are stored alongside your workspace and folder settings. We keep these only while the connection is active. You can disconnect at any time from Settings → Integrations; disconnecting immediately deletes the stored Slack token and the channel selections derived from it. You can also remove Reline from the Slack side via your Slack workspace's Manage apps settings. For any access or deletion request, email privacy@reline.so and we respond within 30 days.

We use a small set of vetted vendors to operate Reline. The current list is:

• Convex (USA) — primary database, authentication, and realtime sync. Your account data and calendar metadata are stored here, encrypted at rest.
• Cloudflare R2 (USA) — object storage for your audio recordings and uploaded files.
• Speech-to-text provider (USA) — real-time speech-to-text. Audio is streamed during a recording session; the provider does not retain audio or transcripts from the real-time service and does not train on your data.
• OpenAI, Anthropic, and DeepSeek — large language models for summaries and chat answers, accessed via the AI SDK gateway. They process content only to return your result and do not train on it.
• Vercel (USA) — hosting for the web application.
• WorkOS (USA) — enterprise SSO and directory sign-in, when your organization enables it.
• Lemon Squeezy (USA, a Stripe company) — merchant of record and payment processing. It receives your billing details to process payments.
• Resend (USA) — transactional email (sign-in links, notifications).
• PostHog (USA/EU) — first-party product analytics, only when analytics is enabled and you have consented.

Each sub-processor receives only the minimum data required for their function, under a data processing agreement. The current list, with at least 30 days' advance notice of changes, is maintained here and in our Data Processing Addendum.

Workspace content (notes, transcripts, recordings) is retained for as long as the workspace exists.

When a note is deleted, it goes to trash and is permanently removed after 30 days. Deleting a workspace removes all its content.

You can export your data or delete your account yourself from Settings → Profile inside the app. Export produces a machine-readable file of your account and content; account deletion is permanent and removes your personal data and the content you own. Prefer email? Write to privacy@reline.so and we respond within 30 days.

Google Calendar data follows the separate retention described in the Google API Services section: only a rolling window of recent and upcoming events is kept, events more than 7 days past are deleted daily, and all cached calendar data — including the contacts and companies derived from it — is purged immediately when you disconnect.

Encryption in transit (TLS 1.2+) and at rest. SSO via Google or Microsoft Entra ID (Okta and generic SAML are on the enterprise roadmap). Granular per-note permissions and an append-only audit log. See our security page for the full posture matrix.

If you're in the EEA, UK, or California, you have the right to:

• Access the data we hold about you.
• Correct inaccurate data.
• Delete your account and content (restriction and erasure).
• Export your content in a machine-readable format (portability).
• Object to, or request restriction of, processing for legitimate-interest purposes.
• Withdraw consent for analytics or non-essential cookies at any time, without affecting prior processing.

You can exercise access, export, and deletion yourself from Settings → Profile, or email privacy@reline.so for any request. We do not charge for these and respond within 30 days.

International transfers. Reline and its sub-processors are primarily in the United States. Where we transfer personal data out of the EEA, UK, or Switzerland, we rely on the EU Standard Contractual Clauses, the UK Addendum, and equivalent safeguards, as described in our Data Processing Addendum.

Complaints. You have the right to lodge a complaint with your local data protection supervisory authority (for example, your national authority in the EEA, the UK Information Commissioner's Office, or the relevant Swiss authority). We'd appreciate the chance to address your concern first at privacy@reline.so.

Reline is not directed to children under 16. We do not knowingly collect data from children under 16.

We update this page when our practices change. Material changes will be communicated by email and announced in the changelog. The effective date at the top of this page always reflects the current version.