I. IDENTITY AND ADDRESS OF THE DATA CONTROLLER
Juan Carlos Rivera Alvarado, individual with business activity, domiciled in León, Guanajuato, México (hereinafter, the "Data Controller"), is responsible for the processing of your personal data in connection with the Ponuz platform (hereinafter, the "Platform" or the "Service").
Contact information:
This Privacy Notice applies to all Ponuz products and services, including:
| Component | Description |
|---|---|
| Desktop application | Desktop application for macOS and Windows |
| Backend API | Cloud services that process data |
| Website | ponuz.com (marketing, documentation, legal pages) |
This Notice applies regardless of how you access the Platform (direct download, website, workspace invitation).
III. PERSONAL DATA WE COLLECT
A. Data You Provide to Us Directly
| Category | Specific Data | Primary Purpose |
|---|---|---|
| Identification data | Full name, email address | Account creation and management |
| Account data | Workspace name, team role | Organization and collaboration |
| Profile data | Avatar/profile photo, preferred language, time zone | Service personalization |
| Web contact data | Name, email, phone (optional), service type | Contact form on ponuz.com |
| Customized AI data | Personal context for the assistant, AI preferences, company instructions | AI response optimization |
B. Data Generated by Your Use of the Platform
| Category | Specific Data | Primary Purpose |
|---|---|---|
| Meeting transcriptions | Transcribed text, speaker labels, timestamps, titles, duration, participants | Automatic documentation |
| AI summaries and insights | Generated summaries, extracted tasks, key points | Productivity |
| Tasks and projects | Titles, descriptions, rich notes, statuses, priorities, assignments, due dates, tags | Project management |
| Knowledge base | Articles, categories, tags, AI-generated content, prompts used | Team documentation |
| AI conversations | Complete message history with the assistant, contextual mentions (@task, @meeting, @document) | Intelligent assistance |
| AI agent memory | Facts and preferences the system learns from your interactions to personalize future responses | Continuous personalization |
| Uploaded documents | PDF, DOCX, XLSX files imported by the user | Knowledge base, OCR, analysis |
| Generated documents | Word/Excel files generated by the AI assistant | Productivity |
| Voice dictation data | Audio processed to create tasks or text via voice | Quick content creation |
C. Audio and Screenshot Data
| Data | Processing | Retention |
|---|---|---|
| Microphone audio | Real-time streaming for transcription | Not stored on server by default* |
| System audio (macOS) | Captured and processed in streaming | Not stored on server by default* |
| Screenshots | Sent to AI providers for visual analysis | Not permanently stored |
*Audio may be stored in the cloud if the user enables this option in the settings. In such case, it is retained until the user deletes it or cancels their account.
D. Automatically Collected Data
| Data | Purpose |
|---|---|
| Time zone (auto-detected or manual) | Display dates and times correctly |
| Browser/system language | Interface language configuration |
| Session tokens | Secure authentication |
| Last access | Session management and online status |
| Application version and operating system | Compatibility and technical support |
| System permission status (microphone, screen capture) | Application functionality |
| System audio component status (macOS) | System audio functionality |
E. Usage and Billing Data
| Data | Purpose |
|---|---|
| AI credit consumption | Billing and usage limits |
| Storage used | Plan resource management |
| Service usage logs | Service quality monitoring |
| Subscription and payment data (managed by Stripe) | Payment processing |
F. Website Data (ponuz.com)
| Data | Purpose |
|---|---|
| Consent cookie (ponuz_cookie_consent) | Remember your cookie preferences |
| Language preference | Display the site in your language |
| Contact form data (name, email, optional phone, service) | Respond to business inquiries |
| Vercel Analytics (pageviews, Web Vitals) | Website performance and improvement |
G. Sensitive Data
⚠️ IMPORTANT: Ponuz does NOT intentionally collect sensitive personal data such as: racial or ethnic origin, health status, genetic information, religious beliefs, union membership, political opinions, or sexual preference.
However, due to the nature of the meeting transcription, screen capture, document import, and AI chat functionalities, such data may incidentally appear in the content you process through the Platform. You are responsible for not processing sensitive data of third parties without their express written consent.
We do NOT collect: IP addresses for commercial tracking purposes, third-party advertising cookies, precise geolocation data, or biometric information.
IV. SPECIAL FEATURES AND THEIR DATA PROCESSING
A. Meeting Audio Transcription
How it works:
- When you start a recording, audio is captured from the microphone and, on macOS, optionally the system audio.
- The audio is transmitted in real time (streaming) to our transcription service.
- Automatic speaker identification (diarization) is performed.
- After the meeting, the AI generates automatic summaries and extracts tasks/action items.
- An automatic voice notice is played at the beginning of each recording.
Data processed:
- Audio from the microphone and system (processed in streaming, not stored by default)
- Text transcription with speaker labels and timestamps (stored)
- Metadata: title, duration, participants, timestamps (stored)
- AI-extracted summaries and tasks (stored)
Optional audio storage: If you enable the option to save audio, the files are stored securely in the cloud and retained until you delete them.
Your responsibility:
- You declare that you have the consent of all meeting participants to record and transcribe.
- You are responsible for informing participants about the recording before starting it.
- In jurisdictions that require two-party consent (such as California, USA), you must obtain explicit consent from each participant.
B. Screen Capture and Visual Analysis
How it works:
- The floating AI assistant overlay can, when sending a message, capture an image of what is displayed on your screen.
- An explicit consent dialog is shown before each capture.
- The capture is sent to AI providers to provide visual context and analysis.
Data processed:
- Image of the current screen (processed, not permanently stored)
- Any information visible on the screen at the time of capture
⚠️ IMPORTANT WARNING:
- The screen capture may include personal, sensitive, or confidential information visible on your screen, including content from other applications.
- Before using this feature, make sure there is no confidential third-party information visible.
- You are solely responsible for the captured content.
C. AI Assistant (Agent/Copilot)
How it works:
- Contextual chat that accesses your meetings, tasks, and documents.
- Can perform web searches and social media searches.
- Supports contextual mentions (@task, @meeting, @document) to enrich responses.
- Generates Word and Excel documents on demand.
- Offers real-time voice sessions.
- Sends proactive notifications: daily briefings, deadline alerts, and reminders.
- Stores "memory facts" about your preferences and interactions to personalize future responses.
Data the assistant processes:
- Meeting content (transcriptions, summaries)
- Tasks and their details
- Knowledge base articles
- User messages and generated responses
- Web and X/Twitter search results
- Screenshots (when enabled)
- User memory facts
AI providers involved:
- Anthropic (Claude): Chat, summaries, visual analysis, content generation
- OpenAI: Chat, summaries, task extraction, semantic search
- xAI: Social media searches
- Brave Search: Web searches
D. Knowledge Base and Document Import
How it works:
- Rich text editor for creating and editing articles.
- AI-powered article generation from prompts or meetings.
- Bulk document import (PDF, DOCX) with optical character recognition (OCR).
- Contextual chat per article or category.
- Intelligent semantic search.
Data processed:
- Documents uploaded by the user (stored securely in the cloud)
- Text extracted by OCR
- Semantic search indexes of the content
E. Floating Overlay
How it works:
- Always-visible window on top of any system application.
- Enables AI chat, recording control, voice dictation, and screenshots.
- Configurable global keyboard shortcuts.
Required system permissions:
- Microphone (for recording and dictation)
- Screen capture (for system audio on macOS and screenshots for AI)
- Global keyboard shortcuts
- Access to secure system storage (for authentication tokens)
F. Voice Dictation
How it works:
- Audio is processed in real time to convert speech to text.
- Used to create tasks or generate content quickly.
- Audio is transmitted and processed but not stored on our servers.
G. Workspace and Team Management
How it works:
- Teams with hierarchical roles: Owner, Admin, Member.
- Email invitations to new members.
- Customized AI configuration per workspace (company context, tool permissions).
- Shared tags/labels across the team.
- Enterprise SSO available.
Data shared within the workspace:
- Workspace members can view transcriptions, tasks, articles, and generated content according to their role permissions.
- The workspace owner has access to all workspace data.
- Administrators can manage members and settings.
V. PURPOSES OF DATA PROCESSING
A. Primary Purposes (Necessary for the Service)
These purposes are necessary for the contractual relationship and do NOT require your additional consent:
- Create and manage your user account
- Authenticate your identity and protect your account
- Provide the Platform functionalities:
  - Meeting transcription and documentation
  - Task and project management
  - Knowledge base with semantic search
  - AI assistant with chat, voice, tools, and proactive notifications
  - Floating overlay with quick access
  - Voice dictation
  - Document import and generation
- Process payments and manage your subscription (via Stripe)
- Send service-related communications (changes to terms, security updates, account notifications, deadline alerts)
- Monitor and improve service quality
- Ensure Platform security
- Comply with legal and tax obligations
- Respond to ARCO rights exercise requests and privacy requests
B. Secondary Purposes (Optional)
These purposes DO require your consent, which you may deny without affecting the provision of the service:
- Sending promotional and marketing communications
- Preparation of statistical and market studies (anonymized data)
- Customer satisfaction surveys
If you do not wish your data to be used for these secondary purposes, you may indicate so by sending an email to contact@ponuz.com with the subject line "REVOCATION OF CONSENT FOR SECONDARY PURPOSES".
VI. DATA TRANSFERS TO THIRD PARTIES
A. Service Providers (Data Processors)
For the provision of the service, your data is processed by the following third parties:
| Data Processor | Country | Purpose | Data Received |
|---|---|---|---|
| Amazon Web Services (AWS) | USA | Cloud infrastructure, storage, database | All account and content data |
| WorkOS | USA | Enterprise SSO authentication | Email, name, authentication tokens |
| Deepgram | USA | Real-time audio transcription | Streaming audio |
| OpenAI | USA | AI chat, summaries, task extraction, semantic search | Text from meetings, tasks, documents |
| Anthropic (via AWS Bedrock) | USA | AI chat, vision analysis, content generation | Text, screenshots |
| xAI | USA | Social media search | Search queries |
| Brave Search | USA | Web search | Search queries |
| Stripe, Inc. | USA | Payment and subscription processing | Email, payment data |
| Resend | USA | Transactional email delivery | Recipient email, email content |
| Sentry | USA | Error monitoring | Application errors (sensitive data redacted) |
| Vercel | USA | Website hosting and analytics | Pageviews, performance metrics |
| Cloudflare | USA | CDN and website protection | Web traffic |
B. Use of Data by AI Providers
Regarding the processing of your data by artificial intelligence providers:
- We do not use your content to train AI models. The providers we use (Anthropic, OpenAI via API, xAI) have policies stating that data sent through their APIs is not used to train their models.
- Data is sent solely to generate responses to your specific queries.
- AI provider access keys are never exposed to the client; processing is always performed through our secure backend.
C. Safeguards for International Transfers
Given that all our providers are located in the United States:
- We maintain data processing agreements (DPAs) that ensure the protection of your information.
- Our main providers hold internationally recognized security certifications (SOC 2, ISO 27001).
- For European Union users, transfers are carried out under Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework, as applicable.
- For users in Mexico, transfers comply with Article 36 of the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP).
D. Transfers that Do NOT Require Consent
In accordance with applicable legislation, we may transfer your data without your consent when:
- It is necessary for compliance with a legal obligation
- It is necessary for the provision of the contracted service
- There is a court order or order from a competent authority
- It is necessary to protect a vital interest of the data subject or another person
A. ARCO Rights (Mexico — LFPDPPP)
| Right | Description |
|---|---|
| Access | Know what personal data we hold about you and how we process it |
| Rectification | Request the correction of inaccurate or incomplete data |
| Cancellation | Request the deletion of your data from our databases |
| Opposition | Object to the processing of your data for specific purposes |
B. Additional Rights (GDPR — European Union Users)
If you reside in the European Economic Area (EEA), you additionally have the right to:
- Portability: Receive your data in a structured, commonly used format
- Restriction: Request the temporary restriction of processing
- Not be subject to automated decisions: Request human intervention in decisions based solely on automated processing
- Lodge a complaint with the data protection authority of your country
C. Additional Rights (CCPA/CPRA — California Residents, USA)
If you reside in California, you have the right to:
- Know the categories and specific pieces of personal information collected
- Delete your personal information
- Correct inaccurate personal information
- Non-discrimination for exercising your privacy rights
- Ponuz does not sell or share your personal information as defined by the CCPA
D. Additional Rights (LGPD — Brazil Residents)
If you reside in Brazil, you have equivalent rights under the Lei Geral de Proteção de Dados (General Data Protection Law), including access, correction, anonymization, portability, and deletion.
E. Exercise of Rights — Procedure
1. Integrated self-service tools:
   - Data summary: Available in the Platform (equivalent to GDPR Art. 15)
   - Data export: Requestable from the Platform (portability, GDPR Art. 20)
   - Account deletion: Available from the Platform settings (GDPR Art. 17)
2. Request by email to: contact@ponuz.com
3. Your request must include:
   - Full name
   - Email address registered with Ponuz
   - Clear description of the right you wish to exercise
   - Documents proving your identity (as required by the applicable jurisdiction)
4. Response timelines:
   - Mexico (ARCO): 20 business days for a decision + 15 business days for execution
   - European Union (GDPR): 30 calendar days (extendable by 60 days in complex cases)
   - California (CCPA): 45 calendar days (extendable by an additional 45 days)
5. The request may be denied when:
   - The requester is not the data subject or cannot prove legal representation
   - The data is not found in our databases
   - There is a legal impediment or an applicable exception
   - Third-party rights would be harmed
F. Revocation of Consent
You may revoke your consent at any time by sending an email to contact@ponuz.com with the subject line "REVOCATION OF CONSENT". The revocation shall not have retroactive effects.
Technical Measures
- ✅ Encryption in transit: All communications are encrypted via TLS/HTTPS
- ✅ Encryption at rest: Sensitive data is encrypted using industry standards (AES-256)
- ✅ Robust authentication: Enterprise SSO with digitally signed tokens
- ✅ Secure credential storage: Authentication tokens are stored in the operating system's protected storage
- ✅ Web attack protection: CSRF, strict CSP, security headers, restricted CORS
- ✅ Data validation: Strict validation on all backend endpoints, input sanitization, and SQL injection prevention
- ✅ Rate limiting: Per-endpoint request limits to prevent abuse
- ✅ Desktop application security: Restricted inter-process communication, no direct system API access from the interface
- ✅ Protected API keys: Third-party service access keys are never exposed to the client
- ✅ Sensitive data redaction: Sensitive data is redacted before being sent to error monitoring services
Organizational Measures
- ✅ Data access based on the principle of least privilege
- ✅ Internal information handling policies
- ✅ Confidentiality and data processing agreements with providers
- ✅ Roles and permissions within workspaces (Owner, Admin, Member)
Security Breach Notification
In the event of a security breach affecting your personal data:
- We will notify the competent authorities within 72 hours of discovery (in accordance with the GDPR where applicable).
- We will notify affected users without undue delay when the breach poses a high risk to their rights and freedoms.
- We will document the incident, its effects, and the corrective measures taken.
IX. COOKIES AND SIMILAR TECHNOLOGIES
Cookies We Use
| Type | Name/Identifier | Purpose | Duration |
|---|---|---|---|
| Strictly necessary | Session tokens (Keychain) | Keep your session active securely | Until logout / expiration |
| Preferences | ponuz_cookie_consent | Remember your cookie decision | Persistent |
| Preferences | Language, time zone | Remember your interface preferences | Persistent |
| Analytics (website) | Vercel Analytics | Website performance metrics (Web Vitals, pageviews) | Per Vercel |
Cookies/Technologies We Do NOT Use
- ❌ Advertising or retargeting cookies
- ❌ Third-party tracking cookies (Google Analytics, Facebook Pixel, etc.)
- ❌ Tracking pixels
- ❌ Browser fingerprinting
For more details, see our Cookie Policy.
| Data Type | Retention Period |
|---|---|
| Account and profile data | As long as you maintain an active account |
| Meeting content (transcriptions, summaries) | Until you delete it or cancel your account |
| Stored audio (if enabled) | Until you delete it or cancel your account |
| Tasks, documents, and knowledge base | Until you delete it or cancel your account |
| AI conversations and agent memory | Until you delete it or cancel your account |
| Billing data | 5 years after the last payment (tax obligation) |
| Detailed usage logs | 180 days |
| Webhook events | 90 days |
| Completed jobs | 14 days |
| Security logs | 1 year |
| Inactive workspaces | Subject to cleanup after 60 days of inactivity |
Upon account cancellation:
- Your personal data will be deleted within 30 days.
- Your workspace content will be permanently deleted, including transcriptions, tasks, articles, documents, AI conversations, and agent memory.
- Data of other workspace members will not be affected.
- If you are the workspace owner and the workspace is to be deleted, we will notify the other members.
- We will retain only the information required by law for the legally established periods.
Ponuz is intended exclusively for individuals over 18 years of age. We do not intentionally collect data from minors. If we detect that a minor has created an account, we will proceed to delete it along with all their data immediately.
If you believe that a minor has provided personal data through our Platform, please contact us immediately at contact@ponuz.com.
XII. AUTOMATED DECISIONS AND PROFILING
Ponuz uses automated processing in the following functionalities:
- Automatic transcription of audio to text
- Summary generation and AI-powered task extraction
- Semantic search using vector embeddings
- Proactive notifications based on deadline and pending task analysis
- Personalization of the AI assistant through memory facts
These functionalities are assistance tools and do not make decisions with legal or significant effects on you. You always have ultimate control over the actions you take on the Platform.
Your rights regarding automated processing:
- You have the right to request human intervention
- You have the right to an explanation of how our automated systems work
- You have the right to object to automated processing
- You can delete the AI agent's "memory facts" at any time
XIII. CHANGES TO THE PRIVACY NOTICE
We reserve the right to modify this Privacy Notice. In the event of substantial changes:
- We will publish the updated notice at https://ponuz.com/privacy
- We will notify you by email at least 15 days in advance
- For material changes, we will request your express acceptance
- The "Last updated" date and version number will reflect the current version
Continued use of the service after notification and without expressing opposition constitutes your acceptance of the changes.
XIV. DATA PROTECTION AUTHORITIES
Depending on your location, you may file complaints with:
| Jurisdiction | Authority | Contact |
|---|---|---|
| Mexico | Secretaría de Anticorrupción y Buen Gobierno (SABG) | https://www.gob.mx/sabg |
| European Union | Data Protection Authority of your country of residence | Varies by country |
| California, USA | California Privacy Protection Agency (CPPA) | https://cppa.ca.gov |
| Brazil | Autoridade Nacional de Proteção de Dados (ANPD) | https://www.gov.br/anpd |
By creating an account on Ponuz, you acknowledge that:
- ✅ You have read and understood this Privacy Notice in its entirety
- ✅ You consent to the processing of your data for the primary purposes described herein
- ✅ You understand the special features (audio transcription, screen capture, AI assistant with tools, knowledge base, overlay, voice dictation) and their implications for data processing
- ✅ You accept the international data transfers described in Section VI
- ✅ You understand that it is your responsibility to obtain the consent of third parties whose data you may process through the Platform
For secondary purposes, your consent will be requested separately.
Juan Carlos Rivera Alvarado
Data Controller for Personal Data Processing
León, Guanajuato, México