Do they own your data? Fellow Privacy Policy Reviewed.
Fellow's AI meeting management shows promise but faces critical enterprise privacy challenges. Our analysis gives it a 6/10 readiness score: good privacy controls do not offset high-risk gaps in data residency and data minimization. Partially ready for enterprise deployment.
Final Enterprise Readiness Rating: 6/10
⚠️ Partially ready (Reviewed 2026).
| Area | Verdict | Notes |
|---|---|---|
| Data Residency & Storage | ❌ High Risk | Only mentions AWS hosting; no geographic controls or data residency options |
| AI Model Use | ⚠️ Partial | Uses third-party AI services that administrators can disable at the workspace level, but offers no bring-your-own-model option |
| Data Minimization | ❌ High Risk | Collects extensive calendar data and biometric voice samples, and builds work graphs from meeting relationships, all requested under broad permissions |
| Privacy Controls | ✅ Good | Individual opt-out for voice data and workspace-level controls for AI features |
| Compliance & Auditability | ⚠️ Partial | GDPR compliant, but no mention of SOC 2, ISO 27001, or HIPAA |
| Consent Handling | ❌ High Risk | No mention of meeting participant consent workflows or recording notifications |
| Model Explainability | ❌ High Risk | No visibility into AI processing, decision-making, or audit trails for AI actions |
| Data Retention & Deletion | ✅ Good | 15-day deletion commitment, with backups purged within a further 30 days |
| Third-Party Sharing | ⚠️ Partial | Shares data with AI providers and analytics services, but publishes a sub-processor list and offers admin controls |
⚠️ Recommendation for Enterprises:
Adopt Fellow with caution. Be especially careful if you handle:
- Confidential client communications
- Health, financial, legal, or regulated data
- Sensitive IP or trade secrets
Instead, consider AI tools that:
- Offer full control over data use
- Allow bring-your-own model
- Support SOC 2 Type II, HIPAA, GDPR
- Have consent automation and enterprise contracts ready
Better Alternative:
✅ BuildBetter.ai — GDPR, SOC 2 Type II, and HIPAA compliant
✅ Zero training on customer data
✅ You own your data. Fully opt-in privacy model.
🔍 Fellow Privacy Policy – Enterprise Risk Assessment
Audience: Security-conscious enterprise organizations evaluating AI meeting management tools (agendas, notes, action items) for internal use in highly sensitive or regulated environments (e.g. legal, healthcare, finance, tech/IP-heavy orgs).
⚠️ Where Fellow Falls Short – Critical Gaps
🔒 1. Data Residency & Storage
Quote: "Our servers (hosted by Amazon Web Services) collect information including the type of browser and O/S you use, your IP Address, domain name and the timing / duration of your visit to our Site."
Risk: The policy names AWS as the hosting provider but says nothing about which regions hold customer data. Enterprises in regulated industries often require data to remain in specific jurisdictions; without explicit data residency controls, this creates compliance risk for EU, Canadian, and other regulated entities.
Enterprise Issue:
- No data residency guarantees
- No geographic storage options
- No on-premises or VPC deployment options
Verdict: ❌ Fails basic compliance checklist
🧠 2. AI Model Use
Quote: "The transfer of your organizations' data to AI-related third party service providers can be controlled by administrators in your organization with a toggle in your Workspace settings"
Risk: The toggle gives administrators some control, but enterprises typically also need a contractual guarantee that their data is not used to train third-party models, and the option to route AI processing through infrastructure they control.
Enterprise Issue:
- Third-party AI processing is enabled by default; administrators must opt out
- No bring-your-own-model capability
- No way to keep AI processing inside the customer's own environment other than disabling the feature
Verdict: ⚠️ Risky default with opt-out control
📊 3. Data Minimization
Quote: "In order to offer these Services, we require access to the following information: Calendar: We access data about the events that you participate in such as organizer, title, attendees and optional attendees (names and emails), date, time, duration, calendar resources (meeting rooms) and recurrence of events."
Risk: The extensive calendar and voice data collection creates significant privacy exposure. Enterprises need granular controls over what data is collected and processed.
Enterprise Issue:
- Broad calendar data collection
- Automatic voice sample collection
- Work-graph analytics derived from who meets with whom
Verdict: ❌ Excessive data collection for core function
⚙️ 4. Privacy Controls
Quote: "Users can opt out at any time by disabling 'voice detection' in their user settings. Workspace administrators can disable voice matching for their entire workspace through workspace settings"
Risk: The controls are granular, but many enterprise compliance programs expect biometric processing such as voice matching to be opt-in by default rather than opt-out.
Enterprise Issue:
- Voice collection is opt-out rather than opt-in
- AI features enabled by default
Verdict: ✅ Strong user controls with admin oversight
📦 5. Compliance & Auditability
Quote: "For residents of the European Economic Area, Fellow generally processes Personal Data in order to fulfill contracts we have with the Organizations that are our customers"
Risk: Enterprises typically require SOC 2 Type II and other security certifications to validate vendor security practices. GDPR alone is insufficient for enterprise procurement.
Enterprise Issue:
- No SOC 2 certification mentioned
- No ISO 27001 certification mentioned
- No HIPAA compliance option mentioned
Verdict: ⚠️ Basic GDPR compliance, missing enterprise certifications
📬 6. Consent Handling
Risk: For enterprises handling client communications, automatic meeting processing without explicit participant consent creates legal liability. This is a critical gap for professional services.
Enterprise Issue:
- No meeting participant consent workflows
- No recording notification systems
- No guest privacy protections
Verdict: ❌ Fails duty-of-care for meeting recordings
🔍 7. Model Explainability
Risk: Enterprises need transparency into AI operations for compliance and risk management. Without explainability or audit trails, it is hard to validate AI-generated output, attribute an AI action to its inputs, or investigate errors.
Enterprise Issue:
- No AI audit trails
- No model explainability features
- No observability into AI operations
Verdict: ❌ Black box AI operations
🧼 8. Data Retention & Deletion
Quote: "We will delete this information within 15 days of your request. Your information may stay on our backup servers for up to an additional 30 days but will no longer be present thereafter."
Risk: Good deletion timeline, though enterprises may want configurable retention policies for different data types.
Enterprise Issue:
- Fixed retention periods, not configurable
- No legal hold capabilities mentioned
Verdict: ✅ Clear retention with fast deletion
🤝 9. Third-Party Sharing
Quote: "A list of our current Sub-Processors is available here. We will take reasonably necessary steps, including contractual measures and other legal requirements, to ensure that your Personal Data is dealt with the same level of caution and care"
Risk: While sub-processors are listed, enterprises need guarantees that no data is used for training or shared beyond explicit service delivery.
Enterprise Issue:
- Data shared with AI providers
- Analytics services access user data
- No contractual guarantee that customer data is not used for model training
Verdict: ⚠️ Controlled sharing but broad permissions
✅ What Fellow Does Right (Credit Where It's Due)
- Workspace-level AI controls allow disabling third-party processing
- Clear biometric data controls with individual opt-out
- Fast data deletion timeline (15 days)
- GDPR compliance with proper data controller/processor roles
- Transparent sub-processor listing
- Strong voice data encryption and isolation per workspace
Disclaimer: This evaluation is based solely on publicly available information and documentation. For formal enterprise vetting, always request the vendor's latest DPA, security whitepaper, current sub-processor list, and third-party audit reports (e.g. SOC 2 Type II).