Legal

Privacy Policy

Last updated: May 2026

1. Introduction

Harlan Research ("we", "us", "our") operates Grammar, an AI-native workspace application ("the Service"). This Privacy Policy explains what information we collect, how we use it, how we protect it, and your rights regarding your data. By using Grammar you agree to the practices described here.

2. Information We Collect

We collect only what is necessary to provide the Service. This includes: (a) Account information — your name, email address, and profile picture provided via Google OAuth when you sign in. (b) Workspace content — notes, canvas drawings, diagrams, and any other content you create inside Grammar. Page notes and meeting transcripts are stored in encrypted form at the application layer. (c) Meeting data — audio streams, transcripts, and summaries generated when you use meeting capture. (d) Usage data — page visits, feature interactions, and error logs collected to improve reliability and performance. We do not collect payment information directly; any billing is handled by our payment processor.

3. How We Use Your Information

We use your information solely to operate and improve the Service: to authenticate your identity and maintain your session; to store and sync your workspace content across devices; to generate AI transcripts, summaries, and diagrams on your behalf; to diagnose bugs and improve product performance; and to send important service notices (e.g. downtime, security alerts). Encrypted notes and transcripts are decrypted only to provide the Service to you (for example, when you open a page or share content you have explicitly made shareable). We do not use your content to train AI models, and we do not sell or rent your data to any third party.

4. Sessions & Authentication

Grammar uses secure HTTP-only cookies to manage your authenticated session. Sessions are created when you sign in via Google OAuth and expire after a period of inactivity. Session tokens are cryptographically signed and never exposed to client-side JavaScript. You can revoke Grammar's access to your Google account at any time from your Google account settings, which will invalidate your active session immediately.

5. Meeting Capture & Audio Data

When you enable meeting capture, Grammar may join or record a video call to transcribe and summarize the conversation. You are solely responsible for obtaining all required participant consent and for complying with applicable recording laws. Grammar is not responsible for unlawful or non-consensual recording by users. Audio is streamed to our transcription providers (Deepgram and Meetstream) over TLS-encrypted connections; those providers automatically delete their raw processing copies within 24 hours. Grammar does not store raw audio in our database. After processing, meeting audio from desktop live recording and meeting bots is archived in a private AWS S3 bucket with server-side encryption (SSE-S3, AES-256). Playback is served via short-lived presigned URLs. Encrypted transcripts and AI-generated summaries are saved to your workspace and remain under your control — you can delete them at any time.

6. Calendar Integration & Event Data

When you connect Google Calendar, Grammar receives your upcoming calendar events to display them in the app. We do not store calendar event details — titles, descriptions, attendee lists, or any other event metadata are never written to our database. The only calendar-related data we persist is the calendar event ID, and only when you explicitly schedule a meeting bot for that event. This ID is used solely to match the bot to the correct meeting when it joins. It is deleted automatically once the meeting ends and the bot has been dismissed.

7. AI Processing

Grammar uses third-party AI providers (including OpenAI and Anthropic) to power features such as diagram generation, content summarisation, and research assistance. Content you submit to these features may be processed by those providers subject to their own data processing agreements. We have data processing agreements in place with each provider that prohibit them from using your content to train their models.

8. Data Storage & Security

Your workspace data is stored in our cloud infrastructure (hosted on AWS). We protect sensitive content with multiple layers: (1) Application-layer encryption — all page notes and meeting transcripts are encrypted with AES-256-GCM before being written to our database. Ciphertext is decrypted only to provide the Service to you (for example, when you open a page). We do not store plaintext transcript bodies in auxiliary tables. (2) Meeting audio — desktop live recordings and bot meeting audio are stored in a private S3 bucket with server-side encryption (SSE-S3, AES-256). Access is limited to our API and background workers via IAM credentials; end users receive time-limited presigned URLs for playback. (3) Infrastructure encryption — all data at rest on AWS is encrypted (AES-256) and all traffic is encrypted in transit (TLS 1.2+). We apply the principle of least privilege to all internal data access — no employee can access your content without an explicit support request from you. We conduct periodic security reviews and vulnerability assessments.

9. Data Retention & Deletion

We retain your data for as long as your account is active. When you delete your account, all associated workspaces, notebooks, pages, canvas data, and meeting summaries are permanently and irrecoverably deleted within 30 days. You can delete individual items (pages, notes, meeting records) at any time from within the app. Usage and error logs are retained for up to 90 days for operational purposes, after which they are purged automatically.

10. Cookies & Local Storage

Grammar uses a single HTTP-only session cookie for authentication. We do not use advertising cookies or third-party tracking pixels. We may use localStorage to persist your UI preferences (e.g. sidebar state, theme selection) locally in your browser — this data never leaves your device.

11. Third-Party Services

Grammar integrates with the following third-party services: Google OAuth (authentication), Google Calendar (meeting scheduling data, with your permission), Meetstream (meeting bot capture), Deepgram (audio transcription), OpenAI and Anthropic (AI features), and AWS (cloud infrastructure and encrypted audio storage). Each provider is governed by their own privacy policy. We share only the minimum data required for each integration to function.

12. Children's Privacy

Grammar is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

13. Your Rights

Depending on your jurisdiction, you may have the right to: access the personal data we hold about you; request correction of inaccurate data; request deletion of your data; object to or restrict certain processing; and data portability. To exercise any of these rights, contact us at the address below. We will respond within 30 days.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent in-app notice at least 14 days before taking effect. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.

15. Contact

For privacy-related questions or to exercise your data rights, please contact Harlan Research at: ruben.murga@harlanresearch.io