Privacy Policy
ShortenItUp
Bottova 2/A, 811 09 Bratislava, Slovak Republic
Data protection contact: gdpr@shortenitup.com
General contact: string@shortenitup.com
Effective date: 1 March 2026
Article 1 — Identity and Contact Details of the Controller
The controller of personal data within the meaning of Art. 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter: "GDPR"), is ShortenItUp, with registered office at Bottova 2/A, 811 09 Bratislava, Slovak Republic (hereinafter: "controller", "we", "us" or "our"). All questions relating to data protection should be addressed exclusively to: gdpr@shortenitup.com.
Article 2 — Scope
This Privacy Policy (hereinafter: "Policy") governs the collection, processing, storage, disclosure and other operations constituting processing within the meaning of Art. 4(2) GDPR in connection with: (i) the controller's website and all its subdomains, landing pages and related web services (hereinafter: "website"); and (ii) the ShortenItUp software platform provided as software as a service, its APIs, integrations and all related features (hereinafter: "application" or "service"). This Policy is interpreted and applied in accordance with the GDPR, Act No. 18/2018 Coll. on the Protection of Personal Data as amended, Act No. 452/2021 Coll. on Electronic Communications, and the guidelines of the European Data Protection Board and the Office for Personal Data Protection of the Slovak Republic (hereinafter: "OPDP SR").
Article 3 — Data Protection Officer
As of the effective date of this Policy, the controller has not established a data protection officer (hereinafter: "DPO") role within the meaning of Art. 37 GDPR. The controller continuously evaluates the obligation to appoint a DPO in accordance with Art. 37(1)(b) and (c) GDPR, particularly with regard to the processing of voice and behavioural data. Until a DPO is appointed, all data protection queries may be directed to: gdpr@shortenitup.com.
Article 4 — Personal Data Processed Through the Website
4.1 Cookies and Similar Tracking Technologies
The website uses cookies and functionally analogous client-side storage mechanisms. By continuing to browse and use the website after the cookie notice is displayed, the user accepts their use in accordance with this Policy. If the user does not consent to their use, the user must immediately cease using the website. Cookies are divided into the following categories:
(a) Functional cookies. The controller uses functional cookies exclusively to store user-selected interface preferences, specifically the display language and visual theme configuration (light or dark mode). The legal basis for this processing is the controller's legitimate interest pursuant to Art. 6(1)(f) GDPR in ensuring a consistent and technically functional user experience.
(b) Analytics and measurement cookies. The controller uses third-party tools specialising in website traffic measurement, user behaviour analysis, interaction heatmap display and website performance tracking for analytical and statistical purposes (hereinafter: "analytics tools"). These tools may collect data including, but not limited to, anonymised or pseudonymised IP addresses, device and browser identifiers, operating system information, referring URLs, pages visited, session duration, click paths, cursor movement and scroll depth. The legal basis for this processing is the user's continued use of the website after the cookie notice is displayed, constituting consent within the meaning of Art. 6(1)(a) GDPR. Where such tools transfer personal data to third countries, such transfers are made on the basis of standard contractual clauses within the meaning of Art. 46(2)(c) GDPR (Commission Implementing Decision (EU) 2021/914), supplemented by appropriate supplementary measures. The current list of analytics tools used is available upon request at gdpr@shortenitup.com.
4.2 Waitlist, Pre-registration Form and Marketing Communications
The controller collects the following categories of personal data via a web form provided by an external form services provider: (i) full name; and (ii) email address; for the following purposes: (a) informing the data subject of the public commercial availability or launch of the application; and (b) sending marketing communications including newsletters, updates, news and commercial offers of the controller (hereinafter: "marketing communications"). The legal basis for this processing is the free, specific, informed and unambiguous consent of the data subject pursuant to Art. 6(1)(a) GDPR, evidenced by the mandatory and voluntary act of ticking the relevant checkbox explicitly confirming consent to this Policy prior to submitting the form, with the scope of consent expressly including the sending of marketing communications. No form shall be processed without such consent. Consent to the sending of marketing communications may be withdrawn at any time by clicking the unsubscribe link in each marketing message or by sending a request to gdpr@shortenitup.com. Collected data is retained until consent is withdrawn, a valid erasure request is received pursuant to Art. 17 GDPR, or the period necessary for the relevant marketing purposes expires.
Article 5 — Personal Data Processed Through the Application
5.1 Registration and Authentication Data
For identity verification and account management purposes, the controller processes authentication data through an external identity and access management service, including email address, hashed credentials, session tokens, refresh tokens, permissions and authentication event logs. The current list of authentication service providers is available upon request at gdpr@shortenitup.com. The legal basis is the performance of a contract to which the data subject is party pursuant to Art. 6(1)(b) GDPR.
5.2 Payment Data
For the purpose of processing subscription and pre-order payments, the controller uses the external payment infrastructure provided by Stripe Payments Europe, Limited, with registered office at 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (hereinafter: "Stripe"). The controller does not have direct access to the user's payment data including card number, expiry date and CVV code; such data is sent directly to Stripe's systems and processed exclusively by Stripe in accordance with its own privacy policy and PCI DSS certification. The controller retains only confirmatory payment metadata necessary for subscription management, such as transaction identifier, payment status, payment method type and last four digits of the card. The legal basis for this processing is the performance of a contract pursuant to Art. 6(1)(b) GDPR. The transfer of payment data to Stripe is made on the basis of standard contractual clauses pursuant to Art. 46(2)(c) GDPR. Users are encouraged to review Stripe's Privacy Policy available at stripe.com/privacy.
5.3 Calendar Integration Data
Based on explicit authorisation granted by the data subject through the relevant authorisation process, the application integrates calendar management systems including, but not limited to: Google Calendar, Apple Calendar, Microsoft Outlook Calendar and Microsoft Exchange, Zoho Calendar, Lark Calendar and any calendar system accessible via the CalDAV protocol or iCalendar (ICS) file format. The controller accesses calendar event data including in particular the event title, event description including any embedded agenda, list of invited attendees including names and associated email addresses, and scheduled metadata, exclusively for the following purposes: (i) extraction and operationalisation of the meeting agenda; (ii) provision of the AI-powered agenda management feature; and (iii) coordination of bot attendance at meetings. The legal basis is contractual necessity pursuant to Art. 6(1)(b) GDPR and, where relevant, consent pursuant to Art. 6(1)(a) GDPR.
5.4 In-Meeting Processing Data
5.4.1 Participant Identification
The controller processes names and identification attributes of meeting participants obtained from calendar event data for the purpose of speaker diarization, enabling the distinction and attribution of individual contributions within a meeting. To the extent that such processing involves the analysis of voice characteristics for the purpose of uniquely identifying natural persons, it may constitute processing of biometric data within the meaning of Art. 4(14) GDPR; the controller processes such data on the basis of explicit consent pursuant to Art. 9(2)(a) GDPR where such basis applies.
5.4.2 Real-Time Voice Data and Transcription Processing
The application accesses audio streams from supported meeting platforms — currently including Slack, Google Meet, Zoom, Cisco Webex, Discord and Microsoft Teams, with potential future expansion to additional platforms subject to technical and legal feasibility — for the following purposes: (i) real-time speech-to-text transcription; (ii) semantic analysis of spoken content in relation to the meeting agenda; and (iii) triggering agenda-compliant interventions through the voice AI mechanism. Raw voice data is processed exclusively on a temporary basis and is irrevocably and permanently deleted immediately upon completion of speech-to-text transcription, with no permanent storage occurring at any point. The speech-to-text transcript is retained for a period of six (6) months from the date of the relevant meeting, or until deletion of the data subject's account, whichever occurs first. Processing is carried out using external speech processing and AI services; the current list of sub-processors involved in audio and transcription processing is available upon request at gdpr@shortenitup.com. The legal basis is Art. 6(1)(b) GDPR and, with respect to participants who are not registered users, Art. 6(1)(f) GDPR, as further set out in Article 6.2.
5.4.3 Optional Meeting Recording
The meeting organiser may, at their own discretion, activate optional audio or video recording of the meeting. By activating this feature, the organiser unconditionally represents, warrants and irrevocably confirms that: (i) all meeting participants were duly informed of the recording prior to or at the commencement of the meeting; and (ii) all consents required by applicable national law have been obtained. The controller is not responsible for the organiser's compliance with these obligations. Recordings are retained for the period determined by the organiser.
5.4.4 Meeting Minutes
Upon completion of each meeting, the controller generates a uniform structured summary (hereinafter: "minutes") distributed equally to all meeting participants, containing an overview of topics discussed, decisions taken and tasks identified and assigned. The minutes are derived from transcript analysis and do not reproduce the underlying transcript verbatim. Minutes are retained from the time of creation until deletion of the data subject's account or receipt of a valid erasure request.
5.4.5 End Quiz
The application may generate an end quiz following the conclusion of a meeting to verify comprehension of topics discussed (hereinafter: "end quiz"). The end quiz and the data subject's responses are retained from the time of creation until deletion of the data subject's account or receipt of a valid erasure request.
5.4.6 Individual Personalised Feedback
The controller generates and delivers to each individual meeting participant a personalised feedback document (hereinafter: "feedback"), containing a concise assessment of: (i) conduct and contributions identified as effective; and (ii) areas identified as requiring improvement. Feedback is made accessible exclusively to the relevant recipient and is retained from the time of creation until deletion of the account or receipt of a valid erasure request.
5.4.7 Behavioural Analytics Data
The application collects and retains data relating to each participant's adherence to the meeting agenda, including the frequency and cumulative duration of identified deviations from agenda topics (hereinafter: "behavioural data"). Behavioural data is made accessible exclusively to the data subject to whom it relates and may under no circumstances be disclosed to other meeting participants, the organiser or the controller's personnel, except where required by binding applicable law.
5.5 Operational Logs
The controller retains operational logs necessary to ensure the technical operation, security and diagnostics of the service. These logs contain exclusively an anonymous account identifier and technical event metadata (e.g. time, operation type, error code); they never contain personal data of data subjects, meeting content, transcripts, minutes or any other data enabling identification of a natural person.
5.6 Product Analytics and Sharing of Analytics Data with Third Parties
The controller may use product and operational analytics tools to analyse usage patterns, improve service performance and functionality, and for marketing and business purposes. Aggregated and pseudonymised analytics data about the use of the website and application (hereinafter: "analytics data") may be shared with or sold by the controller to third parties operating in the fields of data analytics, audience measurement, advertising and related industries. Such sharing occurs exclusively in relation to data processed and pseudonymised so as to minimise the possibility of direct identification of natural persons. The current list of categories of recipients and specific partners is available upon request at gdpr@shortenitup.com. The legal basis for sharing analytics data with third parties is the controller's legitimate interest pursuant to Art. 6(1)(f) GDPR; data subjects have the right to object to this processing at any time pursuant to Art. 21 GDPR by sending a request to gdpr@shortenitup.com.
Article 6 — Legal Bases for Processing
| Purpose of processing | Legal basis |
|---|---|
| Functional cookies | Art. 6(1)(f) GDPR — legitimate interest |
| Analytics cookies | Art. 6(1)(a) GDPR — consent by using the website |
| Waitlist (name, email) | Art. 6(1)(a) GDPR — consent |
| Marketing communications | Art. 6(1)(a) GDPR — consent |
| Registration and authentication | Art. 6(1)(b) GDPR — contract |
| Payment data (Stripe) | Art. 6(1)(b) GDPR — contract |
| Calendar integration | Art. 6(1)(b) and/or (a) GDPR |
| Voice data (immediately deleted) | Art. 6(1)(b) GDPR — contract |
| Speech-to-text transcript | Art. 6(1)(b) GDPR — contract |
| Speaker diarization / voice biometric attributes | Art. 6(1)(b) + Art. 9(2)(a) GDPR |
| Meeting minutes | Art. 6(1)(b) GDPR — contract |
| End quiz | Art. 6(1)(b) GDPR — contract |
| Individual feedback | Art. 6(1)(b) GDPR — contract |
| Behavioural data | Art. 6(1)(f) GDPR — legitimate interest |
| Optional recording | Art. 6(1)(a) GDPR — consent (organiser's responsibility) |
| AI model training (opt-in) | Art. 6(1)(a) GDPR — consent |
| Product analytics | Art. 6(1)(f) GDPR — legitimate interest |
| Sharing / selling analytics data to third parties | Art. 6(1)(f) GDPR — legitimate interest |
6.1 Legitimate Interest Assessment
Where the controller relies on the legal basis of legitimate interest pursuant to Art. 6(1)(f) GDPR, the controller has carried out a legitimate interest assessment and concluded that: (i) the controller pursues a legitimate interest in operating, maintaining, securing and improving the service; (ii) the processing is necessary and proportionate to achieving that interest; and (iii) such interest is not overridden by the interests, fundamental rights and freedoms of data subjects, having regard to data subjects' reasonable expectations in a professional meeting context and the minimisation measures implemented. Data subjects retain the right to object at any time pursuant to Art. 21 GDPR.
6.2 Unregistered Meeting Participants
The controller acknowledges that meetings may involve persons who are not registered users of the service (hereinafter: "unregistered participants"). The controller fulfils its transparency obligation pursuant to Art. 14 GDPR by ensuring the visible labelling of the controller's AI assistant as a named participant in the meeting calendar invitation, thereby providing all invited participants with advance notice of AI processing. The meeting organiser bears sole responsibility for ensuring the proper notification of unregistered participants joining via direct links or other channels.
Article 7 — Retention Periods
| Data category | Retention period | Configurable |
|---|---|---|
| Raw voice data | Immediately deleted after transcription — not stored | no |
| Speech-to-text transcript | 6 months from meeting or until account deletion | no |
| Meeting minutes | Until account deletion or verified erasure request | yes |
| End quiz and responses | Until account deletion or verified erasure request | yes |
| Individual feedback | Until account deletion or verified erasure request | yes |
| Behavioural data | Until account deletion or verified erasure request | yes |
| Optional recordings | As configured by the organiser | yes |
| Operational logs | Technically necessary period; no personal data | no |
| Payment metadata | Duration of contractual relationship + statutory minimum | no |
| Waitlist data | Until consent withdrawal or period necessary for marketing purposes | no |
| Registration and authentication data | Duration of account + applicable statutory minimum | no |
Data subjects may adjust applicable retention periods through the application settings or by sending a written request to gdpr@shortenitup.com.
Article 8 — Infrastructure, Security and International Transfers
8.1 Infrastructure and Data Location
All personal data processed by the controller is stored exclusively on servers located within the territory of the European Union. Information on the specific infrastructure location is available upon request at gdpr@shortenitup.com. All personal data is encrypted both in transit via TLS protocol and at rest via storage-level encryption. Such processing does not constitute a transfer to a third country within the meaning of Chapter V GDPR.
8.2 International Transfers
Certain sub-processors engaged by the controller — including but not limited to providers of speech processing, authentication services, payment services and analytics tools — may process personal data in the United States of America or other third countries. Such transfers are made exclusively on the basis of standard contractual clauses pursuant to Art. 46(2)(c) GDPR (Commission Implementing Decision (EU) 2021/914) or another adequate mechanism within the meaning of Chapter V GDPR, supplemented by appropriate technical and organisational measures. Further information is available upon written request at gdpr@shortenitup.com.
8.3 Staff Access
No member of the controller's personnel has access to customers' or users' personal data in the course of normal operations. Access to personal data is technically excluded through strict role-based access controls. Operational logs contain exclusively an anonymous account identifier and technical metadata necessary for diagnostics, never the personal data of data subjects.
Article 9 — Recipients and Disclosure
The controller does not sell application personal data to third parties for their own purposes, except for the sharing of pseudonymised analytics data pursuant to Article 5.6 of this Policy. Personal data may be disclosed to: (i) authorised processors acting exclusively on the basis of documented instructions from the controller pursuant to data processing agreements under Art. 28 GDPR, including cloud infrastructure, speech processing, authentication and payment service providers; (ii) Stripe Payments Europe, Limited as the payment transaction processor, exclusively to the extent of data necessary for processing the relevant payment; (iii) third parties operating in the fields of data analytics and advertising to the extent of pseudonymised analytics data pursuant to Article 5.6; (iv) competent public authorities, regulatory bodies or courts to the extent required by a legal obligation; and (v) acquirers or legal successors in the context of a corporate transaction, subject to assumption of obligations under this Policy.
Article 10 — Rights of Data Subjects
In accordance with Chapter III GDPR, data subjects have the right to exercise the following rights by sending a request to gdpr@shortenitup.com or through the controls in the application:
- Right of access (Art. 15 GDPR) — to obtain confirmation of processing and a copy of personal data
- Right to rectification (Art. 16 GDPR) — to achieve correction of inaccurate or incomplete data
- Right to erasure (Art. 17 GDPR) — to achieve erasure subject to the fulfilment of statutory conditions
- Right to restriction of processing (Art. 18 GDPR) — to achieve restriction of processing during the resolution of disputed matters
- Right to data portability (Art. 20 GDPR) — to obtain data in a structured, commonly used and machine-readable format; currently exercised by sending a request to gdpr@shortenitup.com, with planned implementation of direct export in the application
- Right to object (Art. 21 GDPR) — to object to processing based on legitimate interest including the sharing of analytics data with third parties
- Right to withdraw consent (Art. 7(3) GDPR) — at any time, without affecting the lawfulness of processing prior to withdrawal
The controller will respond within one (1) month of receipt of a verified request, which period may be extended by a further two (2) months in cases of complexity.
Article 11 — AI Model Training
The controller does not use personal data originating from meetings, transcripts, minutes, end quizzes or feedback for the purposes of training, fine-tuning or otherwise improving artificial intelligence models, except where the data subject grants free, specific, informed and unambiguous consent by way of an active opt-in in the application settings. This processing is disabled by default. Consent may be withdrawn at any time by changing the relevant setting without affecting prior lawful processing.
Article 12 — Changes to the Policy
The controller reserves the right to change this Policy at any time. Registered users will be notified of material changes via the application and/or email. Continued use of the service following the entry into force of any change constitutes consent to the amended Policy.