Privacy policy
Last updated: 10 July 2026
Who we are
cmdk ("we") provides an AI workspace for teams: chat, automations and meeting intelligence. This policy explains what personal data we process when you use cmdk or visit this website, and the rights you have under the GDPR.
Data controller: [Company legal name], [address], Netherlands. Chamber of Commerce (KvK): [number]. Contact: privacy@cmdk.io.
Data we process
- Account data: name, email address, profile picture, sign-in method (email, Google or Apple).
- Workspace content: chats, automations, documents, tables and files you or your team create in cmdk.
- Meeting data: when you invite the notetaker, recordings, transcripts, summaries and action items of that meeting.
- Billing data: plan, seat count and payment status. Card details are handled by our payment provider and never touch our servers.
- Usage analytics: pageviews and feature usage, only if you accepted analytics cookies (see the cookie policy).
- Support communication: emails you send us.
Why and on what legal basis
- To provide the service you signed up for (performance of a contract): accounts, workspaces, chats, automations, meetings, billing.
- To run AI features you invoke (performance of a contract): your prompts and relevant workspace context are sent to the model provider you or your workspace selected.
- To improve the product (consent): analytics only after you accept.
- To keep the service secure and reachable (legitimate interest): server logs, abuse prevention.
- To meet legal obligations: tax and bookkeeping records.
Subprocessors
We use a small set of processors to run cmdk. Each is bound by a data processing agreement:
- Vercel (hosting, EU region where available)
- Neon (PostgreSQL database)
- Google Cloud Storage (file storage)
- AI model providers (Anthropic, OpenAI, Google), invoked only for the requests you make
- Composio (app integrations you connect)
- PostHog EU (analytics, only with consent)
- Resend (transactional email)
- Pusher (realtime updates)
Retention
- Workspace content: for as long as your workspace exists; deleted within 30 days after you delete it.
- Account data: for as long as your account exists.
- Meeting recordings: until you or a workspace admin deletes them.
- Analytics: up to 12 months.
- Invoices: 7 years (legal requirement).
Your rights
Under the GDPR you can ask us for access, correction, deletion, restriction, portability, and you can object to processing based on legitimate interest. You can withdraw analytics consent at any time on the cookie settings page. Email privacy@cmdk.io and we respond within 30 days. You can also complain to the Dutch supervisory authority, the Autoriteit Persoonsgegevens.
International transfers
We keep data in the EU where possible. Where a processor operates outside the EU (for example some AI model providers), transfers are covered by the EU Standard Contractual Clauses or an adequacy decision.
Security
Workspaces are isolated with role-based access control, data is encrypted in transit and at rest, and access to production systems is restricted and logged. Enterprise plans add SSO/SAML, audit logs and retention controls.
Changes
We update this policy when the product or our processors change and note the date at the top. For significant changes we notify you in the app or by email.