| Key Information | |
|---|---|
| Controller | Hustler Capital and Advisory LLC, a Wyoming Limited Liability Company |
| Contact Email | privacy@laurenai.xyz |
| Jurisdictions Covered | Federal Republic of Nigeria (NDPR), European Union (GDPR), United States of America |
| Effective Date | April 28, 2026 |
| Last Updated | April 28, 2026 |
1. Introduction
Lauren is a privacy-first AI meeting notetaker operated by Hustler Capital and Advisory LLC, a Wyoming limited liability company ("we", "us", "our", or "Lauren"). This Privacy Policy explains what personal data we collect, how we use it, how we protect it, and what rights you have in relation to it.
Lauren is designed from the ground up around a zero-knowledge architecture. This means that your meeting audio, transcripts, summaries, and context graph are encrypted with a key derived from your personal passphrase before any optional cloud synchronisation occurs. Lauren's servers store only encrypted ciphertext. We cannot read your meeting content, and we do not. This policy explains that architecture plainly and completely.
By using Lauren, you agree to the collection and use of information in accordance with this policy. If you do not agree, you should not use Lauren.
This Privacy Policy applies to all users of the Lauren desktop application, website at laurenai.xyz, and any related services. It covers users in the Federal Republic of Nigeria, the European Union and European Economic Area, the United States of America, and all other jurisdictions where Lauren is available.
2. Data We Collect — and What We Do Not
2.1 What Lauren Does NOT Collect
Because of Lauren's zero-knowledge local-first architecture, we never collect or have access to the following:
- Meeting audio: Audio captured during meetings is processed entirely in memory on your device, transcribed locally or via a zero-retention AI provider, and immediately and irrecoverably destroyed. Audio is never written to disk, never transmitted to Lauren's servers, and never retained by Lauren in any form.
- Meeting transcripts in readable form: Transcripts are stored locally on your device in encrypted form. If you enable optional cloud sync, transcripts are encrypted with your personal passphrase-derived key before leaving your device. Lauren's servers receive only ciphertext that we cannot decrypt.
- Meeting summaries, action items, decisions, commitments: Same encryption model as transcripts. We see only ciphertext.
- Entity graph data: Your context graph (People, Projects, Decisions, Commitments, Threads, Topics) is stored locally on your device, encrypted with your key. We cannot access it.
- Ingested source content: The content of your emails, documents, or calendar events ingested as additional context sources is processed locally, encrypted locally, and stored locally. We see only ciphertext in optional sync.
- Agent queries or responses: All agent interactions with your local API and MCP server occur on your device. Lauren's servers are not in the data path.
2.2 What Lauren Does Collect
Lauren collects a minimal set of account and operational data necessary to provide the service:
- Account data: Your email address, hashed password credential, and account creation date. Collected at registration and stored on our servers to manage your account and subscription.
- Subscription and billing data: Your subscription tier, billing status, and Stripe customer ID. Payment card details are processed directly by Stripe and are never stored on Lauren's servers.
- Device registration data: A device identifier and registration timestamp used to manage device authorisations for cloud sync. We do not collect device hardware identifiers, operating system details beyond what is necessary for compatibility, or location data.
- Usage telemetry: Aggregate, anonymised usage signals such as whether the app was opened, whether a meeting was captured (not the content), and which integration types were triggered (not the content of actions). This telemetry is anonymised using differential privacy techniques. No meeting content, entity data, or identifying information is included. This telemetry is used solely to improve the product and can be disabled in Settings.
- Error reports: Anonymised crash reports and error logs that do not include meeting content, transcript text, entity data, or any user-generated content. Meeting and entity content fields are explicitly excluded from all diagnostic payloads.
- Customer support communications: If you contact us for support, we collect the content of your communications and your email address to respond to your inquiry.
3. Audio Data — Technical Detail
Audio is the most sensitive data Lauren handles. This section explains our technical handling in plain language:
- Capture: Lauren uses macOS system APIs (ScreenCaptureKit and CoreAudio) to capture two audio streams simultaneously: system audio (other participants) and microphone input (your voice). This capture happens entirely on your device.
- Memory-only processing: Both audio streams are held in memory-locked buffers (mlock). They are never written to your device's storage, never written to a temporary file, and never transmitted anywhere during capture.
- Transcription: Audio is transcribed either entirely on-device using Whisper.cpp (Pro tier) or via AssemblyAI's zero-retention API (Context tier). Where AssemblyAI is used, audio is transmitted directly from your device to AssemblyAI under a Data Processing Agreement that prohibits retention and model training on your content. Lauren's servers are not in this data path.
- Immediate destruction: Immediately upon transcription confirmation, both audio buffers are overwritten with zeros using explicit_bzero() (a cryptographically secure memory zeroing function). The audio no longer exists in any form.
- What remains: Only the text transcript of your meeting remains after this process. That transcript is subject to the encryption model described in Section 4.
The practical effect of this architecture is that Lauren never possesses your audio recording. What Lauren holds, briefly, is a text transcript — and that transcript is encrypted before any optional cloud sync.
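The memory-only handling described in this section, sketched as an added example; it is not Lauren's source code. It assumes a libc that declares explicit_bzero() in <string.h> (glibc or a BSD libc), and the audio_buf type and function names are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* exposes explicit_bzero() and MAP_ANONYMOUS in glibc */
#endif
#include <string.h>
#include <sys/mman.h>

/* Hypothetical type: one page-backed capture buffer pinned in RAM. */
typedef struct { unsigned char *data; size_t len; } audio_buf;

/* Map anonymous pages and mlock() them so they cannot be swapped to disk.
 * Fails closed: if the lock is refused, no buffer is handed to the caller. */
int audio_buf_open(audio_buf *b, size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    if (mlock(p, len) != 0) {
        munmap(p, len);
        return -1;
    }
    b->data = p;
    b->len = len;
    return 0;
}

/* Overwrite the samples. Unlike a memset() placed just before a free,
 * the compiler may not discard this call as a dead store. */
void audio_buf_wipe(audio_buf *b) { explicit_bzero(b->data, b->len); }

/* Returns 1 if every byte of the buffer is zero, otherwise 0. */
int audio_buf_is_zero(const audio_buf *b)
{
    for (size_t i = 0; i < b->len; i++)
        if (b->data[i] != 0)
            return 0;
    return 1;
}

/* Wipe first, then unpin and unmap, so no sample outlives the mapping. */
void audio_buf_close(audio_buf *b)
{
    audio_buf_wipe(b);
    munlock(b->data, b->len);
    munmap(b->data, b->len);
    b->data = NULL;
    b->len = 0;
}

/* Constructed run: fill with stand-in samples, wipe once "transcribed".
 * Returns 0 if clean, -1 if locking was refused, 1 if residue remains. */
int demo_capture_cycle(void)
{
    audio_buf b;
    if (audio_buf_open(&b, 4096) != 0)
        return -1;
    memset(b.data, 0x5a, b.len);   /* constructed stand-in for PCM samples */
    int had_audio = !audio_buf_is_zero(&b);
    audio_buf_wipe(&b);
    int clean = audio_buf_is_zero(&b);
    audio_buf_close(&b);
    return (had_audio && clean) ? 0 : 1;
}
```

Locking covers swap only; a process that takes a core dump or is hibernated needs separate controls, which this sketch does not address.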
4. Local Storage and Optional Cloud Sync
4.1 Local Storage
By default, all of the following are stored only on your device, encrypted at rest using AES encryption with a key derived from your sync passphrase via Argon2/PBKDF2:
- Meeting transcripts and summaries
- Entity graph — People, Projects, Decisions, Commitments, Threads, Topics
- Embedding vectors for semantic search
- Integration action payloads and audit logs
- Agent access audit logs
- Source ingestion state
This data exists only on your device. If you do not enable cloud sync, it never leaves your device in any form.
4.2 Optional Cloud Sync
If you choose to enable cloud sync, the following occurs:
- You set a sync passphrase. Lauren derives an encryption key from this passphrase using Argon2/PBKDF2. This key is never transmitted to Lauren's servers.
- Your meeting content, entity graph, and audit logs are encrypted with this key on your device before transmission.
- The encrypted ciphertext is uploaded to AWS S3 infrastructure operated by Hustler Capital and Advisory LLC.
- Lauren's servers store only the encrypted ciphertext. We cannot decrypt it. We cannot read its contents. Even under legal compulsion, we have nothing to produce that would be meaningful.
Recovery Key — Important
A recovery key is generated on your device and provided to you at the time you enable sync. You must save this recovery key. If you lose both your passphrase and your recovery key, your data cannot be recovered by anyone, including Lauren.
Cloud sync is entirely optional. Lauren functions fully without it. The only consequence of not enabling sync is that your data does not persist if your device is lost, damaged, or replaced.
4.3 AI Provider Data Sharing
Lauren uses AI providers to generate meeting summaries and extract structured entities from transcripts. This requires sending your transcript text from your device directly to the AI provider's API. Lauren's servers are not in this data path.
- Primary provider: Google Gemini (Google LLC). Transcript text is sent directly from your device to Google's API under Google's terms of service and data processing terms. Lauren pursues retention-limited API agreements and does not select training-use options.
- Secondary provider (fallback): Grok (xAI). Used automatically when the primary provider is unavailable. Same data handling principles apply.
- Transcription provider (Context tier): AssemblyAI. Audio is sent directly from your device to AssemblyAI's API under a Data Processing Agreement. AssemblyAI is contractually prohibited from retaining your audio or transcript content or using it for model training.
Your audit log records which provider processed each meeting, so you always know which service handled your content.
We cannot guarantee the data practices of third-party AI providers beyond our contractual terms with them. We disclose the applicable providers during onboarding and in Settings, and we update this policy when providers change.
5. Legal Basis for Processing
5.1 European Union (GDPR)
For users in the European Union and European Economic Area, our legal bases for processing personal data are:
- Contract performance (Article 6(1)(b)): Processing your email address, account data, and subscription data is necessary to provide the Lauren service you have contracted for.
- Legitimate interests (Article 6(1)(f)): Anonymised usage telemetry and error reporting to improve the product, where this does not override your rights and interests.
- Consent (Article 6(1)(a)): Where we request your consent for specific processing, such as optional cloud sync. You may withdraw consent at any time without affecting the lawfulness of prior processing.
We do not process special categories of personal data (Article 9 GDPR) intentionally. Meeting content may incidentally contain sensitive information — this is why it is encrypted with your key and never readable by Lauren.
5.2 Federal Republic of Nigeria (NDPR)
For users in Nigeria, we process personal data in accordance with the Nigeria Data Protection Regulation 2019 (NDPR) and the Nigeria Data Protection Act 2023 (NDPA). Our processing is based on:
- Contractual necessity: Your account data and subscription data are processed to fulfil our service agreement with you.
- Legitimate interest: Anonymised telemetry for product improvement.
- Consent: For optional cloud sync and any processing beyond what is strictly necessary for the service.
We maintain a Data Protection Policy as required under the NDPR and have appointed a data protection compliance officer. Our contact details are in Section 14.
5.3 United States
For users in the United States, Lauren complies with applicable federal and state privacy laws including the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) where applicable. We do not sell personal data. We do not share personal data for cross-context behavioural advertising. California residents have the rights described in Section 9.
6. Data Retention
- Account data: Retained for the duration of your subscription and for 90 days following account deletion, after which it is permanently deleted from our servers.
- Billing data: Stripe customer records are retained as required by applicable financial regulations. Payment card details are never stored by Lauren.
- Encrypted sync data: Retained on AWS S3 for as long as your account is active. Deleted within 30 days of account deletion request.
- Usage telemetry: Anonymised aggregate data retained for up to 24 months for product analysis. Individual-level telemetry events are aggregated and anonymised within 30 days.
- Support communications: Retained for 12 months following resolution of your inquiry.
- Local device data: We have no control over data stored on your device. You can delete it at any time from within the Lauren application.
Because of our zero-knowledge architecture, the data most sensitive to you — your meeting content, transcripts, and entity graph — is not on our servers and therefore is not subject to our retention schedule. It is subject entirely to your own decisions about your device and your sync passphrase.
7. International Data Transfers
Hustler Capital and Advisory LLC is a Wyoming corporation. Our infrastructure is hosted on AWS in the United States. If you are located in the European Union or Nigeria, your account data and encrypted sync ciphertext may be transferred to and stored in the United States.
- For EU users: Transfers to the United States are made under Standard Contractual Clauses (SCCs) as approved by the European Commission, or other appropriate safeguards under Chapter V of the GDPR.
- For Nigerian users: Transfers are made with appropriate safeguards as required under the NDPA 2023, including data transfer agreements where required.
- Encrypted ciphertext: Because Lauren's zero-knowledge architecture means we cannot read sync data, the practical privacy risk of international transfer of that data is minimal. The data is meaningless without your passphrase, which we do not hold.
8. Your Rights — EU (GDPR)
If you are located in the European Union or EEA, you have the following rights under the GDPR:
- Right of access (Article 15): You have the right to request a copy of the personal data we hold about you.
- Right to rectification (Article 16): You have the right to correct inaccurate personal data we hold about you.
- Right to erasure (Article 17): You have the right to request deletion of your personal data, subject to certain exceptions.
- Right to restriction of processing (Article 18): You have the right to request that we restrict processing of your personal data in certain circumstances.
- Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format.
- Right to object (Article 21): You have the right to object to processing based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint: You have the right to lodge a complaint with your national supervisory authority.
To exercise any of these rights, contact us at privacy@laurenai.xyz. We will respond within 30 days. Note that for data stored locally on your device and encrypted with your key, your right of access and portability are exercised directly through the Lauren application's export function — we cannot produce data we cannot decrypt.
9. Your Rights — Nigeria (NDPR/NDPA) and United States (CCPA/CPRA)
9.1 Nigerian Users
Under the NDPR and NDPA 2023, you have rights including the right to access your personal data, the right to rectification, the right to object to processing, and the right to erasure. You also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC). Contact us at privacy@laurenai.xyz to exercise these rights.
9.2 California Residents (CCPA/CPRA)
California residents have the right to know what personal information we collect, the right to delete personal information, the right to opt-out of the sale of personal information (Lauren does not sell personal information), and the right to non-discrimination for exercising these rights. To submit a verifiable consumer request, contact privacy@laurenai.xyz. We do not sell or share personal information for cross-context behavioural advertising.
10. Recording Consent and Applicable Law
Lauren captures meeting audio on your device. You are solely responsible for ensuring that your use of Lauren complies with all applicable laws governing the recording of conversations in your jurisdiction, including but not limited to:
- Two-party or all-party consent laws in certain US states (including California, Florida, Illinois, and others) that require all parties to a conversation to consent to being recorded.
- Applicable Nigerian law governing the recording of private communications.
- EU member state laws implementing the GDPR's requirements around recording of personal data.
Lauren provides a pre-meeting consent email feature that allows you to notify meeting participants that a notetaking tool is in use. Lauren strongly recommends using this feature for any meeting with external participants. The legal obligation to obtain consent rests with you as the user, not with Lauren.
Lauren is not a recording tool in the traditional sense — audio is immediately destroyed after transcription — but we make no legal representations about how your jurisdiction characterises the capture process. You should seek legal advice if you are uncertain about your obligations.
11. Children's Privacy
Lauren is not directed at children under the age of 16 (or 13 in the United States). We do not knowingly collect personal data from children under these ages. If you believe a child has provided us with personal data, please contact us at privacy@laurenai.xyz and we will delete it promptly.
12. Cookies and Tracking
The Lauren desktop application does not use cookies. The Lauren website (laurenai.xyz) uses minimal cookies for:
- Essential functionality: Session management for authenticated users. These are strictly necessary and cannot be disabled.
- Analytics: We use privacy-respecting analytics (Plausible Analytics) that do not use cookies, do not track individuals across sites, and do not send data to third parties. No consent is required for this analytics approach.
We do not use advertising cookies, third-party tracking pixels, or cross-site tracking technology. We do not deploy Google Analytics or Meta Pixel on our website, as these would be inconsistent with our privacy positioning.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email to your registered address and by a prominent notice within the Lauren application at least 30 days before the change takes effect. Your continued use of Lauren after the effective date of any change constitutes your acceptance of the updated policy.
The current version of this policy is always available at laurenai.xyz/privacy.
14. Contact and Data Protection Officer
| Detail / Role | Information |
|---|---|
| Data Controller | Hustler Capital and Advisory LLC |
| Registered Jurisdiction | Wyoming, United States of America |
| Privacy Enquiries | privacy@laurenai.xyz |
| General Contact | hello@laurenai.xyz |
| Response Time | Within 30 days for all privacy-related requests |
| EU Representative | [To be appointed — required under GDPR Article 27 for non-EU controllers offering services to EU data subjects] |
| Nigerian DPO | [To be appointed — required under NDPA 2023] |
If you have a concern about our data practices that we have not resolved to your satisfaction, you have the right to complain to your national data protection authority: in the EU, your relevant supervisory authority; in Nigeria, the Nigeria Data Protection Commission (NDPC); in California, the California Privacy Protection Agency (CPPA).
— End of Privacy Policy —