§ Privacy

Privacy policy.

In plain English: We're a small shop. We take your Plaud recordings, run them through Anthropic's AI to figure out what goes where, and route them to the tools you've connected. We store the audio, transcripts, and summaries in Supabase (US). We do not train AI on your recordings. We do not sell your data. You can delete any recording with one click, or nuke your whole account whenever you want.

Effective date · April 21, 2026

1. Who we are

Cordari is operated by Radiant Maple Studios LLC, a California limited liability company ("Radiant Maple," "we," "us," "our"). This Privacy Policy explains how we collect, use, store, and share information when you use Cordari at cordari.ai and any related services (the "Service").

For privacy questions or to exercise your rights, contact privacy@radiantmaple.com.

2. Scope

This policy applies to information we collect through the Service. It does not apply to:

  • Plaud (the hardware and the Plaud cloud service operated by Plaud's manufacturer). Plaud's own privacy policy governs your use of Plaud's hardware and cloud.
  • Third-party destinations you connect (Notion, Obsidian, Google Drive, Todoist, Google Calendar, email inboxes, webhook endpoints). Once we deliver content to a destination you authorized, that content is governed by that third party's terms and privacy policy.

3. Information we collect

TL;DRYour Google account info, your Plaud bearer token, the recordings/transcripts/ summaries we pull from Plaud, your integration tokens, payment info (via Stripe), and basic service logs.

3.1 Account information

We use Google Sign-In as the only authentication method. When you sign in, Google provides us:

  • Your name
  • Your email address
  • Your Google account ID
  • Your profile picture (if set)

We do not store your Google password. You can revoke Cordari's access from your Google Account at any time.

3.2 Plaud access credentials

To retrieve your recordings from Plaud, you supply a Plaud bearer token. We store this token encrypted and use it to make authenticated requests to Plaud on your behalf. You can revoke or rotate this token at any time from your Plaud account or from Cordari's settings.

We are not affiliated with, endorsed by, or operated by Plaud. Our access to Plaud depends on credentials you provide and on interfaces Plaud exposes, which Plaud may change or restrict at any time.

3.3 Content from Plaud

Once authenticated, we retrieve and store:

  • Audio recordings
  • Transcripts (produced by Plaud)
  • Summaries (produced by Plaud)
  • Associated metadata (title, duration, timestamps, speaker labels)

3.4 Integration credentials and configuration

When you connect a destination (Notion, Google Drive, Todoist, Google Calendar, Obsidian vault via its API, email addresses, or webhook URLs), we store the OAuth tokens, endpoint URLs, signing secrets, and routing preferences needed to deliver content. OAuth tokens and webhook signing secrets are stored encrypted.

3.5 Derived content

Our AI router generates classifications, task extractions, calendar-event extractions, and routing decisions from your Plaud content. This derived content is stored alongside the source content and deleted on the same schedule.

3.6 Payment information

Payments are processed by Stripe. We do not see or store full payment card numbers. We store a Stripe customer ID, subscription status, plan, and a redacted card descriptor (brand and last four digits) returned by Stripe.

3.7 Service logs and operational data

We collect standard operational data: IP address, user agent, timestamps, API request paths, error traces, and integration delivery status. These logs are used for security, debugging, abuse prevention, and service reliability.

4. How we use information

We use your information to:

  • Authenticate you and secure your account
  • Retrieve your content from Plaud using the credentials you supplied
  • Classify and route content using AI (see Section 5)
  • Deliver content to the destinations you have authorized
  • Send operational notifications (email digests, webhook deliveries) that you have configured
  • Bill you, prevent fraud, and administer your subscription
  • Detect abuse, debug failures, and maintain the Service
  • Communicate with you about the Service (account notices, material changes)

We do not use your recordings, transcripts, or summaries to train AI models. We do not sell your personal information.

5. Subprocessors

We share information with a limited set of service providers ("subprocessors") strictly to operate the Service. As of the effective date, they are:

SubprocessorPurposeData processedRegion
AnthropicAI routing and classification of summariesSummaries and transcript excerpts necessary for classificationUS
SupabaseAuthentication, database, file storageAll stored content and account dataUS
RailwayApplication hosting and computeData in transit during processing; operational logsUS
StripePayment processingBilling identifiers, subscription status, card metadataUS / global
GoogleOAuth identity (sign-in) and, if you connect them, Google Drive and Google Calendar deliveryIdentity tokens; content you route to Drive or CalendarUS / global

We do not send Plaud content to any subprocessor other than those listed above, and only as needed to deliver the Service. An updated list is maintained at cordari.ai/subprocessors.

6. Legal bases (EEA, UK, Switzerland)

If you are in the EEA, UK, or Switzerland, we process your data on the following legal bases:

  • Performance of a contract (Art. 6(1)(b) GDPR) — to deliver the Service you've subscribed to.
  • Legitimate interests (Art. 6(1)(f) GDPR) — to secure the Service, prevent abuse, and improve reliability.
  • Consent (Art. 6(1)(a) GDPR) — for any processing you specifically opt into (e.g., marketing email, if we ever add it).
  • Legal obligation (Art. 6(1)(c) GDPR) — to comply with applicable law.

7. International transfers

We are based in the United States and store data in the United States. If you access the Service from outside the US, your information will be transferred to and processed in the US. Where required, we rely on the European Commission's Standard Contractual Clauses and equivalent UK/Swiss mechanisms with our subprocessors.

8. Retention

TL;DRFree tier: 30-day rolling retention of your content. Pro tier: unlimited, until you delete it. Account deletion is non-cascading — we can't delete the copies already pushed to your Notion, Drive, Todoist, etc.
  • Solo (free): Recordings, transcripts, summaries, and derived content are automatically deleted 30 days after they were ingested.
  • Pro: Retained until you delete them or close your account.
  • Any tier: You can delete any recording with a single click. Deletion is immediate in our database and purged from object storage within 30 days.
  • Account closure: When you delete your account, we delete your stored content, integration tokens, and Plaud credentials. We retain minimal records (billing history, fraud-prevention signals, and legal-compliance records) for as long as required by law, typically up to seven years for financial records.

Non-cascading deletion. Content we have already delivered to your connected destinations (Notion pages, Drive files, Todoist tasks, Calendar events, emails, webhook payloads) lives in those destinations under your control. Deleting the source in Cordari does not delete those downstream copies. You must delete them in the destination tool yourself.

9. Security

  • All data is encrypted in transit (TLS 1.2+) and at rest.
  • Plaud bearer tokens, OAuth tokens, and webhook signing secrets are stored encrypted with keys separate from the application database.
  • Access to production systems is limited to authorized personnel and audited.
  • We do not train AI models on your recordings, transcripts, or summaries.
  • No system is perfectly secure. We will notify you of a security incident affecting your personal data without undue delay and, where legally required, within 72 hours of becoming aware of it.

10. Your rights

Depending on where you live, you have rights regarding your personal information. These may include:

  • Access — get a copy of the data we hold about you.
  • Correction — correct inaccurate data.
  • Deletion — delete your data (see Section 8).
  • Portability — receive your data in a portable format.
  • Restriction / objection — limit or object to certain processing.
  • Withdraw consent — where processing is based on consent.
  • Complaint — lodge a complaint with your local data-protection authority.

Most of these can be exercised directly in Cordari's settings. For anything else, email privacy@radiantmaple.com. We respond within 30 days.

11. California residents (CCPA / CPRA)

California residents have additional rights:

  • Right to know what categories of personal information we collect, the purposes, and the categories of third parties we share it with (disclosed in Sections 3–5).
  • Right to delete your personal information (Section 8).
  • Right to correct inaccurate personal information.
  • Right to opt out of "sale" or "sharing" we do not sell or share your personal information as those terms are defined under the CPRA.
  • Right to limit use of sensitive personal information — we do not use sensitive personal information for purposes beyond providing the Service.
  • Right to non-discrimination for exercising these rights.

To exercise these rights, email privacy@radiantmaple.com. We may need to verify your identity before fulfilling a request.

12. Children

The Service is intended for users 18 and older. We do not knowingly collect personal information from anyone under 18. If we learn we have collected information from a person under 18, we will delete it. If you believe a minor has provided us information, contact privacy@radiantmaple.com.

13. Cookies and similar technologies

We use strictly necessary cookies and similar technologies to keep you signed in and to secure the Service. We do not use third-party advertising cookies.

14. Law-enforcement requests

We will disclose personal information when required by valid legal process (subpoena, court order, warrant) or where we have a good-faith belief that disclosure is necessary to protect our rights, users, or the public. We will push back on overbroad requests and notify you where not legally prohibited.

15. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and post a notice in the Service at least seven days before the changes take effect. The "Effective date" at the top reflects the current version.

16. Contact

Radiant Maple Studios LLC
Carlsbad, California, USA
Privacy: privacy@radiantmaple.com
Legal: legal@radiantmaple.com