Privacy notice

Data we process

When our B2B customers (“organisations”) connect their tools, we process some workspace data in order to deliver the service.

Across these integrations, we may process names, work email addresses, job titles, communication content, meeting participation, timestamps, and interaction metadata.

• From Google Calendar, we access event titles, dates and times, attendees, meeting links, and references to transcript attachments. This access is strictly read-only.
• From Google Docs, we access the content of Google Meet transcripts that are automatically attached to calendar events. This access is also read-only.

We never create, edit, delete, search, or browse any Google content. Access is limited to authorised data required to provide the service.

How we use it

• Calendar data is used to trigger scheduled tasks, such as preparing meeting briefings before meetings.
• Transcript content is processed to generate meeting summaries and contextual analysis that helps managers reflect on communication and leadership style.

As readywhen is a data processor for this type of processing, the organisation is responsible for determining the appropriate lawful basis for their employee data.

Third-party sharing

In the course of providing our services, we may share limited personal data with carefully selected third-party service providers who support our infrastructure, analytics, and processing capabilities. We only share information where it is necessary for specific purposes, and we ensure that appropriate safeguards are in place to protect your data.

• Anthropic’s Claude API — transcript content may be sent for processing. Anthropic retains inputs for up to 30 days for trust and safety purposes, and then deletes them. Anthropic does not use this data for model training.
• Datadog — receives operational metadata only, such as user IDs, event IDs, and content length. It does not receive transcript content.

No other third parties receive Google user data.

Retention and deletion

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including providing our services, maintaining security, and complying with legal and regulatory obligations. When personal data is no longer required, we delete or anonymise it in accordance with applicable data protection laws.

• OAuth tokens are deleted immediately when a user disconnects their Google account. Raw Google data is not retained beyond the processing session.
• Derived outputs such as meeting briefings are retained for the duration of the user’s account. Controller data such as billing information may be retained longer where required by law.
• Users may request deletion of their data by contacting data.protection@readywhen.ai.

User control

As a user, you can authorise access to the data via OAuth 2.0 when connecting integrations. You can also revoke access at any time by disconnecting your Google account or other integrations within the service. Once access is revoked, the service immediately stops retrieving data from those sources.

Storage and security

We apply access controls, logging, and regular security reviews to protect data.

• OAuth tokens for integrations are encrypted at rest using AES-256-GCM in our PostgreSQL database. Data is encrypted in transit and access is restricted to authorised systems.
• Raw transcripts are never stored. They are fetched on demand from Google Docs, processed in memory, and not persisted. Only derived outputs such as briefings and contextual analysis are stored. Google Docs remains the source of truth for transcript content.

Additional information about our security can be found in the “Extra steps we take to protect your data” section below, or in our Trust Centre.

Data we process

When we act as a controller (for customer relationship and service provision), we collect and process personal data necessary to manage customer accounts and deliver our services, including:

• Account registration details (such as name, email address, organisation, and role)
• Billing and payment information
• Customer support communications
• Usage and service interaction data
• Technical and operational metadata (such as user IDs, timestamps, and system logs)
• Contractual and relationship management information

How we use it

When we act as a controller, we use customer relationship and service data to:

• Provide and manage user accounts
• Deliver and maintain our services
• Communicate with customers regarding service updates or support requests
• Process billing and contractual obligations
• Monitor usage for operational performance and security
• Improve service functionality and user experience
• Comply with legal and regulatory requirements

Where required, we rely on legal bases such as legitimate interests, or compliance with legal obligations. We do not use personal data for automated decision-making that produces legal or similarly significant effects.

Third-party sharing

We share personal data with third parties only where this is necessary to provide our services, maintain system reliability, or comply with legal obligations. When acting as a processor on behalf of our customers, we share data only in accordance with our customers’ instructions and applicable data protection laws. When acting as a controller for customer relationship management and service provision data, we determine the purposes and means of processing and ensure appropriate safeguards are in place.

Third parties may include:

• Cloud hosting and infrastructure providers that store and process data on our behalf
• AI service providers used to analyse conversation content in accordance with customer instructions
• Analytics and monitoring providers that receive limited operational or technical metadata
• Customer support and communication tools used to manage service delivery
• Professional advisers, auditors, or regulatory authorities where required by law

All third-party providers are subject to contractual data protection obligations, including confidentiality, security requirements, and restrictions on using data for their own purposes. Where personal data is transferred outside the UK or EEA, we ensure appropriate safeguards are implemented, such as Standard Contractual Clauses or equivalent lawful transfer mechanisms.

A full list of our data processors is included in our Trust Centre.

Retention and deletion

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including providing the service, maintaining customer relationships, and complying with legal obligations.

When we act as a controller, we retain:

• Account and CRM information for the duration of the customer relationship
• Billing and transactional data for the period required by applicable financial and tax laws
• Support communications for a limited period necessary to resolve issues and improve services

Once retention periods expire, personal data is securely deleted or anonymised. Backup copies are overwritten according to our backup lifecycle schedules.

Storage and security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. Data is stored in secure cloud infrastructure operated by reputable providers that comply with industry security standards. Access to personal data is limited to authorised personnel who require it to perform their duties. We also maintain incident response procedures to detect, investigate, and respond to potential security events.

We use Sprinto to manage our security posture, risk, and compliance

Sprinto is a trust management platform that helps centralise security for organisations.

Oliva uses Sprinto for governance purposes in relation to ISO 27001 and the GDPR. Our Sprinto documentation and risk posture is regularly reviewed and updated by our business owners, and reports on our compliance are discussed at our quarterly Management Review meetings.

Please visit our Trust Centre for further information about our security governance.

We successfully achieved the following security certifications

We understand that having independent validation of our security program is important to our customers and users, which is why we are taking continuous steps to assess and improve our security posture and provide assurances to our customers through certifications.

We’ve already successfully passed the following:

• ISO 27001:2022 — an international standard to manage information security. Oliva achieved ISO 27001 certification in April 2024. As part of our certification process, we carry out regular internal audits and external audits with the certification body.

You can find additional information about our security governance in our Trust Centre, or read our Security FAQs.

Exercising your rights

When readywhen acts as a data processor, most workspace data is processed on behalf of your organisation. In these cases, you should contact your employer or organisation to exercise your rights — they determine the purpose and lawful basis for processing. We will assist them where required.

When readywhen acts as a data controller, you may contact us directly to exercise your rights in relation to account data, technical logs, and support communications. You can do so by emailing data.protection@readywhen.ai, or by writing to us at Oliva Health Ltd, 3rd Floor, 86–90 Paul Street, London, Greater London, England, EC2A 4NE. We’ll acknowledge your request as soon as possible and aim to provide the information requested within one month.

Our Data Protection Officer

Our Data Protection Officer (DPO) is Cristina Patru, Data Privacy Counsel. You can contact Cristina at data.protection@readywhen.ai.