Privacy Policy
Last Updated: April 12, 2026
Who We Are
OmniListen is an AI-powered meeting transcription and intelligence platform developed and operated by Empowering Energy (trading as ESAP AI) (CR No. [Insert CR Number]). We help enterprise teams capture, transcribe, and extract actionable insights from Arabic and English meetings with speaker identification, role-based analysis, and automated action item generation.
Our Role: Data Processor
OmniListen operates exclusively in a B2B enterprise context. Your organization is the Data Controller — you determine who uses the platform and for what purpose. Empowering Energy (OmniListen) acts solely as a Data Processor, processing meeting data only on your organization's behalf and strictly under your documented instructions.
Important: Sensitive Personal Data
OmniListen processes voice recordings and performs speaker identification — both classified as Sensitive Personal Data under PDPL Article 23.
This means:
- Your organization must obtain explicit, informed consent from all meeting participants before any recording begins
- Participants must be clearly informed that their voice is being recorded, transcribed, and analyzed by AI
- Sensitive data is subject to stricter processing, storage, and transfer rules
- Empowering Energy will process voice and speaker data only within the scope defined in your signed DPA
What Data We Process
- Authorized User Identity Data — Names, work emails, job titles, employee IDs
- Voice and Audio Data — Audio recordings of meetings (Sensitive Personal Data)
- Transcription Data — Text transcriptions in Arabic and English
- Speaker Identification Data — AI-powered voice analysis labels (biometric-adjacent, treated as Sensitive Personal Data)
- Meeting Metadata — Title, date, time, duration, participant count, language, platform source
- Role-Based Analysis Outputs — Summaries, action items, decisions for PM/HR/Executive roles
- Technical and Security Data — IP addresses, device types, session timestamps, access logs
- Support Communications — Messages exchanged with the support team
Why We Process Your Data
| Purpose | Lawful Basis |
|---|---|
| Meeting transcription and AI analysis | Performance of contract |
| Speaker identification and role-based outputs | Explicit consent (via your organization) |
| User authentication and access | Performance of contract |
| Platform security | Legitimate interest |
| Service quality improvement | Legitimate interest |
| Legal and regulatory compliance | Legal obligation |
We never process data for advertising, profiling, or any purpose outside the contracted scope.
How We Use AI
- All outputs are assistance tools — not final records or legal documents
- Every AI output is labeled: "AI-generated — review before using in formal decisions."
- Speaker identification accuracy is high but not infallible — human review required
- Role-based analysis is for decision-support only — does not constitute HR advice, legal opinion, or management instruction
- We do not use your meeting recordings or transcriptions to train AI models without explicit written consent
- We maintain full documentation of AI models, language capabilities, and processing logic
Participant Consent Obligation
Because OmniListen records voices of all participants — including non-registered users — your organization must:
- Inform all participants before the recording begins
- Obtain explicit consent, particularly for sensitive topics (HR, legal, financial)
- Provide the ability to opt out without professional consequences
- Maintain records of consent for each session
Data Sharing and Sub-Processors
| Provider | Purpose | Location |
|---|---|---|
| Cloud Hosting Provider | Infrastructure and encrypted audio storage | USA |
| AI Transcription / NLP Provider | Speech-to-text and language processing | USA |
| AI Model Provider | Meeting analysis and output generation | USA |
| Analytics Platform | Anonymous usage analytics | USA |
30 days' advance notice for any sub-processor changes. Right to object included.
Data Processing and Third-Party Disclosures
To provide the features of OmniListen, we engage limited third-party service providers to act as data processors. These sub-processors are utilized solely for technical processing required to deliver the service (such as data analysis and processing).
We do not sell or share your Google user data for any purposes outside of these core functional requirements. All third-party processors are contractually bound to maintain data confidentiality and are strictly prohibited from using your data to train their own models or for any secondary purposes.
Limited Use Disclosure
OmniListen’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Cross-Border Data Transfers
All transfers are protected by:
- SDAIA-approved Standard Contractual Clauses (SCCs)
- Encrypted transmission and storage at all international points
- Contractual prohibition on secondary use
Your Organization’s Rights Under PDPL
- Access — Copy of all personal and sensitive data
- Correction — Fix inaccurate metadata, speaker labels, and identity data
- Deletion — Specific recordings, transcriptions, or all data
- Portability — JSON or CSV export
- Objection — Object to processing not in DPA
- Restriction — Restrict processing during dispute
- Audit — Evidence of PDPL compliance
Data Retention
| Data Type | Retention Period |
|---|---|
| Voice recordings (audio files) | 90 days, then auto-deleted |
| Transcription text | Contract duration + 6 months |
| Speaker identification labels | Contract duration + 6 months |
| Role-based analysis outputs | Contract duration + 6 months |
| Meeting metadata | Contract duration + 1 year |
| User account data | Contract duration + 1 year |
| Support communications | 2 years |
| Security and access logs | 6 months |
30-day data export window on termination. Permanent deletion confirmed in writing.
Data Security
- AES-256 encryption at rest for all audio and transcriptions
- TLS 1.3 encryption in transit
- Audio files in isolated, access-controlled storage buckets
- Role-based access controls — only authorized personnel
- No employee access to raw audio without a logged reason
- Regular security audits and vulnerability assessments
- 72-hour SDAIA breach notification + immediate client notification
Contact and Complaints
Empowering Energy — Data Privacy Team
Complaints: SDAIA at sdaia.gov.sa