Privacy Policy
Effective date: March 22, 2026 · Last updated: April 4, 2026
1. Overview
This Privacy Policy describes how Intended, Inc. ("Intended", "we", "us", or "our") collects, uses, and protects information when you use our website (intended.so), APIs, SDKs, CLI tools, and platform services (collectively, the "Services"). Intended processes minimal data required for AI authority evaluation, audit integrity, and compliance evidence generation. This policy applies to all users of the Services, including visitors to our website, customers, and AI agents authorized by customers.
2. Lawful bases for processing
In accordance with GDPR Article 6, Intended processes personal data under the following lawful bases:
- Contract performance (Article 6(1)(b)): Processing necessary to provide the Services you have subscribed to, including authority evaluation, token issuance, audit trail generation, and account management
- Legitimate interests (Article 6(1)(f)): Processing necessary for platform security, fraud prevention, abuse detection, service improvement, and aggregated analytics, where such interests are not overridden by your data protection rights
- Consent (Article 6(1)(a)): Where we process data based on your consent (e.g., marketing communications), you may withdraw consent at any time without affecting the lawfulness of prior processing
- Legal obligation (Article 6(1)(c)): Processing necessary to comply with applicable laws, regulations, or lawful government requests, including tax, accounting, and regulatory retention requirements
3. Data we collect
Account data
- Name and email address for account creation and communication
- Company name and role for enterprise account provisioning
- API keys (hashed) for authentication and access control
Authority decision data
- Intent metadata: action type, target system, environment, and risk parameters as classified by the Open Intent Layer
- Risk evaluation results: 8-factor scores, risk tier classification, and policy outcomes
- Authority tokens: signed JWT claims (action, target, scope, expiry, nonce)
- Audit records: hash-chained decision entries with SHA-256 integrity
- Escalation records: approver identity, rationale, and timestamp
- Runtime integration artifacts: generated policy bundles, inferred presets, endpoint metadata, and related configuration produced when customers use runtime adapter workflows such as the OpenShell integration
Usage data
- API request metadata (endpoint, method, status code, latency)
- Decision volume and connector utilization metrics
- Error logs for debugging and service reliability
Website analytics
- Standard web analytics (page views, referrer, browser type) — no third-party tracking pixels
- Form submissions (contact, demo requests) — processed by Intended directly
- Cookie data as described in our Cookie Policy
4. Data minimization
Intended adheres to the principle of data minimization. We collect and process only the personal data that is strictly necessary for the purposes described in this policy. Authority decision data is limited to the intent metadata required for policy evaluation and the minimum claims needed for token issuance. We do not collect or store the underlying content of actions executed through connectors — only the authorization metadata. We regularly review our data collection practices to ensure continued compliance with minimization principles.
5. How we use data
- Provide, maintain, and improve the Authority Runtime and related Services
- Evaluate AI intents, calculate risk scores, and enforce policy decisions
- Generate and maintain hash-chained audit trails for compliance evidence
- Issue and verify cryptographically signed authority tokens
- Handle escalation workflows and record human oversight decisions
- Communicate with you about your account, support requests, and product updates
- Monitor platform health, security, and performance
- Comply with legal obligations and respond to lawful requests
6. Third-party runtime integrations
Some Intended features generate artifacts or configuration intended for customer-operated third-party runtimes and systems. For example, Intended may generate policy YAML or scoped integration output for a runtime such as NVIDIA OpenShell / NVIDIA NemoClaw. In those cases, Intended processes the data required to generate the artifact and preserve auditability within Intended. Once that artifact is exported or applied in a customer-operated third-party runtime, the customer's direct relationship with that runtime or provider governs the subsequent processing. Customer-configured third-party runtimes are not Intended sub-processors solely because Intended generated a policy artifact for them.
7. Automated decision-making
The Intended Authority Engine makes automated decisions when evaluating AI agent intents. These decisions include risk scoring, policy matching, and the issuance or denial of authority tokens. Important disclosures about automated decision-making:
- Automated decisions are made by the Authority Engine based entirely on policies, risk thresholds, and rules configured by the customer (Controller) — not by Intended
- Intended does not unilaterally determine the outcome of authority decisions. The customer defines all policies, risk thresholds, escalation triggers, and approval workflows
- Customers may configure escalation workflows that require human review for high-risk decisions, providing meaningful human oversight
- Authority decisions do not constitute decisions that produce legal effects or similarly significantly affect natural persons within the meaning of GDPR Article 22, as they govern AI agent actions rather than decisions about individuals
- If you believe an automated authority decision has adversely affected you, contact your organization's administrator who controls the policy configuration, or contact us at privacy@intended.so
8. Data protection
- Encryption at rest: AES-256-GCM for all sensitive data including signing keys and connector credentials
- Encryption in transit: TLS 1.3 enforced for all API, database, and cache connections
- Per-tenant isolation: Every query scoped to tenant ID. No cross-tenant data access surface
- Key isolation: Per-tenant RSA key pairs with encrypted private key storage
- Audit integrity: SHA-256 hash chain prevents tampering. Any modification is immediately detectable
- Evidence bundles: HMAC-SHA-256 signed packages verifiable without database access
- Nonce protection: Single-use nonces consumed on first verification. Replay attacks impossible
9. Data retention
Authority decision data and audit records are retained according to your plan tier. Free plans retain audit data for 30 days. Team plans retain it for 1 year. Enterprise plans support custom retention up to 7 years with S3 Object Lock (Compliance mode) for immutable long-term storage. Account data is retained for the duration of your active account plus 30 days after deletion. Usage and analytics data is retained for 90 days for operational purposes.
11. Do Not Sell My Personal Information
Intended does not sell your personal information. We do not sell, rent, or trade personal data to third parties for monetary or other valuable consideration. We do not share personal information for cross-context behavioral advertising. This applies to all users regardless of jurisdiction. If you are a California resident and wish to exercise your rights under the CCPA/CPRA, please see Section 12 below or contact us at privacy@intended.so.
13. California privacy rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act provides you with additional rights regarding your personal information:
- Right to know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share personal information
- Right to delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (e.g., legal retention obligations, ongoing service provision, security purposes)
- Right to correct: You have the right to request correction of inaccurate personal information
- Right to opt-out of sale/sharing: Intended does not sell personal information or share it for cross-context behavioral advertising. No opt-out is necessary, but you may submit a request for confirmation at privacy@intended.so
- Right to limit use of sensitive personal information: To the extent we process sensitive personal information, you may request that we limit its use to purposes necessary to provide the Services
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you services, charge different prices, or provide a different quality of service
- To exercise these rights, contact privacy@intended.so. We will verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf
14. Additional U.S. state privacy rights
Residents of certain U.S. states have additional privacy rights under their respective state privacy laws:
- Virginia (CDPA): Virginia residents have the right to access, correct, delete, and obtain a copy of their personal data, and to opt out of the processing of personal data for targeted advertising, sale, or profiling. To appeal a denial of a privacy request, contact privacy@intended.so with the subject line "VCDPA Appeal"
- Colorado (CPA): Colorado residents have the right to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising, sale, or profiling. Universal opt-out mechanisms are honored
- Connecticut (CTDPA): Connecticut residents have the right to access, correct, delete, and obtain a copy of their personal data, and to opt out of the processing of personal data for targeted advertising, sale, or profiling
- Intended does not engage in targeted advertising, does not sell personal data, and does not profile consumers for decisions that produce legal or similarly significant effects. These rights are provided as a matter of transparency
15. Your rights (GDPR and general)
- Access: Request a copy of your personal data and authority decision history
- Correction: Update inaccurate personal data through your account settings or by contacting support
- Deletion: Request deletion of your account and associated personal data (subject to legal retention obligations)
- Export: Export authority decision data and audit records via the API or evidence bundle export
- Objection: Object to specific data processing activities where legitimate interest is the legal basis
- Portability: Receive your data in a structured, machine-readable format (JSON or CSV)
- Restriction: Request restriction of processing in certain circumstances, such as while a correction request is pending
- Withdraw consent: Where processing is based on consent, withdraw at any time without affecting the lawfulness of prior processing
16. Data breach notification
In the event of a personal data breach, Intended will follow these notification procedures:
- GDPR: Notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of natural persons. Affected data subjects will be notified without undue delay where the breach is likely to result in a high risk
- CCPA/CPRA: Notify affected California residents in accordance with California Civil Code Section 1798.82
- Other U.S. states: Comply with applicable state breach notification laws, which generally require notification within 30 to 60 days depending on the jurisdiction
- Customer notification: Notify affected customers via email and the platform dashboard within 72 hours of confirming a breach affecting their data
- All notifications will include: the nature of the breach, categories of data affected, approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach
17. Sub-processors
Intended maintains a current list of sub-processors used to provide the Services. The list is available upon request by contacting dpa@intended.so. We provide advance notice of changes to our sub-processor list in accordance with our Data Processing Agreement. Current sub-processors include Amazon Web Services (AWS) for infrastructure hosting. Customer-configured connector targets and customer-operated third-party runtimes are not Intended sub-processors solely because Intended interoperates with them or generates artifacts for them.
18. International transfers
Intended processes data in the United States using AWS infrastructure. For customers in the European Economic Area, United Kingdom, or other jurisdictions with data transfer restrictions, we rely on Standard Contractual Clauses (SCCs) and supplementary security measures as described in our Data Processing Agreement. Enterprise customers requiring data residency restrictions should contact us to discuss deployment options.
19. Children's privacy
Intended Services are not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child, we will delete it promptly. If you believe a child has provided us with personal data, please contact privacy@intended.so.
20. Changes to this policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will provide notice of material changes through the Services or by email at least 30 days before the changes take effect. Continued use of the Services after the effective date constitutes acceptance of the updated policy. Previous versions of this policy are available upon request.
21. Contact
For privacy-related inquiries, data subject requests, or complaints, contact us at privacy@intended.so or by mail at Intended, Inc., Attn: Privacy, Austin, Texas, USA. For EU representative inquiries, contact eu-privacy@intended.so. If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority.