hawkO

Privacy Policy

Last updated: May 26, 2026

1. Introduction

hawkO, a venture of Surfboard India Pvt. Ltd. is operated by Surfboard India Pvt. Ltd. ("we", "us", or "our") at Surfboard Pvt. Ltd, Virar, India. Contact: admin@hawko.ai.

hawkO collects certain Personal Data and Usage Data to provide, maintain, and improve services. Some information is required for the platform to function properly. If you do not provide requested information where required, some services may be unavailable. See also our Terms and Conditions.

2. Information We Collect

2.1 Personal Data

  • Email address
  • First name and last name
  • Organization domain from your Google ID token (hosted domain, when Google includes it)
  • Organization display name when available from your Google profile (via the People API using your sign-in authorization), or otherwise derived from your email domain for labeling your organization in hawkO only

This data supports account creation, communication, authentication, and service delivery.

Sign-in via Google OAuth only: hawkO does not support password or other sign-in methods. You must sign in with Google OAuth using a work or organization email on a non-consumer domain (not personal providers such as Gmail, Yahoo, Outlook.com, or similar free email services). Google Workspace accounts on your organization domain are supported; we do not require every eligible domain to be on Google Workspace. After you sign in, you may connect Google Calendar using any Google account you authorize, including personal accounts.

2.2 Usage Data

  • Meeting transcription records
  • AI-generated summaries and derived meeting metadata
  • Speech-to-Text usage count
  • Platform usage metrics

Insights are generated only from user-authorized meeting data and are not used for profiling unrelated to user-requested functionality. Meeting data including transcriptions, summaries, and related insights is primarily stored in our self-hosted MongoDB. Meeting summary chunks and artifacts are also stored in ChromaDB and Neo4j.

3. Google Calendar Data We Access

hawkO currently supports Google Calendar only. Other calendar providers may be added in the future; this section describes Google Calendar data only.

hawkO requests read-only access to calendar events (https://www.googleapis.com/auth/calendar.events.readonly) in two situations: when you sign in with Google (initial authorization) and when you connect an additional Google Calendar account in settings. We access only the minimum fields necessary to power meeting workflow features you explicitly request. The specific fields we read, and the sole purpose for each, are:

  • Event title to identify and display your upcoming meetings.
  • Start and end time to surface the correct meeting at the right time and enable timely workflow triggers.
  • Attendee names and email addresses to show meeting participants within the meeting workflow view.

We do not read or store event descriptions, locations, organizer details, conferencing links, or any other calendar fields. We read events from the primary calendar of each Google account you connect. We do not access calendars you have not authorized. This data is used solely to display upcoming meetings and enable meeting workflow features you request. It is not used for advertising, unrelated profiling, sale, or model training.

You may connect more than one Google account for Calendar. Each connection is separate: hawkO only reads the primary calendar for accounts you have authorized, and upcoming meetings from all connected accounts may appear together in your workflow. Disconnecting one Calendar connection in hawkO does not remove access for other connected accounts.

4. Google Calendar Data Flow

The following describes where Google Calendar data goes and does not go within hawkO:

  • Fetched from Google: Upcoming events are read from Google when you use calendar features (for example, to show upcoming meetings). We do not keep a full copy of your Google Calendar.
  • Stored in MongoDB: When you start or link a meeting session from a calendar event, we store the event title, scheduled start and end time, and participant names and email addresses in your meeting records, along with encrypted OAuth tokens and integration settings for each Google account you connect.
  • Stored in Neo4j: Meeting titles and related meeting context from your records may be used to build meeting relationship graphs for cross-meeting insights and search.
  • Stored in ChromaDB: Meeting titles, schedule times, and participant information from your meeting records may be stored as vector embeddings to enable meeting search and context retrieval for AI-powered features.
  • Sent to OpenAI when: you use an AI-powered meeting feature (for example, summaries, briefs, or meeting assistance). Only the calendar and meeting fields needed for that feature, such as title, time, and participants for the relevant meeting, are included. Calendar data is not sent to OpenAI for unrelated purposes.
  • Not sent to: PostHog, Deepgram, Soniox, Slack, or Atlassian (Jira). These systems do not receive Google Calendar event content.

Google Calendar data is never combined with analytics telemetry, advertising systems, or unrelated product features.

5. Cookies and Tracking Technologies

hawkO uses cookies and similar tracking technologies across our website and applications. Cookies help authenticate sessions and improve navigation and product quality.

Purpose of Cookies:

  • Authentication Cookies: verify user accounts and login state.
  • Analytics Cookies: understand usage patterns and feature interactions.

6. Analytics

hawkO uses PostHog for product analytics and monitoring. PostHog receives product usage telemetry (feature interactions, session behavior, system performance) to help us improve functionality and user experience. PostHog does not receive Google Calendar event content, transcription text, or any Google user data.

7. Third-Party Service Providers

hawkO shares data with the following named processors only to deliver the service. Each processor is listed with the data it receives and whether it receives Google user data:

  • OpenAI receives meeting transcription text and, when you use AI meeting features, relevant meeting and calendar context (such as title, scheduled time, and participants for that meeting). Data is processed under OpenAI's API terms; not used for model training.
  • Google Authentication handles OAuth sign-in and issues access/refresh tokens. Governed by Google's own terms.
  • Deepgram receives audio data for speech-to-text transcription. Does not receive Google Calendar event content.
  • Soniox receives audio data for speech-to-text transcription. Does not receive Google Calendar event content.
  • Neo4j stores meeting graph artifacts and may receive meeting titles and related context from your meeting records (including data originally sourced from Google Calendar when you link a meeting) to build relationship graphs.
  • ChromaDB stores meeting vector embeddings and may receive meeting titles, schedule times, and participant information from your meeting records to enable search and context retrieval for AI features.
  • Slack API used for the optional Slack bot integration. Operates independently and does not access or combine Google Calendar data. Slack scope details are in the Slack Bot Integration subsection below.
  • Atlassian (Jira Cloud API) used for the optional Jira integration. Does not receive Google Calendar event content. Operates independently of Google user data. See the Jira Integration subsection below.
  • PostHog receives product usage telemetry only. Does not receive Google Calendar event content or transcription data.

All third-party processors are contractually bound to process data only for service delivery purposes and to comply with applicable data protection obligations. They are not permitted to use your data for their own purposes.

Slack Bot Integration

Slack integration operates independently and does not access or combine Google user data. Our bot may request the following Slack scopes:

  • Send messages in chats.
  • Post in public channels it can access.
  • Read basic user profile info.
  • Read user email address when available.
  • Read public channel list and details.
  • Start or send direct messages.

The bot cannot read private channels unless explicitly added by a user. Slack user listing can include profile fields like id, name, and email when available from Slack APIs.

Jira Integration

Jira integration is optional. It operates independently and does not access or combine Google user data or Google Calendar event content.

If you connect Jira Cloud, connection details and data needed to use Jira features are stored and processed securely in hawkO. Content you choose to send to Jira is handled only when you use Jira features in the app. Optional AI-assisted drafting follows the same secure practices as other hawkO AI features described in Section 9.

You can disconnect Jira in hawkO settings at any time. Atlassian's terms and privacy policy govern data held in your Jira Cloud site.

8. Google Authentication and Calendar Access

When you sign in with Google, we request OpenID scopes: openid, email, and profile, plus read-only Google Calendar events access (https://www.googleapis.com/auth/calendar.events.readonly). When you connect an additional Google account for Calendar in settings, we request the same calendar scope for that account. Sign-in is Google OAuth only and requires a work or organization email on a non-consumer domain (not personal providers such as Gmail, Yahoo, Outlook.com, or similar free email services). Calendar connections may use any Google account you authorize.

Using the same sign-in authorization, we may read your Google ID token's hosted domain (when present) and request your organization display name from the Google People API when available. We use this only to show your organization name and group your account; it is not used for advertising, sale, or model training. We do not request additional Google OAuth scopes beyond those listed above for this purpose.

We access Google Calendar data only to display upcoming meetings and enable meeting workflow features explicitly requested by you. Calendar fields are retained in your meeting records when you create or link a meeting session; we do not store calendar data unrelated to your meeting workflows.

OAuth authorization includes offline access to support uninterrupted meeting workflows without requiring you to re-authenticate for each session. Refresh tokens obtained via offline access are:

  • Encrypted at rest in our backend database.
  • Accessible only to the backend services that require them to fetch calendar data on your behalf.
  • Replaced with a new token upon each re-authentication; the previous token is discarded.
  • Permanently deleted from our systems after we process a verified account deletion request (see Section 11).

Where Google user data is involved, processing and retention follow the applicable Google API Services User Data Policy.

9. Jira Integration

When you connect Atlassian Jira, we request the following OAuth scopes to create and manage issues on your behalf:

  • read:jira-work — read issues, projects, fields, and project metadata.
  • read:jira-user — read assignable users for a project so you can pick an assignee when creating a ticket.
  • write:issue:jira — create and update issues.
  • write:comment:jira, write:comment.property:jira — add comments to issues.
  • write:attachment:jira — attach files to issues.
  • Additional read scopes for fields, field options, field defaults, field configuration, issue metadata, issue types, project properties, application roles, and avatars — used to populate issue creation forms.

Jira access tokens and refresh tokens are encrypted at rest. We access your Jira data only to fulfil actions you explicitly request (e.g. creating a ticket from a meeting). We do not read existing Jira issues beyond what is needed to populate dropdowns or validate your selections. You can disconnect Jira at any time from Settings; doing so immediately revokes our stored tokens.

10. AI and Speech Processing Services

To provide AI-powered features, hawkO processes meeting transcriptions and related context through OpenAI's API. When you use AI meeting features, relevant context for that meeting, such as title, scheduled time, and participants, may be included. This context may originate from your meeting records, including fields sourced from Google Calendar when you link a calendar event. Calendar data is not sent to OpenAI for unrelated purposes. Data sent to OpenAI is not used for model training and is handled under OpenAI's API data usage policies.

For transcription workflows, audio is processed by Deepgram and/or Soniox. Transcription providers do not receive Google Calendar event content. Insights are generated only from user-authorized meeting data and are not used for profiling unrelated to user-requested functionality.

11. Limited Use Compliance

hawkO's use of data received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. We do not:

  • Use Google user data for advertising or ad targeting.
  • Sell Google user data to any third party.
  • Use Google user data to train AI or machine learning models.
  • Share Google user data with any party other than the named processors listed in Section 7, and only to the extent described.
  • Use Google user data for any purpose other than providing or improving the meeting workflow features you have requested.

12. Data Retention and Deletion Requests

We retain meeting data only as long as necessary to provide the service. The following retention rules apply specifically to Google user data:

  • Google OAuth refresh tokens are replaced on each re-authentication and permanently deleted after we process a verified account deletion request.
  • Calendar data in your meeting records (event title, scheduled start/end time, participant names and emails) is permanently deleted after we process a verified account deletion request.
  • Jira connection data is removed when you disconnect Jira in hawkO and is permanently deleted after we process a verified account deletion request.
  • Active data derived from Google Calendar and other meeting data is removed from all active systems within 30 days after we verify your account deletion request.

hawkO does not offer self-service account deletion in the app. To request deletion of your main hawkO account and all associated data, including meeting records, Google Calendar data, Jira connection data, and OAuth tokens for your sign-in Google account and every additional Calendar account you connected. Email admin@hawko.ai. We aim to send an initial response within 24–48 business hours and complete deletion of that main account and all linked data within 30 days after we verify your request.

13. Your Controls and How to Revoke Access

You have the following controls over your connected integrations and data:

  • Disconnect an additional Google Calendar account (in hawkO): In hawkO settings, you can disconnect Calendar integrations you added after sign-in. This removes that connection's calendar tokens and stops calendar reads for that account. It does not sign you out, does not revoke your Google sign-in, and does not delete meeting data already stored in hawkO. Calendar access tied to your sign-in Google account cannot be turned off in hawkO; use Google Account permissions below.
  • Disconnect Jira (in hawkO): In hawkO settings, you can disconnect Jira at any time. You may also revoke hawkO's access in your Atlassian account at id.atlassian.com/manage-profile/apps.
  • Disconnect Slack (in hawkO): In hawkO settings, you can disconnect your Slack workspace at any time. This removes hawkO's stored connection for that workspace.
  • Remove or revoke the hawkO Slack app (Slack workspace): A workspace owner or app manager can remove hawkO from Slack entirely, or revoke a specific installation. On Slack desktop: workspace name Tools & settings Manage appsInstalled apps → select hawkO → App details Configuration. To remove the app from the workspace, choose Remove app. To revoke one authorisation without removing the app for everyone, under Authorisations, open See all and select Revoke next to the setup you want to remove. If you do not see these options, ask a workspace owner. See Slack's guide: Remove apps from your workspace.
  • Delete your main account and all connected data: Email admin@hawko.ai to request deletion of your main hawkO account. After we verify the request, we delete your account and associated data across all connected Google Calendar accounts and other systems described in this policy. We aim to send an initial response within 24–48 business hours and complete deletion within 30 days after we verify your request.
  • Revoke Google access (Google Account): Visit myaccount.google.com/permissions, find hawkO (it may appear as hawkO or hawkO AI), and remove access. This revokes OAuth permissions at Google, including sign-in and Calendar access. hawkO cannot revoke sign-in Google access from inside the app; use Google Account permissions for that.
  • Privacy questions: Contact us at admin@hawko.ai for any questions about how your data is handled.