Last updated: March 2026 · Passhai Technologies Private Limited
SafeMinutes is built for company governance, not for data collection. This policy explains exactly what we collect, why we collect it, where it is stored, and what rights you have over it. We have written it to be readable, not to bury important things in legal language.
When you create an account, we collect your name, email address, and the password you choose (stored as a bcrypt hash — we never see the plaintext). If you use Google sign-in, we receive your name and email from Google and store nothing else from that flow.
When you use the platform, we collect the data you enter: company details, director information, meeting records, agenda items, resolutions, votes, and uploaded documents. This is your data. It exists to produce the governance records your company needs.
We collect standard server logs — IP addresses, request timestamps, and HTTP status codes — for security monitoring and debugging. These are retained for 30 days and then deleted.
Your data is used exclusively to operate SafeMinutes. Specifically: to authenticate you, to show you your company's meetings and resolutions, to generate minutes PDFs and attendance registers, and to send notifications you have triggered (meeting invites, vote requests, draft minutes circulation).
We do not use your data to train machine learning models. We do not sell your data. We do not share it with third parties except the infrastructure providers listed below, who process it only on our instructions.
All data is stored in India. Our database runs on Google Cloud SQL in the asia-south1 region (Mumbai). File uploads — documents, PDFs, compliance forms — are stored in Google Cloud Storage in asia-south1 with server-side AES-256 encryption at rest.
Signed minutes and certified copies are stored with an additional object-level retention hold, meaning they cannot be deleted by any application code path. This is a deliberate design choice to preserve the statutory record.
Email delivery uses Resend (resend.com), which processes email addresses and message content to send notifications. Resend operates under standard data processing agreements.
Account data is retained for as long as your account is active. If you close your account, your personal data (name, email, password hash) is deleted within 30 days.
Company governance records — meetings, resolutions, minutes, and audit logs — are retained for 8 financial years from the date of the meeting, consistent with the Companies Act 2013 requirement for preservation of statutory records. If you delete a company workspace, we retain the governance records for this period before deletion.
Signed and locked documents are subject to the GCS object-level retention hold described above and cannot be deleted before the retention period expires, regardless of account status.
You can export all your company data at any time from the Archive section of your workspace. The export includes meeting records, resolutions, vote tallies, minutes content, and audit logs in a portable format.
You can request deletion of your personal account data by emailing hello@safeminutes.com. We will complete the deletion within 30 days. Note that governance records associated with your company workspace will be retained for the statutory period described above, as these are not personal data — they belong to the company record.
You can correct your profile information (name, email) from your account settings at any time.
Passwords are hashed with bcrypt at cost factor 12. All data in transit is encrypted with TLS 1.2 or higher. All data at rest is encrypted with AES-256. Access to production infrastructure is restricted to authorised personnel only, with audit logging on all access.
We use JWT tokens for session management with a 7-day expiry. Google OAuth is available as an alternative to password authentication.
If you discover a security vulnerability, please email hello@safeminutes.com. We will respond within 48 hours.
SafeMinutes uses a single session cookie for the Google OAuth flow only. This cookie has a 10-minute lifetime and is used solely to maintain OAuth state during the sign-in handshake. It is not used for tracking or analytics.
We do not use any third-party analytics or advertising cookies. We do not use Google Analytics, Mixpanel, or any equivalent service.
If we make material changes to this policy, we will notify you by email at least 14 days before the changes take effect. The date at the top of this page reflects when the policy was last updated. Continued use of SafeMinutes after the effective date constitutes acceptance of the updated policy.
For any privacy-related questions, to exercise your data rights, or to report a concern, contact us at hello@safeminutes.com.
SafeMinutes is operated by Passhai Technologies Private Limited, registered in India.