Privacy Policy

1. Introduction

Spontom Enterprises Private Limited ("Company", "we", "us") operates RelayKit ("Service"). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our Service.

2. Information We Collect

2.1 Account Information

• Email address (for authentication and communication)
• Organization name (for tenant identification)
• Password (stored as a hash, never in plaintext)

2.2 Usage Data

• Participant minutes consumed
• Room creation and session data (join/leave timestamps, duration)
• Recording metadata (duration, file size, storage path)
• API request logs (endpoint, timestamp, response status)
• Bandwidth usage

2.3 Technical Data

• IP addresses (for security and rate limiting)
• Browser and device information (via standard HTTP headers)
• API key usage patterns (last used timestamp)

2.4 What We Do NOT Collect

• Audio or video content from meetings (we do not access or store media streams)
• Chat messages or screen shares within meetings
• Payment card details (processed by Stripe, our payment processor)

3. How We Use Your Information

• To provide, maintain, and improve the Service
• To authenticate your identity and manage your account
• To process billing and generate invoices
• To send transactional emails (password resets, billing alerts)
• To monitor service health and detect abuse
• To comply with legal obligations

We do not sell your personal data to third parties. We do not use your data for advertising.

4. Data Storage and Security

Your data is stored securely using the following infrastructure:

• Database: Supabase (PostgreSQL) with row-level security
• Authentication: Supabase Auth with bcrypt password hashing
• API keys: SHA-256 hashed, never stored in plaintext
• Video infrastructure: Self-hosted LiveKit with encrypted WebRTC (DTLS-SRTP)
• Recordings: Stored in tenant-configured S3 buckets or our managed storage
• Emails: Sent via Resend with DKIM-signed domain

All data in transit is encrypted via TLS 1.2+. API keys are hashed before storage — we cannot retrieve your original key after creation.

5. Recordings and Media

When you or your end users initiate a recording:

• The recording is processed on our Egress server
• The output file is uploaded directly to your configured S3 bucket
• We do not retain copies of recordings on our servers after upload
• Recording metadata (duration, size, S3 key) is stored in our database

Your responsibility: You must obtain consent from meeting participants before recording and comply with applicable privacy laws in your jurisdiction.

6. Third-Party Services

We use the following third-party services that may process your data:

7. Data Retention

• Account data: Retained while your account is active. Deleted 30 days after account termination.
• Usage data: Retained for 12 months for billing and analytics purposes.
• Recordings: Stored in your S3 bucket — retention is under your control.
• Server logs: Retained for 30 days for debugging and security.

8. Your Rights

You have the right to:

• Access: Request a copy of your personal data
• Correction: Update inaccurate information
• Deletion: Request account and data deletion
• Export: Download your usage data and recordings
• Objection: Object to specific data processing activities

To exercise these rights, contact privacy@relaykit.live.

9. Cookies

We use essential cookies only for authentication session management. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

10. Children's Privacy

The Service is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users. The "Last updated" date at the top reflects the most recent revision.

12. Contact