Last updated: June 5, 2026
Privacy Policy
This Privacy Policy explains how RecordFlow ("we", "us", or "our") collects, uses, and protects your information when you use our service. We are committed to protecting your privacy and handling your data transparently.
Data Controller
The data controller responsible for your personal data is:
Adam Dobrawy
al. Jerozolimskie 89/43, 02-001 Warszawa, Poland
NIP: 7011027851 | VAT EU: PL7011027851
Contact: support@recordflow.org
1. Information We Collect
Account Information (from Zoom OAuth)
When you sign in with Zoom, we receive and store:
- Your Zoom user ID
- Display name
- Email address
- OAuth access and refresh tokens (encrypted with AES-GCM)
- The list of OAuth scopes you have granted us (used to gate optional features such as auto-delete)
- Disconnection timestamp (recorded when your Zoom connection expires; cleared when you reconnect)
Optional scope — recording deletion: If you enable the optional Auto-delete after archive feature, RecordFlow additionally requests the cloud_recording:delete:meeting_recording scope. This scope is requested only at the moment you opt in and only used to move recordings to your Zoom Trash after they have been successfully transferred to your Google Drive. If you turn the feature off, RecordFlow stops issuing delete calls; revoking the scope from Zoom's app settings has the same effect — if Zoom reports that the permission was revoked, we stop trying to delete and you'll need to reconnect Zoom to turn auto-delete back on.
Admin-managed deployment data
RecordFlow offers a separate admin-managed Zoom Marketplace app for organizations where a single administrator archives recordings on behalf of other users in the same Zoom account. When an admin installs this app, we additionally receive and store:
- The Zoom account identifier (account_id from Zoom's OAuth users/me response) and an optional human-readable account name.
- The list of active Zoom users in that account (Zoom user ID, name, email), fetched through the user:read:list_users:admin scope. New members are added with archival off by default; subsequent fetches refresh each member's name, email, and Zoom-side status. If a member disappears from a fresh fetch, we mark them as removed in our records — and if they reappear later, we restore them along with the admin's earlier choice about whether to archive them. The admin uses this list to choose which members to archive; only members the admin explicitly toggles "on" are in scope for sync.
- The admin app reads cloud-recording metadata, recording files, and transcripts on behalf of the enabled members, using Zoom's admin-scoped APIs. We use them only to copy enabled members' recordings into the admin's Google Drive folder. The same per-meeting sync activity described below is stored for each enabled member.
Member visibility: the admin who installs the admin-managed app can see every active user's name and email in their Zoom account. If your Zoom admin has installed the admin-managed app and enabled your Zoom user, your cloud recordings are archived to a Google Drive folder controlled by an admin on your Zoom account.
For admin-managed installs, the Google Drive authorization is stored once per Zoom account, not per admin. The stored authorization belongs to the admin who connected Drive. If that admin disconnects Google Drive (in RecordFlow or by revoking access in their Google account), the stored authorization is cleared and sync pauses. Any other admin on the same Zoom account can reconnect Drive to resume sync; their authorization replaces the previous one for the whole account.
Member rights pathway: If your Zoom admin enabled you in RecordFlow and you want to see, correct, or delete your data — or stop archival entirely — you can email us at support@recordflow.org or ask your Zoom admin to turn your toggle off (or uninstall the app). Either route works; we'll route the request appropriately and confirm back to you.
Google Drive Connection (from Google OAuth)
When you connect Google Drive, we receive and store:
- OAuth access and refresh tokens (encrypted with AES-GCM)
- Your selected Drive folder ID
- Disconnection timestamp (recorded when your Google Drive connection expires; cleared when you reconnect)
We request only the drive.file scope, which limits RecordFlow's access to files and folders that RecordFlow itself creates in your Google Drive and to folders you explicitly select via the Google Picker during setup. Selecting a folder does not grant RecordFlow access to existing files within it — RecordFlow can only access the folder itself and any files it subsequently creates there. RecordFlow cannot read, modify, or delete any other files in your Drive.
Preferences and Feature Settings
We store your in-app preferences:
- Email notification preference (on/off)
- Transcript-only sync preference (on/off)
- Auto-delete after archive preference (on/off)
- Feature flags enabled for your account (used to gate optional features during rollout)
Session Data
We use encrypted cookies to maintain your login session. These cookies contain your user ID encrypted with AES-GCM and are strictly necessary for the Service to function.
Recording Content
We do not permanently store your recording content. Recordings are streamed from Zoom's servers through our Cloudflare Worker and uploaded to your Google Drive in small chunks. File data is held in memory only during the active transfer and is not persisted on our infrastructure.
Sync Activity
We store meeting-level sync activity to display on your dashboard:
- Zoom meeting topic and start time
- Sync status (observed, started, in-sync, processing, synced, cancelled, blocked, or error)
- Google Drive folder ID for the meeting's archived files
- The list of Zoom recording-file identifiers we've already transferred for the meeting, so we don't re-create files you've deleted from your Drive
- Error messages if sync failed
- Timestamps of sync completion
- Cumulative bytes uploaded to Google Drive per meeting
Deletion state (Optional)
When you use any Zoom deletion feature — the automatic Auto-delete after archive toggle or the on-demand Delete from Zoom button in your sync history — RecordFlow stores additional per-meeting fields on top of the sync activity above: the moment a recording becomes eligible for deletion (start time + 24h or sync time, plus a 3-day grace window, whichever is later), the moment we issue the delete call, the moment we confirm success, and the moment a recording is detected absent from Zoom (by any means — our delete, user-side trash, or Zoom retention policy). We also write an immutable audit row for every attempt — successful or failed — recording the meeting UUID, how many files we had on record as transferred to your Drive for the meeting, the Zoom HTTP status, any Zoom error code, and what triggered the attempt. We never modify these entries after writing them; the log is retained for 24 months for security forensics and customer-dispute resolution.
Notification deduplication token: When we send you an email that a recording has been archived, we store a short opaque token so we don't email you about the same meeting twice (Zoom delivers recording files in waves — video, audio, transcript, AI summary — and we collapse those into a single notification). The token is an HMAC-SHA-256 hash of the Zoom meeting UUID, keyed with a server-side secret. It is not reversible without our secret, it does not contain the meeting topic, date, or participants, and it is deleted automatically after two years.
2. How We Use Your Information
We use the information we collect to:
- Authenticate you and maintain your session
- Access your Zoom cloud recordings via the Zoom API
- Upload recordings to your specified Google Drive folder
- Deduplicate recordings (by checking Zoom file IDs in Drive file descriptions)
- Manage sync locks to prevent concurrent operations
- Send you email notifications when recordings are ready in your Google Drive (if enabled in your settings)
- Notify you if your Zoom or Google Drive connection expires and needs to be re-established
- Track and display sync progress for each meeting on your dashboard
- Send you a one-time confirmation email when your account is deleted, and ask why you left.
- When you opt into Auto-delete after archive: move recordings to your Zoom Trash three days after every archivable file from the recording has been successfully transferred to your Google Drive. Whatever you do with the Drive copies after that — moving, renaming, even deleting them — doesn't change the schedule. We never call Zoom's permanent-delete endpoint, so recordings remain restorable from your Zoom Trash for thirty days.
3. Data Storage and Security
Your data is stored using Cloudflare's infrastructure:
- Cloudflare D1 (SQLite database): Stores user accounts, encrypted OAuth tokens, and sync meeting history
Security measures include:
- All OAuth tokens are encrypted with AES-256-GCM before storage
- OAuth 2.0 with PKCE for both Zoom and Google authentication
- Encrypted session cookies (AES-GCM)
- All data transmitted over HTTPS
- No plaintext credential storage
4. Third-Party Services
RecordFlow integrates with the following third-party services:
- Zoom Video Communications: To access your cloud recordings. Subject to Zoom's Privacy Policy
- Google (Google Drive): To store archived recordings. Subject to Google's Privacy Policy
- Cloudflare: Infrastructure provider for compute and database. Subject to Cloudflare's Privacy Policy
- Resend (Resend, Inc.): Transactional email delivery for account, archive, and offboarding notifications. When email notifications are enabled, Resend receives your email address and name for email delivery. Resend does not receive your recordings, OAuth tokens, or other credentials. Subject to Resend's Privacy Policy
- Sentry (Functional Software, Inc.): Error tracking and performance monitoring. When errors occur, Sentry receives diagnostic data including error messages, stack traces, browser/device information, and your email address (for identifying affected users). Sentry does not receive your recordings, OAuth tokens, or other sensitive credentials. Subject to Sentry's Privacy Policy
5. Google API Services User Data Policy
RecordFlow's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only use Google Drive access to upload your Zoom recordings and create organizational folders in your selected Drive destination.
- We do not use Google data for advertising, market research, or email campaigns.
- We do not sell or transfer Google data to third parties except as necessary to provide the service (Cloudflare for infrastructure).
- We do not use Google data for purposes unrelated to the core functionality of archiving Zoom recordings to Google Drive.
- A human can review your data only with your affirmative consent, for security purposes, to comply with applicable law, or for our internal operations solely related to providing the Service.
6. Data Retention
- Account data: Retained while your account is active. Deleted immediately upon Zoom app deauthorization (or within 30 days of any other form of account termination). Immediately after deletion, we use your email address one final time to send a deletion-confirmation email (see §2) and then discard it; no post-deletion copy is retained on our infrastructure.
- Sync history: Retained while your account is active. Deleted within 30 days of account termination.
- Member directory data (admin-managed app): Retained while the admin-managed app is authorized on the Zoom account. Deleted within 30 days of Zoom telling us the app has been removed from the admin-managed account, mirroring the Terms of Service and our Data Processing Addendum.
- Session cookies: Expire based on cookie lifetime settings.
- Sync lock and rate-limit data: Stored in the D1 database with short TTLs (15 seconds to 24 hours). Automatically cleaned up on the next access after expiry.
- Auto-delete audit log: Retained for 24 months from the date of each deletion attempt. We never modify entries after writing them.
- Archived recordings: Stored in your Google Drive under your control. We do not manage or delete files in your Drive.
7. Your Rights
You have the right to:
- Access your data: View your account information through the dashboard
- Delete your data: Request account deletion by contacting us. You can also revoke OAuth access at any time through your Zoom and Google account settings.
- Data portability: Your recordings are stored in your own Google Drive and are fully under your control
- Manage notifications: Enable or disable email notifications at any time from your dashboard settings
For EU/EEA Residents (GDPR)
If you are located in the EU/EEA, you have additional rights under GDPR including the right to rectification, restriction of processing, and the right to lodge a complaint with your local data protection authority (in Poland, the Prezes Urzędu Ochrony Danych Osobowych — UODO).
Our lawful bases under Article 6 GDPR are:
- Contractual necessity (Art. 6(1)(b)): account creation, authentication, syncing your recordings to Google Drive, sync-status notifications, and connection-expiry reminders — all necessary to provide the Service you have requested.
- Legal obligation (Art. 6(1)(c)): responding to your rights requests under GDPR, including confirming when your data has been deleted.
- Legitimate interests (Art. 6(1)(f)): security and abuse prevention (rate limits, audit logging for the optional auto-delete feature), and a single post-deletion email that confirms account closure and invites optional feedback. You may object to processing based on legitimate interests at any time by contacting support@recordflow.org.
Controller / processor split for the admin-managed app. For the admin-managed Zoom Marketplace app, RecordFlow processes member personal data (Zoom user records, cloud-recording content, member-level sync history) on the admin organization's documented instructions, as a processor under Art. 28 GDPR. The admin organization is the controller and warrants — under the Terms of Service — that it has identified its own lawful basis for the processing (typically Art. 6(1)(b) performance of an employment / engagement contract, or Art. 6(1)(f) legitimate interest in business-record retention), and that it has given members the information required by Art. 14. For the standalone user-managed app, RecordFlow remains the controller for the data you provide about yourself. Our full processor obligations and sub-processor list are documented in our Data Processing Addendum.
International data transfers. RecordFlow's primary infrastructure is Cloudflare D1 (a SQLite database) and Cloudflare Workers. Cloudflare operates a global multi-region network; D1 reads and writes can be served from any Cloudflare data centre, including data centres in the United States. Where personal data originating in the EU/EEA is processed outside an adequacy-decision country, the transfer mechanism is the European Commission's Standard Contractual Clauses (SCCs), incorporated into our agreement with Cloudflare and (for downstream processors) with Google, Resend, and Sentry. Copies of the operative SCCs and our sub-processor list are available on request to support@recordflow.org.
For California Residents (CCPA)
California residents have the right to know what personal information is collected, request deletion of personal information, and opt out of the sale of personal information. We do not sell your personal information.
8. Cookies and Similar Technologies
RecordFlow uses strictly necessary cookies for authentication session management. We do not use advertising or marketing cookies.
We use Sentry for error monitoring and session replay. Session replays (DOM snapshots of user interactions) are captured for all browsing sessions to help diagnose issues and improve the user experience. Replays do not record passwords, credit card numbers, or other sensitive input fields.
9. Children's Privacy
RecordFlow is not directed at children under 13 (or 16 in the EU/EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us for removal.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of material changes by updating the "Last updated" date. Continued use of the Service after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at support@recordflow.org.
Correspondence address:
al. Jerozolimskie 89/43, 02-001 Warszawa, Poland