Privacy Policy

Cephalo.bot collects three groups of information.

Account information. When you sign in with Google, we receive your name, email address, and a stable identifier from Google. We use these to create and recognize your account. We don’t request access to your Gmail, calendar, or any other Google service as part of sign-in.

Things you configure. Your Anthropic API key, and (if you set up the Drive integration) your Google service-account keyfile. Both are encrypted at rest on our servers using AES-256-GCM under a master key that lives outside the database. The Mac app never sees the plaintext of either — they’re used server-side, on your behalf, when the bot needs them.

Things produced by your meetings. Each meeting Claudia joins creates a record with the start and end time and an optional Zoom meeting identifier. When you ask her to capture an action item, decision, or note, we store Claudia’s one-line rewrite of what was said — not the verbatim transcript line — together with the speaker’s display name and a timestamp. When she renders a visual in her video tile, we store the rendered PNG and its source HTML so the dashboard can replay the meeting. Each call from the Mac app to our AI proxy creates a usage record (model, input/output token counts, status) so you can see your spend on the dashboard.

Cephalo.bot is a Mac app paired with a backend. Some data doesn’t reach the backend at all because the Mac app handles it locally:

• The raw audio of each participant during the meeting. The Mac app transcribes it on-device and discards the audio after the meeting ends.
• The video and screen-share content the Mac app receives from Zoom. Frames Claudia uses to ground a response are sent to Anthropic for that response only and aren’t persisted by us.

This is a consequence of the architecture, not a marketing claim. Cephalo.bot is not a privacy product, and we may build features in the future that change which side of the boundary a given piece of data lives on. We’ll update this page when that happens.

We use what we collect to provide the service. Your Anthropic key fuels Claudia’s replies; your Drive keyfile is what lets her search files when you ask. Capture data populates your dashboard so you can replay meetings and share decisions with teammates. Usage records drive the per-account spend tile.

We don’t sell your data, share it with advertisers, or use it to train models.

Three external services are involved in delivering Cephalo.bot.

Anthropic receives the post-transcription text of what was said in the meeting and (when you’re looking at a shared screen) screenshots of that screen so Claudia can answer with context. Anthropic’s standard data-retention policy applies to anything we send them. We don’t opt your account into model training, and Anthropic’s API does not train on API traffic by default.

Google handles sign-in (OAuth) and, if you configure the Drive integration, file search and reads. The Drive integration uses a service account that you create in your own Google Cloud project — Google sees the queries and document IDs Claudia looks up on your behalf.

Cloudflare hosts our backend. Account data, encrypted credentials, and captured visuals live in Cloudflare D1 and R2; backend traffic transits Cloudflare’s network.

When you’re a member of a team workspace, meetings, action items, decisions, and screen-share captures from sessions you run under that workspace are visible to other members. Token usage is pooled to the workspace’s Anthropic key billing.

Switch to your personal workspace from the dropdown in the dashboard or the Mac app’s Settings sheet to keep work private to you. The active workspace is captured at meeting join time — switching mid-meeting doesn’t move that meeting’s data; the next meeting picks up the new workspace.

You can revoke your Anthropic key, disconnect Drive, or leave a team workspace at any time from the Settings page.

To delete your account entirely, use “Delete account” on the Settings page. Deletion removes your sign-in identity, captured meetings and visuals, encrypted credentials, and usage records. Workspaces you co-own with other members stay intact — you’re removed from membership; workspaces you solely own are deleted along with their data. Account deletion is irreversible.

All backend traffic uses TLS. API keys and connector keyfiles are encrypted at rest using AES-256-GCM with a unique nonce per record, under a master key managed outside the database. Cross-account access checks live in middleware and return 404 (not 403) on cross-account misses so the existence of a record isn’t leaked. Sessions are bearer-token based with a 30-day expiry; sign-out invalidates the token immediately.

Cephalo.bot is not intended for use by anyone under 16. We don’t knowingly collect information from children. If you believe a child has signed up, contact us and we’ll delete the account.

We may update this page as the product evolves. Material changes get a notice on the dashboard and a refreshed effective date at the top of this page. Continued use after a change means you accept it.

Email hello@cephalo.bot with any privacy questions, including data-access or deletion requests we can’t resolve through the dashboard.