Privacy Policy

Last updated: 2026-05-20

1. Who we are

Intaklo ("Intaklo", "we", "us") operates the software-as-a-service platform at intaklo.com. This Privacy Policy explains how we collect, use, and share personal information when you use the Service or our marketing website.

For customers in Canada, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws. For customers and data subjects in the United Kingdom or the European Economic Area, we handle personal data in line with UK GDPR and EU GDPR.

2. The roles of your firm and Intaklo

Our customers are typically law firms. When a law firm uses Intaklo to manage information about its clients, prospective clients, and matters, the law firm acts as the data controller for that information and Intaklo acts as the data processor (or, under PIPEDA, the "organization providing processing services"). The firm is responsible for obtaining any consents required to upload information about its clients, and for meeting its own professional-confidentiality obligations.

For account holders at a customer firm (administrators, lawyers, paralegals), and for visitors to our marketing site and help center, Intaklo is the controller of the data we collect directly from those individuals.

3. What we collect

Account information

  • Name, email address, firm name, role.
  • Authentication credentials (passwords are hashed; we never see them in plain text).
  • Billing contact information and subscription plan.

Customer Data (information your firm uploads)

  • Lead records: names, phone numbers, email addresses, case descriptions, intake-chat transcripts, conflict-check results, communications.
  • Case files: matter details, parties, notes, time entries, documents you upload, e-signatures, trust-ledger entries, invoices.
  • Widget configuration: your logo, intake prompts, jurisdictional settings.

You control what you upload. Avoid uploading information that is not necessary for the purpose you are pursuing.

Payment information

Payments are processed by Stripe. We do not store your full payment-card number; Stripe returns only a token and a masked reference.

Usage and technical data

  • Log data: IP address, browser type and version, operating system, pages visited, actions taken, time zone, error reports.
  • Cookies and similar technologies for authentication and to remember preferences (see "Cookies" below).

Support and communications

  • Emails, in-app messages, and help-center queries you send us.
  • Conversations with our AI support assistant (used to answer your question; we review logs to improve accuracy).

4. How we use personal information

  • To provide, maintain, and improve the Service, including running AI-assisted intake, conflict checks, summaries, and reporting.
  • To authenticate users and prevent unauthorized access.
  • To process subscriptions and payments, issue receipts, and recover unpaid amounts.
  • To send transactional emails (password resets, payment receipts, critical service notices) — these are not marketing.
  • To send product updates and occasional marketing with your consent (you can opt out from any marketing email).
  • To monitor service health, investigate abuse, and comply with applicable law.
  • To enforce our Terms of Service and protect our rights, property, and users.

We do not sell personal information. We do not use Customer Data to train third-party AI models.

5. Legal bases (UK/EU data subjects)

  • Contract: to provide the Service you or your firm signed up for.
  • Legitimate interests: to secure the Service, prevent fraud, and improve features, where those interests are not overridden by your rights.
  • Legal obligation: to meet tax, accounting, and regulatory requirements.
  • Consent: for optional marketing communications; you can withdraw at any time.

6. Sub-processors we rely on

We use the following sub-processors to operate the Service. Each has agreed to protect personal information consistent with our obligations to you.

Sub-processor | Purpose | Data region
--- | --- | ---
Supabase | Database, authentication, file storage | Customer-configurable region
Vercel | Application hosting and edge delivery | United States / global CDN
Cloudflare | DNS and CDN caching | Global CDN
Stripe | Payment processing, subscription billing | United States / Ireland
Resend | Transactional and authentication email | United States
OpenAI | AI intake chat, summaries, conflict-check narratives, in-app assistant | United States

We will update this list when we add or remove sub-processors. Material changes may be notified by email to the account owner.

7. International transfers

Depending on the sub-processor, personal information may be transferred to and processed in the United States or other countries. Where required, we rely on Standard Contractual Clauses or equivalent safeguards to protect those transfers.

8. Data retention

  • Active accounts: we retain Customer Data for as long as your firm maintains an account.
  • After termination: when an admin deletes the firm account, we automatically generate a JSON snapshot of your data and (a) return it to you as a download in the same request, and (b) retain a server-side copy for 30 days so we can restore on request if the deletion was accidental. Back-up copies age out on their usual rotation (up to 90 days). Audit logs and other security-relevant records may be retained longer where required by law.
  • Billing records: retained as required by applicable tax and accounting law (typically six years in Canada).
  • Audit logs: retained while the corresponding account is active, then archived consistent with our security obligations.
  • Marketing contacts: retained until you unsubscribe or for two years of inactivity, whichever comes first.

9. Your rights

Depending on where you live, you may have rights to:

  • Access the personal information we hold about you.
  • Correct inaccurate information.
  • Delete your information (subject to our legal retention obligations).
  • Port your data to another service.
  • Object to or restrict certain processing.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with a supervisory authority (for example, the Office of the Privacy Commissioner of Canada, or your EU/UK data-protection authority).

To exercise these rights, contact privacy@intaklo.com. If you are a client of one of our customer law firms, please contact that firm directly — they are the data controller for information about you.

10. Security

We use industry-standard safeguards, including:

  • TLS 1.2+ in transit; encryption at rest for databases, storage, and backups.
  • Row-level security in our database so firms only see their own data.
  • Hashed passwords, minimum-strength requirements, and common-password blocklisting.
  • Role-based access within each firm, with admin/lawyer/paralegal permissions.
  • Logging and review of administrative actions.
  • Regular dependency scans and timely patching.

No system is perfectly secure. Report suspected vulnerabilities to security@intaklo.com — we investigate promptly and will credit responsible disclosures on request.

11. Cookies

We use a small number of cookies and similar storage technologies:

  • Session cookies to keep you signed in.
  • Preference storage (local storage) for theme and user settings.
  • Security cookies to protect against forged requests.

We do not use third-party advertising cookies. Disabling cookies in your browser may prevent the Service from working.

12. Children

The Service is not directed at children under 16 and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, contact us and we will delete it.

13. AI features and transcripts

Intaklo uses third-party large-language-model providers (currently OpenAI) to power features including intake-chat triage, conflict-check summaries, and the in-app assistant. When you or a prospective client uses these features, content is transmitted to the model provider for the sole purpose of generating a response. We have contractual commitments from our provider that Customer Data sent to them is not used to train their public models.

We keep transcripts of AI conversations for the operation of the Service (for example, so a lead's intake chat remains visible on the matter). You can delete individual transcripts from within the product.

14. Google user data (Google Calendar integration)

When you connect your Google account in Settings → Integrations, Intaklo accesses a limited set of Google user data through the Google Calendar API. This section describes that access in the specific terms Google requires.

What Google data we access

  • Your Google account email and unique account identifier (via the openid and email OpenID Connect scopes) — used only to label the connected account in the Settings UI ("Connected as you@example.com").
  • Calendar event metadata from your primary Google Calendar (via the https://www.googleapis.com/auth/calendar.events scope) — including event title, description, start and end times, location, attendees, recurrence rule, and Google-assigned event identifiers.
  • OAuth refresh and access tokens issued by Google, so that we can re-read your calendar on the daily background sync without prompting you again.

How we use it

  • To display your Google Calendar events inside Intaklo's calendar view (/calendar), alongside court dates, consultation appointments, and matter deadlines that you create in Intaklo.
  • To run a daily background sync (and a manual "Sync now" button) that pulls updates, additions, and cancellations from Google into Intaklo.
  • That is the only use today. Intaklo's current integration is read-only — we do not create, modify, or delete events in your Google Calendar.

How we store it

  • OAuth refresh and access tokens are encrypted at rest with AES-256-GCM using a per-deployment master key before they are written to our database. The plain-text tokens never appear in our logs.
  • Event records are stored in our Postgres database under row-level security so that only your user account can read them.
  • Tokens and events are stored in the same Supabase region as the rest of your Intaklo data.

Who we share it with

  • Intaklo does not sell, rent, or transfer Google user data to third parties.
  • We do not use Google user data for advertising, ad personalization, or credit-worthiness determinations.
  • We do not use Google user data to train AI models, ours or any third party's.
  • Google user data is processed only by the infrastructure sub-processors listed in Section 6 (currently Supabase for storage and Vercel for application hosting), to the extent strictly necessary to operate the Service.
  • No human at Intaklo reads your calendar events except (a) with your explicit consent (for example, if you ask support to debug a sync issue), (b) where required by law, or (c) to investigate a confirmed security incident affecting the integration.

How to disconnect and delete your data

  • Go to Settings → Integrations and click Disconnect. This immediately revokes Intaklo's refresh token with Google and deletes the stored tokens.
  • You can also revoke Intaklo's access directly at myaccount.google.com/permissions; on the next sync attempt Intaklo will detect the revocation and mark the integration as disconnected.
  • Synced calendar events stored in Intaklo are deleted within 30 days of disconnection. Aggregate audit-log entries (which record that a sync ran and how many events were touched, without event content) are retained on the schedule described in Section 8.

Limited Use disclosure

Intaklo's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

15. Changes to this policy

We may update this Privacy Policy to reflect changes in our practices, sub-processors, or legal requirements. Material changes will be notified by email to the account owner or by an in-app notice at least 14 days before they take effect. The "Last updated" date at the top indicates when the current version became effective.

16. Contact

For privacy questions or to exercise your rights, email privacy@intaklo.com.