Privacy Policy - Intriq AI

Effective: 1/1/2025

Updated: 7/1/2025

Version: 1.0

Owner: Head of Engineering - Chris Ward

Contact: security@intriq.ai

1. Who We Are

Transformation Diagnostics AI Ltd (Company No. 15358901), trading as Intriq AI, is a private limited company registered in England & Wales.

Registered Address: 20 Wenlock Road, London, N1 7GU, United Kingdom

We design and operate AI-driven platforms for data analysis, automation, and reporting. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we are the Data Controller for personal data described in this Policy.

Contact: security@intriq.ai

2. Scope of this Policy

This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you:

  • visit or interact with any Intriq.AI website or mobile/desktop application;
  • create an account, upload content, or otherwise use our SaaS platform;
  • communicate with us via email, chat, social media, or other channels;
  • participate in events, webinars, research, or surveys hosted by us;
  • apply for employment or provide services to us.

It does not cover third-party websites or services that link to or from our properties.

3. What Data We Collect

Category | Typical Examples | Source
Identity & Contact | name, job title, postal address, email, phone, organisation | you, employer, business partners
Account & Authentication | username, hashed password, MFA secrets, social-login IDs, session tokens | you, identity providers
Financial & Transactional | subscription records, masked card details, invoices, purchase history | payment processors, you
Content & Uploaded Files | documents, datasets, images, audio, code, annotations you upload | you
Usage & Technical | IP address, browser/OS data, device identifiers, telemetry logs, crash reports | automated collection
Marketing & Communications | preferences, survey responses, event attendance, referral info | you, marketing partners
Third-Party Client Data | personal/financial data about end-customers uploaded by consulting clients | client uploads

We do not intentionally collect special-category data unless you voluntarily provide it and its processing is necessary for a described purpose.

4. How We Collect Data

  • Direct interactions - forms, chat, email, telephone, in-product input.
  • Automated technologies - cookies, SDKs, server logs, analytics tools.
  • Third parties - business partners, authentication providers, public sources, recruiters.

5. Legal Bases for Processing

Purpose | Legal Basis (UK GDPR Art.)
Account registration, platform operation | Art 6 (1)(b) - contract performance
Security, fraud prevention, system integrity | Art 6 (1)(f) - legitimate interests
Regulatory, tax, accounting obligations | Art 6 (1)(c) - legal obligation
Marketing by email/SMS & non-essential cookies | Art 6 (1)(a) - consent
Product analytics to improve service | Art 6 (1)(f) - legitimate interests (minimised/aggregated)

Where we rely on consent, you may withdraw it at any time without affecting processing performed before withdrawal.

6. How We Use Your Data

  • Provide, maintain, and personalise the Intriq.AI platform;
  • Authenticate users and authorise access (MFA, RBAC);
  • Process payments and manage subscriptions;
  • Detect, investigate, and prevent fraud, abuse, or security incidents;
  • Generate anonymised statistics and product insights;
  • Communicate service updates, security alerts, and marketing (where permitted);
  • Fulfil contractual or legal requirements (e.g. tax invoices, court orders).

We never sell personal data.

7. Automated Decision-Making & Profiling

Our services may employ automated scoring or anomaly-detection models to flag potential fraud or suspicious activity. These processes do not produce legal or similarly significant effects without human review. You may request human intervention, contest a decision, or express your viewpoint (Art 22 UK GDPR).

8. Data Retention

We retain personal data only for as long as necessary to:

  • deliver the service you requested,
  • satisfy legal, tax, audit, or regulatory requirements, or
  • resolve disputes and enforce agreements.

Data Type | Retention
Account data | life of the account + 6 years
Log files | 12 months (unless required for security investigations)
Marketing opt-out records | indefinitely (suppression list)
Job-applicant data | 12 months after decision

Upon expiry, data is securely deleted or irreversibly anonymised. We respect your Right to Erasure under UK GDPR and EU GDPR. Requests for deletion may be sent to privacy@intriq.ai.

9. How We Protect Your Data

  • Encryption - TLS 1.2+ in transit; AES-256 at rest.
  • Infrastructure - hosted in Supabase and Krystal Hosting UK (compute, networking) in UK/EU regions.
  • Access controls - least-privilege IAM, MFA, RBAC, row/column-level security.
  • Monitoring - real-time threat detection, immutable audit logs, SIEM alerting.
  • Compliance - SOC 2 (Type II), ISO 27001, and PCI-DSS certifications.
  • Data residency - all production data is stored and backed up exclusively within the EU Central (Frankfurt, Germany) region.

A detailed Technical & Organisational Measures (TOMs) schedule is available on request.

10. Sub-Processors

Sub-Processor | Service | Location | Safeguards
Amazon Web Services (AWS) | Cloud infrastructure (compute, database, storage, auth, AI) | EU West (Ireland) - eu-west-1 | SCCs + ISO 27001, SOC 2, GDPR DPA
Anthropic (via AWS Bedrock) | AI document analysis (Claude 3.5 Sonnet) | EU West (Ireland) via AWS Bedrock | SCCs + DPA; No foundational model training
Sentry, Inc. | Error tracking and performance monitoring | EU (Frankfurt) - de.sentry.io | SCCs + ISO 27001, SOC 2
PostHog, Inc. | Product analytics and session recording | EU (Frankfurt) - eu.i.posthog.com | GDPR compliant; EU hosting; SOC 2
GitHub (Microsoft) | Source code repository (internal only) | US (does not process customer data) | SCCs + ISO 27001; Internal development only

AI Vendors: Where AI models are used (AWS Bedrock Claude 3.5 Sonnet), we ensure no customer data is used for foundational model training. AWS Bedrock enforces strict data isolation.

Live Register: A complete and always up-to-date list is maintained online. Clients will be notified of material changes at least 30 days in advance.

11. International Data Transfers

All production customer data is stored in the EU Central (Germany) region and is not routinely transferred outside the EEA. Where limited transfers occur (e.g., to the US), the following safeguards are applied:

  • UK International Data Transfer Addendum (IDTA) to SCCs;
  • Adequacy regulations under UK/EU law;
  • Other lawful transfer mechanisms approved by ICO/EU Commission.

For details, see our Subprocessor Register or contact privacy@intriq.ai.

12. Disclosure & Sharing

  • to sub-processors listed above, strictly for service delivery;
  • to professional advisers under confidentiality;
  • when required by law, subpoena, or regulatory authority;
  • in connection with a merger, acquisition, or sale of assets (with notice);
  • with your explicit consent.

13. Cookies & Similar Technologies

We use cookies, pixels, and SDKs for functionality, analytics, and advertising. Full details and controls are set out in our Cookie Policy.

14. Your Rights (UK GDPR, Arts 15-22)

  • Access - obtain a copy of your personal data;
  • Rectify - correct inaccurate or incomplete data;
  • Erase - request deletion ("right to be forgotten");
  • Restrict - limit processing;
  • Port - receive data in machine-readable format;
  • Object - to legitimate interests or direct marketing;
  • Withdraw consent - at any time.

To exercise any right, email security@intriq.ai. We may need to verify your identity and will respond within one month.

If unresolved, you can complain to the UK Information Commissioner's Office (ICO): https://ico.org.uk Tel: +44 303 123 1113

15. Children's Privacy

Our services are not intended for individuals under 18. We do not knowingly collect data from minors.

If you believe a minor has accessed the service, contact security@intriq.ai so we can delete their data.

16. Breach Notification

If a breach risks your rights, we will notify the ICO within 72 hours and affected individuals without undue delay.

For details, see our Security & Bug Reporting Policy.

17. Changes to This Policy

We may update this Privacy Policy to reflect legal, technical, or business developments. Material changes will be announced at least 14 days before they take effect.

18. Contact Us

Policy Owner: Head of Engineering - Chris Ward

Intriq.AI - Transformation Diagnostics AI Ltd, 20 Wenlock Road, London, N1 7GU, United Kingdom

📧 security@intriq.ai