Notis.ai Privacy Policy
Effective date: November 13, 2023
Last updated: September 29, 2025
This Privacy Policy describes how Notis.ai (operated by Mind The Flo S.à.r.l., “Notis,” “we,” “us,” or “our”) collects, uses, stores, shares, and protects your information when you visit our websites, use our applications, or connect third‑party accounts (including Google services) to Notis.ai.
Google API Services Disclosure
When you connect a Google account, Notis uses Google user data solely to provide user‑facing features you request (e.g., reading and sending emails you ask it to handle, managing your calendar events, referencing your contacts, and working with Google Drive files you authorize). We comply with the Google API Services User Data Policy, including its Limited Use requirements. We never sell Google data or use it for ads. Humans do not read your Google data unless you explicitly consent, it is necessary for security or legal reasons, or it is required to comply with applicable law. See Section 6 and Appendix A for details.
1) Who We Are & Scope
This policy applies to Notis.ai products and services, including our web apps, messaging/voice integrations, and APIs (collectively, the “Services”). If our Services link to a different privacy policy (for a specific feature or integration), that policy controls for that feature.
Entity responsible (EU/CH): Mind The Flo S.à.r.l.
Registered office: Chemin du Motélon 87, 1638 - Morlon, Switzerland
Contact: privacy@notis.ai (preferred) or flo@mindtheflo.cm
2) Information We Collect
We collect information in three ways: (a) you provide it to us, (b) it is collected automatically, and (c) we receive it from third parties you choose to connect (e.g., Google, Notion, WhatsApp/Telegram, etc.).
2.1 Information You Provide
Account & Profile: name, email, password (hashed), photo, language, timezone.
Billing: country, VAT/Tax ID, and payment details processed by our payment provider (Stripe). We do not store full card numbers.
Content & Instructions: voice notes, transcripts, prompts, files, tasks, labels, preferences, and any other content you submit to be processed by Notis.
Support & Feedback: messages, recordings (if you choose), and contact details.
2.2 Automatically Collected Information
Usage & Device Data: IP address, device identifiers, OS/browser, pages viewed, timestamps, referrers.
Diagnostics & Telemetry: error logs, performance metrics, and feature flags.
Cookies & Similar Tech: for authentication, security, preferences, and analytics. See our Cookie Policy.
2.3 Third‑Party Sources You Connect
Note on integration platform (Composio): Certain integrations in Notis may be powered by our processor Composio. When you connect an app, authentication may be provisioned via Composio’s developer application for that provider. OAuth tokens and minimal metadata necessary to operate the integration may be generated and stored securely by Composio solely to deliver the features you enable. You can disconnect at any time in Notis or at the provider. Composio does not sell data or use it for advertising, and for Google data it adheres to Google’s Limited Use requirements.[1][2]
When you connect third‑party accounts, we receive data only as authorized by you and by the provider’s APIs/OAuth scopes. Examples include:
Google: Gmail messages/metadata you select, draft/sent items, labels; Calendar events; Contacts; Drive files and folders you authorize (including files Notis creates on your behalf); basic profile (emails, name, language), and other profile fields you opt to share.
Messaging/Voice Platforms: WhatsApp, Telegram, Twilio, VAPI—message/audio content and metadata as needed to deliver features you enable.
Knowledge/Storage Apps: Notion and others, as authorized.
3) How We Use Information
We process your information to deliver and improve the Services and to fulfill our contract with you or our legitimate interests, including:
Core Features You Request: transcribe voice notes; generate content; draft, read, send, and organize emails; read/write calendar events; look up or use your contacts; find, read, create, update, and organize Google Drive files/folders that you authorize; create and manage tasks/notes; synchronize to your chosen apps.
Personalization: settings, language, timezone, and model/tool preferences.
Security & Abuse Prevention: authentication, fraud/spam/misuse detection, incident response.
Customer Support & Operations: troubleshooting, logs, and usage analytics.
Legal/Compliance: enforcing terms, complying with lawful requests, accounting, and tax.
AI Processing & Providers. To perform voice transcription, summarization, routing, and other AI features, we may process your content with model providers (e.g., OpenAI or comparable vendors) under data processing terms that restrict use to your instructions and our provision of the Services. Where feasible, we instruct providers not to use your data to train their models. See Section 7.
4) Our Legal Bases (EU/UK/CH)
Depending on context, we rely on: Contract (to provide Services you request); Legitimate Interests (e.g., security, service improvement, non‑intrusive analytics); Consent (e.g., marketing, certain optional connectors); and Legal Obligation (e.g., tax/record‑keeping).
5) Data Sharing
We do not sell your personal data. We share data only as described:
Integration platform (Composio) acting as processor: Some integrations are powered by Composio on our behalf. For those, authentication and action execution may occur via Composio’s developer application for the relevant provider. Composio processes data solely to operate the integration features you enable and does not sell data or use it for advertising. For Google user data accessed via Composio, Limited Use restrictions apply (no ads use, no sale, no model training beyond providing the service).[1]
Vendors/Processors: cloud hosting, data storage/backup, authentication, analytics/observability (e.g., PostHog, Langfuse, Google Analytics), customer support (e.g., Intercom), payments (e.g., Stripe), voice/messaging (e.g., Twilio/VAPI), and AI inference providers (e.g., OpenAI). Vendors are bound by contracts and process data only on our instructions.
Integrations You Enable: When you connect apps (e.g., Google, Notion), we share data as needed to deliver those features (e.g., saving a drafted email to Gmail, attaching or saving a file to Google Drive, or adding an event to Calendar). You can disconnect at any time.
Compliance & Safety: to comply with law or enforce our terms; to protect rights, safety, and security.
Business Transfers: if we undergo a merger, acquisition, or asset sale, your data may transfer subject to this Policy or successor terms.
A current list of key subprocessors is available on request and may include: Google Cloud/Supabase (hosting & DB), Stripe, Intercom, PostHog, Langfuse, Google Analytics, Twilio, VAPI, OpenAI.
Third parties we currently use include:
Google Analytics: web analytics
PostHog: platform analytics
Langfuse: LLM tracing
Intercom: customer support and automation
Stripe: payment gateway
mem0: long term memory
Composio: integrations with third party platforms
6) Google API Services User Data
If you connect a Google account, we access and use Google user data only to provide the features you ask for. We adhere to Google’s Limited Use policy:
No Selling / No Ads: We do not sell Google user data or use it for ad targeting.
Human Access: We do not allow humans to read Google data unless (i) you give explicit consent; (ii) it’s necessary for security (e.g., investigating abuse); (iii) it’s required to comply with law; or (iv) it’s strictly necessary for our Service’s operation and shown to you.
Restricted Use & Transfer: We only use data for the features you enable; transfers are limited to providing or improving those features or for compliance.
Granular Permissions: We request the minimum scopes needed for the features you select; you can revoke access at any time in your Google Account or within Notis.
See Appendix A for the enumerated scopes (including Drive) and why they are required.
7) Data Storage, Security & International Transfers
Encryption: Data in transit is protected with TLS. Data at rest (including OAuth tokens) is encrypted. Credentials are stored using industry‑standard key management.
Access Controls: Role‑based access, least privilege, and audit logging for administrative access.
Segregation & Isolation: Logical tenant isolation where applicable; secrets stored separately.
Retention: See Section 8.
Locations: We may process data in the EU/EEA, Switzerland, the United States, and other jurisdictions where we and our vendors operate. Where data is transferred internationally, we use appropriate safeguards (e.g., SCCs) as required by law.
Integrations powered by Composio: For certain integrations, Composio acts as our processor to manage authentication and execute actions in connected apps. Where Composio processes data outside your region, transfers are protected by appropriate safeguards such as EU Standard Contractual Clauses. Security incidents affecting our processors, including Composio, are covered by our incident response and notification procedures.[1]
8) Data Retention & Deletion
Account Data: kept while your account is active and for a reasonable period thereafter (typically up to 24 months) for record‑keeping, fraud prevention, and to comply with legal obligations, unless you request earlier deletion where feasible.
Content/Transcripts/Emails/Events/Files: retained to provide your ongoing features and history; you can delete content within the app where available.
Backups/Logs: short‑lived operational logs; encrypted backups retained for a limited period (typically up to 180 days) and then purged on a rolling basis.
Google Disconnect: when you disconnect Google, we revoke tokens promptly and cease new data ingestion. We delete cached Google content (including Drive metadata/content cached for features) not required for legal or operational integrity within 30 days, subject to backup cycles.
Your Right to Delete: You may request deletion at any time via in‑app settings or by contacting privacy@notis.ai. We will confirm and act within applicable legal timeframes.
9) Your Rights
Depending on your location, you may have rights to access, correct, delete, port, or restrict processing of your data, and to object to certain processing. You can:
Access/export data and disconnect integrations in your account settings.
Request changes or deletion at privacy@notis.ai.
Withdraw consent for marketing at any time (unsubscribe links or settings).
You also have the right to lodge a complaint with your local data protection authority.
10) Children
Our Services are not intended for children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data, contact us and we will take appropriate action.
11) Changes to This Policy
We may update this Policy to reflect changes to our practices or for legal, technical, or regulatory reasons. We will post the updated version and update the “Last updated” date. For material changes, we will provide additional notice as required by law.
12) Contact
Data controller: Mind The Flo S.à.r.l.
Email: privacy@notis.ai (preferred) or flo@mindtheflo.cm
Postal address: Chemin du Motélon 87, 1638 - Morlon, Switzerland
Appendix A: Google OAuth Scopes & Feature Mapping (How We Access, Use, Share, Store, Retain)
Below we enumerate the Google scopes our app may request, their purpose, and our handling aligned with Google’s Limited Use requirements.
A.1 Non‑Sensitive Scopes
userinfo.email – See your primary Google Account email address.
userinfo.profile – See your basic profile info (e.g., name, avatar).
profile.language.read – See your language preferences.
user.addresses.read – View your street addresses.
user.birthday.read – See your exact date of birth.
user.emails.read – See all Google Account email addresses.
user.phonenumbers.read – See your phone numbers.
A.2 Sensitive Scopes (Approval Required)
calendar – See, edit, share, and permanently delete all calendars you can access.
calendar.events – View and edit events on all your calendars.
contacts.readonly – See and download your contacts.
contacts.other.readonly – Read “Other contacts.”
profile.emails.read – See and download all of your Google Account email addresses.
drive – Full access to Google Drive.
A.3 Restricted Scopes (Approval Required)
gmail.modify – Read, compose, and send email; manage drafts, labels, and message state.
Appendix B: User Controls
Connect/Disconnect Google: Settings → Integrations → Google → Connect/Disconnect. Revokes tokens and stops data flow.
Scope Management: Consent screens detail scopes; you can remove access in your Google Account at any time.
Data Export: Request an export at privacy@notis.ai.
Deletion: Delete content in‑app where possible and/or request account deletion; or email us.
Appendix C: Security Overview
TLS in transit; encryption at rest; secret rotation; token scoping and expiry; least‑privilege RBAC; audit logging; anomaly detection.
Separate environments for development, staging, and production; production data never used to train third‑party models for unrelated purposes.
Appendix D: Region‑Specific Notices
GDPR/UK GDPR/Swiss nFADP: you have rights of access, rectification, erasure, restriction, objection, and portability; contact us to exercise. We rely on SCCs for international transfers where required.
CCPA/CPRA (California): We do not sell or share personal information for cross‑context behavioral advertising. California residents can exercise rights to know, delete, correct, and limit use of sensitive information.