Privacy Policy
Last updated: May 31, 2026
MeetingPrep (“MeetingPrep,” “we,” “our,” or “us”) is committed to protecting the privacy of the people and organizations who use our services (“you,” “your,” or “Customer”). This Privacy Policy explains what information we access, how and why we process it, how long we keep it, the safeguards we apply, and the rights and choices available to you.
This Privacy Policy applies to all properties operated by MeetingPrep, including the website at meetingprep.ca, the MeetingPrep web application, our mobile applications, our browser extension, and any related applications, integrations, and services (collectively, the “Service” or “Services”). By creating an account or using the Services, you acknowledge that you have read and understood this Privacy Policy.
MeetingPrep is operated from British Columbia, Canada. We have designed the Service around a single guiding principle: we access the minimum data necessary to prepare your meeting briefings, we use it only for that purpose, and we do not retain it any longer than we need to. The sections below describe exactly what that means in practice.
Summary — The Short Version
For convenience, here is a plain-language summary. It does not replace the full policy below, but it captures the essentials:
- We connect to services you explicitly authorize (such as Google Calendar, Gmail, Microsoft Outlook, Slack, Notion, and Zoom) using industry-standard OAuth. We never see or store your passwords for those services.
- We request read-only access wherever the platform allows it. We do not send, delete, or modify your emails, files, or messages.
- Content we pull from your connected services to build a briefing is processed transiently and is automatically purged within 30 days. We are not building a long-term archive of your inbox or calendar.
- We do not sell your data. We do not use it for advertising. We run no third-party analytics or ad-tracking in the Service.
- We do not use your private content to train third-party or foundation AI models.
- Sensitive personal information is encrypted, access is tightly restricted, and we are working toward formal CASA (Cloud Application Security Assessment) Tier 2 verification.
- You can disconnect any integration, delete your account, and request deletion of your data at any time.
Information We Collect
We collect and process information in three broad categories: information you give us directly, information we access from services you connect, and limited technical information generated automatically when you use the Service.
1. Account Information
When you create an account, we collect your email address and a securely hashed representation of your password (we never store passwords in plain text). If you sign in through a third-party identity provider, we receive a basic identifier and your email address from that provider. We may also store your display name, time zone, and account preferences so the Service behaves the way you expect.
2. Calendar Data
When you connect Google Calendar or Microsoft Outlook, we access your calendar events to identify upcoming meetings and to generate briefings for them. This includes meeting titles, descriptions, dates and times, locations, and attendee names and email addresses. We use this information to determine which meetings to prepare for and who will be in the room.
3. Connected Services Data
When you authorize additional integrations, we access only the data relevant to preparing a briefing for a specific meeting. Depending on which services you connect, this may include relevant email and its attachments, messages, calendar activity, documents and files, code activity, and meeting metadata associated with a meeting or its attendees.
We request read-only access — MeetingPrep does not send, post, modify, or delete anything in your connected accounts. We access this content only to surface what is relevant to your meeting. A per-platform summary of the permissions we request appears under “Permissions and Scopes We Request” below.
4. Briefings We Generate
The Service produces a briefing document for each meeting you prepare for. A briefing is derived from the data described above and may contain summaries, names, dates, and other details drawn from your connected services. Briefings are associated with your account so you can view them, and sensitive content within them is encrypted at rest (see “How We Protect Your Information”).
5. Technical and Usage Information
When you use the Service, we automatically receive certain technical information necessary to operate and secure it, such as your IP address, browser or device type, and timestamps of requests. We use this strictly for authentication, security, abuse prevention, error diagnosis, and reliability. We do not use this information to build advertising or behavioral profiles, and we do not employ third-party analytics or advertising trackers in the Service.
How We Use Your Information
We use the information we collect only for the following purposes:
- To provide the Service. We use your calendar and connected-service data to identify meetings and generate the briefings that are the core purpose of MeetingPrep.
- To authenticate and secure your account. We use account and technical information to verify your identity, protect against unauthorized access, and prevent abuse.
- To communicate with you. We may send you transactional messages about your account, security notices, and important changes to the Service. We do not send marketing email without a basis to do so, and you can opt out of non-essential communications.
- To maintain and improve reliability. We use limited operational and error information to keep the Service running correctly and to diagnose problems.
- To comply with law. We may process information where necessary to meet legal obligations or to protect the rights, safety, and property of our users and of MeetingPrep.
We do not use your private content for advertising, we do not sell or rent it, and we do not use it to train third-party or foundation AI models.
Data Minimization and Our Ephemeral Processing Model
MeetingPrep is deliberately built so that it does not become a permanent copy of your inbox, calendar, or workspace. This is a core design decision, not an afterthought.
Just-in-time access
When a briefing is prepared, the Service reaches into your connected accounts at that moment, retrieves only the items relevant to the meeting at hand, and uses them to assemble the briefing. We do not perform bulk exports of your accounts, and we do not continuously mirror your data into our systems.
Transient working data
The raw content used during briefing generation is treated as transient working data. It exists only as long as needed to produce your briefing and the limited context required to keep your briefings useful and current.
Automatic 30-day purge
Content drawn from your connected services is automatically purged within 30 days. We do not retain the underlying source material from your inbox, calendar, or workspace beyond this window. This purge runs as a routine, automated part of how the Service operates — it does not depend on you requesting it. The result is that, by design, MeetingPrep holds only a recent, rolling window of working data rather than an indefinite archive of your personal or business communications.
If you delete your account, or disconnect an integration, the associated data is removed on the timelines described in “Data Retention and Deletion” below.
How We Protect Your Information
Security is not a feature we bolted on — it is built into how MeetingPrep is engineered, from the way we encrypt data to the way every single request is authenticated, rate-limited, and logged. The measures below describe the safeguards that are actually implemented in the Service today.
Encryption everywhere — in transit and at rest
All traffic to and from the Service, and between the Service and the platforms you connect, is encrypted in transit using HTTPS/TLS. Beyond that, we apply application-layer encryption to the most sensitive data before it is ever written to storage. Both your OAuth access tokens and your personal content are encrypted using Fernet authenticated encryption (AES-128 in CBC mode with an HMAC-SHA256 integrity check), so the data cannot be silently tampered with or read in plain form — even within our own database. The encryption keys are derived using PBKDF2-HMAC-SHA256 with 100,000 iterations, and we use separate, independent keys for OAuth tokens versus personal content, so a compromise of one does not expose the other.
Passwords are hashed, never stored
We never store your MeetingPrep password. Passwords are hashed with bcrypt using a per-password salt and a deliberately high work factor, which makes them computationally impractical to reverse. We only ever store the resulting hash, and we verify your password by hashing what you enter and comparing — the original is never written down anywhere.
Hardened authentication and session security
Sessions are protected by hardened JSON Web Tokens. Access tokens are short-lived (15 minutes) to limit the value of any intercepted token, while longer-lived refresh tokens use automatic rotation — each time a refresh token is used, the old one is immediately invalidated and blacklisted, which defeats token-replay and reuse attacks. Tokens are bound to a specific issuer and audience and validated on every request, and logging out actively revokes your tokens rather than merely forgetting them client-side.
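The rotation and validation rules described above can be sketched as follows. This is an added example, not MeetingPrep's code: the HS256 signing, the `use` claim, the issuer and audience values, the refresh lifetime and the in-memory blacklist are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo values: key, issuer, audience and refresh lifetime are assumptions.
SECRET = secrets.token_bytes(32)
ISSUER, AUDIENCE = "https://auth.example.test", "api.example.test"
ACCESS_TTL = 15 * 60             # 15-minute access tokens, as stated in the policy
REFRESH_TTL = 14 * 24 * 3600     # assumed; the policy gives no refresh lifetime

class TokenError(Exception):
    pass

def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue(sub, kind, ttl, now):
    header = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "use": kind,
              "jti": secrets.token_hex(16), "iat": now, "exp": now + ttl}
    body = b64(json.dumps(claims).encode())
    return f"{header}.{body}.{b64(sign(header + '.' + body))}"

def verify(token, kind, now):
    """Return the claims or raise TokenError; meant to run on every request."""
    try:
        header, body, sig = token.split(".")
        # Always verified as HS256; the header's alg field is never trusted.
        if not hmac.compare_digest(sign(f"{header}.{body}"), unb64(sig)):
            raise TokenError("bad signature")
        claims = json.loads(unb64(body))
    except ValueError:
        raise TokenError("malformed token") from None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise TokenError("wrong issuer or audience")
    if claims.get("use") != kind:
        raise TokenError("wrong token type")   # a refresh token is not an access token
    if now >= claims.get("exp", 0):
        raise TokenError("expired")
    return claims

class SessionStore:
    def __init__(self):
        self.revoked = set()     # blacklisted refresh-token IDs (jti)

    def login(self, sub, now):
        return (issue(sub, "access", ACCESS_TTL, now),
                issue(sub, "refresh", REFRESH_TTL, now))

    def rotate(self, refresh_token, now):
        claims = verify(refresh_token, "refresh", now)
        if claims["jti"] in self.revoked:
            raise TokenError("refresh token reuse")   # replayed or stolen token
        self.revoked.add(claims["jti"])               # old token dies on first use
        return self.login(claims["sub"], now)

    def logout(self, refresh_token, now):
        # Server-side revocation: the refresh token can never be rotated again.
        self.revoked.add(verify(refresh_token, "refresh", now)["jti"])
```

In this sketch logout blacklists only the refresh token; an already-issued access token remains valid until its 15-minute expiry unless access-token IDs are blacklisted as well.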
OAuth-based access — we never see your passwords for other services
Every integration is connected using OAuth, the industry-standard authorization protocol. You authenticate directly with the provider (Google, Microsoft, Slack, Notion, Zoom, and others), and the provider issues MeetingPrep a scoped access token — we never receive, see, or store the passwords for your connected accounts. Those access tokens are held under the encryption described above, scoped to only the permissions required, and can be revoked by you at any time from within MeetingPrep or directly from the provider’s own security settings.
Read-only and least-privilege scopes
Wherever a platform offers it, we request read-only access. We design every integration around the principle of least privilege: we ask for the narrowest set of permissions that still lets us prepare a useful briefing, and nothing more. We do not request the ability to send email, delete files, or modify your content, and we do not use any access for purposes beyond preparing your briefings.
Defense-in-depth at the edge of every request
Every request to the Service passes through multiple layers of protection before it reaches your data:
- Strict security headers on every response — HTTP Strict Transport Security (HSTS) to force encrypted connections, a restrictive Content-Security-Policy, X-Frame-Options set to DENY and a frame-ancestors ‘none’ policy to prevent clickjacking, X-Content-Type-Options nosniff, a strict Referrer-Policy, and a locked-down Permissions-Policy. Sensitive responses are additionally marked no-store so they are never cached.
- Rate limiting using a sliding-window algorithm, applied per-IP for anonymous requests and per-user for authenticated ones, to throttle abuse and brute-force attempts.
- Request body-size limits that reject oversized payloads up front — before the body is even read — to protect against denial-of-service attempts.
- Strict CORS with an explicit allow-list of origins and headers — no wildcards — so the API only accepts requests from our own properties.
- Input sanitization layered on top of a parameterized, ORM-based data layer, guarding against injection and cross-site-scripting attacks.
- Signed-webhook verification using HMAC-SHA256 with timestamp and replay protection, so inbound events from third-party providers are cryptographically proven authentic before we act on them.
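A sketch of the signed-webhook check named in the last item, as an added example rather than MeetingPrep's implementation. The signing scheme (hex HMAC-SHA256 over the timestamp, a dot and the raw body), the 300-second tolerance and the in-memory replay cache are assumptions; real providers each define their own header names and signing format.

```python
import hashlib
import hmac

class WebhookVerifier:
    """Verifies provider-signed webhooks. Assumed signing scheme:
    signature = hex(HMAC-SHA256(secret, "<unix timestamp>." + raw body))."""

    def __init__(self, secret, tolerance=300):
        self.secret = secret
        self.tolerance = tolerance      # assumed acceptance window in seconds
        self.seen = {}                  # signature -> time after which it can be forgotten

    def expected_signature(self, timestamp, body):
        signed = str(timestamp).encode() + b"." + body
        return hmac.new(self.secret, signed, hashlib.sha256).hexdigest()

    def verify(self, timestamp_header, signature_header, body, now):
        """Return (accepted, reason). `body` must be the raw request bytes,
        not a re-serialized copy, or the MAC will not match."""
        try:
            timestamp = int(timestamp_header)
        except (TypeError, ValueError):
            return False, "bad timestamp"
        # Timestamp window: bounds how long a captured delivery stays usable.
        if abs(now - timestamp) > self.tolerance:
            return False, "stale timestamp"
        # The timestamp is inside the MAC, so it cannot be rewritten to look fresh.
        expected = self.expected_signature(timestamp, body)
        supplied = str(signature_header).encode()
        if not hmac.compare_digest(expected.encode(), supplied):
            return False, "bad signature"
        # Only authenticated deliveries reach the replay cache, so unsigned
        # traffic cannot fill it. Entries are dropped once the window has passed.
        self.seen = {s: t for s, t in self.seen.items() if t > now}
        if expected in self.seen:
            return False, "replay"
        self.seen[expected] = timestamp + self.tolerance + 1
        return True, "ok"

# Constructed sample delivery (secret, event and timestamp are made up).
DEMO_SECRET = b"constructed-demo-secret"
DEMO_BODY = b'{"event":"meeting.updated","id":"evt_1"}'
DEMO_TIME = 1_700_000_000

def demo():
    verifier = WebhookVerifier(DEMO_SECRET)
    sig = verifier.expected_signature(DEMO_TIME, DEMO_BODY)
    return [
        verifier.verify(str(DEMO_TIME), sig, DEMO_BODY, DEMO_TIME + 5),         # first delivery
        verifier.verify(str(DEMO_TIME), sig, DEMO_BODY, DEMO_TIME + 10),        # same delivery again
        verifier.verify(str(DEMO_TIME), sig, DEMO_BODY + b" ", DEMO_TIME + 10), # altered body
        verifier.verify(str(DEMO_TIME + 200), sig, DEMO_BODY, DEMO_TIME + 200), # rewritten timestamp
        verifier.verify(str(DEMO_TIME), sig, DEMO_BODY, DEMO_TIME + 301),       # outside the window
    ]
```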
Auditing, tracing, and monitoring
Every API request is recorded in a structured audit log and tagged with a unique request ID that is carried end-to-end, so activity can be traced and investigated precisely if needed. We monitor access to production systems for security and reliability, apply security updates to our dependencies and platforms, and follow secure software-development practices throughout.
Access controls and isolation
Access to production systems and customer data is restricted to a small number of authorized personnel, and only where strictly necessary to operate, maintain, or support the Service. Customer data is logically isolated per account, and every request is authenticated and authorized so that one account can never reach another account’s data.
Hosting and infrastructure
The Service runs on established cloud infrastructure providers that maintain their own rigorous physical and operational security programs. We rely on managed, hardened platforms for compute and storage rather than self-managed servers, which lets us inherit strong baseline protections and timely security patching.
Minimized retention as a security control
Our 30-day automatic purge is itself one of our strongest security measures. The less data a service retains, the less there is to expose in any incident. By holding only a recent, rolling window of working data — rather than a permanent archive of your inbox, calendar, or workspace — we structurally limit the amount of sensitive information at risk at any moment. The best protection for data is simply not to keep it, and we don’t.
No method of transmission or storage is ever completely secure, and no service can promise absolute security. We work continuously to strengthen our protections, but we cannot guarantee that the Service will be invulnerable. If we become aware of a security incident that affects your personal information, we will act promptly and notify affected users and applicable authorities as required by law.
CASA Compliance and the Google API Services Policy
Because MeetingPrep integrates with Google services and accesses certain restricted scopes (such as read access to Gmail and Drive content used to build briefings), it is subject to Google’s API Services User Data Policy, including its Limited Use requirements, and to Google’s security assessment process for applications that access sensitive and restricted scopes.
What CASA is
CASA (Cloud Application Security Assessment) is an industry security-assessment framework, governed under the App Defense Alliance, that applications handling sensitive user data are evaluated against. It examines an application’s security controls across areas such as authentication and access control, data handling and storage, encryption, dependency and platform security, and secure development practices. Google requires applications that access restricted scopes to undergo this assessment at the appropriate tier.
Our status
MeetingPrep is actively working toward CASA Tier 2 verification and has built its data-handling and security practices to align with that framework’s requirements. The Tier 2 assessment involves a deeper review than the entry tier, including validation of how an application authenticates users, restricts access, encrypts and stores data, manages third-party dependencies, and handles the lifecycle of the data it touches.
Google Limited Use commitment
MeetingPrep’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use data obtained through Google APIs only to provide and improve the user-facing features of MeetingPrep — namely, preparing your meeting briefings.
- We do not transfer or sell this data for advertising, for purposes unrelated to the Service, or to data brokers or information resellers.
- We do not use this data to train, improve, or develop generalized or foundation AI/ML models.
- We allow humans to read this data only in narrow, permitted circumstances — such as with your explicit consent, where necessary for security or to comply with applicable law, or where the data has been aggregated and anonymized.
The same Limited Use principles guide how we handle data from every other service you connect.
Permissions and Scopes We Request
We believe you should know exactly what each integration can and cannot do. Below is a complete, plain-language list of the authorization scopes MeetingPrep requests from each platform, and why. We request read-only access in every case — MeetingPrep does not send, post, modify, or delete anything in your connected accounts.
MeetingPrep requests the following Google OAuth scopes, all read-only:
- Calendar (auth/calendar.readonly) — to read your calendar events and identify the meetings to prepare briefings for, including their times and attendees.
- Gmail (auth/gmail.readonly) — to read email relevant to a meeting or its attendees, including the contents of attachments on those messages, so your briefing reflects the context you already have. We never send, draft, modify, or delete email.
- Drive (auth/drive.readonly) — to read files relevant to a meeting so they can inform your briefing. We never create, modify, or delete files.
- Docs (auth/documents.readonly) — to read the contents of documents relevant to a meeting.
- Basic profile and email (auth/userinfo.email, auth/userinfo.profile) — to identify your account and associate your briefings with you.
Our use of information received from these Google APIs, and the data derived from them, adheres to the Google API Services User Data Policy, including the Limited Use requirements. You can review and revoke MeetingPrep’s access at any time at myaccount.google.com/permissions.
Other connected services
For every other service you choose to connect, we request read-only permissions scoped to reading the calendar events, messages, documents, and related activity relevant to a meeting and its attendees. We do not request permission to send, post, modify, or delete anything in those accounts. You can disconnect any integration at any time from your MeetingPrep dashboard settings, which revokes our access, and you can also revoke access directly from each provider’s own security or connected-apps settings.
How We Share Information
We do not sell your personal information, and we do not share it for advertising. We share information only in the limited circumstances below:
- Service providers (sub-processors). We rely on a small number of trusted infrastructure and service providers — for example, cloud hosting, database, and the AI processing provider used to generate briefings — who process data on our behalf, under contract, and only to provide services to us. They are not permitted to use your data for their own purposes.
- With your direction. When you connect an integration, you are directing us to access data from that provider on your behalf.
- Legal and safety. We may disclose information if required by law, subpoena, or other legal process, or where we believe in good faith that disclosure is necessary to protect rights, safety, or property, or to investigate fraud or security issues.
- Business transfers. If MeetingPrep is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will require that any successor honor the commitments in this Privacy Policy, and we will notify you of any change in ownership or in how your information is handled.
Artificial Intelligence and Automated Processing
MeetingPrep uses automated processing, including AI language models provided by a trusted processing partner, to read the relevant context for a meeting and generate your briefing. This processing happens to deliver the feature you requested. We do not use your private content to train third-party or foundation AI models, and our processing partners are contractually restricted to processing data on our behalf rather than for their own model training or other purposes. Briefings are generated to assist you; you remain responsible for reviewing and verifying their contents before relying on them.
Data Retention and Deletion
We retain different categories of information for different periods, guided by the principle of keeping data only as long as necessary:
- Source content from connected services is automatically purged within 30 days, as described above.
- Account information (such as your email and preferences) is retained for as long as your account is active.
- Access tokens are retained, encrypted, for as long as an integration remains connected, and are deleted when you disconnect it.
- Briefings are retained so you can refer back to them, and are removed when you delete them or when you delete your account.
Disconnecting an integration
You can disconnect any connected service at any time from your dashboard settings. Disconnecting revokes our access token for that service so we can no longer access new data from it. You may also revoke access directly from the provider’s own account security settings.
Deleting your account
You can delete your account at any time from your settings, or by emailing us at info@meetingprep.ca. When you delete your account, we delete your account information and briefings and revoke connected access tokens. Source content is in any case subject to the automatic 30-day purge. We may retain a limited amount of information where necessary to comply with legal obligations, resolve disputes, or enforce our agreements, after which it is deleted.
Your Rights and Choices
Depending on where you live, you may have rights regarding your personal information, including the right to access, correct, delete, or obtain a copy of it, and to object to or restrict certain processing. We honor these rights for all users regardless of location, to the extent practicable.
- Access and portability. You can request a copy of the personal information we hold about you.
- Correction. You can ask us to correct inaccurate information.
- Deletion. You can delete your account and request deletion of your personal information.
- Withdrawal of consent. You can disconnect integrations and withdraw permissions at any time.
To exercise any of these rights, contact us at info@meetingprep.ca. We may need to verify your identity before acting on a request.
Canadian Privacy Law (PIPEDA)
As a company operating from British Columbia, Canada, MeetingPrep handles personal information in a manner consistent with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. This includes obtaining consent for the collection and use of personal information, limiting collection to what is necessary, safeguarding the information we hold, and providing individuals with access to their information on request.
GDPR — Users in the European Economic Area and UK
If you are located in the European Economic Area or the United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR provide you with specific rights regarding your personal data. We process personal data on the lawful bases of performing our contract with you (to provide the Service), your consent (which you grant by connecting integrations and which you may withdraw), and our legitimate interests in operating and securing the Service. You have the right to access, rectify, erase, restrict, and port your data, and to object to certain processing. To learn more about your rights, visit https://gdpr.eu. To exercise them, contact us at info@meetingprep.ca.
International Data Transfers
MeetingPrep is operated from Canada and relies on cloud infrastructure that may process or store data in Canada, the United States, or other regions. Where personal data is transferred across borders, we take steps to ensure it remains protected in a manner consistent with this Privacy Policy and applicable law.
Children’s Privacy
Our Services are not directed to individuals under 18 years of age, and we do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete it promptly. If you believe we may have collected information from a child under 18, please contact us at info@meetingprep.ca.
Cookies and Tracking
We use only the cookies and similar technologies necessary to operate the Service — for example, to keep you signed in and to maintain your session securely. We do not use third-party advertising cookies, and we do not run third-party analytics or behavioral-tracking scripts in the Service.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and revising the “Last updated” date above. For significant changes, we may provide additional notice. Your continued use of the Services after an update constitutes acceptance of the revised Privacy Policy.
Contact Us
If you have any questions about this Privacy Policy or our privacy and security practices, please contact us at:
Email: info@meetingprep.ca
Website: https://meetingprep.ca
Location: British Columbia, Canada