Privacy Policy
Intake
Effective Date: March 29, 2026
Intake Security, Inc. ("Intake Security," "we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Intake platform, including our website, cloud-hosted service, APIs, and documentation (collectively, the "Service").
By creating an account, submitting a vulnerability report, or otherwise using the Service, you agree to this Privacy Policy. If you are using the Service on behalf of an organization, you represent that you have authority to bind that organization.
If you do not agree, do not use the Service.
1. Information We Collect
We collect information that identifies, relates to, or could reasonably be linked to you ("Personal Information") in the following ways:
A. Information You Provide to Us
- Account Data: When you register for an account, we collect your name, email address, and password (stored as a bcrypt hash — we never store plaintext passwords).
- Organization Data: If you create or join an organization, we collect the organization name, program configuration, and team member information you provide.
- Billing Data: If you purchase a subscription, payment is processed by Stripe. We receive your name, billing address, and a payment method token from Stripe. We do not directly collect or store your full credit card number.
- Vulnerability Report Data: If you submit a vulnerability report, we collect the report title, description, severity assessment, and any attachments (such as proof-of-concept files) you upload. Reports are submitted to the organization operating the relevant program, not to Intake Security.
- Communication Data: Information you provide when you contact support, respond to surveys, or communicate through the Service (including inbound email submissions and in-platform comments).
B. Information We Collect Automatically
- Usage Data: We collect data about your interactions with the Service, such as pages visited, features used, actions taken (e.g., report status changes, triage decisions), and timestamps.
- Device and Technical Data: We collect your IP address, browser type and version, operating system, device identifiers, and referring URL.
- Cookies and Similar Technologies: We use cookies and similar technologies to authenticate your session, remember your preferences, and analyze how the Service is used. See Section 7 (Cookies) for details.
- Audit Logs: The Service generates immutable audit logs of significant actions in Open Cybersecurity Schema Framework (OCSF) format. These logs record the action type, the user who performed it, the affected resource, and a timestamp. Audit logs are retained for compliance and security purposes.
C. Information We Receive from Third Parties
- Single Sign-On (SSO) and OAuth Providers: If you sign in through a third-party identity provider (such as GitHub, Google, or Microsoft via OIDC), or if your organization configures SSO, we receive your name, email address, and authentication tokens from your identity provider.
- Inbound Email: If a reporter submits a report via email, we process the email headers, sender address, and message content.
- Slack (When Connected): If your organization connects a Slack workspace, we receive your Slack workspace ID, workspace name, bot user ID, the installing user's Slack user ID, and a list of channel IDs and names. We store workspace metadata and encrypted OAuth tokens to deliver notifications. Our Slack Events API endpoint may receive event payloads from Slack (including event type, channel ID, user ID, and message text); these payloads are acknowledged but not stored or processed beyond returning the acknowledgment response, and the data is discarded once that response is sent.
- Jira (When Connected): If your organization connects a Jira Cloud workspace, we receive OAuth tokens from Atlassian, a list of accessible projects, and issue type metadata. We store connection details and encrypted tokens to enable issue creation. When a team member syncs a report to Jira, report data (title, description, severity) is sent to Atlassian's API to create an issue.
- API Webhooks (When Configured): If your organization configures webhook subscriptions, report event data (report ID, title, program name, severity, status changes, assignee, and actor names) is sent via signed HTTP POST to URLs specified by your organization. Webhook payloads leave Intake's infrastructure and are delivered to external endpoints that your organization controls.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Provide the Service — operate, maintain, and improve the platform.
- Process Reports — receive, store, and route vulnerability reports between reporters and organizations.
- Authenticate and Secure — verify your identity, manage sessions, enforce role-based access controls, and protect against unauthorized access.
- Process Payments — manage subscriptions and billing through Stripe.
- Communicate — send product updates, technical notices, security alerts, and respond to support inquiries.
- Deliver Notifications — if your organization connects a Slack workspace, send notification messages to configured Slack channels when vulnerability reports are submitted or updated. These messages may include report titles, severity levels, and reporter display names.
- AI-Powered Features — if enabled by an organization administrator, process relevant portions of vulnerability report data (such as titles, descriptions, and metadata) through third-party large language model (LLM) providers for triage assistance and response drafting. See Section 5 (AI Features and Data Processing) for details.
- Audit and Compliance — generate and retain audit logs for security, compliance, and forensic purposes.
- Analyze and Improve — understand usage patterns and improve the Service's functionality and user experience.
- Legal Obligations — comply with applicable laws, respond to lawful requests, and enforce our Terms of Service.
3. How We Share Your Information
We do not sell your Personal Information, and we do not share it for cross-context behavioral advertising. This applies to all users, including California residents under the CCPA/CPRA. We may share your information in the following situations:
A. With Organizations (for Reporters)
When you submit a vulnerability report, the receiving organization can access your report content, your display name, and your email address (if provided). Organizations control their own program policies and data handling practices.
B. Service Providers
We share data with trusted third-party service providers who perform services on our behalf, subject to contractual obligations to protect your data:
| Provider | Purpose | Data Shared |
|----------|---------|-------------|
| Railway (on Google Cloud Platform) | Application hosting and database | All Service data (encrypted at rest and in transit) |
| Stripe | Payment processing | Billing name, email, payment method token |
| Resend | Email delivery and inbound email processing | Recipient/sender email addresses, message content, attachments |
| Amazon S3 (or S3-compatible storage) | File attachment storage | Uploaded files (encrypted at rest) |
C. AI/LLM Providers (When Enabled)
If an organization enables AI features, relevant vulnerability report data is sent to a third-party LLM provider for processing. Supported providers include OpenAI, Anthropic, and Google (Gemini). API keys are managed by Intake Security — organizations do not need to provide their own. See Section 5 for details.
D. Legal Requirements
We may disclose your information if required by law, court order, subpoena, or governmental request, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Intake Security, our users, or the public.
E. Business Transfers
If Intake Security is involved in a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice before your data becomes subject to a different privacy policy.
4. Data Security
We implement security measures designed to protect your Personal Information, including:
- Encryption in transit — all data transmitted between you and the Service is encrypted using TLS.
- Encryption at rest — sensitive data, including organization secrets and API keys, is encrypted using AES-256-GCM envelope encryption with per-organization key isolation.
- Multi-tenant isolation — organization data is logically isolated using PostgreSQL Row-Level Security (RLS) and application-level access controls.
- Access controls — role-based access control (RBAC) with owner, admin, triager, and viewer roles.
- Password security — passwords are hashed using bcrypt. We never store plaintext passwords.
- Audit logging — all significant actions are logged in OCSF v1.3.0 format.
While we implement industry-standard security practices, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at [email protected].
Data Breach Notification
In the event of a data breach that affects your Personal Information, we will notify affected users and, where required, applicable regulatory authorities, in accordance with applicable law. Where GDPR applies, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a qualifying breach, as Article 33 requires. We will provide details of the nature of the breach, the data affected, and the steps we are taking in response.
5. AI Features and Data Processing
A. How AI Features Work
The Service includes optional AI-powered features that use third-party LLM providers to assist with report triage, response drafting, and analysis. When AI features are enabled, relevant portions of vulnerability report data (such as titles, descriptions, and metadata) may be sent to the configured LLM provider for processing.
B. Your Control
- AI features are enabled by default for an organization and can be adjusted or disabled by an organization administrator as described below. AI report synthesis (structuring) is available on all plans. During the 14-day free trial, all AI features, including triage, action proposals, and insights, are active at Pro level. After the trial, available AI features depend on your plan tier (see Section 4 of the Terms of Service for plan details).
- API keys for third-party LLM providers are managed by Intake Security and encrypted at rest. Organizations do not need to provide or manage their own keys.
- Organizations can configure synthesis mode (manual or automatic) from their AI settings. Auto-triage can be disabled from the triage settings.
C. Third-Party Provider Data Handling
When AI features are enabled, your use of third-party LLM providers is subject to those providers' terms of service and privacy policies. We recommend reviewing your chosen provider's data retention and training policies. Intake Security is not responsible for how third-party providers process data sent to their APIs.
D. Automated Decision-Making
The Service's AI features may perform automated processing of vulnerability reports, including severity classification and triage prioritization. These outputs are recommendations only — all triage decisions are subject to human review by the organization's team before any action is taken.
Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Under applicable US state privacy laws (including the CCPA/CPRA), you may have the right to opt out of automated decision-making technology.
Because Intake's AI features produce recommendations subject to human review (not autonomous decisions), they do not constitute solely automated decision-making. If you have concerns about how AI features process your report data, contact us at [email protected].
6. Data Retention
We retain your Personal Information only for as long as necessary to fulfill the purposes described in this Privacy Policy, or as required by law.
| Data Type | Retention Period |
|-----------|-----------------|
| Account data | Until you delete your account, plus 30 days |
| Vulnerability reports | Controlled by the organization; retained while the organization's account is active |
| Audit logs | Minimum 1 year, or longer as required by applicable law or regulation |
| Billing records | As required by tax and accounting laws (typically 7 years) |
| Backups | Encrypted backups are purged within 90 days of data deletion |
| Slack integration data | Workspace metadata and encrypted tokens are retained while the integration is connected; deleted immediately when the organization disconnects |
| Jira integration data | Connection metadata and encrypted tokens are retained while the integration is connected; deleted when the organization disconnects |
| Webhook delivery logs | Delivery attempt metadata (status code, timestamp, duration) retained for 7 days; webhook signing secrets deleted when the subscription is removed |
When you delete your account:
- Your Personal Information is deleted or anonymized from live systems within 30 days. Copies in encrypted backups are purged within 90 days of deletion, as noted in the retention table above.
- Vulnerability reports you submitted remain accessible to the receiving organization (as they are part of the organization's security records), but your personally identifiable information in those reports may be anonymized upon request.
When an organization cancels its subscription:
- Organization data remains available for export for 30 days after the subscription ends, after which it may be deleted.
7. Cookies and Tracking Technologies
A. Cookies We Use
| Cookie | Purpose | Type | Duration |
|--------|---------|------|----------|
| Session cookie | Authenticates your session | Essential | Session (expires on logout or after inactivity) |
| CSRF token | Prevents cross-site request forgery | Essential | Session |
We use browser local storage (not cookies) for UI preferences such as theme settings. Local storage data does not leave your browser and is not transmitted to our servers.
B. What We Do NOT Do
- We do not use third-party advertising cookies.
- We do not use cross-site tracking pixels.
- We do not sell data collected through cookies.
C. Your Choices
Essential cookies are required for the Service to function; if your browser blocks them, you will not be able to sign in or submit forms. You can configure your browser to reject non-essential cookies, though this may affect your experience.
D. Do Not Track and Global Privacy Control
Do Not Track (DNT). Some browsers send a "Do Not Track" signal. Because there is no accepted standard for how to respond to DNT signals, we do not currently respond to them. However, we do not engage in cross-site tracking.
Global Privacy Control (GPC). We honor Global Privacy Control opt-out preference signals. Because we do not sell your Personal Information or share it for cross-context behavioral advertising, a GPC signal does not change how we process your data — but we recognize and respect the signal as a valid opt-out request under applicable state privacy laws (including the CCPA/CPRA, CPA, CTDPA, and similar laws).
8. Your Privacy Rights
Depending on your jurisdiction, you may have some or all of the following rights:
A. Rights Available to All Users
- Access — request a copy of the Personal Information we hold about you.
- Correction — request that we correct inaccurate or incomplete data.
- Deletion — request that we delete your Personal Information ("right to be forgotten").
- Export — request your data in a portable, machine-readable format.
- Opt-Out of Marketing — unsubscribe from marketing emails at any time by clicking the "unsubscribe" link.
B. Additional Rights for EEA/UK Residents (GDPR)
If you are located in the European Economic Area or the United Kingdom, you also have the right to:
- Restrict Processing — request that we limit how we use your data.
- Object to Processing — object to our processing of your data based on legitimate interests.
- Withdraw Consent — withdraw consent at any time where we rely on consent as the legal basis.
- Lodge a Complaint — file a complaint with your local data protection authority.
Legal Bases for Processing (GDPR Article 6):
| Purpose | Legal Basis |
|---------|-------------|
| Providing the Service | Performance of a contract |
| Security and fraud prevention | Legitimate interest |
| Billing and payments | Performance of a contract |
| AI features (when enabled) | Consent (controlled by the organization administrator; see Section 5.B) |
| Audit logging | Legitimate interest / legal obligation |
| Marketing communications | Consent |
C. Additional Rights for California Residents (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know — request disclosure of the categories and specific pieces of Personal Information we have collected.
- Correct — request that we correct inaccurate Personal Information.
- Delete — request deletion of your Personal Information.
- Non-Discrimination — we will not discriminate against you for exercising your privacy rights.
- Opt-Out of Sale — we do not sell your Personal Information. No opt-out is necessary, but you may still submit a request.
CCPA Categories of Information Collected:
| Category | Examples | Collected |
|----------|----------|-----------|
| Identifiers | Name, email, IP address | Yes |
| Commercial information | Subscription and billing records | Yes |
| Internet activity | Usage data, feature interactions | Yes |
| Professional information | Organization name and role | Yes |
| Geolocation | IP-derived approximate location | Yes |
| Inferences | AI-derived severity classifications, triage priorities (when AI features enabled) | Yes (when enabled) |
Sensitive Personal Information. We do not collect sensitive personal information as defined by the CPRA, such as Social Security numbers, financial account credentials, precise geolocation, racial or ethnic origin, health data, or biometric information.
To exercise any of these rights, you may:
- Email: [email protected]
- In-app: Submit a request from your account settings under Privacy.
We will verify your identity before processing your request. We will respond within the timeframe required by applicable law (one month under the GDPR, 45 days under the CCPA, in each case extendable only where the law permits and with notice to you).
9. International Data Transfers
Intake Security is based in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States and other jurisdictions where our service providers operate.
For transfers from the EEA/UK, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Service provider agreements that include appropriate safeguards.
If you have questions about international data transfers, contact us at [email protected].
10. Children's Privacy
The Service is not intended for anyone under the age of 18. We do not knowingly collect Personal Information from minors.
If we become aware that we have collected data from anyone under the age of 18, we will take steps to delete it promptly. If you believe a child has provided us with Personal Information, please contact us at [email protected].
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a prominent notice within the Service at least 30 days before the changes take effect.
Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acceptance of those changes. If you do not agree, you must stop using the Service and delete your account.
We review this Privacy Policy at least once every 12 months to ensure it remains accurate and compliant with applicable law.
The "Effective Date" at the top of this document indicates when this Privacy Policy was last updated.
12. Data Processing Addendum (DPA)
For organizations that require a Data Processing Addendum for GDPR compliance or other regulatory purposes, we offer a DPA as a separate agreement. Contact us at [email protected] to request one.
13. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
- Privacy inquiries: [email protected]
- Security issues: [email protected]
- General legal: [email protected]
This Privacy Policy was last updated on March 29, 2026.