Fireflies.ai

Compliant · EU: Limited · No Training · Zero Retention · US Only

Business Plan Price

$10-18/user (Pro), $19-29/user (Business) - billed in USD

Enterprise Features

Private Storage, Private Cloud (EU), ZDR, BYOS, custom retention, Rules Engine

Last Updated

March 23, 2026

Fireflies.ai - GDPR & Data Privacy Overview for European Clients

Version: March 2026 - prepared by WAIMAKERS B.V.


1 Purpose

This overview explains how Fireflies.ai tiers (Free, Pro, Business, Enterprise) handle data in relation to GDPR, with a focus on European customers. Fireflies.ai is an AI-powered meeting assistant by Fireflies.ai Corp. that automatically records, transcribes, and summarizes conversations, operating from US infrastructure.


2 Comparison of Fireflies.ai Tiers (EU focus)

| Tier | Visible Bot | Zero Data Retention (ZDR) | Training on data? | EU residency | Compliance | Price |
|---|---|---|---|---|---|---|
| Free | ✅ Yes | ⚠️ Limited | ✅ No (default) | ❌ No (US infra) | Basic | Free |
| Pro | ✅ Yes | ✅ Yes | ✅ No | ❌ No (US infra) | SOC 2 Type II | $10/user/month |
| Business | ✅ Yes | ✅ Yes | ✅ No | ❌ No (US infra) | SOC 2 Type II, HIPAA | $19/user/month |
| Enterprise | ✅ Yes | ✅ Yes | ✅ No | ⚠️ EU storage via Private Cloud (Enterprise) | SOC 2 Type II, HIPAA, custom controls | $39/user/month (annual) |

Notes for Europe

  • Visible bot: Fireflies joins meetings as a visible bot (labeled in participant list), which aids transparency and GDPR consent requirements.
  • Zero Data Retention (ZDR): Pro, Business, and Enterprise enforce ZDR with all AI vendors (OpenAI, Anthropic, transcription providers). Data is not stored by third-party vendors after processing.
  • No AI training: Meeting content (audio, video, transcripts, summaries) is never used to train AI models, internally or externally. Contractual prohibition with all partners.
  • Infrastructure: All Fireflies processing occurs in US-based infrastructure; there is no EU residency option for processing (the EU options described in the next two bullets cover storage at rest only).
  • Private Storage / BYOS: Business and Enterprise can use Private Storage (Bring Your Own Storage - customer's own AWS S3 or Google Cloud Storage) for data at rest. Enterprise customers can configure EU-region buckets for GDPR data locality purposes. Note: processing pipeline still runs in US.
  • EU storage via Private Cloud: Enterprise customers can access a dedicated Private Cloud deployment with EU data storage (sales-assisted).
  • EU-US Data Privacy Framework: Fireflies is listed under the EU-US Data Privacy Framework, providing an additional transfer mechanism alongside SCCs.
  • DPA & Data Processing Terms: Fireflies provides a Data Processing Agreement (DPA) that includes Data Processing Terms, available upon request. The Privacy Policy explicitly references these terms and incorporates them by reference into the Terms of Service.
  • Privacy policy updated June 2025: Key updates include 7-day data deletion after account cancellation (for most data) and a 12-month minimum retention period during active subscriptions.
  • Legal risk - BIPA class actions (Dec 2025–ongoing): Multiple class action lawsuits have been filed alleging Fireflies collected biometric identifiers (voiceprints) from non-consenting meeting participants under Illinois BIPA, including Cruz v. Fireflies.AI (filed December 2025) and Fricker v. Fireflies.AI. Both cases are ongoing; EU organisations should monitor developments and ensure robust participant consent processes.
  • Pricing: Enterprise plan confirmed at $39/user/month (annual billing). Other plans listed in USD. No EUR-specific pricing available.

3 Is Fireflies.ai GDPR-Compliant?

Short answer: Fireflies can support GDPR compliance on Business/Enterprise plans, but requires accepting US-only infrastructure without EU data residency. This poses significant challenges for strict data localisation requirements.

What applies to all plans (Pro and above):

  • Zero Data Retention - Data not stored by AI vendors (OpenAI, Anthropic) after processing.
  • No AI training - Meeting content never used to train models (contractual prohibition).
  • Visible bot - Meeting participants see Fireflies bot join, aiding transparency and consent.

What's plan-dependent:

  • Free plan: Limited ZDR coverage; primarily for personal use.
  • Pro plan: Full ZDR, SOC 2 Type II; suitable for non-regulated SMB workloads.
  • Business plan: Adds HIPAA compliance (with BAA), custom retention, Rules Engine, team controls.
  • Enterprise plan: Private Storage (BYOC), advanced security controls, custom retention policies, Super Admin.

Infrastructure limitations (all plans):

  • No EU data residency - All processing/storage in US (Fireflies.ai Corp.).
  • Cross-border transfers - Meeting data transferred to and processed in the United States.

What that means in practice:

  • Non-sensitive meetings: Pro or Business plan may be acceptable with proper safeguards (DPA, SCCs, DPIA).
  • Regulated industries (healthcare, finance, public sector): Business plan required for HIPAA/additional controls, but US infrastructure may still pose compliance challenges.
  • Strictest GDPR requirements (data localisation mandates, special categories data): Fireflies may not meet requirements due to US-only infrastructure.

Buyer's note: Business/Enterprise = GDPR-capable with significant caveats (US infra, no EU residency); Free/Pro = Higher residual risk for regulated workloads.


4 Details by Offering

Fireflies Free

  • Visible bot: Yes (joins meetings as labeled participant)
  • Data collection: Meeting audio, transcripts, limited AI summaries
  • Training: Not used for AI training by default
  • Retention: 800 mins storage/seat; limited ZDR coverage
  • Pricing: Free forever
  • When to use: Personal projects, individual learning, non-commercial meetings
  • When not to use: Business meetings with confidential information, client calls, regulated workloads

Fireflies Pro

  • Zero Data Retention: Full ZDR with all AI vendors
  • Visible bot: Yes (meeting transparency)
  • Training: No training on meeting data
  • Compliance: SOC 2 Type II certified
  • Pricing: $10/user/month
  • When to use: SMB teams, non-regulated workloads, internal meetings
  • When not to use: Regulated industries requiring EU data residency, client meetings under strict NDAs

Fireflies Business

  • Zero Data Retention: Full ZDR enforced
  • Private Storage: Can use own AWS S3 or Google Cloud Storage
  • HIPAA compliance: Available with Business Associate Agreement (BAA)
  • Team controls: Rules Engine, custom data retention, admin controls
  • Compliance: SOC 2 Type II, HIPAA, GDPR-claimed
  • Pricing: $19/user/month
  • When to use: Healthcare organisations (with BAA), finance teams, SMB with compliance requirements
  • When not to use: Strict EU data localisation mandates, special categories data without DPIA/TIA

Fireflies Enterprise

  • All Business features plus:
  • Super Admin: Enhanced admin controls and oversight
  • Private Storage / BYOS: BYOC (Bring Your Own Cloud) for data at rest - supports AWS S3 and GCP; can be configured in EU regions for data locality
  • EU Private Cloud: Dedicated Private Cloud deployment with EU data storage available (sales-assisted)
  • Custom retention: Configurable retention policies (e.g., 90 days, 1 year, indefinite)
  • Advanced security: SSO/SAML, IP allowlists, custom security reviews
  • DPA available: Data Processing Agreement with SCCs
  • EU-US Data Privacy Framework: Listed, providing an additional transfer mechanism
  • Compliance: SOC 2 Type II, HIPAA, GDPR-claimed, custom security frameworks
  • Pricing: $39/user/month (annual billing confirmed)
  • When to use: Large enterprises, heavily regulated industries, organisations requiring strict security controls or EU data storage
  • When not to use: When EU data localisation for processing (not just storage) is mandatory - processing pipeline remains US-based

5 Data Processing Flow

User starts meeting
  ↓
Fireflies bot joins (visible to participants)
  ↓
Audio recording starts
  ↓
Fireflies processing pipeline (US-based)
  ├─ Transcription via third-party providers
  │   └─ ZDR enforced (Pro/Business/Enterprise)
  ├─ AI summarisation (OpenAI/Anthropic)
  │   └─ ZDR enforced (no storage after processing)
  ├─ Storage
  │   ├─ Free/Pro: Fireflies US servers
  │   └─ Business/Enterprise: Private Storage option (customer's cloud)
  └─ Response/transcript returned to workspace

*All processing in US infrastructure; no EU data residency*

6 Recommendations (GDPR-first)

  • For business processing of meeting data, prefer Business or Enterprise plans for full ZDR, HIPAA compliance, and Private Storage options.
  • For regulated data (healthcare, finance, public sector), complete a DPIA and Transfer Impact Assessment (TIA) to assess US processing risks under GDPR Chapter V. Request DPA with SCCs from Fireflies.
  • For strictest data localisation requirements, Fireflies may not be suitable due to US-only infrastructure.
  • Do not use Free plan for business meetings or confidential information.
  • Always obtain consent from meeting participants before recording (visible bot aids but does not replace explicit consent requirements).

7 EU Rollout Checklist (Practical)

  1. Choose Business or Enterprise plan - For full ZDR, compliance certifications, and Private Storage.
  2. Conduct DPIA & TIA - Document US processing risks (GDPR Chapter V); determine if SCCs + supplementary measures are sufficient. For special category data or strict localisation mandates, Fireflies may not be suitable.
  3. Execute the contracts - Request and sign a DPA with SCCs from Fireflies; add explicit ZDR and no-training clauses.
  4. Configure Private Storage (Business/Enterprise) - Use your own AWS S3 or Google Cloud Storage (can be EU-based) for data at rest. Note: processing still occurs in US.
  5. Establish consent protocol - Create clear meeting consent process; leverage visible bot but obtain explicit consent from participants before recording.
  6. Set retention policies (Enterprise) - Configure custom retention (e.g., 90 days auto-delete) to minimise data exposure.
  7. Train team on safe practices - Educate users on when not to use Fireflies (special categories data, highly confidential client meetings, etc.).
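Steps 4 and 6 above are on the customer's side of the Private Storage setup: the bucket that Fireflies writes into is yours, so its region, encryption, public-access and retention settings are yours to verify. The following is an added example written for this overview, not code from Fireflies or WAIMAKERS. It builds the 90-day lifecycle document and checks a bucket description against the checklist. The field names follow the JSON the AWS CLI returns from `aws s3api get-bucket-location`, `get-public-access-block`, `get-bucket-encryption` and `get-bucket-lifecycle-configuration`; the two bucket descriptions at the bottom are constructed samples, not real buckets, and the EU region list is an assumption you should review against your own adequacy analysis. How Fireflies itself is pointed at the bucket is product configuration and is not shown.

```python
"""Customer-side checks for a Bring-Your-Own-Storage (BYOS) bucket:
EU-member-state region, default encryption, public access blocked, and a
bucket-wide expiration no longer than the agreed retention period."""
import json

# AWS regions in EU member states (assumption: review against your own analysis).
# An "eu-" prefix alone is not enough: eu-west-2 (London) and eu-central-2
# (Zurich) are outside the EU and are deliberately left out of this set.
EU_MEMBER_STATE_REGIONS = {
    "eu-west-1",     # Ireland
    "eu-west-3",     # France
    "eu-central-1",  # Germany
    "eu-north-1",    # Sweden
    "eu-south-1",    # Italy
    "eu-south-2",    # Spain
}

PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def lifecycle_document(retention_days, prefix=""):
    """Document for `aws s3api put-bucket-lifecycle-configuration
    --lifecycle-configuration file://lifecycle.json`: expire objects after
    `retention_days` and clean up abandoned multipart uploads after 7 days."""
    if retention_days < 1:
        raise ValueError("retention_days must be at least 1")
    return {"Rules": [{
        "ID": f"expire-after-{retention_days}-days",
        "Filter": {"Prefix": prefix},
        "Status": "Enabled",
        "Expiration": {"Days": retention_days},
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
    }]}


def effective_expiration_days(lifecycle):
    """Shortest enabled, bucket-wide expiration in days, or None when no rule
    covers every object (a prefix- or tag-scoped rule leaves the rest unexpired)."""
    days = []
    for rule in lifecycle.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        flt = rule.get("Filter")
        if flt is None:                      # legacy rule shape: top-level Prefix
            scoped = bool(rule.get("Prefix"))
        else:
            scoped = bool(flt.get("Prefix")) or "Tag" in flt or "And" in flt
        exp = rule.get("Expiration", {}).get("Days")
        if not scoped and isinstance(exp, int):
            days.append(exp)
    return min(days) if days else None


def assess_bucket(bucket, max_retention_days):
    """Return a list of findings; an empty list means the bucket meets the checklist.
    `bucket` merges the four CLI responses under their top-level keys."""
    findings = []
    # get-bucket-location returns null for us-east-1, never the string itself
    region = bucket.get("LocationConstraint") or "us-east-1"
    if region not in EU_MEMBER_STATE_REGIONS:
        findings.append(f"region {region} is not in an EU member state")
    pab = bucket.get("PublicAccessBlockConfiguration", {})
    for key in PUBLIC_ACCESS_BLOCK_KEYS:
        if not pab.get(key):
            findings.append(f"public access block {key} is not enabled")
    rules = bucket.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algos & {"AES256", "aws:kms"}:
        findings.append("no default server-side encryption configured")
    days = effective_expiration_days(bucket.get("LifecycleConfiguration", {}))
    if days is None:
        findings.append("no enabled bucket-wide expiration rule")
    elif days > max_retention_days:
        findings.append(f"objects expire after {days} days, policy allows {max_retention_days}")
    return findings


# Constructed sample: Frankfurt bucket with the 90-day auto-delete from step 6.
COMPLIANT_BUCKET = {
    "LocationConstraint": "eu-central-1",
    "PublicAccessBlockConfiguration": {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS},
    "ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    "LifecycleConfiguration": lifecycle_document(90),
}

# Constructed sample: "eu-" region outside the EU, one public-access setting off,
# and an expiration rule scoped to a prefix, so most objects are kept indefinitely.
RISKY_BUCKET = {
    "LocationConstraint": "eu-west-2",
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                       "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
    "ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    "LifecycleConfiguration": {"Rules": [{"ID": "recordings-only", "Status": "Enabled",
                                          "Filter": {"Prefix": "recordings/"},
                                          "Expiration": {"Days": 365}}]},
}

if __name__ == "__main__":
    print(json.dumps(lifecycle_document(90), indent=2))
    for name, cfg in (("compliant", COMPLIANT_BUCKET), ("risky", RISKY_BUCKET)):
        print(name, assess_bucket(cfg, 90) or ["ok"])
```

To run it against a real bucket, merge the four `aws s3api` responses into one dict and pass it with the retention period your DPIA settled on; the prefix check matters because a rule scoped to `recordings/` reads like a retention policy but leaves transcripts and summaries stored under other prefixes untouched.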

8 Procurement Quick Answers (EU)

Is my meeting data used to train AI models?

No. Fireflies enforces a contractual prohibition with all AI vendors (OpenAI, Anthropic, transcription providers). Meeting content is never used for training.

Can we keep EU meeting data at rest in the EU?

Partially. Business/Enterprise can use Private Storage / BYOS (Bring Your Own Storage - AWS S3 or Google Cloud in EU regions) for data at rest. Enterprise customers can also request a dedicated Private Cloud deployment with EU data storage (sales-assisted). However, Fireflies' processing pipeline still runs in US infrastructure regardless of storage location.

Do meeting participants know they're being recorded?

Yes. Fireflies joins as a visible bot (labeled in participant list). However, explicit consent is still required under GDPR; the visible bot aids but does not replace consent requirements.

How long is data retained?

  • Free: 800 mins storage/seat
  • Pro: Unlimited storage
  • Business/Enterprise: Configurable retention policies; can set auto-delete schedules

What about Zero Data Retention (ZDR)?

Pro, Business, and Enterprise enforce ZDR with all AI vendors. Data is not stored by OpenAI, Anthropic, or transcription providers after processing is complete.

What compliance standards?

SOC 2 Type II certified. HIPAA compliance available (Business/Enterprise with BAA). GDPR-claimed but note US infrastructure limitation.

Where is data processed?

All processing occurs in US-based infrastructure. No EU data residency option available. This is the primary GDPR concern for European organisations.

Is a Data Processing Agreement (DPA) available?

Yes. Fireflies provides a DPA with Data Processing Terms that can be requested via their website. The Privacy Policy incorporates these terms by reference. Organisations should request the DPA to review Standard Contractual Clauses (SCCs) and ensure proper legal basis for cross-border transfers.


9 Notes & Caveats

  • US infrastructure: All processing in US; may be problematic for strict localisation requirements.
  • Private Storage scope: Even with Private Storage (customer's EU-based cloud), processing pipeline still runs in US.
  • Consent requirements: Visible bot aids transparency but does not replace explicit consent obligations under GDPR.
  • Third-party platforms: When recording Zoom, Google Meet, Microsoft Teams meetings, those platforms' terms also apply.
  • HIPAA scope: HIPAA compliance requires Business Associate Agreement (BAA); available on Business/Enterprise plans only.
  • GDPR Chapter V transfers: EU customers must conduct Transfer Impact Assessment (TIA) and implement supplementary measures beyond SCCs. The EU-US Data Privacy Framework listing provides an additional transfer mechanism.
  • Privacy policy update (June 2025): Data deleted within 7 days after cancellation for most data types. Active subscriptions have a 12-month minimum retention period.
  • BIPA class actions (Dec 2025–ongoing): Multiple class action lawsuits filed under Illinois BIPA, including Cruz v. Fireflies.AI and Fricker v. Fireflies.AI, allege biometric data collection from non-consenting meeting participants. Both cases are ongoing. EU organisations should ensure robust explicit consent processes for all meeting participants to mitigate analogous GDPR Article 9 risks.
  • Enterprise pricing confirmed: $39/user/month (annual billing).

10 Disclaimer

This overview is intended solely as an informative tool. We strongly advise customers to thoroughly review all Data Processing Agreements (DPAs) and privacy documentation before deploying Fireflies.ai in production environments - especially when meeting recordings contain personal data or confidential information. WAIMAKERS applies this same principle internally; all tools we use have been thoroughly assessed and included in our own privacy and security documentation. Customers should always carefully evaluate the official documentation, terms, and DPAs of each AI provider they use. WAIMAKERS cannot be held legally liable for any mistakes, errors, inaccuracies, or for the accuracy, currency, or completeness of the information in this document; the ultimate responsibility for GDPR compliance rests with the customer.

Prepared and issued by WAIMAKERS B.V. - March 2026.


References

  • **Fireflies.ai Privacy Policy (2025)** - https://fireflies.ai/privacy_policy.pdf (references Data Processing Terms)
  • **Fireflies.ai Data Processing Agreement (DPA) Request** - https://fireflies.ai/dpa
  • **Fireflies.ai Security & Data Safety** - https://guide.fireflies.ai/articles/2154538358-policy-on-keeping-information-safe
  • **Fireflies.ai Pricing** - https://fireflies.ai/pricing
  • **Fireflies.ai HIPAA Compliance** - https://fireflies.ai/hipaa
