Privacy Policy
Last updated · July 2, 2026
The short version:
- We collect what we need to run the service — nothing for advertising.
- No tracking or analytics cookies; only strictly necessary ones. No cookie banner needed.
- Your research content belongs to your organization. For that data we act as a processor — see our GDPR & DPA page.
- AI features only process your content when you invoke them, via the subprocessors listed below.
- We never sell personal data.
1. Who we are
Intexo is operated by [Company legal name], [registered address] (“Intexo”, “we”). For account, billing, and usage data described in this policy we are the data controller. You can reach us at [privacy@intexo.com].
For research content your organization uploads (recordings, transcripts, notes), your organization is the controller and we process it on their instructions — that relationship is described on the GDPR & DPA page.
2. Data we process
Account data
Name, email address, hashed password, and preferences (such as interface language). Authentication is handled by Supabase Auth; we never store plaintext passwords.
Organization data
Organization name, memberships and roles, teams, and invitations (the email address an invite was sent to).
Customer content
Everything your organization creates in the product: projects, uploaded recordings and media, transcripts, highlights and tags, opportunity trees, whiteboards, insight reports, readout comments and reactions. Recordings and transcripts may contain personal data of the people your team interviews — your organization is responsible for having a lawful basis to record and upload them (see the Terms of Service).
Billing data
Your plan, credit balance, and purchase history. Payments are processed by Lemon Squeezy as merchant of record — card details go directly to them and never touch our servers.
Usage and logs
AI credit consumption, security-relevant events, and standard server logs (including IP addresses) kept for security and troubleshooting.
3. Why we process it (legal bases)
| Purpose | Legal basis (GDPR art. 6) |
|---|---|
| Providing the service: accounts, projects, transcription, AI features | Performance of a contract |
| Transactional email: confirmation codes, password resets, invitations | Performance of a contract |
| Billing, invoicing, and tax | Contract & legal obligation |
| Security, abuse prevention, and troubleshooting | Legitimate interests |
| Improving the product using aggregated, de-identified usage data | Legitimate interests |
We do not send marketing email without your consent, and we do not profile you.
4. AI features
When you use an AI feature, the relevant content is sent to the provider that powers it: recordings are transcribed by Deepgram, summaries and report drafts are generated by Anthropic, and semantic search uses OpenAI embeddings. This happens only when you invoke the feature. These providers are bound by data processing agreements and do not use your content to train their models [confirm current provider terms].
5. Subprocessors
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication, and file storage | [EU region — confirm] |
| Deepgram | Speech-to-text transcription | [US — confirm] |
| Anthropic | AI summaries, themes, and report drafting | [US — confirm] |
| OpenAI | Embeddings for semantic search | [US — confirm] |
| Lemon Squeezy | Payments, invoicing, and tax (merchant of record) | [US — confirm] |
6. International transfers
Where a subprocessor processes personal data outside the EEA, transfers rely on the EU Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.
7. Retention
- Account data: for as long as your account exists, then deleted within [30] days.
- Customer content: until your organization deletes it or the organization is closed, then deleted within [30] days.
- Backups: rolled off within [30] days of deletion.
- Billing records: kept as long as bookkeeping law requires.
8. Cookies
We use only strictly necessary cookies: your Supabase authentication session and a few interface preferences (such as sidebar state and active project). There are no analytics, advertising, or third-party tracking cookies — which is why you don't see a cookie banner.
9. Your rights
Under the GDPR you can request access to, rectification of, or erasure of your personal data, restriction of or objection to processing, and a portable copy of data you provided. Write to [privacy@intexo.com] and we will respond within one month. You can also lodge a complaint with your supervisory authority — in Sweden, the Swedish Authority for Privacy Protection (IMY).
If your personal data appears in another organization's research content (for example, you were interviewed), that organization is the controller — we will forward your request to them.
10. Security
Data is encrypted in transit and at rest. Tenant data is isolated with Postgres row-level security, media files are private and served only through short-lived signed URLs, and internal access follows least-privilege principles. See the GDPR & DPA page for more detail.
11. Children
Intexo is a workplace tool and is not directed at children under 16.
12. Changes
We will update this policy as the service evolves and note the date at the top. For material changes we will notify organization owners by email.
13. Contact
[Company legal name] · [registered address] · [privacy@intexo.com]