Echoprysm
ENDADEESITSV

Echoprysm review

Privacy-first AI meeting notetakers for small teams (2026)

If a small team records client calls, the notetaker you pick decides where those transcripts live and whether they help train someone's AI. This is a public-evidence comparison of five tools — Otter, Fireflies, Fathom, tl;dv and Granola — on the questions privacy-conscious teams actually ask: where data sits, whether it trains AI, how you export it, and price. No hands-on test and no invented scores; every claim is from the vendors' own pages, checked in June 2026.

By Echoprysm Editorial7 min read
A small team video call on a laptop with an AI transcript panel open, beside notes comparing privacy options.

Quick verdict: who each tool suits

There is no single ‘most private' winner — it depends on which risk you care about most. Based on each vendor's public pages:

  • tl;dv — the one to shortlist first if EU data residency is the priority; it states that data is processed and stored in the EEA and publishes a DPA.
  • Granola — suits teams that want local, on-device capture; it records device audio and does not join the call as a visible bot, and says audio is discarded after transcription.
  • Fireflies — worth a look if you want a stated 0-day retention option and SOC 2, and EU-only hosting is not a hard requirement.
  • Fathom — fits teams for whom SOC 2 and HIPAA matter and US/Canada hosting is acceptable; note it uses de-identified data to improve its own models, with an org-level opt-out.
  • Otter — widely used and capable, but weigh that it states it trains its own AI on de-identified audio before you record sensitive calls.

These are positioning claims from public pages, not a hands-on audit. Always read the current DPA and privacy page before you commit a team to one.

What ‘private' means for a small team

For a team without a dedicated security person, ‘private' comes down to four answerable questions. Use them as the lens for everything below, and as a checklist when you talk to a vendor.

  • Where is the data stored, and can you choose the region?
  • Is your meeting content used to train AI, by default or at all?
  • Who can access, share and delete a recording — and how?
  • Can you export transcripts and notes, in a format you can reuse?

Our AI meeting-notes privacy checklist expands each of these into questions you can paste into an email to a vendor.

The comparison, by public evidence

Everything in this table is what each vendor states on its own privacy, security or pricing pages, read in June 2026. Policies change, so treat it as a starting point and verify the current DPA before you buy.

ToolData location (stated)Trains AI on your content?ExportNotable
tl;dvEEA (EU) processing and storageStates no customer data used to train AI; AI training can be disabledYes; publishes a DPA and retention controlsEU-residency focus; uses Anthropic via Google Vertex for summaries
GranolaAWS, United StatesDoes not let third-party AI train on data; Enterprise training off org-wideYesLocal device-audio capture; audio discarded after transcription; SOC 2 Type II
FirefliesUS; region/private storage on EnterpriseStates meeting data is not used for AI training, with a 0-day retention optionYesSOC 2; AES-256 at rest, TLS in transit; HIPAA BAA on Enterprise
FathomAWS, US and CanadaSub-processors barred from training; uses de-identified data for its own models, with org opt-outYesSOC 2 Type II and HIPAA stated
OtterAWS, United StatesStates it trains its own AI on de-identified audioYes (data portability)EU/UK transfers via Standard Contractual Clauses

EU compliance: what to actually check

A meeting recording is personal data, so GDPR applies whatever tool you choose. The practical work is not reading the law — it is getting four things in writing: a Data Processing Agreement, the sub-processor list, the data location, and the retention and deletion terms. Every vendor above offers GDPR-relevant features, but ‘offers features' is not the same as ‘compliant for your use'.

The EU AI Act adds transparency duties but classifies most general notetakers well below the ‘high-risk' tier, so for a small team it mostly reinforces what GDPR already asks. If you want a vendor-questionnaire angle, our EU AI Act vendor checklist and the Copilot meeting-notes admin checklist are the companions to this review. Separately, many EU jurisdictions expect you to inform participants before recording — treat consent as a requirement, not a courtesy, and check local rules.

Export and lock-in

Privacy and portability are the same question asked twice: if you can leave with your data, a vendor has less hold over you. All five tools offer some export, but the texture differs. Otter frames export around data-portability rights; Fireflies, Fathom, tl;dv and Granola let you pull transcripts and notes out, with formats and bulk-export depth varying by plan.

Before you standardise a team on any of them, export a real meeting and check what survives the round trip — speaker labels, timestamps, highlights and summaries often degrade or drop. An export that loses the structure you relied on is only half an exit.

Who each tool is not for

Honest mismatches matter more than feature lists. Skip a tool if one of these is you:

  • tl;dv — not for teams that want fully local, no-cloud capture; it is cloud-based, just EU-hosted.
  • Granola — not for teams that need a bot to join and record meetings automatically, or who are not on desktop; its model is local device capture.
  • Fireflies and Otter — not the default pick if strict EU-only data residency is non-negotiable; check enterprise/region options first.
  • Otter — not ideal if you are uneasy about a vendor training its own AI on (de-identified) audio of your calls.
  • All five — not a fit for ‘nothing may ever touch a US cloud' unless you have verified a specific EU or self-hosted option in writing.

Sources

How we compared these — and what we did not test

This is a public-evidence review. We read each vendor's own privacy, security and pricing pages in June 2026 and compared the stated claims. We did not run a logged-in security test, sign a DPA, or audit anyone's infrastructure, so each point is ‘what the vendor states', not a verified fact about your future contract. We did not assign star ratings, because a fair score would need hands-on and contractual access we do not claim. Prices and policies change — verify the current DPA and pricing before you buy.

Frequently asked questions

Which AI notetaker is best for EU data residency?
On public evidence, tl;dv is the one that explicitly states EEA (EU) processing and storage and publishes a DPA. Otter, Fathom and Granola describe US (AWS) infrastructure, and Fireflies offers region or private storage on its Enterprise plan. Confirm the current DPA and region options before you commit.
Do AI notetakers train on my meetings?
It varies, so check each policy. tl;dv, Fireflies and Granola state they do not use your content to train AI by default; Otter states it trains its own AI on de-identified audio; and Fathom bars its sub-processors from training but uses de-identified data to improve its own models, with an org-level opt-out. Policies change — verify before recording sensitive calls.
Can I export my transcripts and notes?
All five offer some export. The detail that matters is what survives: speaker labels, timestamps, highlights and summaries can drop or degrade. Export a real meeting and check it before you standardise a team on one tool.
Are these tools GDPR compliant?
They provide GDPR-relevant features such as DPAs, deletion and export, but compliance depends on how you configure and use them. Sign a DPA, review the sub-processor list and data location, and set retention deliberately. This review is orientation, not a legal opinion.
Is a notetaker that joins the call as a bot a problem?
It is visible to everyone and adds another data path, which some clients dislike. Granola takes a different approach by capturing device audio locally without joining as a participant. Either way, tell participants they are being recorded.
Do we need consent to record meetings?
In much of the EU you should inform participants before recording, and in some cases obtain consent. Build a short notice into your meeting flow and check the rules in your country; this review does not replace legal advice.

More from Echoprysm

Methodology: public-evidence review

We did not access a live dashboard, make a payment, run a full product test or verify private customer data. This page summarizes public evidence available on the verification date.

What we could not verify

We could not verify private customer outcomes, dashboard-only functions, non-public contracts, private pricing or internal security controls unless the page explicitly says otherwise.

Sources and verification date

Verification date: 2026-06-14. These links support the verification framework for this public-evidence page; private dashboard-only claims remain unverified unless stated in the article.