
Fireflies.ai

Partial · EU: Limited · No Training · Custom/ZDR · US Only

Status badges are conditional: validate the exact plan, DPA, subprocessors, retention, residency, and feature settings before using the tool with personal or confidential data.

Pricing / Contract Route

USD pricing varies by plan and billing period

Enterprise Features

Enterprise private storage/BYOS options, ZDR where contracted, retention controls

Last Updated

June 23, 2026

Fireflies.ai - GDPR & Data Privacy Overview for European Clients

Version: June 2026 - prepared by WAIMAKERS B.V.


1 Purpose

This overview explains how Fireflies.ai tiers (Free, Pro, Business, Enterprise) handle data in relation to GDPR, with a focus on European customers. Fireflies.ai is an AI-powered meeting assistant by Fireflies.ai Corp. that automatically records, transcribes, and summarizes conversations, operating from US infrastructure.


2 Comparison of Fireflies.ai Tiers (EU focus)

| Tier | Visible Bot | Zero Data Retention (ZDR) | Training on data? | EU residency | Compliance | Price |
|---|---|---|---|---|---|---|
| Free | ✅ Yes | ✅ Yes | ✅ No (default) | ❌ No (US infra) | Basic | Free |
| Pro | ✅ Yes | ✅ Yes | ✅ No | ❌ No (US infra) | SOC 2 Type II | $10/user/month (annual) |
| Business | ✅ Yes | ✅ Yes | ✅ No | ❌ No (US infra) | SOC 2 Type II | $19/user/month (annual) |
| Enterprise | ✅ Yes | ✅ Yes | ✅ No | ⚠️ Customer-selected storage via Private Storage/BYOS; processing remains US | SOC 2 Type II, HIPAA, custom controls | $39/user/month (annual) |

Notes for Europe

  • Visible bot: Fireflies joins meetings as a visible bot (labeled in participant list), which aids transparency and GDPR consent requirements.
  • Zero Data Retention (ZDR): Fireflies states it applies a 0-day data retention policy with all vendors and partners (including OpenAI, Anthropic, transcription providers) across its service, so third-party vendors do not store meeting data after processing.
  • No AI training: Fireflies states meeting content (audio, video, transcripts, summaries) is not used to train AI models, internally or externally.
  • Infrastructure: Fireflies processing occurs on US-based servers. Private Storage changes where meeting data is stored after processing; it does not make processing EU-only.
  • Private Storage / BYOS: Fireflies' current Private Storage documentation says this is Enterprise-only and allows customers to choose a storage bucket location. Data is still processed on Fireflies' servers in the US before being stored in the selected bucket.
  • EU storage via Private Cloud: Treat any EU storage/private-cloud claim as sales-assisted and contract-dependent; require written confirmation of storage region and processing location.
  • EU-US Data Privacy Framework: Fireflies is listed under the EU-US Data Privacy Framework, providing an additional transfer mechanism alongside SCCs.
  • DPA & Data Processing Terms: Fireflies provides a Data Processing Agreement (DPA) that includes Data Processing Terms, available upon request. The Privacy Policy explicitly references these terms and incorporates them by reference into the Terms of Service.
  • Privacy policy updated March 2026: The current Privacy Policy (dated 6 March 2026) states personal information related to a closed account is deleted within 30 days of account closure (for most data).
  • Legal risk - BIPA class actions (Dec 2025–ongoing): Multiple class action lawsuits have been filed alleging Fireflies collected biometric identifiers (voiceprints) from non-consenting meeting participants under Illinois BIPA, including Cruz v. Fireflies.AI (filed December 2025, C.D. Illinois) and Fricker v. Fireflies.AI (filed March 2026, N.D. Illinois). Both cases are ongoing; EU organisations should monitor developments and ensure robust participant consent processes.
  • Pricing: Enterprise plan confirmed at $39/user/month (annual billing). Other plans listed in USD. No EUR-specific pricing available.

3 Is Fireflies.ai GDPR-Compliant?

Short answer: ⚠️ Partial / conditional. Fireflies can support GDPR compliance only with the right plan, DPA, consent workflow, retention settings, and transfer assessment. Enterprise Private Storage can improve data-at-rest control, but Fireflies still processes meeting data on US servers, so it should not be presented as fully GDPR-compliant for strict EU-localisation requirements.

What applies to all plans (Pro and above):

  • Zero Data Retention - Data not stored by AI vendors (OpenAI, Anthropic) after processing.
  • No AI training - Fireflies states meeting content is not used to train models.
  • Visible bot - Meeting participants see Fireflies bot join, aiding transparency and consent.

What's plan-dependent:

  • Free plan: ZDR/0-day retention applies (service-wide default); primarily for personal use.
  • Pro plan: Full ZDR, SOC 2 Type II; suitable for non-regulated SMB workloads.
  • Business plan: Custom retention, Rules Engine, team controls (HIPAA/BAA is Enterprise-only).
  • Enterprise plan: Private Storage/BYOS, advanced security controls, custom retention policies, Super Admin.

Infrastructure limitations (all plans):

  • No EU processing residency - Processing remains in the US even when Enterprise Private Storage is configured for customer-selected storage.
  • Cross-border transfers - Meeting data transferred to and processed in the United States.

What that means in practice:

  • Non-sensitive meetings: Pro or Business plan may be acceptable with proper safeguards (DPA, SCCs, DPIA).
  • Regulated industries (healthcare, finance, public sector): Enterprise plan required for HIPAA (Private Storage + signed BAA)/additional controls, but US infrastructure may still pose compliance challenges.
  • Strictest GDPR requirements (data localisation mandates, special categories data): Fireflies may not meet requirements due to US-only infrastructure.

Buyer's note: Fireflies should be treated as Partial for EU procurement: Enterprise controls can reduce risk, but US processing, participant consent, and biometric/privacy concerns remain material.


4 Details by Offering

Fireflies Free

  • Visible bot: Yes (joins meetings as labeled participant)
  • Data collection: Meeting audio, transcripts, limited AI summaries
  • Training: Not used for AI training by default
  • Retention: 400 mins storage/team; ZDR applies (0-day retention with vendors)
  • Pricing: Free forever
  • When to use: Personal projects, individual learning, non-commercial meetings
  • When not to use: Business meetings with confidential information, client calls, regulated workloads

Fireflies Pro

  • Zero Data Retention: Fireflies states full ZDR applies with AI vendors
  • Visible bot: Yes (meeting transparency)
  • Training: No training on meeting data
  • Compliance: SOC 2 Type II certified
  • Pricing: $10/user/month
  • When to use: SMB teams, non-regulated workloads, internal meetings
  • When not to use: Regulated industries requiring EU data residency, client meetings under strict NDAs

Fireflies Business

  • Zero Data Retention: Fireflies states full ZDR is enforced
  • Private Storage: Not the default Business posture. Current Fireflies Private Storage documentation describes Private Storage as Enterprise-only; confirm any Business availability in the executed contract.
  • HIPAA compliance: Not available on Business; HIPAA/BAA is Enterprise-only
  • Team controls: Rules Engine, custom data retention, admin controls
  • Compliance: SOC 2 Type II, GDPR-claimed
  • Pricing: $19/user/month
  • When to use: Healthcare organisations (with BAA), finance teams, SMB with compliance requirements
  • When not to use: Strict EU data localisation mandates, special categories data without DPIA/TIA

Fireflies Enterprise

  • All Business features plus:
  • Super Admin: Enhanced admin controls and oversight
  • Private Storage / BYOS: Customer-selected storage for data at rest; current documentation says data is processed on Fireflies' US servers and then stored in the designated bucket
  • EU storage: Possible only if the contracted Private Storage/BYOS setup uses an EU bucket or dedicated arrangement; request written confirmation because processing remains US-based
  • Custom retention: Configurable retention policies (e.g., 90 days, 1 year, indefinite)
  • Advanced security: SSO/SAML, IP allowlists, custom security reviews
  • DPA available: Data Processing Agreement with SCCs
  • EU-US Data Privacy Framework: Listed, providing an additional transfer mechanism
  • Compliance: SOC 2 Type II, HIPAA, GDPR-claimed, custom security frameworks
  • Pricing: $39/user/month (annual billing confirmed)
  • When to use: Large enterprises, heavily regulated industries, organisations requiring strict security controls or EU data storage
  • When not to use: When EU data localisation for processing (not just storage) is mandatory - processing pipeline remains US-based

5 Data Processing Flow

User starts meeting
  ↓
Fireflies bot joins (visible to participants)
  ↓
Audio recording starts
  ↓
Fireflies processing pipeline (US-based)
  ├─ Transcription via third-party providers
  │   └─ ZDR / 0-day retention (all plans, all vendors)
  ├─ AI summarisation (OpenAI/Anthropic)
  │   └─ ZDR enforced (no storage after processing)
  ├─ Storage
  │   ├─ Free/Pro/Business: Fireflies-managed storage unless otherwise contracted
  │   └─ Enterprise: Private Storage/BYOS option for customer-selected storage
  └─ Response/transcript returned to workspace

*All processing in US infrastructure; Enterprise Private Storage changes storage location only*

6 Recommendations (GDPR-first)

  • For business processing of meeting data, prefer Enterprise where Private Storage/BYOS and stricter retention controls are required; Business may be acceptable only for lower-risk use cases with a DPA, consent workflow, and TIA.
  • For regulated data (healthcare, finance, public sector), complete a DPIA and Transfer Impact Assessment (TIA) to assess US processing risks under GDPR Chapter V. Request DPA with SCCs from Fireflies.
  • For strictest data localisation requirements, Fireflies may not be suitable due to US-only infrastructure.
  • Do not use Free plan for business meetings or confidential information.
  • Always obtain consent from meeting participants before recording (visible bot aids but does not replace explicit consent requirements).

7 EU Rollout Checklist (Practical)

  1. Choose the right plan - Business may provide stronger compliance controls for lower-risk use cases; choose Enterprise if Private Storage/BYOS, custom retention, or stricter governance is required.
  2. Conduct DPIA & TIA - Document US processing risks (GDPR Chapter V); determine if SCCs + supplementary measures are sufficient. For special category data or strict localisation mandates, Fireflies may not be suitable.
  3. Execute contracts - Request and sign the DPA with SCCs from Fireflies; add explicit ZDR and no-training clauses.
  4. Configure Private Storage (Enterprise) - Use customer-selected storage where contracted. Note: processing still occurs in US.
  5. Establish consent protocol - Create clear meeting consent process; leverage visible bot but obtain explicit consent from participants before recording.
  6. Set retention policies (Enterprise) - Configure custom retention (e.g., 90 days auto-delete) to minimise data exposure.
  7. Train team on safe practices - Educate users on when not to use Fireflies (special categories data, highly confidential client meetings, etc.).

8 Procurement Quick Answers (EU)

Is my meeting data used to train AI models?

Fireflies says no. It states meeting content is not used for training internally or externally, and that this commitment extends to partners such as transcription providers, OpenAI, and Anthropic.

Can we keep EU meeting data at rest in the EU?

Partially. Enterprise customers can use Private Storage / BYOS for data at rest in a customer-selected bucket. However, Fireflies' processing pipeline still runs on US servers regardless of storage location.

Do meeting participants know they're being recorded?

Yes. Fireflies joins as a visible bot (labeled in participant list). However, explicit consent is still required under GDPR; the visible bot aids but does not replace consent requirements.

How long is data retained?

  • Free: 400 mins storage/team
  • Pro: 8,000 mins of storage/seat
  • Business/Enterprise: Configurable retention policies; can set auto-delete schedules

What about Zero Data Retention (ZDR)?

Fireflies states it applies a 0-day data retention policy with all vendors and partners across its service, so data is not stored by OpenAI, Anthropic, or transcription providers after processing is complete.

What compliance standards?

SOC 2 Type II certified. HIPAA compliance available (Enterprise only, with BAA). GDPR-claimed but note US infrastructure limitation.

Where is data processed?

Processing occurs on US-based Fireflies servers. Enterprise Private Storage affects where meeting data is stored after processing, not where processing happens. This is the primary GDPR concern for European organisations.

Is a Data Processing Agreement (DPA) available?

Yes. Fireflies provides a DPA with Data Processing Terms that can be requested via their website. The Privacy Policy incorporates these terms by reference. Organisations should request the DPA to review Standard Contractual Clauses (SCCs) and ensure proper legal basis for cross-border transfers.


9 Notes & Caveats

  • US infrastructure: All processing in US; may be problematic for strict localisation requirements.
  • Private Storage scope: Current Fireflies documentation describes Private Storage as Enterprise-only. Even with an EU-based customer bucket, the processing pipeline still runs in the US.
  • Consent requirements: Visible bot aids transparency but does not replace explicit consent obligations under GDPR.
  • Third-party platforms: When recording Zoom, Google Meet, Microsoft Teams meetings, those platforms' terms also apply.
  • HIPAA scope: HIPAA compliance requires a Business Associate Agreement (BAA) plus Private Storage; available on the Enterprise plan only.
  • GDPR Chapter V transfers: EU customers must conduct Transfer Impact Assessment (TIA) and implement supplementary measures beyond SCCs. The EU-US Data Privacy Framework listing provides an additional transfer mechanism.
  • Private Storage documentation update (May 2026): Fireflies now documents that Private Storage is Enterprise-only and that data is processed on Fireflies' US servers before storage in the customer-selected bucket.
  • BIPA class actions (Dec 2025–ongoing): Multiple class action lawsuits filed under Illinois BIPA, including Cruz v. Fireflies.AI (December 2025) and Fricker v. Fireflies.AI (March 2026), allege biometric data collection from non-consenting meeting participants. Both cases are ongoing. EU organisations should ensure robust explicit consent processes for all meeting participants to mitigate analogous GDPR Article 9 risks.
  • Enterprise pricing confirmed: $39/user/month (annual billing).

10 Disclaimer

This overview is intended solely as an informative tool. We strongly advise customers to thoroughly review all Data Processing Agreements (DPAs) and privacy documentation before deploying Fireflies.ai in production environments - especially when meeting recordings contain personal data or confidential information. WAIMAKERS applies this same principle internally; all tools we use have been thoroughly assessed and included in our own privacy and security documentation. Customers should always carefully evaluate the official documentation, terms, and DPAs of each AI provider they use. WAIMAKERS cannot be held legally liable for any mistakes, errors, inaccuracies, or for the accuracy, currency, or completeness of the information in this document; the ultimate responsibility for GDPR compliance rests with the customer.

Prepared and issued by WAIMAKERS B.V. - June 2026.


References

  • **Fireflies.ai Privacy Policy (2026)** - https://fireflies.ai/privacy_policy.pdf (last updated 6 March 2026; references Data Processing Terms)
  • **Fireflies.ai Data Processing Agreement (DPA) Request** - https://fireflies.ai/dpa
  • **Fireflies.ai Private Storage** - https://guide.fireflies.ai/articles/3687416644-learn-about-private-storage
  • **Fireflies.ai Security & Data Safety** - https://guide.fireflies.ai/articles/2154538358-policy-on-keeping-information-safe
  • **Fireflies.ai Pricing** - https://fireflies.ai/pricing
  • **Fireflies.ai HIPAA Compliance** - https://fireflies.ai/hipaa
