Privacy Policy
Last updated: January 2026
Your privacy is our priority
We understand you're trusting us with sensitive call recordings. Here's our commitment to protecting your data:
- Your data stays yours. We never sell your data, share it with advertisers, or use your recordings to train AI models. Period.
- Enterprise-grade encryption. Every recording is encrypted with AES-256 at rest and TLS 1.3 in transit—the same standards used by banks.
- UK data residency. Your recordings, transcripts, and analyses are stored exclusively in UK-based secure data centres.
- You control access. Only you and team members you explicitly invite can access your calls. Even our support team cannot access your recordings without permission.
- Delete means delete. Deleted calls are immediately removed from production systems and purged from all backups within 30 days.
- Full data portability. Export all your data anytime in standard formats (JSON, CSV). No lock-in.
1. Introduction
Momentra ("we", "us", "our") is committed to protecting your privacy and the confidentiality of the sensitive information you entrust to us. This policy explains how we collect, use, store, and safeguard your information when you use our call analysis and coaching service at momentra.co.uk (the "Service").
This policy was last updated: January 2026
We are UK-based and comply with:
- UK General Data Protection Regulation (UK GDPR)
- EU General Data Protection Regulation (GDPR)
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations (PECR)
2. Information we collect
2.1 Account information
When you create an account, we collect:
- Email address
- Full name
- Organisation name (if applicable)
- Authentication credentials (managed by our authentication provider)
If you sign up via single sign-on (SSO), we receive your basic profile information (name, email, profile picture) from your identity provider.
2.2 Call recordings (the most sensitive data)
This is the most sensitive information we handle. When you upload a call recording for analysis, we collect and process:
- Audio file: The raw recording in MP3, WAV, or M4A format
- Transcription: A text transcript generated from the audio
- Speaker identification: Labels distinguishing between speakers (e.g., "Seller" and "Prospect")
- Analysis data: AI-generated coaching insights, scores, and recommendations
- Metadata: File name, upload date, duration, file size, use case type
⚠️ Important: Recording consent is your responsibility
It is your legal responsibility to ensure you have obtained proper consent from all parties before recording and uploading calls. Laws vary by jurisdiction. In the UK, it's generally legal to record your own calls if you're a party to them. Check your local laws and company policies.
2.3 Team and organisation data
If you use team features:
- Team member names and email addresses
- Roles and permissions
- Organisation name and settings
- Team member activity (who uploaded which calls)
2.4 Usage and analytics data
We collect information about how you use the Service:
- Pages visited and features used
- Browser type and device information
- IP address (anonymized for analytics, full for security and fraud prevention)
- Session duration and frequency
- Error logs and performance metrics
- Geographic location (country/city level only)
We use Google Analytics to understand how visitors use our website and marketing pages. Google Analytics collects anonymous usage data including page views, session duration, and referral sources. Your IP address is anonymized before being sent to Google. Google Analytics data is used only in production environments and not during local development.
This data is used solely to improve the Service, debug issues, and detect security threats. Analytics data from your call recordings, transcripts, or coaching insights is never sent to Google Analytics or any third party.It is never sold or shared with advertisers.
You can opt out of Google Analytics by using browser extensions like Google Analytics Opt-out Browser Add-on.
2.5 Payment information
Payment processing is handled exclusively by Stripe, a PCI DSS Level 1 certified payment processor. We never see or store your full credit card number.
We do receive and store:
- Stripe customer ID
- Last 4 digits of card number
- Card brand (Visa, Mastercard, etc.)
- Card expiry date
- Billing email and address
- Subscription status and billing history
2.6 Communications
If you contact support or respond to our emails, we store:
- Your messages and our responses
- Any attachments or screenshots you provide
- Support ticket history
3. How we use your information
3.1 To provide the core Service
- Transcription: Convert your audio to text using our proprietary speech processing engine
- Speaker diarisation: Identify and separate different speakers
- AI analysis: Generate coaching insights using our bespoke AI analysis system
- Storage: Securely store your recordings, transcripts, and analyses
- Display: Present your data in the web interface
- Search: Enable you to find and filter your calls
3.2 To manage your account
- Authenticate your access securely
- Manage team members and permissions
- Track usage limits and quotas
- Process payments and manage subscriptions
3.3 To communicate with you
- Send transactional emails (analysis complete, upload errors)
- Payment receipts and billing notifications
- Critical security or privacy updates
- Respond to support requests
We do not send marketing emails unless you explicitly opt in, and you can unsubscribe at any time.
3.4 To improve the Service
- Analyse aggregate usage patterns (not individual call content)
- Debug errors and performance issues
- Develop new features based on usage trends
- Conduct security audits
Important: Service improvement is done using anonymized, aggregate data only. We never review individual call recordings or transcripts for product development purposes.
4. AI and machine learning
✓ We do NOT use your recordings or transcripts to train AI models
This deserves emphasis because it's a major concern: Your call data is never used for AI model training, fine-tuning, or improvement.
4.1 How we process your calls
- Speech-to-text transcription: Our proprietary transcription engine converts audio to text. Your audio data is processed transiently and is not retained or used for training purposes.
- AI analysis system: Our bespoke AI coaching engine analyses transcripts and generates insights. We have contractual guarantees with our technology providers that data submitted is not used to train or improve AI models.
4.2 Data flow
When you upload a call, here's what happens:
- Audio file uploaded via encrypted connection to UK-based secure storage
- Our speech processing engine processes it in real-time → generates transcript
- Transcript sent to our AI analysis system → generates coaching analysis
- Results stored in our database (EU-based)
- Your original data is not retained by our processing systems beyond what is necessary to complete the analysis
4.3 Technology providers
We work with enterprise-grade technology providers under strict contractual agreements that include the following protections:
- No customer data used for model training or improvement
- No human review of customer content (except on request for support)
- Data is not shared across customers
- Automated abuse monitoring only (privacy-preserving)
- All processing occurs in UK or EU data centres
5. Data sharing and access
5.1 Who can access your call recordings?
By default, only you. Your recordings are private and accessible only to your account. Specifically:
- You: Full access to all calls you upload
- Team members you invite: Access to calls shared within your organisation (you control this via team settings)
- Our support team: NO access unless you explicitly grant permission for troubleshooting purposes
- Other Momentra customers: NO access, ever
- Third parties: NO access, except for our contracted technology providers who process data transiently and securely under strict data processing agreements
5.2 Service providers (subprocessors)
We share data with trusted service providers necessary to operate the Service. These providers are contractually bound to protect your data:
- Cloud infrastructure provider: Hosts recordings, processes transcription and AI analysis. UK data residency. ISO 27001, SOC 2, GDPR compliant.
- Database provider: Database for metadata and user accounts. EU (Frankfurt) data residency. SOC 2 Type II compliant.
- Authentication provider: Authentication and user management. US-based, SOC 2 Type II compliant, GDPR Data Processing Agreement in place.
- Stripe: Payment processing. PCI DSS Level 1 compliant. Does not have access to call recordings.
See Section 6 for the complete subprocessor list.
5.3 We never sell your data
We do not, have not, and will never sell, rent, or trade your personal data or call recordings to third parties. This includes:
- No selling to data brokers
- No sharing with advertisers
- No cross-platform tracking or profiling
- No monetising your content in any way
5.4 Legal disclosure
We may disclose your information if required by law:
- In response to a valid court order or subpoena
- To comply with legal obligations
- To protect our rights, property, or safety
- To prevent fraud or security threats
If we receive a legal request for your data, we will:
- Notify you unless legally prohibited
- Verify the validity of the request
- Provide only the minimum data required
- Challenge overly broad or unlawful requests
6. Subprocessors (detailed list)
We use carefully vetted third-party services to provide the Service. All subprocessors are bound by data processing agreements (DPAs) that comply with UK GDPR and EU GDPR requirements.
| Provider | Purpose | Data Handled | Location | Compliance |
|---|---|---|---|---|
| Cloud infrastructure provider | Storage, transcription, AI analysis | Audio files, transcripts, analyses | UK | ISO 27001, SOC 2, GDPR |
| Database provider | Database | Account data, metadata | EU (Frankfurt) | SOC 2 Type II, GDPR |
| Authentication provider | Authentication | Email, name, auth credentials | US (with EU DPA) | SOC 2 Type II, GDPR DPA |
| Stripe | Payment processing | Payment details, billing address | US/EU | PCI DSS Level 1, GDPR |
| Hosting provider | Website hosting | Session cookies, IP addresses | Global CDN | SOC 2, GDPR |
| Email provider | Transactional email | Email addresses, message content | US | GDPR compliant |
| Google Analytics | Website analytics (marketing pages only) | Anonymous page views, sessions, anonymized IP | US/Global | GDPR compliant, IP anonymization enabled |
Data transfers outside UK/EU: Where we use US-based providers for non-core services (authentication, payment processing, email), we rely on Standard Contractual Clauses (SCCs) and ensure they have appropriate technical and organisational measures in place. Critically, your call recordings remain in the UK at all times.
7. Data retention
We only keep your data as long as necessary to provide the Service or as required by law. Here's exactly how long we retain different types of data:
7.1 Call recordings and transcripts
- Active calls: Stored indefinitely until you delete them or close your account
- When you click delete:
- Immediately removed from the web interface
- Removed from production database within 24 hours
- Removed from secure cloud storage within 48 hours
- Purged from all backup systems within 30 days
Delete means delete. Once the 30-day backup retention period passes, your recording is permanently and irreversibly destroyed.
7.2 Account data
- Active accounts: Retained as long as your account is active
- After account closure:
- Account data retained for 30 days (in case of accidental deletion)
- After 30 days, all personal data is permanently deleted
- Exception: Anonymized usage statistics may be retained for analytics
7.3 Payment and billing records
- Invoices and receipts: Retained for 7 years (UK tax law requirement)
- Payment card details: Never stored by us (handled by Stripe)
- Billing history: Available in your account for 3 years, then archived
7.4 Support communications
- Support tickets and email correspondence retained for 3 years
- Can be deleted on request unless required for legal/compliance purposes
7.5 System logs
- Application logs: 90 days (for debugging and security monitoring)
- Security logs: 1 year (for incident investigation)
- Access logs: 30 days
All logs are pseudonymised where possible (using account IDs rather than names).
8. Data security
Protecting your sensitive call recordings is our highest priority. We implement enterprise-grade security measures across every layer of the Service.
8.1 Encryption
- At rest: All recordings and data encrypted with AES-256 in our secure UK storage infrastructure (same standard used by banks and government agencies)
- In transit: All connections use TLS 1.3 with perfect forward secrecy
- Database: Our database provider encrypts all data at rest with AES-256
- Backups: Encrypted with same standards as production data
8.2 Access controls
- Authentication: Multi-factor authentication (MFA) available and recommended for all accounts
- Authorisation: Role-based access control (RBAC) for team features
- Session management: Secure, httpOnly cookies with strict same-site policies
- API access: Secured with bearer tokens, rate-limited to prevent abuse
- Admin access: Our engineers have zero standing access to customer data. Emergency access requires multi-person approval and is fully audited.
8.3 Infrastructure security
- Cloud infrastructure: ISO 27001, SOC 2 Type II, ISO 27018 certified
- Network isolation: Virtual networks, private endpoints, no public access to storage
- DDoS protection: Enterprise-grade distributed denial of service protection
- Intrusion detection: Automated monitoring for suspicious activity
- Vulnerability scanning: Automated and manual security testing
8.4 Application security
- Code reviews: Security-focused peer review of all code changes
- Dependency scanning: Automated checks for vulnerable libraries
- Input validation: All user inputs sanitized to prevent injection attacks
- OWASP compliance: Protection against top 10 web vulnerabilities
8.5 Monitoring and incident response
- 24/7 automated monitoring for security events
- Audit logging of all data access and administrative actions
- Incident response plan with defined escalation procedures
- Breach notification: If a data breach occurs, we will notify affected users within 72 hours as required by GDPR
8.6 Physical security
Your data is hosted in Tier 3+ certified UK data centres with:
- 24/7 physical security and video surveillance
- Biometric access controls
- Redundant power and cooling systems
- Geographic redundancy for disaster recovery
8.7 Employee access
- Background checks: All employees undergo security vetting
- Training: Regular security and privacy training
- Confidentiality: All staff sign confidentiality agreements
- Least privilege: Employees only have access to systems required for their role
- Zero access: No employee can access call recordings without explicit customer permission
9. Your rights (GDPR/UK GDPR)
You have comprehensive rights over your personal data under UK GDPR and EU GDPR. We make it easy to exercise these rights.
9.1 Right of access
You can request a copy of all personal data we hold about you, including:
- Account information
- All call recordings and transcripts
- Analysis and coaching data
- Payment history
- Usage logs
How to exercise: Use the export feature in your account settings, or email privacy@momentra.co.uk. We'll respond within 30 days (usually much faster).
9.2 Right to rectification
You can correct any inaccurate or incomplete personal data.
How to exercise: Update your account information directly in settings, or contact us to correct other data.
9.3 Right to erasure ("right to be forgotten")
You can request deletion of your personal data. We will comply unless we have legal grounds to retain it (e.g., tax records).
How to exercise:
- Delete individual calls directly from your dashboard
- Close your account in settings to delete all data
- Email us for complete erasure requests
Data will be permanently deleted within 30 days (see section 7 on retention).
9.4 Right to data portability
You can receive your data in a structured, commonly used, machine-readable format (JSON/CSV) and transmit it to another service.
How to exercise: Use the export feature in account settings. We provide:
- All transcripts as JSON/text files
- Original audio files
- Analysis data in JSON format
- Metadata in CSV format
9.5 Right to object
You can object to processing of your data for:
- Direct marketing (we don't do this by default anyway)
- Research or statistical purposes
9.6 Right to restrict processing
You can request we limit how we use your data while you contest its accuracy or lawfulness.
9.7 Right to withdraw consent
Where processing is based on consent, you can withdraw it at any time. This doesn't affect the lawfulness of processing before withdrawal.
9.8 Right to lodge a complaint
If you believe we're not handling your data properly, you can complain to:
- UK: Information Commissioner's Office (ICO) -ico.org.uk/make-a-complaint
- EU: Your local Data Protection Authority
We'd appreciate the chance to address your concerns first. Please contact us at privacy@momentra.co.uk and we'll do our best to resolve the issue.
9.9 How to exercise your rights
Email: privacy@momentra.co.uk
Please include:
- Your full name and email address associated with your account
- Which right you're exercising
- Any specific data or time periods relevant to your request
We'll verify your identity (to protect your data) and respond within 30 days. Most requests are fulfilled within 1 week.
Response time: Within 30 days (usually within 1 week)
Cost: Free for first request; may charge reasonable admin fee for excessive or repeat requests
10. Cookies and tracking
10.1 What cookies we use
Essential cookies (always on):
- Authentication token (keeps you logged in)
- Session ID (maintains your session)
- CSRF token (prevents security attacks)
- Cookie consent preferences
These are required for the Service to function and cannot be disabled.
Analytics cookies:
- Google Analytics (_ga, _gid, _gat): Used to understand how visitors use our marketing website (not the app itself). These cookies collect anonymous information about page views, session duration, and traffic sources.
- Anonymous usage analytics (page views, feature usage)
- Performance monitoring (error tracking, load times)
Google Analytics only tracks activity on our public marketing pages (homepage, pricing, blog, etc.). Your authenticated app usage and call recordings are never tracked by Google Analytics.
You can opt out of Google Analytics tracking using:
- Google Analytics Opt-out Browser Add-on
- Browser "Do Not Track" settings
- Privacy-focused browsers (Brave, DuckDuckGo, etc.) automatically block tracking
10.2 No advertising or tracking
We do NOT use:
- Advertising cookies
- Social media tracking pixels
- Cross-site tracking
- Third-party behavioral analytics
10.3 Managing cookies
You can manage cookie preferences in your browser settings. Note that disabling essential cookies will prevent you from using the Service.
11. Legal basis for processing
Under GDPR, we must have a legal basis for processing your personal data. Here's what we rely on:
11.1 Contract performance (primary basis)
Processing is necessary to provide the Service you've signed up for:
- Transcribing and analysing your calls
- Storing and displaying your data
- Managing your account and team
- Processing payments
11.2 Legitimate interests
We may process data based on legitimate interests:
- Preventing fraud and security threats
- Improving service performance and reliability
- Internal analytics and business operations
We balance these interests against your rights and only proceed when appropriate.
11.3 Legal obligation
Some processing is required by law:
- Tax and accounting records (7 years UK requirement)
- Responding to valid legal requests
- Compliance with financial regulations
11.4 Consent
For optional features (e.g., marketing emails, optional analytics), we ask for your explicit consent, which you can withdraw at any time.
12. International data transfers
Your call recordings remain in the UK at all times, stored in UK data centres.
Some account data and metadata may be processed by US-based providers (Clerk, Stripe). For these transfers, we use:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Contractual requirements for appropriate technical and organisational measures
- Regular assessments of data protection adequacy
The most sensitive data—your call recordings and transcripts—never leaves the UK.
13. Business use and compliance
13.1 Using Momentra for business purposes
If you use Momentra as part of your business:
- You are the data controller for any personal data of your customers/prospects that appear in call recordings
- We are the data processor acting on your instructions to transcribe and analyse the calls
- Your responsibility: Ensure you have legal basis and consent to record calls and share them with us for processing
13.2 Data Processing Agreement (DPA)
Our Terms of Service include standard GDPR-compliant Data Processing Agreement terms. For enterprise customers requiring a custom DPA, please contact enterprise@momentra.co.uk.
13.3 Your obligations as a data controller
When using Momentra for business, you must:
- Inform call participants they're being recorded
- Obtain appropriate consent where legally required
- Have a privacy policy covering how you handle call recordings
- Comply with applicable laws (UK GDPR, PECR, sector-specific regulations)
- Only upload calls where you have legal right to do so
13.4 Compliance certifications
Our infrastructure providers maintain the following certifications:
- ISO 27001 (Information Security Management)
- ISO 27018 (Cloud Privacy)
- SOC 2 Type II (Security, Availability, Confidentiality)
- PCI DSS Level 1 (Payment Card Industry - via Stripe)
Certification documentation available on request for due diligence purposes.
13.5 Regulated industries
Financial services (FCA regulated): Our service can support your record-keeping obligations. Call recordings are retained as per your instructions and can be exported for regulatory submission.
Healthcare (not recommended): Momentra is NOT designed for healthcare uses involving patient data. Do not upload calls containing Protected Health Information (PHI) or conversations subject to medical confidentiality.
Legal services: Be aware of legal professional privilege. Consult your compliance team before uploading privileged communications.
14. Children's privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately at privacy@momentra.co.uk and we will delete it.
15. Changes to this policy
We may update this policy to reflect changes in our practices, technologies, or legal requirements.
Material changes: We'll notify you via email and/or prominent notice in the app at least 30 days before changes take effect.
Minor changes: Will be posted here with an updated "Last updated" date.
Version history: Available on request.
Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
16. Data protection officer
For data protection inquiries, you can contact our privacy team:
Email: privacy@momentra.co.uk
Response time: Within 3 business days for acknowledgment
17. Contact information
For privacy-related questions, concerns, or to exercise your rights:
Privacy enquiries: privacy@momentra.co.uk
General support: support@momentra.co.uk
Security issues: security@momentra.co.uk
Postal address:
Momentra
United Kingdom
This privacy policy was last updated on January 3, 2026.