GDPR & Data Processing
Last updated · July 2, 2026
For your DPO or legal team: your organization is the controller of the research data it uploads; Intexo processes it on your instructions under a Data Processing Agreement. This page summarizes the arrangement — request a countersigned DPA at [dpa@intexo.com].
1. Roles
| Data | Your organization | Intexo |
|---|---|---|
| Research content: recordings, transcripts, highlights, reports | Controller | Processor |
| Account, billing, and usage data of your team members | — | Controller (see Privacy Policy) |
Practically: the people your team interviews are your data subjects. You decide what to record and upload and must have a lawful basis for it; we process that material only to provide the features you use.
2. Data Processing Agreement
Our DPA incorporates the requirements of GDPR Article 28: processing only on documented instructions, confidentiality, security measures, subprocessor flow-down, assistance with data subject requests and breach notification, and deletion or return of data at the end of the engagement. Request a copy for countersignature at [dpa@intexo.com].
3. Subprocessors
We use the following subprocessors to provide the service. We will notify organization owners at least [30] days before adding or replacing one, so you can object.
| Provider | Purpose | Personal data touched | Region |
|---|---|---|---|
| Supabase | Database, authentication, file storage | All service data | [EU region — confirm] |
| Deepgram | Speech-to-text transcription | Uploaded recordings | [US — confirm] |
| Anthropic | AI summaries, themes, report drafting | Transcripts and highlights you run AI on | [US — confirm] |
| OpenAI | Embeddings for semantic search | Transcript text | [US — confirm] |
| Lemon Squeezy | Payments and tax (merchant of record) | Billing contact and payment data | [US — confirm] |
4. International transfers
Where processing happens outside the EEA, it is covered by the EU Standard Contractual Clauses and, for US providers certified under the EU–US Data Privacy Framework, by that framework. Transfer details are listed per provider in the DPA.
5. Security measures
- Encryption in transit (TLS) and at rest.
- Tenant isolation enforced in the database with Postgres row-level security.
- Media files are private by default and served only through short-lived signed URLs.
- Role-based access control inside organizations (owner, admin, member) and per-project sharing.
- Least-privilege internal access, with production access limited and logged.
- Continuous backups with a bounded retention window.
6. Data subject requests
If someone whose data appears in your research contacts us directly, we will refer the request to you as controller and assist you in fulfilling it — locating, exporting, correcting, or deleting the relevant content.
7. Export and deletion
Organization admins can delete research entries, projects, or the whole organization from within the product at any time. Deleted data is removed from production immediately and ages out of backups within [30] days. Content export for offboarding is available [on request — confirm tooling].
8. Breach notification
If we become aware of a personal data breach affecting your data, we will notify the affected organization owners without undue delay and share what we know: scope, likely consequences, and the measures taken.
9. Contact
Privacy questions: [privacy@intexo.com] · DPA requests: [dpa@intexo.com]