Privacy Policy

Who we are

Murakami Labs OPC is a small independent studio that operates Polmi. We are the controller of the personal information described in this Privacy Policy. You can reach us at privacy@murakamilabs.com for any privacy question, request, or complaint. Product support is handled at support@polmi.app. Privacy, legal, DMCA, and data-protection inquiries are handled by Murakami Labs OPC at its murakamilabs.com addresses.

Information we collect

We collect the following categories of information.

Account information

When you create an account, we collect your email address and the authentication information used to sign you in and secure your account. If you join or create a study group, we also process information about your group membership.

Audio you record or upload

Polmi records lecture audio through your device or accepts audio files that you upload. This audio is the core input to the Service. We process it to produce transcripts, summaries, and flashcards. You control what you record and upload. We do not fetch audio from third-party services such as YouTube, podcast hosts, or social media. All audio comes from your device microphone or from files you upload from your device.

Recording laws vary by jurisdiction. In some places (including California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Pennsylvania, Washington in the United States, and many countries in the European Union, the United Kingdom, Canada, and elsewhere) recording a conversation requires the consent of all participants. You are responsible for complying with the recording laws of your jurisdiction and the policies of your institution before you press record. Our app may display additional reminders in jurisdictions with stricter consent rules; those reminders are informational and do not constitute legal advice. The Terms and Conditions describe your responsibilities here in detail.

Audio and voice

Audio recordings could be argued to fall within laws that protect biometric or voice identifiers, including the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), Washington biometric privacy law (RCW 19.375), and Article 9 of the EU and UK General Data Protection Regulation when applicable. These laws generally protect biometric templates created from voice (voiceprints) used for identifying individuals, not raw audio recordings.

Polmi does not create voiceprints. We do not perform speaker identification, voiceprint matching, voice fingerprinting, voice unlock, or any other biometric processing of your audio. We process audio only to produce transcripts, summaries, flashcards, and translations on your behalf, and we retain audio only for the periods described in "Data retention" below. If we ever add features that could be construed as biometric processing, we will update this Privacy Policy and obtain any consents required by applicable law before any such processing begins.

If you are a resident of Illinois or another jurisdiction with a biometric privacy law and you wish to opt out of any processing that might be construed as biometric, contact privacy@murakamilabs.com. Where applicable law requires a separate consent for biometric processing, we will obtain that consent before any such processing.

Generated content

We store the transcripts, notes, summaries, and flashcards that Polmi generates from your audio, along with any edits you make and any items you share with classmates or study groups.

Subscription and billing status

We collect information about your plan, your subscription state, and whether a purchase is active. Individual plans are purchased through the Apple App Store or Google Play. Roundtable (our group bundle of five Notebook seats) is purchased on the web through Paddle (Paddle.com Market Ltd.), which acts as the merchant of record for those transactions. We do not collect or store your full payment card number. The relevant store or payment processor handles the payment instrument and shares limited transaction and subscription-status information with us.

Usage and device information

We collect information about how you interact with the Service, such as features used, actions taken, app version, device type, operating system, language settings, approximate region, identifiers, and diagnostic and crash data. We use this to operate, secure, and improve the Service. Your IP address is logged briefly for security, abuse prevention, and operational purposes. We do not use IP addresses to build a user profile or to track you across other websites. IP-address logs are retained for short operational windows set by our hosting and DNS providers, typically hours to a small number of days.

Device-integrity signals for the free trial

To prevent abuse of the free trial, we use device-integrity signals provided by the operating system, specifically Apple DeviceCheck on iOS and Google Play Integrity on Android. These signals help us confirm that a device has not already used a trial. We use them only for fraud and abuse prevention.

Support communications

When you contact support@polmi.app, we collect the contents of your message and any information you choose to provide so we can respond.

How we use your information

We use personal information to:

• Provide the Service, including recording, transcribing, summarizing, generating flashcards, and, on the top tier, translating transcripts.
• Create and secure your account and authenticate you.
• Process and manage subscriptions and confirm purchase status.
• Operate the free trial and prevent trial abuse, fraud, and other misuse.
• Maintain, troubleshoot, secure, and improve the Service.
• Respond to your support requests.
• Send service and transactional messages, such as account, security, and billing notices.
• Comply with legal obligations and enforce our Terms and Conditions.

AI and cloud processing

Polmi produces transcripts, summaries, flashcards, and translations using third-party artificial intelligence and cloud processing providers. These include speech-to-text providers, large language model providers, and hosting and infrastructure providers. Your audio and generated content are transmitted to and processed by these providers so that the Service can function.

We engage these providers as subprocessors that act on our instructions and under contractual confidentiality and data-protection obligations. The specific providers are listed in the subprocessor table under "How we share information" below, which we update as our providers change.

We do not sell your personal information

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We do not use your audio, transcripts, summaries, or flashcards to train our own general-purpose models, and we instruct our AI subprocessors not to use your content to train their models for their own purposes.

We may use aggregated or de-identified information that does not reasonably identify any individual to operate, troubleshoot, and improve the Service, to analyze usage trends, and to inform product decisions. We do not re-associate de-identified information with you, and we treat de-identified information as not subject to this Privacy Policy.

How we share information

We share personal information only in the following situations.

Subprocessors. We rely on a set of service providers that process personal information on our behalf, under written contracts that require them to use the information only to provide services to us and to protect it. Our current subprocessors are listed below. We will notify users at least 30 days before adding a new subprocessor that processes personal data, except where notice would be incompatible with security or legal obligations. Where you object to a new subprocessor before it begins processing, you may close your account before the change takes effect.

• Study groups and classmates. When you choose to share a transcript, summary, or flashcard set, the people you share it with can see that content. You control these sharing actions.
• App stores and payment processors. We exchange subscription and transaction-status information with Apple, Google, and our web payment processor to operate billing.
• Legal and safety. We may disclose information where we believe in good faith that disclosure is required to comply with law, legal process, or a lawful government request, or to protect the rights, property, or safety of Murakami Labs, our users, or others.
• Business transfers. If Murakami Labs is involved in a merger, acquisition, financing, reorganization, sale of assets, or insolvency, personal information may be transferred as part of that transaction. We will require the recipient to honor this Privacy Policy or provide notice of any material change.

Cookies and similar technologies

Polmi uses a small number of cookies and similar technologies. In the app and the web app, some are strictly necessary to sign you in, keep your session secure, and remember your preferences. On our marketing site at polmi.app we use two measurement tools: a privacy-friendly, cookieless analytics tool that sets no cookies and does not track you across other websites, and Google Analytics 4, which loads only after you accept on our cookie banner. When you accept, Google Analytics sets cookies (such as _ga and _ga_*) to count page views and sessions; these do not contain your name or email. If you decline, no Google Analytics cookies are set and the site works exactly the same. Accept and Decline are offered with equal prominence, and you can change your choice at any time through the Cookie preferences link in the site footer; revoking consent clears existing Google Analytics cookies. We do not use third-party advertising cookies, and we do not run advertising, retargeting, or behavioral profiling. Where your browser or device sends a Global Privacy Control or Do Not Track signal, we treat it as a valid request to opt out of any sale or sharing, neither of which we do. We honor a Global Privacy Control signal as an opt-out where applicable law treats it as such, currently California, Colorado, Connecticut, and a growing number of US states. You can also control cookies through your browser settings, though disabling strictly necessary cookies may stop parts of the Service from working.

Legal bases for processing (EEA and UK)

If you are in the European Economic Area or the United Kingdom, we process your personal information on the following legal bases under the GDPR and UK GDPR:

• Performance of a contract, to provide the Service you request and to administer your account and subscription.
• Legitimate interests, to secure and improve the Service, prevent fraud and trial abuse, and operate our business, balanced against your rights and interests.
• Consent, where we rely on it, for example for certain optional features or communications. You can withdraw consent at any time without affecting prior processing.
• Legal obligation, to comply with applicable law, including tax, accounting, and lawful requests.

Your privacy rights

Depending on where you live, you may have some or all of the following rights:

• Access the personal information we hold about you.
• Correct inaccurate or incomplete information.
• Delete your personal information.
• Port your information to another service. You can export your data at any time from the in-app Export feature. The export produces a ZIP archive containing your transcripts (JSON), summaries (Markdown), and flashcards (CSV).
• Object to or restrict certain processing.
• Withdraw consent where processing is based on consent.
• Opt out of the sale or sharing of personal information and of profiling. As stated above, we do not sell or share personal information for these purposes.

EEA and UK residents

You have the rights listed above under the GDPR and UK GDPR, and the right to lodge a complaint with your local supervisory authority. We would appreciate the chance to address your concern first, so please contact us at privacy@murakamilabs.com.

California residents

Under the CCPA and CPRA, you have the right to know what personal information we collect and how we use and disclose it, the right to access and delete it, the right to correct it, and the right to opt out of sale or sharing and to limit the use of sensitive personal information. We do not sell or share personal information as those terms are defined under California law. We will not discriminate against you for exercising your rights. You may use an authorized agent to submit a request, subject to verification.

Other US state laws

We extend equivalent access, deletion, correction, opt-out, and non-discrimination rights to residents of states with comprehensive consumer privacy laws, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa, Indiana, Tennessee, Delaware, Maryland, New Jersey, New Hampshire, Minnesota, Nebraska, Rhode Island, and any US state whose comprehensive privacy law is in effect at the time of your request. Where a state honors a Global Privacy Control signal as an opt-out, we honor that signal.

Philippines (Data Privacy Act of 2012, RA 10173)

You have the right to be informed, to object, to access, to rectify, to erase or block, to damages for unlawful processing, to data portability, and to lodge a complaint with the National Privacy Commission (privacy.gov.ph). Murakami Labs is the personal information controller for the Service.

Brazil (LGPD)

Under the Lei Geral de Protecao de Dados, you have rights of confirmation, access, correction, anonymization, portability, deletion, information about sharing, and revocation of consent. The supervisory authority is the ANPD.

Canada (PIPEDA)

Canadian residents have rights of access and correction with respect to personal information we hold about them, and may complain to the Office of the Privacy Commissioner of Canada.

Australia (Privacy Act 1988)

Under the Australian Privacy Act and the Australian Privacy Principles, you have rights of access and correction with respect to personal information about you that we hold. The Office of the Australian Information Commissioner is the supervising authority.

Switzerland (FADP)

Under the revised Federal Act on Data Protection (in force since 1 September 2023), residents of Switzerland have rights of access, correction, deletion, and objection. The Federal Data Protection and Information Commissioner is the supervising authority. Swiss transfers to certified US recipients are covered by the Swiss-US DPF Extension.

Japan (APPI)

Under the Act on the Protection of Personal Information, you have rights of disclosure, correction, suspension of use, and third-party disclosure records. The Personal Information Protection Commission of Japan is the supervising authority.

Singapore (PDPA)

Under the Singapore Personal Data Protection Act (as amended in 2020), you have rights of access, correction, withdrawal of consent, and data portability for ongoing relationships. The Personal Data Protection Commission of Singapore is the supervising authority.

South Africa (POPIA)

Under the Protection of Personal Information Act (in force since 1 July 2021), residents of South Africa have rights of access, correction, deletion, and objection. The Information Regulator is the supervising authority.

Thailand (PDPA)

Under the Thailand Personal Data Protection Act (in force since 1 June 2022), you have rights of access, correction, deletion, restriction, portability, and to withdraw consent. The Personal Data Protection Committee is the supervising authority.

India (DPDP Act, 2023)

Under the Digital Personal Data Protection Act, 2023, you have rights of access, correction, grievance redressal, and nomination. The Data Protection Board of India is the supervising authority.

China (PIPL)

Under the Personal Information Protection Law (effective 1 November 2021), residents of the People's Republic of China have rights of access, correction, deletion, restriction, portability, and to withdraw consent. The Cyberspace Administration of China is the supervising authority. The Service is not directed at the PRC market and we do not transfer personal data into China. If you are a PRC resident and have a request, write to privacy@murakamilabs.com.

How to exercise your rights

Email privacy@murakamilabs.com from the address associated with your account. We will verify your identity before acting on a request and will respond within the timeframes required by applicable law. We may retain some information where we have a legal basis or obligation to keep it.

Third parties in recordings

If you are a third party who appears in a recording uploaded by a Polmi user without your consent, you may request deletion of that recording. See the equivalent process in our Terms and Conditions under "If you appear in a recording without your consent" or email privacy@murakamilabs.com directly.

International data transfers

We operate from the Philippines, and our subprocessors store and process personal information in the United States and other countries, including countries that may not provide the same level of data protection as your home jurisdiction. If you are in the EEA, the United Kingdom, or Switzerland, your personal information may be transferred outside your region as part of normal operation of the Service. For these transfers we rely on the following mechanisms, in order of preference:

• EU-US Data Privacy Framework (DPF). Where a recipient of your personal information is self-certified under the EU-US Data Privacy Framework (adequacy decision adopted by the European Commission on 10 July 2023) and its UK Extension and Swiss-US Extension, we rely on that certification for transfers to it. You can verify a provider's current certification at dataprivacyframework.gov.
• Standard Contractual Clauses (SCCs). For transfers to recipients not covered by the DPF, and as a backup mechanism generally, we rely on the Standard Contractual Clauses approved by the European Commission and, for the United Kingdom, the UK International Data Transfer Addendum, together with additional safeguards where needed.
• Data minimization. We limit the personal information transferred to what each provider needs to perform its function, and we instruct providers not to use it for their own purposes.

Schrems III contingency. The EU-US Data Privacy Framework is subject to legal challenge before the Court of Justice of the European Union (the matter brought by NOYB and others, sometimes called Schrems III). If the DPF is invalidated, we will fall back to the Standard Contractual Clauses and apply any supplementary measures required at that time, and we will update this section if the situation changes.

For a copy of the SCCs that apply to a specific transfer, or the DPF certification details for a provider, contact privacy@murakamilabs.com.

Data retention

We keep personal information for as long as your account is active and for as long as needed to provide the Service. When you delete a recording, transcript, summary, or flashcard set, we delete the associated content from our active systems within 30 days. Routine backups are purged on a rolling 90-day schedule. When you close your account, we delete or de-identify all associated content within 30 days, except where we must retain certain information to comply with legal, tax, accounting, or security obligations, to resolve disputes, or to enforce our agreements.

Security

We use administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit, access controls, and authentication. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and for the security of the devices you use to access the Service.

If we become aware of a security incident that affects your personal information, we will notify you and the appropriate supervisory authority as required by applicable law and within the timelines those laws prescribe. For users in the European Economic Area, the United Kingdom, and the Philippines, this means notification of the supervisory authority within 72 hours of our becoming aware of the incident, where the incident is reportable under the GDPR, the UK GDPR, or the Philippine Data Privacy Act. For users in California and other US states with breach-notification laws, notification will follow each state's required timeline. We will provide affected users with the information required by law, including the nature of the incident, the categories of personal information involved, and the steps we are taking in response.

Children

The Service is intended for users 18 years and older and is not directed to children under 18. We do not knowingly collect personal information from anyone under 18. If you believe a person under 18 has provided us personal information, contact privacy@murakamilabs.com and we will take steps to delete it.

Third-party services

The Service may link to or interoperate with third-party services, including app stores, payment processors, and the platforms that host your account. Their handling of your information is governed by their own privacy policies, not this one. We encourage you to review them.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above and, for material changes, provide additional notice through the Service or by email. Your continued use of the Service after an update takes effect means you accept the revised Privacy Policy.

Contact us

For any question, request, or complaint about this Privacy Policy or your personal information, contact Murakami Labs at privacy@murakamilabs.com. Depending on your purpose, you can reach us at:

• privacy@murakamilabs.com for privacy questions, data-rights requests, breach inquiries, and objections to a recording in which you appear.
• dpo@murakamilabs.com to reach our Data Protection Officer.
• dmca@murakamilabs.com for copyright and DMCA notices.
• legal@murakamilabs.com for arbitration opt-out and other legal correspondence.
• support@polmi.app for general support and account help.

Data Protection Officer

We have designated a Data Protection Officer for compliance with the Philippine Data Privacy Act and, where applicable, the GDPR and UK GDPR. You may reach our Data Protection Officer at dpo@murakamilabs.com.