AI Notetakers in Nonprofit Meetings: Consent, Confidentiality, and a Policy Template
AI notetakers now join meetings by default, transcribing every word your staff, board, donors, and beneficiaries say. That convenience carries real legal and ethical weight for nonprofits. This guide explains consent rules, confidentiality risks, and vendor data practices, then gives you an adaptable policy template you can put in front of your board next week.

A few years ago, taking meeting notes meant a staff member typing during the conversation or writing up a summary afterward. Today, an AI notetaker like Otter, Fireflies, Granola, Fathom, Zoom AI Companion, or Microsoft Copilot can join automatically, capture a verbatim transcript, generate a summary, and email it to attendees before anyone has left the call. For a busy nonprofit team, that feels like a gift. Notes are more accurate, action items are captured, and staff can stay present in the conversation instead of scrambling to write things down.
But that gift comes with strings attached that most organizations have not thought through. AI notetakers create permanent, searchable records of conversations that used to be ephemeral. They send audio and text to third-party vendors whose data practices vary widely. They raise legal consent questions that differ from state to state. And they routinely find their way into meetings where sensitive information about clients, donors, personnel, and board strategy is discussed, exactly the meetings where a leaked or discoverable transcript could do real damage.
This is not a reason to ban the technology. AI notetakers deliver genuine value, and staff will adopt them with or without leadership guidance. It is a reason to put a clear, thoughtful policy in place so that your organization captures the benefits while managing the risks. The goal is not to say no to a useful tool. It is to define when the tool is appropriate, when it is not, and what safeguards apply in each case.
In this guide, we walk through the consent requirements you need to understand, the confidentiality risks specific to nonprofit work, the vendor questions worth asking before you standardize on a tool, and the governance risks that make board and executive sessions a special case. Then we provide a concrete policy template you can adapt to your organization and adopt through your normal governance process. Whether you are a two-person team or a national organization, the principles here apply to any nonprofit whose meetings touch confidential information.
Consent: The Rule That Trips Up Most Organizations
The single most misunderstood aspect of AI notetakers is consent. Many people assume that because a recording bot appears in the participant list, or because a calendar invite says the meeting may be recorded, everyone has effectively agreed. That assumption is legally shaky. Consent under U.S. wiretapping laws generally requires informed agreement, not mere awareness, and no jurisdiction currently treats a visible bot in the attendee list as sufficient notice on its own.
The rules differ by state. Federal law and many states follow a one-party consent standard, meaning a recording is permissible if at least one party to the conversation consents. But roughly a dozen states, including California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Pennsylvania, and Washington, require all-party consent for recording private conversations. In those states, every participant must be notified and agree before recording begins. Because meetings routinely include people joining from different states, the safe default is to assume the stricter standard applies. If even one participant is in an all-party consent state, obtain consent from everyone.
This is not a hypothetical concern. A wave of class action litigation has targeted AI notetaker vendors over exactly these consent questions. Cases against Otter.ai allege that its auto-join feature and limited participant notification do not amount to valid consent under federal and state wiretapping laws, and a separate suit against Fireflies raised biometric privacy claims after a participant joined a meeting hosted by an Illinois nonprofit and alleged she never agreed to a voiceprint being created. Whatever the outcome of these specific cases, they signal that the visible-bot-equals-consent theory is being tested and cannot be relied upon.
The practical answer is a consent script and a moment of genuine choice. At the start of a recorded meeting, someone should state clearly that an AI notetaker is capturing a transcript, explain in plain language what happens to that transcript, and give participants a real opportunity to decline. It should be socially and procedurally acceptable to say no. When a participant objects, the notetaker should be turned off, and the organization should fall back to human notes for that meeting.
What Counts as Real Consent
- A verbal announcement at the start that recording and transcription are active
- Plain-language explanation of what happens to the transcript
- A genuine, socially safe option to decline
- Treating the stricter all-party standard as the default
What Does Not Count
- A bot silently appearing in the participant list
- A generic "this meeting may be recorded" line in a calendar invite
- Assuming attendance equals agreement to be recorded
- Recording before anyone has had a chance to object
Confidentiality Risks Unique to Nonprofit Work
Nonprofits hold some of the most sensitive information of any organization type. Case notes about a domestic violence survivor, immigration status details, a client's health or housing situation, a donor's giving capacity and personal circumstances, personnel matters, and legal strategy all pass through nonprofit meetings regularly. When an AI notetaker is running, that information stops being a fleeting conversation and becomes a stored, searchable, shareable record living on a vendor's servers.
The first risk is exposure of client and beneficiary information. Many nonprofits operate under confidentiality obligations, whether from HIPAA, funder requirements, professional ethics, or promises made directly to the people they serve. A transcript that captures a beneficiary's full name alongside their circumstances, then sits in a notetaker account accessible to staff who were never in the meeting, is a confidentiality breach waiting to happen. The convenience of an automatic summary is not worth exposing a vulnerable person's private details. This tension connects to the broader questions we explore in preserving dignity when automating services, where the way you handle people's information is itself a reflection of your values.
The second risk involves donors. Development conversations often reveal a donor's wealth, family situation, health, and giving intentions, information shared in confidence with a trusted fundraiser. If those conversations are transcribed and stored without care, a donor who learns their private discussion was captured by a third-party AI tool may feel their trust was violated. In a sector that runs on relationships, that damage can be lasting.
The third risk is scope creep in what gets captured. AI notetakers transcribe everything, including offhand remarks, half-formed opinions, statements later corrected, and casual comments never meant for the record. A verbatim transcript can misrepresent a thoughtful discussion by preserving a poorly worded aside as if it were a considered position. For meetings where nuance matters, a clean human summary is often safer and more accurate than a raw machine transcript. If your organization is building broader habits around how AI handles institutional information, the same discipline you apply in knowledge management should extend to meeting transcripts.
Where Sensitive Information Hides in Meetings
Categories of confidential content that warrant extra caution before enabling a notetaker
People You Serve
- Client names paired with health, legal, or housing details
- Immigration status and safety-sensitive circumstances
- Case reviews and service coordination discussions
Internal and Relational
- Donor wealth, health, and giving intentions
- Personnel, performance, and compensation matters
- Legal strategy and privileged conversations
Where Transcripts Live and How Long They Stay There
Once a meeting is transcribed, the transcript has to live somewhere. Understanding where, for how long, and who can reach it is essential to any responsible policy. In most consumer AI notetaker setups, transcripts and summaries are stored in the vendor's cloud, tied to the account of the person who enabled the tool. They may be automatically emailed to attendees, synced to a shared workspace, or indexed into a searchable library that anyone on the account can browse. That default sharing behavior is where many confidentiality problems begin.
Retention is the second half of the picture. Many tools keep transcripts indefinitely unless someone actively deletes them. A conversation from three years ago about a specific client or a personnel dispute may still be sitting in an account, fully searchable, long after anyone remembers it exists. For information that is sensitive today and potentially discoverable in future litigation, indefinite retention is a liability rather than a convenience. A defined retention period, after which transcripts are deleted unless there is a specific reason to keep them, dramatically reduces this exposure.
Access control matters just as much as retention. Ask who in your organization can see a given transcript. If your notetaker account is shared, a summary of a sensitive board conversation might be visible to program staff, or a development team's donor notes might be reachable by anyone with the login. Sensitive transcripts should be restricted to the people who genuinely need them, ideally stored in a controlled system rather than left in the notetaker's default library. The same governance instinct that applies to assembling board meeting packets with AI applies here: control who can see what, and design for the sensitive case, not the routine one.
Questions to Answer Before You Trust a Transcript Store
- Where are transcripts and audio physically stored?
- How long are they retained by default, and can that be changed?
- Who on your account can view or search past transcripts?
- Are transcripts auto-shared or auto-emailed to attendees?
- Can you delete a transcript completely, including backups?
- Is there an audit trail of who accessed each record?
Vendor Data Use: Is Your Meeting Training Their Model?
Not all AI notetakers handle your data the same way, and the differences matter enormously for a nonprofit handling confidential information. The central question to ask any vendor is whether they use your meeting content to train their AI models, and whether any third parties get access to it. Vendors' answers to that question vary, and their policies change over time, so this is something to verify directly rather than assume.
Some vendors have moved to reassure business customers on this point. Fireflies, for example, states that it does not use meeting content to train AI models and describes a zero-data-retention posture for enterprise processing, along with SOC 2, GDPR, and HIPAA-related compliance offerings. On the other end, Otter has faced litigation in which plaintiffs allege it used meeting data to train models without the explicit permission of all participants. We cite these as illustrations of the range you will encounter, not as an endorsement or condemnation of any specific product. The lesson is that you must read the terms for the specific plan you are on, because free and consumer tiers frequently have weaker protections than enterprise or business tiers of the same product.
Beyond training, look for concrete assurances a nonprofit can rely on: an option to disable model training on your content, a business associate agreement if you handle protected health information, clear data ownership terms confirming the transcripts belong to you, defined subprocessor lists, and independent security certifications. If a tool cannot tell you clearly what it does with your data, that lack of clarity is itself an answer. Evaluating vendors this way is part of a broader capacity to assess AI tools critically, the kind of judgment we discuss in the nonprofit leader's guide to AI.
Vendor Vetting Checklist
Confirm each item in writing for the specific plan tier you use
- The vendor does not use your content to train AI models, or you can disable it
- Data ownership terms confirm transcripts and recordings belong to your organization
- A business associate agreement is available if you handle protected health information
- Retention settings and deletion controls are available to administrators
- Independent security certifications and a published subprocessor list exist
- Terms and privacy practices are reviewed for the exact plan tier you use, not the marketing page
Board Meetings and Executive Sessions: A Special Case
Board and executive-session meetings deserve their own rules, and for most organizations the safest rule is simple: do not run AI notetakers in them. Several respected law firms advising corporate and nonprofit boards have reached the same conclusion, recommending that boards and executive sessions avoid AI notetakers entirely. The reasons are specific and serious.
The first concern is attorney-client privilege. When a nonprofit's counsel joins a board meeting to discuss legal matters, those communications are typically privileged. But an AI notetaker processes audio through a third-party vendor, and an opposing party in future litigation could argue that involving that third party waived the privilege by disclosing the conversation outside the protected circle. Legal advice that should have stayed confidential could become an open book.
The second concern is discovery. A verbatim AI transcript expands the universe of discoverable material far beyond traditional minutes. Formal board minutes are a curated record of decisions. An AI transcript captures every tangent, every hesitation, every remark someone made and immediately retracted. In litigation or an investigation, that raw record can be subpoenaed and read back in the least charitable light. Directors who would speak candidly in a private deliberation may censor themselves if they know a permanent transcript exists, undermining the frank discussion good governance depends on.
The third concern is the sensitivity of what boards discuss: executive compensation, personnel disputes, litigation strategy, financial distress, and mergers. These are exactly the topics where a leaked or discoverable transcript causes the most harm. The prudent approach is to keep the official record as human-prepared minutes reviewed and approved through your normal process, and to treat AI transcription of governance meetings as prohibited unless the board specifically and knowingly authorizes it for a particular, lower-sensitivity purpose. If you are looking to improve board communication with AI, focus it on preparation and follow-up rather than live capture, an approach consistent with using AI to strengthen board communications.
Why Governance Meetings Warrant a Higher Bar
- Third-party processing may risk waiving attorney-client privilege
- Verbatim transcripts create discoverable records beyond curated minutes
- Permanent records chill the candid deliberation good governance requires
- Executive sessions concentrate the most sensitive organizational topics
A Policy Template You Can Adapt
The most useful thing your organization can do with everything above is turn it into a short, clear policy that staff can actually follow. Below is an adaptable template. It is written as prose so you can lift the language directly into an internal document, adjust the specifics to your context, and adopt it through your normal governance process. Nothing here is legal advice, and you should have counsel review the final version, especially the consent language, if your work involves regulated or highly sensitive information.
The template is organized around six decisions every policy needs to make: when notetakers are allowed, what consent looks like, which meetings are off-limits, how long transcripts are kept, who can access them, and what your vendors must provide. Adapt the bracketed items to your organization.
1. When AI Notetakers Are Allowed
AI notetakers may be used for routine internal meetings that do not involve confidential client, donor, personnel, or legal information, such as team check-ins, project coordination, and general planning sessions. Before enabling a notetaker in any meeting with external participants or sensitive content, the meeting owner is responsible for confirming that use is appropriate under this policy and that consent has been obtained. When in doubt, default to human notes.
2. Consent Script and Practice
Whenever an AI notetaker is active, the meeting owner will announce it at the start using language such as: "I want to let everyone know that we are using an AI notetaker to capture a transcript and summary of this meeting. The notes will be stored in [system] and shared with [who]. If anyone is not comfortable being recorded, please say so now and we will turn it off and take notes by hand instead." The organization treats the stricter all-party consent standard as its default. If any participant declines, the notetaker will be disabled for that meeting.
3. Prohibited Meetings
AI notetakers are not permitted in board meetings, executive sessions, meetings with legal counsel, personnel and disciplinary discussions, or any meeting where confidential client or beneficiary information will be discussed in identifiable form, unless [designated authority, such as the Executive Director or Board Chair] specifically authorizes an exception in advance. For these meetings, the official record is human-prepared notes or minutes.
4. Retention Period
Transcripts and recordings generated by AI notetakers will be retained for no longer than [for example, 30 to 90 days] unless there is a specific, documented reason to keep a summary longer, in which case only the finalized human-reviewed notes are retained and the raw transcript is deleted. Staff are responsible for deleting transcripts of sensitive meetings promptly once notes have been finalized.
5. Access Controls
Transcripts will be stored in [approved system] with access limited to individuals who have a legitimate need. Notetaker accounts will be configured so that transcripts are not automatically shared organization-wide, and sensitive summaries will be restricted to the relevant team. Personal or free notetaker accounts may not be used for organizational meetings; only [approved, administered tools] are permitted.
6. Vendor Requirements
Only AI notetaker tools that have been reviewed and approved by [designated role] may be used. Approved tools must confirm that organizational content is not used to train their AI models (or that training can be disabled), that the organization retains ownership of its data, that administrator-controlled retention and deletion are available, and that appropriate security certifications and, where relevant, a business associate agreement are in place.
Policy Adoption Checklist
Steps to move from draft to an operational policy your team follows
- Adapt the bracketed items to your systems, roles, and retention preferences
- Have counsel review the consent and prohibited-meetings language
- Approve the policy through your normal governance process
- Train staff on the consent script and how to decline gracefully
- Configure notetaker accounts to match your access and retention rules
- Review the policy annually as tools and laws change
Making the Policy Stick Without Killing the Benefits
A policy that no one follows is worse than no policy, because it creates a false sense of protection. The way to make an AI notetaker policy stick is to keep it simple, explain the reasoning, and make the compliant path the easy path. Staff who understand why they are announcing a notetaker and offering people a chance to decline are far more likely to do it consistently than staff handed a rule with no context. Frame the policy as a way to protect the people you serve and the trust your organization depends on, not as a bureaucratic hurdle.
Expect some resistance, both from enthusiasts who love the tools and from skeptics who distrust them. That is normal, and it mirrors the dynamics of introducing any new practice. The techniques that work for other AI adoption efforts, involving people early, addressing concerns honestly, and demonstrating value, apply here too, and are worth reviewing in the context of overcoming staff resistance to AI. When people see that the policy lets them keep the productivity gains while protecting confidential information, buy-in follows.
Finally, treat this as a living document. The vendor landscape shifts quickly, litigation is reshaping expectations around consent, and your own tools will change. Review the policy at least once a year, update your approved-tool list, and revisit the retention and access settings as your organization grows. The specific tools mentioned in this article may look different a year from now, but the underlying principles, informed consent, protecting confidential information, controlling retention and access, and vetting vendors, will remain the foundation of responsible use.
Conclusion: Convenience Worth Governing
AI notetakers are genuinely useful, and they are already in your meetings whether or not you have a policy. The question is not whether your organization will use them, but whether it will use them thoughtfully. Left unmanaged, they create consent exposure, confidentiality breaches, indefinite records of sensitive conversations, and governance risks that can surface at the worst possible moment. Managed well, they free your team to be present in conversations while capturing what matters, without compromising the trust your mission depends on.
The path forward is straightforward. Understand the consent rules and default to the stricter standard. Recognize the confidential information your meetings touch and protect it. Know where transcripts live, how long they last, and who can reach them. Vet your vendors on training, ownership, and security. Keep AI notetakers out of the boardroom and executive sessions unless your board knowingly decides otherwise. Then capture all of that in a short, clear policy your team can actually follow.
A well-crafted notetaker policy is not a standalone document. It fits within a broader approach to using AI responsibly across your organization, from how you evaluate tools to how you plan for the future. For teams thinking about where meeting technology fits into their overall direction, it connects naturally to your strategic planning for AI. Handled with the same care you bring to every other trust-sensitive part of your work, AI notetakers become an asset rather than a liability.
Need Help Building Responsible AI Policies?
We help nonprofits adopt AI tools with the guardrails that protect their people, their donors, and their mission. From consent practices to vendor vetting to full policy development, we can help you get it right.
