Privacy Policy

Effective: March 1, 2025

This Privacy Policy explains how IntraQ, Inc. ("we," "us," "our") collects, uses, and protects information when you use IntraQAI (the "Service"), our AI-powered HR command center. By using the Service, you agree to this Policy and our Terms & Conditions.

1. Information We Collect

  • Account & Registration Data: name, email address, company name, job title, password (hashed and encrypted).
  • Tenant & Configuration Data: organizational structure, user roles and permissions, integration settings (Google Drive, SharePoint, OneDrive connections), workflow configurations, approval processes, and expert designations within your organization.
  • HR Content & Documents: employee handbooks, HR policies, compliance documents, job descriptions, offer letters, investigation reports, audit logs, performance documentation, and any other HR-related content you create, upload, or generate through the Service.
  • Query & Interaction Data: search queries, prompts submitted to AI models, questions asked, policy generation requests, compliance checks, and AI-generated responses and recommendations.
  • Usage & Analytics Data: feature usage patterns, search frequency, model routing decisions, response quality feedback, login activity, session duration, device information, browser type, IP address, and diagnostic logs.
  • Payment & Billing Information: processed securely by third-party payment providers (e.g., Stripe). We receive limited billing metadata such as subscription tier (Founders, Growth, Team, Scale, Enterprise), billing cycle, payment status, and invoice history. We do not store full credit card numbers.
  • Support & Communication Data: messages, attachments, and contact details you provide through support channels, including emails, in-app chat, and feedback submissions.

2. How We Use Information

We use the information we collect to provide, operate, secure, and improve the Service. Specific uses include:

  • Provide Core Functionality: Authenticate users, manage tenant accounts, process HR policy generation requests, answer compliance questions, create workflows, and deliver AI-powered recommendations.
  • AI Model Orchestration: Route queries to appropriate AI providers (OpenAI, Anthropic, Google) to generate policies, answer questions, and provide HR guidance. We contractually require these providers not to use your data for model training where such controls are available.
  • Knowledge Management: Index and search your HR documents, detect knowledge gaps, suggest missing policies, and maintain version history of your HR content.
  • Compliance & State Coverage: Provide state-specific policy guidance, flag multi-state compliance requirements, and generate legally compliant HR documents based on your jurisdiction.
  • Security & Access Control: Manage role-based permissions, maintain audit logs, detect suspicious activity, and protect against unauthorized access.
  • Product Improvement: Analyze aggregated usage patterns, identify feature gaps, optimize AI model performance, and enhance user experience. We do not use individual Customer Content for model training.
  • Communication: Send service notifications, product updates, security alerts, billing reminders, and respond to support requests.
  • Legal Compliance: Meet legal obligations, enforce our Terms, respond to lawful requests, and protect our rights and those of our users.

3. Sharing & Disclosure

We share information only as necessary to provide the Service and as described below. We do not sell your personal information or Customer Content.

  • Service Providers & Processors: Cloud hosting (e.g., AWS, Vercel), database services (e.g., MongoDB), authentication services, email delivery, analytics platforms, logging and monitoring tools, and customer support platforms. These providers are contractually bound to protect your data.
  • AI Model Providers: We route queries to third-party AI providers (e.g., OpenAI, Anthropic, Google) to generate policies and provide recommendations. We select appropriate models automatically; you do not choose specific providers. We configure these services to prevent training on your data where such controls are offered, and we maintain data processing agreements with major AI providers.
  • Integration Partners: Document storage and retrieval services (Google Drive, Microsoft SharePoint, OneDrive) via integration platforms like Apideck. We access only the content you explicitly authorize and configure.
  • Payment Processors: Stripe or similar payment services to process subscriptions, handle billing, and manage invoices. Payment processors have their own privacy policies.
  • Legal & Regulatory Requirements: We may disclose information if required by law, court order, subpoena, or government request, or to protect rights, property, or safety, or to prevent fraud or abuse.
  • Business Transfers: If we are involved in a merger, acquisition, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.

We do not: sell or rent personal information; share Customer Content with advertisers; use your HR policies or documents for marketing; or train our own AI models on your proprietary content.

4. Data Storage & International Transfers

Your data is primarily stored in secure data centers located in the United States. We may transfer and process data in other countries where we and our service providers operate. When we transfer personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries without adequate data protection laws, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission.

For enterprise customers with specific data residency requirements, we may offer regional hosting or on-premises deployment options. Contact us to discuss custom arrangements.

5. Security Measures

We implement comprehensive security controls to protect your information:

  • Encryption: Data in transit is encrypted using TLS 1.2+. Data at rest is encrypted using AES-256 or equivalent standards.
  • Access Controls: Role-based permissions, multi-factor authentication support, SSO/SAML integration, and least-privilege access principles.
  • Tenant Isolation: Logical data segregation ensures your organization's data is isolated from other tenants.
  • Audit Logging: Comprehensive activity logs for compliance, security monitoring, and incident response.
  • Infrastructure Security: Regular security assessments, vulnerability scanning, penetration testing, and compliance with industry standards (SOC 2, GDPR, HIPAA where applicable).
  • Incident Response: Documented procedures for detecting, responding to, and notifying affected parties of security incidents.

Despite our safeguards, no system is 100% secure. You are responsible for maintaining the confidentiality of your credentials, managing user access within your tenant, and promptly reporting suspected security incidents.

6. Data Retention

We retain personal data and Customer Content for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Retention periods vary based on data type and legal requirements:

  • Active Accounts: Data is retained while your subscription is active and for a reasonable period afterward to facilitate reactivation.
  • Deleted Accounts: Upon account deletion, we delete or anonymize personal data within 90 days, subject to legal retention requirements and backup retention cycles (typically 30 days).
  • Audit Logs: Retained for compliance purposes, typically 1-7 years depending on applicable regulations.
  • Billing Records: Retained for tax and accounting purposes as required by law (typically 7 years).
  • De-identified Data: We may retain aggregated, anonymized data indefinitely for analytics and product improvement.

Tenant administrators can request data deletion at any time. We recommend exporting critical content before terminating your subscription.

7. Your Rights & Choices

Depending on your location, you may have certain rights regarding your personal information. These rights may include:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Update or correct inaccurate or incomplete personal information.
  • Deletion: Request deletion of your personal information, subject to legal retention requirements.
  • Export: Receive your data in a structured, machine-readable format (data portability).
  • Restriction: Request that we limit how we process your personal information.
  • Objection: Object to certain types of processing, such as direct marketing.
  • Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.

To exercise these rights, contact your tenant administrator (who manages access within your organization) or email us at privacy@intraqai.com. We will verify your identity and respond within the timeframe required by applicable law (typically 30 days).

EEA/UK/Swiss Residents: You have the right to lodge a complaint with your local data protection authority if you believe we have not adequately addressed your concerns.

8. Cookies & Tracking Technologies

We use cookies and similar technologies (web beacons, local storage) to provide and improve the Service:

  • Essential Cookies: Required for authentication, security, and core functionality. These cannot be disabled without affecting Service operation.
  • Functional Cookies: Remember your preferences, settings, and customization choices.
  • Analytics Cookies: Help us understand how users interact with the Service to improve performance and user experience.

You can control cookies through your browser settings. Note that disabling certain cookies may limit Service functionality. We do not use third-party advertising cookies.

9. Third-Party Links & Integrations

The Service may contain links to third-party websites or integrate with external services (e.g., Google Drive, Microsoft 365). These third parties have their own privacy policies, and we are not responsible for their practices. We encourage you to review their policies before providing them with information.

10. Children's Privacy

The Service is designed for business use and is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected information from a child under 18, we will take steps to delete it promptly.

11. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information we collect, use, and disclose
  • Right to request deletion of personal information
  • Right to opt out of the sale of personal information (note: we do not sell personal information)
  • Right to non-discrimination for exercising your rights

To exercise these rights, contact us at privacy@intraqai.com.

12. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) and equivalent laws. We process personal data based on the following legal bases:

  • Contract Performance: Processing necessary to provide the Service under our Terms & Conditions
  • Legitimate Interests: Service improvement, security, fraud prevention
  • Legal Obligation: Compliance with applicable laws
  • Consent: Where specifically requested (e.g., marketing communications)

For enterprise customers, we can provide a Data Processing Addendum (DPA) that includes Standard Contractual Clauses. Contact legal@intraqai.com to request a DPA.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the revised version with an updated "Effective" date at the top of this page.

Material changes will be communicated via email or through a prominent notice in the Service at least 30 days before taking effect. Your continued use of the Service after changes become effective constitutes acceptance of the revised Policy.

If you do not agree to the revised Policy, you must discontinue use of the Service and may terminate your subscription.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

IntraQ, Inc.

Privacy Inquiries: privacy@intraqai.com

Data Protection Officer: dpo@intraqai.com

General Support: support@intraqai.com