Privacy Policy
This Privacy Policy explains how Talari AI Services OU ("Talari", "we", "us") collects, uses, stores, and protects your personal data when you use the talari.ai platform and related services. It is drafted in accordance with Regulation (EU) 2016/679 (GDPR), Articles 13 and 14.
1. Identity and Contact Details of the Controller
The controller of your personal data within the meaning of Art. 4(7) GDPR is:
Talari AI Services OU
Registry code: 00000000
Registered address: Street Address, City, Estonia
Email: legal@talari.ai
Website: talari.ai
Talari AI Services OU is a private limited company (osaühing) incorporated under the laws of the Republic of Estonia and entered in the Estonian Commercial Register (Äriregister).
2. Data Protection Officer
We have designated a Data Protection Officer (DPO) who can be contacted for any queries regarding the processing of your personal data or the exercise of your rights under the GDPR:
Data Protection Officer
Email: dpo@talari.ai
The DPO is available to address concerns related to our data processing activities and will respond within 30 calendar days of receipt of a request.
3. Categories of Personal Data
Depending on how you use our platform, we may collect and process the following categories of personal data:
- Account data — name, email address, username, role, tenant affiliation.
- Session transcription data — audio converted to text during NinaSession documentation sessions.
- Anonymisation mappings — lookup tables linking personally identifiable information (PII) to anonymised tokens, used to de-identify transcripts before AI processing.
- AI analysis outputs — structured reports generated by AI models from anonymised session transcripts.
- Session metadata — timestamps, session duration, session mode (solo, remote, text), language settings.
- Remote session guest data — consent records, microphone permissions, IP addresses, and WebRTC connection metadata for guests joining via invite link.
- Uploaded documents — professional context documents (e.g. client histories, reference materials) uploaded for retrieval-augmented generation (RAG).
- Billing data — subscription tier, payment method identifiers, invoicing data. Full payment card details are processed exclusively by Stripe and never stored on our servers.
- Authentication data — hashed passwords (bcrypt), JWT tokens, Redis session identifiers, two-factor authentication secrets.
- Audit logs — records of login events, administrative actions, data access, and system events for security monitoring.
- LLM provider interaction data — anonymised prompts and responses exchanged with third-party AI model providers.
4. Purposes of Processing and Legal Basis
The following table sets out the specific purposes for which we process your personal data, the legal basis under the GDPR, and the applicable retention period:
| Data | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Account data (name, email, role) | User registration and authentication | Art. 6(1)(b) GDPR | Duration of account |
| Session transcription (audio-to-text) | Real-time documentation of professional sessions | Art. 6(1)(b); Art. 9(2)(h) if health data | Until session finalised |
| PII anonymisation mapping | Replace identifiable data with tokens before LLM processing | Art. 6(1)(c) GDPR | Until session finalised |
| AI analysis and reports | Automated report generation from anonymised transcripts | Art. 6(1)(b) GDPR | Until user deletes report |
| Session metadata (timestamps, duration, mode) | Platform operation, usage tracking, billing | Art. 6(1)(b) GDPR | Retained after finalisation |
| Remote session guest data (consent, microphone, IP) | Enable remote participation via WebRTC | Art. 6(1)(a) GDPR (consent) | Duration of session |
| Uploaded context documents | Contextual retrieval for session analysis | Art. 6(1)(b) GDPR | Auto-expire after 24 hours |
| Billing and payment data | Subscription management and invoicing via Stripe | Art. 6(1)(b) GDPR + PCI-DSS | As required by tax law |
| Authentication tokens (JWT, Redis sessions) | Secure session management | Art. 6(1)(c) GDPR | 2-hour TTL (Redis) |
| Audit logs (login, actions, IP) | Security monitoring and compliance | Art. 6(1)(c) GDPR | Automated retention policy |
| LLM provider calls (anonymised prompts) | AI report generation and analysis | Art. 6(1)(b) GDPR | Transient (not stored by provider) |
Where we rely on legitimate interest as a legal basis, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms.
5. Special Category Data (Article 9)
Health and Sensitive Data
When talari.ai is used in healthcare, therapeutic, or counselling contexts, session transcriptions may contain special categories of personal data within the meaning of Art. 9(1) GDPR, including data concerning health.
We process such data under Art. 9(2)(h) GDPR, which permits processing necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care, or the management of health or social care systems and services. In such cases, the professional user of talari.ai acts as the Data Controller for their clients' data, and Talari acts as the Data Processor.
Sensitive data is always anonymised (PII replaced with tokens) before being sent to any third-party AI model provider. The anonymisation mapping is maintained solely within the user's tenant environment and is permanently purged when the session is finalised.
6. Automated Processing and Profiling
talari.ai employs automated processing, including AI-powered analysis, to generate reports and documentation from session transcripts. This processing involves:
- Automatic transcription of audio to text using speech-to-text models.
- PII detection and anonymisation to protect data subjects.
- AI-generated structured reports based on anonymised transcripts and professional templates.
This automated processing does not constitute profiling within the meaning of Art. 22 GDPR. No decisions with legal or similarly significant effects are made solely on the basis of automated processing. All AI-generated outputs are presented as drafts for professional review and are not intended to replace clinical, legal, or other professional judgement.
7. Third-Party Processors
We engage the following sub-processors to deliver our services. Each processor is bound by a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR:
| Processor | Country | Purpose | Safeguard |
|---|---|---|---|
| Anthropic Inc. | USA | AI report generation (Claude) | SCCs per Art. 46 GDPR |
| Groq Inc. | USA | Audio transcription (Whisper) | SCCs per Art. 46 GDPR |
| LiveKit Inc. | USA | WebRTC infrastructure for remote sessions | SCCs per Art. 46 GDPR |
| Stripe Inc. | USA | Payment processing and subscription billing | SCCs + adequacy decision (DPF) |
| Mailtrap (Railsware Products) | EU | Transactional email delivery | EU-based processor |
All data sent to US-based processors is anonymised (PII stripped) before transmission. We maintain Data Processing Agreements with each sub-processor that include technical and organisational measures appropriate to the nature of the data processed.
8. International Data Transfers
Certain sub-processors are located outside the European Economic Area (EEA), specifically in the United States. For these transfers, we rely on the following safeguards pursuant to Chapter V of the GDPR:
- Standard Contractual Clauses (SCCs) adopted by the European Commission under Art. 46(2)(c) GDPR, incorporated into our Data Processing Agreements with each US-based processor.
- EU-U.S. Data Privacy Framework (DPF) where the processor is certified under the adequacy decision of 10 July 2023 (applicable to Stripe).
- PII anonymisation — personally identifiable information is stripped from all data before it is transmitted to AI model providers (Anthropic, Groq), ensuring that no personal data within the meaning of Art. 4(1) GDPR leaves the EEA.
Copies of the applicable SCCs and transfer impact assessments are available upon request from dpo@talari.ai.
9. Data Retention
We retain personal data only as long as necessary for the purposes set out in this policy:
- Active and saved sessions: Session data (transcripts, anonymisation mappings, AI analysis) is retained until the session is finalised by the user.
- Finalised sessions: Upon finalisation, all sensitive content (transcripts, PII mappings, raw audio references) is permanently and irreversibly purged. Only non-sensitive metadata (timestamps, duration, mode) is retained for usage tracking.
- Reports: AI-generated reports are retained until the user explicitly deletes them.
- Context documents: Uploaded professional documents are automatically deleted after 24 hours.
- Authentication sessions: Redis-based sessions expire automatically after 2 hours of inactivity.
- Audit logs: Security and administrative audit logs are retained in accordance with automated retention policies and applicable regulatory requirements.
- Account data: Retained for the duration of your account. Upon account deletion, personal data is purged within 30 days, subject to legal retention obligations.
10. Your Rights Under the GDPR (Articles 15–22)
You have the following rights regarding your personal data:
- Right of access (Art. 15) — obtain confirmation of whether we process your personal data and receive a copy of that data.
- Right to rectification (Art. 16) — request correction of inaccurate personal data.
- Right to erasure (Art. 17) — request deletion of your personal data. Note that session finalisation constitutes an irreversible erasure mechanism built into the platform.
- Right to restriction of processing (Art. 18) — request limitation of processing in certain circumstances.
- Right to data portability (Art. 20) — receive your personal data in a structured, commonly used, and machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)) — where processing is based on consent (e.g. remote session guest participation), you may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
- Right not to be subject to automated decision-making (Art. 22) — our AI processing does not produce decisions with legal or similarly significant effects. All outputs are professional drafts subject to human review.
To exercise any of these rights, please contact our Data Protection Officer at dpo@talari.ai. We will respond within 30 calendar days of receipt of your request, in accordance with Art. 12(3) GDPR. This period may be extended by a further 60 days for complex or numerous requests, in which case we will inform you within the initial 30-day period.
11. Right to Lodge a Complaint
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR.
As our company is established in Estonia, the lead supervisory authority is:
Andmekaitse Inspektsioon (AKI)
Estonian Data Protection Inspectorate
Website: www.aki.ee
Email: info@aki.ee
You also have the right to lodge a complaint with the supervisory authority of the EU/EEA Member State of your habitual residence or place of work.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or platform features. Material changes will be communicated via email notification to registered users and prominently displayed on the platform at least 14 days before they take effect.
The “Last updated” date at the top of this document indicates the date of the most recent revision. We encourage you to review this policy periodically.