Privacy Policy

1. Information we collect

We collect information you provide directly, information generated by your use of the service, and limited technical information to keep intake running.

Account information: When you register, we collect your email address and any profile details you provide (name, avatar). This is used to identify your account and communicate with you.

Form data: The forms you build, the settings you configure, and the responses your respondents submit are stored on our servers. Respondents may provide personal information (names, emails, etc.) depending on the questions you include in your forms.

Usage data: We collect anonymised logs of actions taken within the app (pages viewed, features used, errors encountered) to improve the product. These logs do not include form response content.

Integration credentials: When you connect Notion or Google Sheets, we store OAuth tokens securely to enable ongoing syncing. We never see your Notion or Google account passwords.

2. How we use your information

We use the information we collect to:

- Provide, maintain, and improve the intake service - Authenticate you and keep your account secure - Sync your form responses to connected integrations (Notion, Google Sheets) - Send transactional emails such as password resets and submission notifications (when enabled) - Respond to support requests you submit - Detect and prevent abuse, fraud, and spam - Comply with legal obligations

We do not use your form response data to train AI models. Gemini API calls are made with your prompt and response data in-flight but are not retained by us for training purposes.

3. Data storage and security

Your data is stored on Supabase-managed PostgreSQL databases and Cloudinary (for file uploads). We use industry-standard encryption in transit (TLS 1.2+) and at rest.

Access to production data is limited to authorised personnel only. We do not sell, rent, or share your personal information with third parties except as described in this policy.

Form response data is logically isolated per workspace. Members only see responses to forms within workspaces they have been granted access to.

4. Third-party services

intake integrates with the following third-party services:

Google Gemini API — Used to power AI form generation, response analysis, translation, and block suggestions. Your prompts and response data are sent to Google's API. Google's data processing terms apply.

Supabase — Authentication and database hosting. Supabase's privacy policy applies to data stored on their infrastructure.

Cloudinary — File and image hosting. Files you upload (form covers, logos, file upload responses) are stored on Cloudinary's CDN.

Notion / Google Sheets — When you connect these integrations, response data is sent to those services subject to their own privacy policies.

We are not responsible for the privacy practices of these third-party services. We recommend reviewing their policies.

5. Data retention

We retain your data for as long as your account is active. If you delete a workspace, all associated forms and responses are permanently deleted immediately.

If you close your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or compliance purposes.

You can export your response data at any time from the Responses page in CSV or JSON format before deletion.

6. Your rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

- Access: Request a copy of the personal data we hold about you - Correction: Ask us to correct inaccurate data - Deletion: Request that we delete your data (subject to legal obligations) - Portability: Receive your data in a machine-readable format - Objection: Object to certain types of processing

To exercise any of these rights, contact us at privacy@intake.io. We will respond within 30 days.

7. Cookies

intake uses session cookies to keep you logged in and preference cookies to remember settings such as sidebar state. We do not use advertising or tracking cookies.

We do not use third-party analytics trackers (e.g. Google Analytics) on the intake application. Usage data is collected directly by our own backend services.

8. Children's privacy

intake is not directed to children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at privacy@intake.io and we will delete it promptly.

9. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or a prominent notice within the application at least 14 days before the changes take effect.

Your continued use of intake after the effective date of a revised policy constitutes your acceptance of the changes.

10. Contact

If you have questions about this Privacy Policy or how we handle your data, please contact us:

Email: privacy@intake.io Support: intake.io/support