InTensionAi Privacy Policy

Last Updated: September 2025

InTensionAi was purpose-built, even at the MVP stage, with enterprise-grade security and privacy foundations. Our orchestration platform is designed to respect organizational and individual privacy, applying controls such as encryption, data minimization, differential privacy, and vendor retention management. This Policy explains how we collect, use, and protect information in line with our commitment to privacy-first, enterprise-ready infrastructure.

This Privacy Policy ("Policy") explains how InTensionAi ("InTensionAi," "we," "our," or "us") collects, uses, and protects information when you use our website, platform, and related services (the "Services"). The Policy is incorporated into and forms part of our Terms of Service. By using the Services, you agree to the practices described below.

1. Information We Collect

Information You Provide

We collect information you provide directly, such as:

  • Account registration details (e.g., name, email).
  • Workspace or organization details if you sign up on behalf of a team.
  • Communications you send us (support requests, inquiries, or feedback).

Automatically Collected Information

When you use the Services, we collect limited technical information automatically, such as:

  • Device and browser type.
  • IP address and approximate location.
  • Usage data (e.g., pages visited, features used, session time).
  • Cookies and similar technologies (see Section 6 below).

We do not knowingly collect sensitive categories of data (such as health or financial data) unless you or your organization intentionally choose to process such data through the Services.

We collect only the personal information reasonably necessary to provide the Services, and do not use it for purposes incompatible with this Policy.

2. How We Use Information

We use information to:

  • Provide and improve the Services.
  • Secure accounts and authenticate users.
  • Monitor platform performance and prevent misuse.
  • Respond to inquiries and provide customer support.
  • Comply with legal or regulatory obligations.
  • Conduct internal research to improve reliability, explainability, and responsible use of AI systems.

We may use privacy-focused analytics tools (such as GA4, Plausible, or Mixpanel) to understand how the Services are used, improve reliability, and enhance user experience. Analytics data is collected in an aggregated or anonymized form and is not shared with advertisers.

InTensionAi does not use personal data to make automated decisions that have legal or similarly significant effects on individuals. AI-generated outputs are designed to support user queries and always require human review before being relied on for consequential decisions.

Where feasible, we apply privacy-enhancing techniques such as pseudonymization, hashing, and differential privacy when analyzing usage data or conducting internal research. These measures reduce the risk of re-identification and help ensure insights are generated in a privacy-preserving manner.

Individuals may have rights under applicable privacy laws including GDPR, UK GDPR, CCPA/CPRA, and similar frameworks to access, correct, delete, restrict, or export their personal information. We verify the identity of requestors before fulfilling such requests and respond within the timeframes required by law (typically 30 days). Where technically feasible, we also honor browser-based opt-out signals, such as Global Privacy Control (GPC), consistent with applicable regulations.

We do not sell personal information.

3. How We Share Information

We may share information only with:

  • Service providers who support the Services (e.g., cloud hosting, authentication, analytics). These providers are bound by confidentiality and data protection commitments.
  • Affiliates or successors in connection with a merger, acquisition, or similar corporate transaction.
  • Legal and compliance authorities if required to comply with applicable law, enforce agreements, or protect rights and safety.

We do not share personal information with advertisers or unrelated third parties.

4. Subprocessors & Third-Party Services

To provide the Services, we rely on carefully selected third-party providers ("subprocessors"), such as hosting, authentication, analytics, payment, and AI model providers. These subprocessors are contractually bound to confidentiality and security obligations.

We maintain a current list of subprocessors and will notify Customers in advance of any material changes.

5. Security

We apply industry-standard security measures to protect personal information, including:

  • Encryption in transit and at rest.
  • Access logging and monitoring.
  • Role-based access controls.
  • Regular reviews of our security practices and service providers.

We configure third-party infrastructure and vendor systems to minimize default data retention wherever feasible, ensuring that only the minimum information necessary for security, support, or billing is stored. While no system can be guaranteed 100% secure, we work to continuously improve safeguards aligned with SOC 2 and ISO 27001 standards.

In the event of a data breach affecting personal data, we will notify affected Customers without undue delay and, where legally required, within 72 hours of becoming aware of the incident. Notifications will describe the nature of the breach, its potential impact, and steps taken to mitigate risks.

6. Cookies and Tracking

We use cookies and similar technologies for the following limited purposes:

  • Essential cookies – to provide secure login, authentication, and session continuity.
  • Functional cookies – to remember user preferences (e.g., language, UI settings).
  • Analytics cookies – to measure usage trends and improve Service reliability. Analytics are aggregated or anonymized.

We do not use cookies or similar technologies for behavioral advertising, cross-site tracking, or sharing data with advertisers. You can manage or disable cookies in your browser settings. Where required by law, we provide a cookie preference manager to configure non-essential cookies before they are placed.

7. Your Rights & Choices

Depending on your location, you may have rights under applicable law to access, correct, delete, restrict, or export your personal information. These rights are provided as required under applicable laws, including GDPR, UK GDPR, CCPA/CPRA, and similar frameworks. We verify the identity of requestors before fulfilling rights requests and will respond within 30 days (or the timeframe required by applicable law). Further, where technically feasible, we honor browser-based opt-out signals such as Global Privacy Control (GPC), consistent with applicable law.

To exercise your rights, please contact us at hello@intensionai.com.

8. Data Residency, Transfers & Retention

We retain personal information only as long as needed for the purposes described above, to comply with legal obligations, or to resolve disputes. When data is no longer required, it is securely deleted or anonymized. Customer Data is primarily processed and stored in the United States. Where transfers of personal data occur across jurisdictions (including from the EU, UK, or Canada), InTensionAi relies on recognized transfer mechanisms such as Standard Contractual Clauses or other lawful bases to ensure adequate protection in compliance with applicable data protection laws.

Default retention periods include:

  • Authentication/session metadata: up to 30 days
  • Support requests and communications: up to 24 months
  • Billing and account records: up to 7 years
  • AI interaction content: not persisted by default; where enabled by Customer, retained per Customer's configuration.

Enterprise Customers remain controllers of their organizational data. End-users of those organizations may exercise their individual rights (e.g., access, correction, deletion) either directly through their organization or by contacting InTensionAi, in which case we will coordinate with the relevant Customer to fulfill the request.

Data that is no longer required is securely deleted or anonymized.

9. Children's Privacy

The Services are not directed to individuals under the age of 18, and we do not knowingly collect personal information from minors. In the United States, Canada, and Australia, privacy laws (such as COPPA in the U.S.) set 13 as the minimum age for online data collection without parental consent. Below that age, parental consent is required. In other jurisdictions, the threshold may be higher (e.g., up to 16 under the EU GDPR). If we discover that we have collected personal data from a child below the legally applicable age threshold in their jurisdiction, we will promptly delete the data and, where feasible, notify the parent or guardian.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. Continued use of the Services after changes constitutes acceptance.

11. Contact Us

If you have questions or concerns about this Privacy Policy, please contact us at hello@intensionai.com.