Is Granola Actually Private? What 'Private by Default' Really Means for Your Meeting Notes

The 'private by default' claim that wasn't

Granola has spent two years convincing professionals that bot-free capture equals privacy. Its security page says notes are 'private by default.' Then on April 2, 2026, The Verge's Emma Roth published a PSA that landed differently: Granola notes are viewable by anyone with a link, and the company also feeds them into internal AI training unless you opt out.

Roth tested it herself. She opened her own Granola note from a private browser window with no login. The page even showed the note's owner and creation date. Clicking any bullet revealed the underlying transcript quote and AI summary. The setting that controls this — 'Default link sharing: Anyone with the link' — sits buried under the profile menu.

The story matters because Granola is not a fringe tool. Krisp's 2026 review notes Granola raised $20 million in late 2024 and another $43 million in May 2025 specifically on its bot-free vision. Time magazine named it one of the best AI note-taking tools. It's installed across startups, VC firms, customer-research teams, and boardrooms. And every note created on a non-Enterprise plan was, until users found the toggle, a forwarded email away from leaking.

What The Verge actually found

Three distinct issues, all on by default:

• Link-accessible notes. The default share scope is 'Anyone with the link', not 'Only my company' or 'Private.' Granola characterizes this as similar to unlisted Dropbox links. A LinkedIn user, Nik Gupta, had flagged the behavior in 2025: links aren't indexed by Google, but if they're shared or leaked accidentally, anyone who finds them can read the note.
• AI training opt-in by default. Granola's own model-training documentation states: 'By default, we may use anonymized data to improve our services… You can opt out of model training in Settings. For Enterprise customers, admins can enforce the model training setting across the entire organization, and by default are opted out.' So the protection that compliance officers care about is gated behind the Enterprise SKU.
• Real enterprise consequences. According to The Verge's reporting, at least one major company has already barred a senior executive from using Granola due to security concerns.

The settings can be changed. But as TechBuzz framed it, defaults that favor data collection while privacy protections require active opt-out 'sets up a false sense of security that's particularly problematic.'

Why 'bot-free' got conflated with 'private'

Bot-free capture solved a real problem. When Otter or Fireflies joins a Zoom call as a visible participant, candor evaporates — clients soften pushback, executives swap to side channels, and qualitative research breaks down. Granola's pitch was that capturing system audio from your own device removes that friction.

That part is true. But participant invisibility and data privacy are different problems. The transcript still has to go somewhere. Granola's security page is explicit: 'Granola uses best-in-class transcription providers (like Deepgram and Assembly) and AI providers (like OpenAI and Anthropic) to summarize your meeting.' Audio leaves your device, hits Deepgram or AssemblyAI for transcription, then OpenAI or Anthropic for summarization, then lands in Granola's cloud database — where it gets a publicly addressable URL.

Granola contractually blocks its sub-processors from training their own models on your data. That's a meaningful protection. But it doesn't change the fundamental architecture: your meeting content is now sitting in four different vendors' infrastructure, and the artifact your team interacts with is a shareable web link.

Cloud bot-free vs. cloud-with-bot vs. fully on-device

The discourse has flattened a three-way distinction into a two-way one. Here's the reality:

The point isn't that Granola is uniquely bad. It's that the bot-free category is structurally cloud, and 'cloud' always reintroduces the same three problems: a stored artifact, a sharing model, and a training pipeline. The only architecture that escapes all three is one where the audio never leaves the device.

What 'private by default' should actually mean

The Meridiem's enterprise tech analysis put it well: 'private by default' has become marketing language whose technical meaning varies wildly between vendors. Some interpret it as encryption at rest. Some as 'links exist but aren't indexed.' Some as opt-out training.

For an IT security team or a compliance officer, a useful definition is stricter. 'Private by default' should mean:

• The artifact has no addressable URL outside of explicit, authenticated access.
• No vendor or sub-processor can use the content to train any model, full stop, on any plan.
• No audio is retained anywhere.
• Audit logs exist for every read.

By that bar, Granola's non-Enterprise plans fail on points one and two. The Enterprise plan fixes point two and gives admins control over point one, but you have to pay for it and configure it. The Verge's investigation forced this distinction into the open.

The regulatory backdrop nobody is talking about

Defaults matter legally, not just ethically. Article 25 of the GDPR ('Data protection by design and by default') requires controllers to implement measures ensuring that, by default, only personal data necessary for a specific purpose is processed — and that personal data is not made accessible 'to an indefinite number of natural persons' without the individual's intervention. A default share scope of 'anyone with the link' for notes that may contain interview subjects' names, candidate evaluations, or patient discussions is hard to reconcile with that text.

Article 5 adds purpose limitation and data minimization — using meeting content to train an AI model is a different purpose than 'help me remember what was said,' which is the purpose the user signed up for. Under California's CCPA/CPRA, that secondary use likely requires affirmative notice and a clear right to opt out.

For healthcare, the calculus is starker. HIPAA's Privacy Rule requires a Business Associate Agreement with any vendor handling protected health information. Granola does not advertise a HIPAA BAA. Twofold's 2026 clinician review frames this clearly: 'ambient AI continuously captures audio, transmits it to cloud servers for processing, and may use the data to train its underlying models — creating PHI vulnerabilities that static data entry never had.' Therapists and clinicians evaluating bot-free desktop tools should treat 'bot-free' as orthogonal to HIPAA.

How Basil AI solves this

Basil AI takes the architecture in the opposite direction: instead of replacing the bot with a cloud pipeline, it eliminates the cloud entirely. Audio is captured by the device microphone, transcribed in real time by Apple's on-device Speech framework running on the Apple Neural Engine, and stored locally. Summaries and action items are generated on-device using Apple's Foundation Models on supported hardware.

What this means concretely for the issues The Verge surfaced:

• No shareable link can exist by default — or by any setting. There's no Basil cloud database housing your notes. Export to Apple Notes via iCloud if you want syncing; otherwise the note lives in your device and your iCloud account.
• No training pipeline exists. Basil cannot use your transcripts to train a model because Basil never receives them. There's no opt-out toggle because there's nothing to opt out of.
• No sub-processors. Granola routes audio through Deepgram, AssemblyAI, OpenAI, and Anthropic. Basil routes audio through Apple's on-device APIs, full stop. Your vendor list is one company.
• Works in airplane mode. Because there's no cloud round-trip, Basil records and transcribes with the network off. Useful for sensitive in-person meetings, depositions, or anywhere a clean radio environment matters.
• 8-hour continuous capture. For full-day workshops, depositions, or off-sites — the kind of session where 'just trust the cloud' becomes an unacceptable answer.

This isn't a knock on Granola's engineering; it's a knock on the cloud-shaped hole at the center of every cloud product. If you want a deeper technical comparison, see our AI meeting notetaker comparison guide and our breakdown of how leaked meeting audio becomes training data.

What if you still want to use Granola?

Reasonable. The product is well-designed and the team has been responsive on privacy questions. If you're going to use it for non-sensitive meetings, do at minimum what every analysis after the Verge story recommended:

1. Open Settings → Default link sharing and change 'Anyone with the link' to 'Only my company' or 'Private.' This was the specific remediation step documented by The Verge.
2. Toggle off model training in Settings. Granola's model-training help page confirms all users on any plan can opt out.
3. Don't use it for HR, legal, M&A, or clinical conversations. The blast radius of a forwarded link in those contexts is catastrophic. As The Meridiem noted, link accessibility means notes can leak through forwarded emails, Slack messages, or compromised devices without triggering any access controls or audit logs.
4. Push for Enterprise. If your team is using Granola at scale, Granola's Enterprise plan includes org-wide training opt-out, SSO, admin controls for sharing, and org-wide auto-deletion periods. The defaults you want are paywalled, but they exist.

For everything else — anything where the words 'attorney-client,' 'PHI,' 'pre-IPO,' 'severance,' or 'M&A' might come up — choose an architecture where the cloud isn't an option.

The category inflection point

The Meridiem's analysis compared the moment to the 2012 Dropbox proliferation that forced IT departments to either ban file sharing or build governance frameworks around it — except compressed from five years into eighteen months because the regulatory scrutiny is immediate. Every AI notetaker — Otter, Fireflies, Fathom, Granola, Jamie — now has to answer the same question: what is your real default, and what does an opt-out actually do?

The vendors that survive the next year will be the ones whose defaults match their marketing. The cleanest way to make the marketing match the defaults is to have no cloud at all. That's the architectural bet behind Basil AI, and it's why the 'private by default' debate doesn't apply to us: there's nothing to default from.

The bottom line

Granola is a thoughtfully designed product whose bot-free pitch solved a real workflow problem. But The Verge's April 2026 reporting made clear that 'bot-free' and 'private' are not synonyms, and that defaults optimized for sharing and training quietly accumulate enterprise risk. If you're choosing tools for your team — or your therapy practice, or your law firm — read the defaults, not the landing page. And if the defaults don't match what 'private' means to you, the only architecture that closes the gap is one where the audio never leaves your device.

Try truly private meeting notes

Basil AI runs entirely on your iPhone or Mac. No cloud upload. No shareable links. No training pipeline. Just Apple's Neural Engine doing the work locally — the way 'private by default' should actually work.