Guide · June 8, 2026 · 8 min read
Private, GDPR-Compliant Meeting Transcription
Private, GDPR-compliant meeting transcription means your transcripts are stored in the EU, encrypted, isolated per user, and never used to train AI models. Nod stores notes in Supabase Postgres in Ireland (AWS eu-west-1), AES-256 at rest, with per-user Row-Level Security, and runs inference under Zero Data Retention with no model training.
If you handle EU data — or you just have to justify a tool to your legal or security team — "we're GDPR compliant" on a marketing page isn't enough. You need to know where the data lives, how it's secured, whether it trains a model, and how a deletion request actually works. This article answers those questions for AI meeting transcription, with the specific facts you'd cite in a vendor review.
What makes meeting transcription "GDPR-compliant"?
GDPR doesn't certify products; it sets principles you have to be able to demonstrate. For an AI note taker, the ones that matter most are concrete:
- Lawful basis. There's a clear reason to process the data — here, performing the service you signed up for (Art. 6(1)(b), contract), plus narrow legitimate-interest uses like quota enforcement and a consent audit log.
- Data minimization. You only keep what you need. The strongest possible version for transcription is not storing the audio at all — keeping only the text you'll actually use.
- Storage limitation and residency. Data is kept where you expect, for only as long as needed, and is deletable.
- Security of processing (Art. 32). Encryption in transit and at rest, access isolation, backups.
- Purpose limitation. Your data isn't quietly reused for something else — most importantly, not used to train models.
- Data-subject rights. You can access, export, correct, and erase your data, and know who the subprocessors are.
A tool is "GDPR-compliant" in any useful sense only when it can point to a real answer for each of these — not a badge. The rest of this article maps Nod to each one, with links to the policy pages that back the claims.
Where is your transcript actually stored?
Data residency is usually the first question a DPO asks, so here's the direct answer. Nod stores everything in the European Union — specifically Supabase Postgres running on AWS eu-west-1 (Ireland). Your transcripts, summaries, search embeddings, and account profile all live in that region.
The security around them:
- AES-256 encryption at rest in Postgres, with daily encrypted backups retained on a rolling basis.
- TLS 1.2+ in transit (TLS 1.3 by default; older protocols rejected), including for direct database connections.
- Per-user Row-Level Security on every table, so one account can never read another account's rows. Notes are private by default — there are no team workspaces, shared notes, or public links.
This is the foundation GDPR's Article 32 ("security of processing") is asking about, and it's all documented in Nod's Security & Privacy page, including the infrastructure table and the how-data-flows diagram.
Does the AI train on your meetings?
No — and this is where a lot of "private" tools quietly fall down, because the product might not train on your data while an upstream model provider does. Nod closes both gaps.
Nod does not train any model on your data, and it's configured so its subprocessors can't either. Calls for transcription (Whisper) and summarization (an LLM) are routed through a gateway with Zero Data Retention enabled, and every "may train on request data" route — paid and free — is explicitly disabled. First-party model endpoints are turned off; traffic goes to enterprise endpoints (Azure OpenAI, Google Vertex AI) that contractually do not use customer data for training. Search embeddings are generated in-region by Supabase's built-in model inside an Edge Function, so your transcript text isn't sent to an external embedding provider at all.
The net effect: your meetings are used to produce your notes and nothing else. They don't become training data for anyone. The exact configuration is spelled out in the model-training section of the Security page.
How Nod maps to GDPR
Here's each principle, mapped to what Nod actually does.
Data minimization
The single biggest minimization choice is that Nod stores no audio. Each chunk of audio is held in memory for roughly five seconds while it is transcribed, then released — no file, no waveform, no cloud recording. Only the transcript and summary are kept. You can't lose what was never written. Beyond that, Nod doesn't embed analytics or advertising SDKs, doesn't track you across the web, and doesn't read your calendar, email, or contacts.
Storage limitation and residency
Data stays in the EU (eu-west-1) and is deletable on your terms. Deleting a meeting in the app is a soft delete — it moves to a trash that's permanently purged after 30 days by a nightly job. Account-level deletion is honored within 30 days. Retention windows for each data type (meetings, transcripts, usage metadata, backups) are published in the Privacy Policy.
Security of processing (Art. 32)
AES-256 at rest, TLS 1.2+ in transit, per-user Row-Level Security on every table, daily encrypted backups, and server-side isolation of secrets (API keys never touch your Mac). This is the concrete Article 32 checklist most reviews want to see.
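To make the per-user isolation (above and in the residency section) and the trash-then-purge retention (in the storage-limitation section) concrete, here is an added example of how those two mechanics can be expressed in Postgres. It is an illustration written for this guide, not Nod's schema or code: it assumes a Supabase-style database where auth.uid() returns the calling user's UUID from the request JWT, signed-in clients connect as the authenticated role, and the pg_cron extension is available for the scheduled job; the table, column, view and job names are hypothetical.

```sql
-- Added illustration, not Nod's schema: a per-user table under Postgres RLS
-- with a soft-delete column and a nightly purge. Assumes a Supabase-style
-- setup: auth.uid() returns the calling user's UUID from the request JWT,
-- the "authenticated" role is what signed-in clients connect as, and the
-- pg_cron extension is installed. All names below are hypothetical.
create extension if not exists pg_cron;

create table meetings (
  id          uuid primary key default gen_random_uuid(),
  owner_id    uuid not null default auth.uid(),   -- filled from the caller's JWT
  title       text,
  transcript  text not null,                      -- text only: no audio is stored
  summary     text,
  created_at  timestamptz not null default now(),
  deleted_at  timestamptz                         -- null = live, set = in trash
);

-- RLS must be switched on per table; FORCE makes even the table owner subject to it.
alter table meetings enable row level security;
alter table meetings force row level security;

-- One policy per operation. USING filters the rows a caller may see or touch;
-- WITH CHECK rejects writes that would produce a row owned by someone else.
create policy meetings_select_own on meetings
  for select to authenticated using (owner_id = auth.uid());
create policy meetings_insert_own on meetings
  for insert to authenticated with check (owner_id = auth.uid());
create policy meetings_update_own on meetings
  for update to authenticated
  using (owner_id = auth.uid()) with check (owner_id = auth.uid());
-- Deliberately no DELETE policy for clients: with RLS enabled and no policy,
-- DELETE is denied, so the app can only move a row to the trash via UPDATE.

grant select, insert, update on meetings to authenticated;

-- "Delete" in the app is a soft delete: stamp deleted_at and leave the row.
-- The app reads through this view, so trashed rows vanish from the UI while
-- staying recoverable until the purge. security_invoker (Postgres 15+) makes
-- the view run under the caller's RLS policies rather than the view owner's.
create view live_meetings with (security_invoker = true) as
  select id, owner_id, title, transcript, summary, created_at
  from meetings
  where deleted_at is null;

-- Nightly purge at 03:00 UTC: hard-delete anything trashed more than 30 days ago.
-- pg_cron runs the job as the role that scheduled it, and FORCE RLS applies to
-- the owner too, so schedule it from a role with BYPASSRLS (superusers always bypass).
select cron.schedule(
  'purge-meeting-trash',
  '0 3 * * *',
  $$ delete from meetings where deleted_at < now() - interval '30 days' $$
);

-- Reviewer check: simulate one user's session the way PostgREST does (role plus
-- JWT claims in a transaction-local setting) and query for other owners' rows.
-- The SELECT policy filters every row whose owner_id differs from auth.uid(),
-- so nothing belonging to another account is visible in this session.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"sub":"aaaaaaaa-0000-0000-0000-000000000001","role":"authenticated"}', true);
  select id, owner_id from meetings
   where owner_id <> 'aaaaaaaa-0000-0000-0000-000000000001';
rollback;
```

The point a reviewer should take from this is that the isolation guarantee lives in the database, not in application code: even a bug in the client that asks for every row gets back only the caller's own, and the 30-day window is enforced by a job that runs whether or not anyone opens the app.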
Purpose limitation
Your transcripts are used to generate your notes and power your own searchable history — nothing else. No training, no secondary use, no selling of personal data. Inference runs under Zero Data Retention, so the processing hop doesn't create a hidden secondary copy.
Data-subject rights and subprocessors
Nod supports the GDPR rights you'd expect: access (a copy of your data), portability (export of transcripts and summaries in a machine-readable format, Art. 20), rectification, erasure (full account deletion, plus per-meeting deletion you control), restriction, and objection to legitimate-interest processing. Requests are acted on within 30 days. The complete rights list is in the Privacy Policy, and the third parties that process your data are named in the Subprocessors list. Note that recording consent is a separate duty that's on you, not the tool — see consent and GDPR for a regional reference.
Capture is local, processing is EU cloud — what that means
It's worth being precise so you don't over- or under-state this in a vendor review. Nod's audio capture is local on your Mac, and no audio is ever stored. But the transcription and summarization run in the EU cloud, not on your device. The short audio chunks and the transcript text are sent over an encrypted connection to inference services, processed, and released.
Nod is therefore local capture plus EU cloud inference — not a fully on-device, offline model. The privacy guarantee for that cloud hop is Zero Data Retention plus no training: the providers process the chunk to return a result and don't retain or learn from it. If your requirement is specifically that nothing leaves the machine under any circumstances, that's a different architecture — see the rundown of on-device Mac note takers, which are honest about running fully offline. For most EU-data requirements, EU residency + encryption + ZDR + no training is the bar that actually matters, and that's the bar Nod is built to.
A couple of practical notes for adoption: Nod supports eleven languages (English, Mandarin, Hindi, Spanish, French, Arabic, Bengali, Portuguese, Russian, Urdu, and Ukrainian), is macOS-only (no iOS or web app), and is built by an individual developer, Dima Barabash. It's transparent on its own policy pages that there's no incorporated company yet and no SOC 2 — those are disclosed honestly rather than glossed over, which is the kind of thing a careful reviewer would rather know up front.
Frequently asked questions
Is Nod GDPR compliant?
Nod is built around GDPR principles: EU data residency, encryption at rest and in transit, per-user isolation, no model training, and the full set of data-subject rights with export and erasure. A GDPR DPA is available on request. Nod also discloses, openly, that it's currently operated by an individual developer and has not completed a SOC 2 audit — see the Security and Privacy pages.
Where is my data stored?
In the European Union — Supabase Postgres on AWS eu-west-1 (Ireland), encrypted at rest with AES-256, with per-user Row-Level Security.
Does Nod train AI on my transcripts?
No. Neither Nod nor its subprocessors train on your data. Inference runs under Zero Data Retention with all "may train" routes disabled, and traffic goes to enterprise endpoints that contractually don't train on customer data. Embeddings are generated in-region.
Can I delete my data or exercise GDPR rights?
Yes. You can delete individual meetings in the app (30-day trash, then permanent purge) or request full account deletion, honored within 30 days. You can also request a portable export of your transcripts and summaries. Details and contacts are in the Privacy Policy.
Who are the subprocessors?
The third parties that help operate Nod — the database/auth host, the inference gateway, and the enterprise model endpoints — are named, with their roles and locations, in the Subprocessors list. Updated lists and DPAs are available on request.
Try Nod
Nod is a bot-free AI notepad for macOS that captures your Mac's own audio, stores no recording, and keeps your transcripts encrypted in the EU with no model training. If you want private, searchable meeting notes you can defend to a security review, it's free during private beta (pricing will be published before any billing). You can download Nod for Mac, or read the broader case for meeting notes without a bot first.