Privacy at a product that asks before it acts.
Throughpoint sits close to sensitive work — your meetings, decisions and engineering tools. This policy explains exactly what we touch, what we keep, and the control you have over all of it.
- Effective
- 16 June 2026
- Last updated
- 16 June 2026
This summary is for orientation only. The full terms below are what govern.
Who we are
Throughpoint (“Throughpoint,” “we, ” “us,” or “our”) provides a reconciliation layer for engineering teams. We read what your team decides in meetings and across your tools, detect when those things drift apart, and propose a fix as a Slack card that a human approves before anything is written back.
This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, how long we keep it, and the rights you have over it. It applies to our website, the Throughpoint web dashboard, our Slack app, and the integrations that connect Throughpoint to your engineering tools (together, the “Service”).
Contact & data controller
- Service operator
- Throughpoint, London, United Kingdom
- Privacy contact
- privacy@throughpoint.dev
- General contact
- founders@throughpoint.dev
Roles under the UK GDPR / EU GDPR: for data about your team’s meetings, decisions and connected tools, your organisation is the controller and Throughpoint is a processor acting on your instructions. For our website, waitlist and account administration, Throughpoint is the controller. See §06 for detail.
Scope of this policy
This policy covers personal data processed when you or your organisation:
- Visit our marketing website or join the access waitlist.
- Create or use a Throughpoint account and dashboard.
- Connect a meeting source, tracker, repository, calendar or Slack workspace.
- Interact with proposal cards we post into Slack.
It does not cover the third-party services you connect Throughpoint to (for example Linear, Jira, GitHub, Slack, Google Calendar, Zoom or Google Meet). Those services have their own privacy policies that govern how they handle your data on their side.
The data we collect
We collect only what the Service needs to do its job. We group it into four buckets.
Account & identity data
- Name, work email address and the organisation / team you belong to.
- Authentication identifiers from your sign-in provider.
- Role and permission settings within your Throughpoint workspace.
Meeting content
- Audio from meetings you connect, used only to produce a transcript.
- Transcripts and the structured decisions, commitments, owners and action items we extract from them.
- Meeting metadata: title, time, duration and participant list.
We do not retain a replay of your meetings. Audio is processed for extraction and then dropped — we keep the structured trail (decisions, commitments, owners), not the recording. See §08.
Connected-tool data
When you authorise an integration via OAuth, we read the data needed to detect drift and land approved changes:
- Trackers (Linear, Jira, GitHub Issues): issues, tickets, sprints, statuses, assignees and comments relevant to your team.
- Repositories (GitHub): pull-request and review signals — metadata such as titles, states, reviewers and timestamps. We do not read or store your source code.
- Calendar (Google Calendar): event times, titles and attendees, to surface unbooked follow-ups and scheduling proposals.
- Slack: the channels and workspace metadata needed to post proposal cards and record your approve / dismiss responses.
We store encrypted OAuth tokens for each connection. We never receive or store your passwords for these services.
Usage, device & log data
- Product events: proposals shown, approved or dismissed, and integration sync status.
- Technical logs: I-log entries recording security- and privacy-relevant actions on your account.
How we use your data
We use personal data for the following purposes, and no others:
- To run the reconciliation engine. Extract decisions from meetings, compare them against your tracker, repo and calendar, and detect contradictions, recurring blockers and sprint risk.
- To propose changes for your approval. Generate the Slack proposal cards you approve or dismiss. Nothing is written to your tools until you approve it.
- To maintain organizational memory. Keep a decision ledger so a reversal weeks later can be surfaced against the original commitment.
- To operate, secure and support the Service. Authenticate users, prevent abuse, debug issues, and respond to your requests.
- To communicate with you. Send service and security notices, and — only where permitted — occasional product updates you can opt out of.
- To meet legal obligations. Comply with applicable law and enforce our terms.
What we never do
- We do not sell your personal data. Ever.
- We do not use your meeting content or connected-tool data for advertising.
- We do not train our own or third-party foundation models on your content. See §05.
- We do not take autonomous action in your tools — every write is approval-gated.
AI processing & automated decisions
Throughpoint uses third-party AI providers to transcribe audio, generate embeddings and reason over your decisions. When we send content to these providers we do so under agreements that prohibit using your data to train their models.
How AI is used in the Service
- Transcription: converting meeting audio into text.
- Embeddings & clustering: linking related decisions across meetings and surfacing recurring topics.
- Reasoning / “judge” steps: assessing whether a new decision contradicts a prior commitment or puts a sprint at risk.
No solely-automated decisions with legal or similarly significant effects. Throughpoint only ever proposes. A person on your team reviews and approves or dismisses every change before it lands. You retain meaningful human control at all times.
Sub-processors
We rely on a small set of vetted vendors to run the Service. The categories are below; the current itemised list, with locations, is available on request at privacy@throughpoint.dev.
- Cloud hosting & database
- Application hosting, managed Postgres and object storage.
- AI / model providers
- Transcription, embeddings and reasoning, under no-training terms.
- Communications
- Transactional email and the Slack delivery surface.
- Observability
- Error monitoring and infrastructure logging.
Each sub-processor is bound by a data-processing agreement and may only process data on our documented instructions.
Legal bases for processing (UK / EU GDPR)
Where the UK GDPR or EU GDPR applies and Throughpoint is the controller, we rely on the following legal bases:
- Contract
- To provide the Service to you and your organisation, manage accounts and respond to support requests.
- Legitimate interests
- To secure, debug and improve the Service, and to send service-related communications — balanced against your rights and freedoms.
- Consent
- For optional product marketing and any non-essential cookies. You can withdraw consent at any time.
- Legal obligation
- To comply with applicable laws and lawful requests.
Where your organisation is the controller (your meeting and tool data), we process it as a processor strictly on your organisation’s instructions under our customer agreement and data-processing terms.
How long we keep data
We keep personal data only as long as it serves the purpose it was collected for.
- Meeting audio
- Processed for transcription, then dropped. Not retained for replay.
- Transcripts & decisions
- Retained for the life of your account so cross-meeting memory works. Deleted on request or account closure.
- Connected-tool data
- Kept as a working snapshot while the integration is connected; cleared when disconnected.
- OAuth tokens
- Stored encrypted; revoked and deleted when you disconnect an integration.
- Audit & security logs
- Retained for a limited period for security and compliance, then deleted.
- Waitlist email
- Kept until you ask us to remove it or we close the waitlist.
When your organisation deletes its account, we run a cascading deletion that removes your team’s meetings, transcripts, decisions, proposals and tool connections from our primary systems, and we instruct sub-processors to do the same. Residual copies in encrypted backups age out on our standard backup cycle.
How we protect data
We apply technical and organisational measures appropriate to the sensitivity of the data:
- Encryption in transit (TLS) and at rest for stored data.
- OAuth tokens and other secrets stored encrypted, with access tightly scoped.
- Least-privilege access controls and audit logging of sensitive actions.
- Tenant isolation so one organisation’s data is not exposed to another.
- Approval-gating as a structural safeguard — Throughpoint cannot write without a human.
No system is perfectly secure, but we work to protect your data and will notify you and any relevant regulator of a personal-data breach where the law requires it.
International data transfers
Throughpoint is based in the United Kingdom and may process data in the UK, the European Economic Area, and other countries where our sub-processors operate, including the United States.
Where we transfer personal data outside the UK or EEA, we rely on a lawful transfer mechanism — such as an adequacy decision, the UK International Data Transfer Addendum, or the EU Standard Contractual Clauses — together with additional safeguards where needed.
Your privacy rights
Depending on where you live, you may have some or all of the following rights over your personal data:
- Access — get a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — ask us to delete your data (“right to be forgotten”).
- Restriction & objection — limit or object to certain processing.
- Portability — receive your data in a portable, machine-readable format.
- Withdraw consent — where processing is based on consent.
To exercise any of these, email privacy@throughpoint.dev. We will respond within the timeframe required by law (generally one month under the GDPR). If your data is controlled by your organisation, we may refer your request to them and assist as their processor.
You also have the right to lodge a complaint with a supervisory authority. In the UK that is the Information Commissioner’s Office (ICO). We’d appreciate the chance to address your concern first.
Children's data
Throughpoint is a workplace tool and is not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us personal data, contact us and we will delete it.
Changes to this policy
We may update this Privacy Policy as the Service evolves or the law changes. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you by email or in the dashboard.
Continuing to use the Service after an update takes effect means you accept the revised policy.
Reach a human at privacy@throughpoint.dev. We answer from a real address — no ticket queue.