Last updated: 29 June 2026 · For customer and security-review use
Mastt AI processes meeting and email content to generate minutes, tasks and actions for construction owner's representatives. This one-pager explains what personal data we handle, why, where it lives, and who else processes it.
What we process
- Account & identity: name, email address, time zone, and optional profile details (role, region/jurisdiction, sector) used to personalise assistance.
- Customer content: meeting titles, dates and attendee lists; pasted or uploaded transcripts; generated minutes; uploaded documents; extracted tasks and action items; and — where the customer enables email forwarding — the forwarded email content.
- AI conversations: the questions and responses exchanged with the in-app assistant.
- Integration tokens: OAuth credentials for any third-party services the customer chooses to connect (e.g. Microsoft, Xero, Procore), stored encrypted.
Why we process it
- To deliver the service: generate minutes, extract and track tasks/actions, and answer questions about a customer's own projects and meetings.
- We do not sell personal data and do not use it for advertising.
AI processing & model training
- The in-app assistant and minutes/task generation send relevant content — transcripts, minutes text, the items being extracted, the assistant conversation, and any optional profile context — to Anthropic's Claude API, called directly over TLS.
- Document semantic search sends uploaded document pages and images (and the text of scanned PDFs, for OCR) to Google's Gemini API to build the search index. This applies only when the feature is enabled.
- Some uploaded documents and AI-generated files are processed in, and stored transiently by (~30 days), Anthropic's secure file/code-execution environment to support document generation.
- Neither Anthropic nor Google uses these inputs or outputs to train its models.
- AI outputs (e.g. generated minutes, extracted actions) are stored in the customer's account so they can be reviewed and edited.
Data residency
- All customer data we store for this specific product — database records and uploaded files — resides in a United States Azure region.
- AI sub-processors (Anthropic, Google) process API requests on their own infrastructure and do not train on the data; processing region is governed by their commercial terms.
Sub-processors
We use a small set of vendors to operate the service. Personal data is shared only as needed to provide it:
Sub-processor
Purpose
Microsoft Azure
Hosting, database, and file storage (US region)
Anthropic
Assistant and minutes/task AI (Claude API); no training on customer data
Google
Document search embeddings & scanned-PDF OCR (Gemini API); no training on customer data
Inngest
Background-job and workflow processing
Sendgrid (Azure-hosted)
Inbound email capture — only if the customer enables email forwarding
Customer-connected integrations are engaged only when the customer explicitly connects them, and data flows to/from those services at the customer's direction.
Retention & deletion
- Customer content is retained for the life of the account so it remains available in the product.
- On account or organisation closure, associated data is deleted (or returned on request) within a commercially reasonable period.
- Customers can delete individual meetings, documents, tasks and conversations from within the product at any time.
Your rights
- Customers and their users can access, export, correct and delete their personal data, in line with applicable privacy laws.
- We act on verified requests to access or erase personal data and assist customers in meeting their own obligations to data subjects.
Security of personal data
- Personal data is encrypted in transit and at rest, isolated per organisation, and access-controlled. See the Cyber Security Overview for detail.
Compliance posture
- We align our handling of personal data with core data-protection principles (lawful basis, data minimisation, purpose limitation, security).
Privacy contact: security@mastt.com · We respond to privacy and data-subject requests at this address.