Back to Pitara.ai

Privacy Policy

Last updated: May 8, 2026

At Pitara.ai ("we", "our", or "us"), we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your information when you use our service at pitara.ai.

1. Information We Collect

1.1 Account Information

When you sign up using Google OAuth or GitHub OAuth, we collect:

  • Account ID - A unique identifier from your authentication provider
  • Email Address - Your account email
  • Display Name - Your name as shown on your account
  • Profile Picture URL - Link to your profile picture

1.2 Content You Create

We store content you create within Pitara.ai, including:

  • Collections and their settings (name, description, visibility)
  • Items within collections (images, videos, documents, code, text, links)
  • AI chat conversations and history
  • 3D model configurations and thumbnails
  • Notebooks and their content

1.3 Files You Upload

Any files you upload to Pitara.ai are stored securely, including:

  • Images (JPEG, PNG, GIF, WebP, SVG)
  • Videos (MP4, WebM, MOV)
  • Documents (PDF, DOC, DOCX, TXT)
  • Audio files (MP3, WAV, M4A, OGG)
  • Code files
  • 3D models (GLB, GLTF)

1.4 Usage Information

We automatically collect:

  • AI Usage Data - Tokens used, models accessed, operations performed
  • Activity Timestamps - Account creation date, last active time
  • Error Logs - Browser errors for debugging (if you report a bug)
  • Device Information - Browser type, operating system (for bug reports)

1.5 Optional Google Workspace Access (Drive and Calendar)

If you choose to connect Google Workspace services, we request only the minimum scopes needed and store OAuth tokens securely to maintain the connection.

  • Google Drive (drive.file scope) - When you import Google Docs, we use the Google Picker so you select which documents to share with Pitara. We request per-file access only to the documents you explicitly choose, not access to your entire Drive.
  • Google Calendar (calendar.readonly scope) - When you connect Calendar, we read your event metadata (titles, times, attendees, descriptions, conferencing links) so Pitara can show upcoming meetings, attach transcripts to the right event, and ground "what is my next meeting" style queries. We do not modify, create, or delete events.

You can disconnect either service at any time from your Google Account's Security settings, which immediately revokes our access.

1.6 Google Workspace API Limited Use

Limited Use Disclosure. The use of raw or derived user data received from Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements.

In plain language, this means:

  • We use Workspace data only to provide and improve the user-facing features you have connected (Drive import, Calendar grounding).
  • We do not transfer Workspace data to third parties except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger or acquisition with adequate notice.
  • We do not use Workspace data for advertising.
  • We do not allow humans to read Workspace data, except with your explicit consent for specific user-initiated support, when needed for security (e.g. investigating abuse), to comply with applicable law, or for internal operations on aggregated and anonymized data.
  • We do not use Workspace data to develop, improve, or train generalized AI or ML models.

1.7 Pitara Desktop App (Mac, Windows, Linux)

If you install the Pitara Desktop app, the following additional disclosures apply:

  • Microphone audio - When you start a meeting capture, the Desktop app records audio from the microphone you select. The audio is staged on your device under your operating system's protected user-data directory (file mode 0600) until it is either uploaded for transcription or you discard the session.
  • How audio reaches AssemblyAI - Either (a) the recorded audio file is uploaded to the Pitara backend, which forwards it to AssemblyAI for transcription, or (b) for real-time transcription the Desktop app opens a direct WebSocket connection to AssemblyAI using a short-lived token that the Pitara backend issues. The AssemblyAI API key never leaves our server.
  • What we do not capture - The Desktop app does not record system or other-participant audio, capture your screen, take screenshots, use your camera, monitor your keyboard, or read your clipboard.
  • Local encrypted storage - Your Documents (Notes and Transcripts), settings, and a local copy of your synced Pitara data are stored in a per-user encrypted SQLite database under your operating system's user-data directory. Encryption uses a per-user Data Encryption Key (DEK) that is itself encrypted by your operating system's secure keystore - Windows DPAPI, macOS Keychain, or Linux libsecret - via Electron's safeStorage. Your Pitara JSON Web Tokens (JWT access and refresh tokens) are protected the same way.
  • Calendar on Desktop - The Desktop app does not call the Google Calendar API directly. Calendar reads route through the authenticated Pitara backend, which holds the OAuth token and applies the Limited Use restrictions described in section 1.6.
  • No analytics or telemetry - The Desktop app does not include third-party analytics, crash reporting, or telemetry SDKs. Diagnostic logs stay on your device unless you choose to attach them to a bug report.

2. How We Use Your Information

  • Provide the Service - Store and display your collections and content
  • AI Features - Process your prompts through AI services to generate responses and images
  • Account Management - Authenticate you and manage your subscription
  • Communication - Send collection invitations and sharing notifications
  • Improvement - Analyze usage patterns to improve our service
  • Support - Respond to bug reports and provide assistance

3. Third-Party Services

Pitara.ai integrates with the following third-party services. When you use features that involve these services, your data is transmitted to them according to their respective privacy policies:

Service Purpose Data Shared Privacy Policy
Google OAuth Authentication Email Name Profile Google Privacy Policy
Google Calendar API Read upcoming meetings; attach transcripts to events Event titles Times Attendees Descriptions Conferencing links Google Privacy Policy
Google Drive API Per-file import of user-selected Google Docs File contents (selected files only) File metadata Google Privacy Policy
OpenAI API AI Chat, Image Generation Chat messages Uploaded files Images OpenAI Privacy Policy
Google Gemini API AI Chat, Image Generation Chat messages Uploaded files Images Google Privacy Policy
Amazon Web Services (S3) File Storage All uploaded files Generated images AWS Privacy Policy
Amazon SES Email Notifications Email addresses Invitation details AWS Privacy Policy
Unsplash Stock Image Search Search queries Unsplash Privacy Policy
GitHub OAuth Authentication Email Username Profile GitHub Privacy Statement
AssemblyAI Audio transcription (file uploads from web and Desktop, plus real-time streaming from the Desktop app) Audio files Real-time audio stream AssemblyAI Privacy Policy
Important Note on AI Services: When you use AI chat or image generation features, your messages and any attached files are sent to OpenAI or Google Gemini for processing. These services may retain data according to their own policies. We recommend not sharing sensitive personal information in AI conversations.

4. Data Storage and Security

4.1 Where We Store Data

  • Database - User accounts, collections, and metadata are stored in PostgreSQL hosted on Amazon RDS
  • File Storage - Uploaded files are stored in Amazon S3 with encryption at rest
  • Sessions - Login sessions are managed via secure, signed cookies
  • Desktop App Local Storage - The Desktop app keeps an encrypted SQLite vault per signed-in user under your operating system's user-data directory, plus a short-lived audio staging directory used only during a recording session. Encryption details are in section 1.7.

4.2 Security Measures

  • HTTPS encryption for all data in transit
  • OAuth 2.0 for secure authentication (no passwords stored)
  • Encrypted storage for OAuth tokens
  • Operating-system keystore protection for credentials and per-user encryption keys in the Desktop app (Windows DPAPI, macOS Keychain, Linux libsecret)
  • Content Security Policy (CSP) headers to prevent XSS attacks
  • Rate limiting on API endpoints

5. Data Retention

  • Account Data - Retained until you delete your account
  • Content - Collections and items are retained until you delete them
  • AI Chat History - Stored with your items until deleted
  • Usage Logs - Retained for billing and analytics purposes
  • Bug Reports - Retained for debugging, may be deleted after resolution

6. Your Rights and Choices

6.1 Access and Control

  • View Your Data - Access all your collections and content through the app
  • Delete Content - Delete individual items or entire collections at any time
  • Export Data - Download your files and content
  • Disconnect Services - Revoke Google Drive or Google Calendar access from your Google Account's Security settings, or use the in-app "Disconnect" controls. Deleting the Desktop app from your device also removes its local encrypted vault.

6.2 Account Deletion

To delete your account and all associated data, please contact us at privacy@pitara.ai. Upon request, we will:

  • Delete your account and profile information
  • Delete all your collections and items
  • Delete all uploaded files from our storage
  • Remove your usage records

7. Sharing and Collaboration

When you share a collection with others:

  • The recipient can view or edit content based on permissions you set
  • We send email notifications about shared collections via Amazon SES
  • Public collections are accessible to anyone with the link
  • You can revoke access at any time

8. Children's Privacy

Pitara.ai is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.

9. International Data Transfers

Our services are hosted in the United States. If you access Pitara.ai from outside the United States, your data will be transferred to and processed in the United States, where data protection laws may differ from those in your country.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by:

  • Posting the new policy on this page
  • Updating the "Last updated" date
  • Sending an email notification for material changes

11. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Related Documents: