Privacy Policy

Effective: 13 May 2026

1. Introduction

This Privacy Policy explains how Moment42 ApS (CVR 45575357) ("Moment42", "we", "us", "our"), a private limited company organised under the laws of Denmark with its registered office at Laurids Bings Alle 2, 2000 Frederiksberg, Denmark, collects, uses, stores, shares, and discloses information when you use the Moment42 web application, mobile applications, and supporting services (collectively, the "Service").

Moment42 is the data controller for personal data processed through the Service. If you have questions about this policy or how we handle your personal data, contact us at privacy@moment42.com.

2. Information we collect

2.1 Account data

When you create or use a Moment42 account we collect: your email address, name, locale, time zone, avatar, hashed login passcodes, hashed refresh tokens, and registered passkey credential metadata (the public key and credential identifier - we do not receive or store your biometric data).

2.2 Meeting data

We collect and store the meeting information you create or that is shared with you through the Service, including: meeting subjects and intents, participant lists, proposed and confirmed time windows, locations, follow-up actions, meeting templates, and the conversation history of the AI assistants you interact with inside meetings.

2.3 Calendar, contacts, and online-meeting data from third-party providers

With your explicit OAuth consent we connect to Google (Google Calendar, Google Contacts, Google Meet), Microsoft (Microsoft 365 Calendar, Microsoft personal Calendar, Microsoft Teams via Microsoft Graph), and Zoom (Zoom Meetings). The Service reads availability information, reads or creates calendar events, reads contact suggestions, and creates online-meeting links on your behalf, in each case strictly within the scopes you granted at connection time. You can revoke a connection at any time from your account settings or from the provider's own account dashboard.

2.4 Communications data

On your behalf and at your direction we send meeting invitations, follow-up emails, and ICS calendar attachments. We also process inbound emails (for example RSVP replies) that participants send to a Moment42-controlled inbound address; this lets us reflect responses on your meetings. Email delivery and inbound parsing are handled by Twilio SendGrid.

2.5 Notifications data

When you register a device for push notifications we store the device push token (iOS APNs, Android FCM, or Web Push) and the associated platform identifier so we can deliver notifications you have opted into.

2.6 Telemetry and diagnostics

Standard server logs include your IP address, user agent, request paths, response codes, and timing information. We also capture distributed traces and error reports via OpenTelemetry. This data is used only for operating, debugging, and securing the Service, and to detect abuse.

2.7 Cookies

We use a minimal set of strictly necessary cookies: moment42.access_token and moment42.refresh_token for authentication, an anti-forgery cookie to protect form submissions, and a SiteAccess cookie that gates access during private beta. We do not use third-party advertising or analytics cookies that track you across sites.

3. How we use information

We use the information described above to:

• Operate the Service: authenticate you, render meetings, find times, send invitations, and process RSVPs.
• Provide AI features: power the conversational and functional AI assistants, meeting skills, and virtual participants you have chosen to use.
• Send transactional notifications related to your meetings and account.
• Debug, secure, and improve the Service.
• Comply with our legal obligations.

4. Legal bases (GDPR Article 6)

• Performance of a contract - operating the Service for users who have signed up.
• Legitimate interests - security, abuse prevention, troubleshooting, and improving the Service.
• Consent - connecting Google, Microsoft, Zoom, or other third-party accounts; receiving optional product communications.
• Legal obligation - tax and accounting records, responding to lawful requests.

5. Google API Services User Data Policy / Limited Use disclosure

Moment42's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

The scopes we request from Google when you connect a Google account are used as follows:

• Google Calendar (read and write events) - read your availability and meetings, create and update events for the meetings you organise, and add or remove participants you have explicitly added in Moment42.
• Google Contacts (People API) - suggest participants to add to your meetings based on your contacts and recent collaborators.
• Google Meet - create or attach Google Meet conferencing links to the meetings you schedule through Moment42.

Specifically, in respect of data received from Google APIs:

• We use Google user data only to provide and improve the user-facing features of Moment42 that are visible in the product (scheduling, calendar reading and writing, contact suggestions, and creation of Google Meet links).
• We do not transfer Google user data to others except as necessary to provide or improve these user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets (in which case we will provide notice).
• We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
• We do not allow humans to read Google user data, except: (a) with your affirmative consent for specific messages; (b) to the extent necessary for security purposes, such as investigating abuse; (c) to comply with applicable law; or (d) where the data has been aggregated and anonymized and is used to operate, maintain, or improve the Service.

6. Microsoft Graph and Zoom analogous disclosure

The same principles apply to data received via Microsoft Graph (Microsoft 365 Calendar, Microsoft personal Calendar, and Microsoft Teams) and via Zoom OAuth scopes:

• We use Microsoft Graph and Zoom data only to provide the scheduling, calendar, and online-meeting features visible in Moment42.
• We do not transfer the data to third parties except as needed to provide these features, to comply with law, or as part of a corporate transaction.
• We do not use the data to serve advertising of any kind.
• We do not allow humans to read the data except with your consent, for security investigations, for legal compliance, or in aggregated and anonymized form.

7. Sub-processors

We rely on the following sub-processors to operate the Service. Each is bound by data protection obligations consistent with this policy:

• Microsoft Azure - cloud hosting, SQL database storage, blob storage, push notification delivery via Azure Notification Hubs, and large language model inference via Azure OpenAI.
• Google - Google Calendar, Google Contacts (People API), and Google Meet access initiated by you via OAuth.
• Google Places API - server-to-server place lookups using Moment42's API key, used to resolve the meeting location text you type into an address and place identifier. No user OAuth is involved and no user-account data is sent to Google Places beyond the location text you have entered.
• Microsoft (consumer and enterprise identity) - Microsoft Graph access to Microsoft 365 Calendar, personal Calendar, and Microsoft Teams initiated by you via OAuth.
• Zoom Video Communications - Zoom OAuth and Zoom Meetings creation initiated by you.
• Twilio SendGrid - transactional email delivery and inbound email parsing (RSVP processing).

8. Data sharing

We do not sell your personal data. We share personal data only with the sub-processors listed above (acting on our instructions), with meeting participants you have explicitly added (so that they can receive your invitations and follow-ups), and where required by law.

9. International transfers

Personal data is primarily processed within the European Economic Area. Some sub-processors operate infrastructure or support functions outside the EEA (notably in the United States). For such transfers, we rely on the European Commission's Standard Contractual Clauses and, where applicable, additional safeguards consistent with EU data protection law.

10. Retention

• Account data is retained while your account is active. When you delete your account, we delete your personal data and meeting data without undue delay. Some data may persist in backups for a limited period and then expires automatically, and we may retain limited records where we are required to do so by law (for example tax and accounting obligations).
• Meeting data is retained while your account is active unless deleted by you.
• Server logs and traces are retained for up to 90 days.
• Refresh tokens have a maximum lifetime of 30 days and are rotated on each refresh; revoked tokens are kept only as long as needed to detect token replay.

11. Your rights

Under the GDPR you have the right to: access your personal data; have inaccurate data corrected; have your data erased; restrict or object to processing; receive a portable copy; and lodge a complaint with a supervisory authority. The supervisory authority for Moment42 ApS is the Danish Data Protection Agency (Datatilsynet, datatilsynet.dk).

To exercise these rights, email privacy@moment42.com.

12. Security

We protect personal data with transport-layer encryption (TLS) in transit, encryption at rest provided by the underlying cloud platform, hashed storage of login passcodes and refresh tokens, and registration of WebAuthn passkey credentials by public key only. We maintain an incident-response process; if a personal data breach affecting you is likely to result in a high risk to your rights and freedoms, we will notify you in accordance with applicable law.

13. Children

Moment42 is not directed at children under 16. We do not knowingly collect personal data from children under that age. If you believe a child has provided us with personal data, contact us so we can delete it.

14. Changes to this policy

We may update this policy from time to time. When we do, we update the "Effective" date at the top. For material changes we will additionally surface a notice inside the Service.

15. Contact