Privacy Policy

Effective Date
March 6th, 2026

1. Introduction

Protecting your information is our priority. This Privacy Policy applies to steno.ai and StenoAI Inc. (collectively referred to as “Steno,” “we,” “us,” or “our”) and governs data collection, processing, and usage in relation to our AI-powered services.

Steno provides a B2B SaaS platform that businesses use to build and deploy AI Twin products for their own end users. This means our services involve two distinct groups of people, each with a different relationship to Steno:

  • Customers are the businesses and developers who contract directly with Steno to build on our platform. If you have a Steno account, pay for our services, or access our dashboard, you are a Customer.
  • End Users are the people who interact with AI-powered products built on Steno by our Customers. End Users typically have no direct relationship with Steno and may not know that the product they are using is powered by Steno technology.

This policy describes how we handle data for both groups. Where practices differ, we say so clearly. If you are an End User of a product built on Steno, you should also review the privacy policy of the business whose product you are using, as that business is responsible for its own data practices and disclosures.

By using Steno’s services, you consent to the data practices described in this policy.

2. Who This Policy Applies To

2.1 Customers

This policy applies directly to Customers. Steno acts as a data controller with respect to Customer account information, billing data, and other personal data Customers provide to us in connection with their use of the platform.

2.2 End Users

End Users interact with AI Twin products deployed by Customers, not directly with Steno. With respect to End User data processed through Customer deployments, Steno acts as a data processoron behalf of the Customer, who is the data controller. Customers are responsible for providing appropriate disclosures to their End Users and for ensuring they have a lawful basis for processing End User data.

Customers who require a Data Processing Agreement (DPA) for GDPR or other compliance purposes may request one by emailing legal@steno.ai.

2.3 White-Label and Partner Deployments

In some deployments, Steno’s technology is integrated into a product that does not identify Steno by name. In these cases, End Users may not be aware that the underlying platform is powered by Steno. The business deploying the product is solely responsible for all required privacy disclosures to their End Users. Steno will provide guidance on appropriate disclosure language upon request.

3. Information We Collect

3.1 From Customers

When you create a Steno account or engage our services, we collect:

Account Information: Name, email address, phone number, company name, and billing information.

Customer Content: Text, data, files, and other materials you upload or provide to configure your AI Twin, including training content, prompts, and knowledge base materials.

Communication Information: Records of correspondence when you contact us for support or other inquiries.

Feedback Data: When you submit feedback through the platform, the message content and associated session context may be stored alongside usage analytics for product improvement purposes.

3.2 From End Users (via Customer Deployments)

When End Users interact with an AI Twin deployed by a Customer, Steno processes:

Conversation Data: The content of interactions between End Users and an AI Twin. By default, this data is stored against a pseudonymous user identifier and is not linked to personally identifiable information such as name or email address by Steno. See Section 5 for full details on how conversation data is handled.

Usage Events: Technical events generated during a session, such as session initiation, feature interactions, and session duration. These events are associated with a pseudonymous user identifier.

3.3 Information Collected Automatically

Log Data: Our servers automatically record information sent by your browser or client application, including IP address, browser type, pages visited, and timestamps.

Usage Analytics: We collect information about how Customers and their End Users use our services, including feature usage, session frequency, and interaction volume. Usage analytics associated with Customer accounts may be linked to account identity (such as email address) for purposes including product analysis, service improvement, and customer success outreach. Usage analytics associated with End User sessions are tied to a pseudonymous identifier and are not linked to End User PII by Steno unless a Customer has passed identified user information through their integration (see Section 5).

Device Information: Hardware model, operating system, unique device identifiers, and mobile network information.

3.4 Business and Social Media Interactions

We maintain a presence on professional networking platforms. If you interact with us through these channels, we may collect professional profile information (such as job title, company, and professional experience), business contact details, and communications you initiate. This information is used solely for B2B purposes including networking, lead generation, and sharing information about our services with prospective customers.

3.5 Cookies and Tracking Technologies

We use cookies and similar tracking technologies to operate and administer our website and services and to improve your experience. We use the following types of cookies:

Essential Cookies: Necessary for the website to function. They enable basic functions like page navigation and access to secure areas.

Analytical and Performance Cookies: Allow us to recognize and count visitors and understand how they navigate our website, helping us improve how the site works.

Functionality Cookies: Used to recognize you when you return to our website and to remember your preferences.

You can control and manage cookies through your browser settings, often found under “Tools” or “Preferences.” More information on managing cookies is available at www.allaboutcookies.org. Note that blocking cookies may affect your experience and may not fully prevent data sharing with third parties described in the “Your Rights and Choices” section of this policy.

4. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Configure and operate AI Twin products on behalf of Customers
  • Develop new products and features
  • Analyze usage patterns to identify ways to improve the platform, including reaching out to power users for product feedback and relationship development
  • Provide Customers with access to anonymized conversation transcripts in the Steno dashboard, enabling them to understand how their End Users engage with their AI Twin and improve their content and services
  • Personalize and optimize the experience for Customers using our platform
  • Communicate with Customers about their accounts, services, and updates
  • Protect our services, investigate misuse, and enforce our Terms of Service
  • Comply with applicable legal obligations

We are committed to data minimization and collect only what is necessary to accomplish these purposes. We limit access to personal data to personnel who require it for service delivery.

5. Conversation Data and Anonymity

5.1 Default Anonymous Architecture

By default, conversation content processed through the Steno platform is stored against a pseudonymous user identifier generated at the time of the session. This identifier is not linked to personally identifiable information such as name, email address, or any other account data by Steno. The data table containing conversation content holds only this pseudonymous identifier – it is structurally separate from account and identity data, and no join between these datasets is performed by default in any application query, logging pipeline, or analytics process.

Session authentication uses short-lived tokens that expire automatically, further limiting the linkage window between an active session and stored conversation data.

5.2 Customer Access to Transcripts

Customers have access to conversation transcripts generated within their deployment through the Steno dashboard. These transcripts are accessible only by pseudonymous user identifier and are not linked to End User PII in the dashboard unless the Customer has explicitly passed identified user information through their integration (see Section 5.3). Customers use transcript access to understand how their End Users engage with their AI Twin, to identify content improvement opportunities, and to inform product development.

5.3 Identified Mode

By default, conversations are stored against a pseudonymous identifier. Customers may choose to pass identified user information (such as a name or email address) through their integration, in which case that information may be associated with conversation data within their deployment. Customers who implement identified mode are responsible for disclosing this practice to their End Users and for ensuring they have a lawful basis for doing so. Steno will provide guidance on appropriate disclosure language upon request.

5.4 No Use for Cross-Customer Training

Conversation content is never used to train AI models for other customers. Each Customer’s data and trained models are kept strictly separate. See Section 11 for full details on our AI and LLM data commitments.

6. Sharing of Information

Steno does not sell, rent, or lease Customer or End User information to third parties. We may share information in the following circumstances:

With your consent: Where you have authorized sharing for a specific purpose.

Service providers and sub-processors: We work with third-party service providers to operate our platform, including providers supporting analytics, real-time voice infrastructure, logging and monitoring, and AI language model processing. These providers are contractually bound to use data only for the purposes of providing their services to us and are prohibited from using customer or end user data for their own purposes. A current list of our sub-processors is maintained separately and is available to Customers upon request.

Legal compliance: Where required by law, regulation, legal process, or governmental request.

Protection of rights: To protect and defend the rights, property, or safety of Steno, our Customers, End Users, or others.

Business transfers: In connection with a merger, acquisition, or sale of all or substantially all of our assets, in which case data may be transferred as part of that transaction. We will notify affected parties in accordance with applicable law.

7. Data Retention

We retain Customer account data and associated information for as long as necessary to provide our services. Upon account termination, we will delete or anonymize your data within a reasonable period, unless a longer retention period is required by applicable law or legitimate business purposes such as dispute resolution or legal compliance.

Access to production systems containing customer and end user data is restricted to authorized Steno personnel.

8. Security

We implement security measures designed to protect your information, including:

  • Encryption of data at rest (AES–256) and in transit (TLS 1.3)
  • Access to production systems is restricted to authorized personnel
  • Multi-factor authentication required for internal systems
  • Automated session token expiration
  • Isolated environments for AI model training, separated from main production systems
  • Automated updates and continuous vulnerability monitoring for platform components and dependencies
  • Infrastructure as Code practices to ensure consistency and eliminate manual configuration risk

We maintain strict code provenance practices. All code changes are tracked through version-controlled systems and subject to review processes to prevent unauthorized modifications.

While we implement commercially reasonable measures to protect your information, no method of transmission over the internet or electronic storage is 100% secure.

9. Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal information, including:

  • The right to access your personal information
  • The right to correct inaccurate personal information
  • The right to request deletion of your personal information
  • The right to object to or restrict certain processing of your personal information
  • The right to data portability

Customers may exercise these rights directly by contacting us at legal@steno.ai.

End Users whose data is processed through a Customer deployment should direct requests to the Customer whose product they use, as that Customer is the data controller for End User data. Where required by applicable law, Steno will assist Customers in responding to End User rights requests.

10. AI and LLM Usage

Our services leverage artificial intelligence and large language models. Our commitments regarding the use of AI in connection with your data are:

No unauthorized training or cross-customer use: We never use Customer Content or End User conversation data to train AI models for other customers or for Steno’s own general-purpose models. Each Customer’s data and trained models are kept strictly isolated.

LLM provider commitments: We partner exclusively with LLM providers who are contractually bound not to copy or use customer data for their own model training purposes. Customers may specify preferred LLM providers and we will advise on the tradeoffs.

Isolated training environments: Model training occurs within segregated environments separated from main production systems and subject to strict access restrictions.

Transparency: We clearly communicate where and how AI operates within our platform. Customers retain control over training data and may audit what data has been used.

Deployment options: We offer SaaS and Private Instance deployment models. The choice of deployment model may affect where and how data is stored and processed. Contact legal@steno.ai for more information.

Healthcare and regulated industries: Steno is not intended for use as a medical device or regulated health service. Customers deploying in healthcare or other regulated contexts are responsible for their own regulatory compliance, including applicable laws governing AI-assisted services. Customers in regulated industries should consult qualified legal advisors before deploying AI for purposes that may be subject to sector-specific regulation.

For detailed technical information about our security and AI data practices, see our documentation at docs.steno.ai/security.

11. Controller and Processor Roles

For clarity regarding data protection law:

  • Steno acts as a data controller with respect to personal data provided by Customers in connection with their accounts and use of the platform (e.g., account information, billing data, communications).
  • Steno acts as a data processor with respect to End User data processed through Customer deployments. In this context, the Customer is the data controller and is responsible for ensuring a lawful basis for processing and for providing required disclosures to their End Users.

Customers who require a Data Processing Agreement for GDPR, CCPA, or other compliance purposes may request one by contacting legal@steno.ai.

12. International Data Transfers

We may transfer your information to countries other than the country in which you are located. Our primary infrastructure is hosted on Microsoft Azure. We use appropriate safeguards to ensure the protection of your information when transferred internationally, in compliance with applicable data protection laws.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our practices or for operational, legal, or regulatory reasons. We will notify you of any material changes by posting the updated policy on this page and updating the “Last Updated” date above. For material changes, we will also notify Customers via email or in-platform notice. We encourage you to review this policy periodically. Continued use of our services after the effective date of any changes constitutes acceptance of the updated policy.

14. Additional Agreements

This Privacy Policy should be read alongside our Terms of Service, which governs use of the Steno platform and includes specific obligations related to data handling, intellectual property, and Customer responsibilities. Our Terms of Service are available at steno.ai/terms.

15. Customer Responsibilities

Customers are responsible for:

  • Ensuring they have the right to upload or provide any content or data submitted to our services
  • Ensuring their End Users are appropriately informed about the use of AI in any product built on Steno
  • Disclosing to their End Users when their deployment is configured to associate conversation data with identified user information, and obtaining any required consent
  • Managing access controls for their Authorized Users on the Steno platform
  • Ensuring their use of the Steno platform complies with all applicable laws and regulations, including any industry-specific requirements applicable to their deployment context
  • Compliance with sector-specific regulations (including healthcare, financial services, education, and legal) to the extent their deployment implicates those frameworks

16. Contact Information

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

StenoAI Inc.

2261 Market Street STE 10825

San Francisco, CA 94114

United States

Email: legal@steno.ai

Phone: (619) 736–8094

Effective Date: March 6, 2026