Privacy Policy
Effective date: March 22, 2026 · Last updated: April 17, 2026
1. Overview
This Privacy Policy describes how Intended, Inc. ("Intended", "we", "us", or "our") collects, uses, and protects information when you use our website (intended.so), APIs, SDKs, CLI tools, and platform services (collectively, the "Services"). Intended processes minimal data required for AI authority evaluation, audit integrity, and compliance evidence generation. This policy applies to all users of the Services, including visitors to our website, customers, and AI agents authorized by customers.
1A. EU legal representative and GPAI deployer status
Intended has designated a representative in the European Union pursuant to Article 27 of the GDPR and a representative in the United Kingdom pursuant to the UK GDPR. The designated representative and contact details will be published at intended.so/legal/representatives. Until the representative is published, EU and UK data subjects may contact eu-privacy@intended.so.
2. Lawful bases for processing
In accordance with GDPR Article 6, Intended processes personal data under the following lawful bases:
- Contract performance (Article 6(1)(b)): Processing necessary to provide the Services you have subscribed to, including authority evaluation, token issuance, audit trail generation, and account management
- Legitimate interests (Article 6(1)(f)): Processing necessary for platform security, fraud prevention, abuse detection, service improvement, and aggregated analytics, where such interests are not overridden by your data protection rights
- Consent (Article 6(1)(a)): Where we process data based on your consent (e.g., marketing communications), you may withdraw consent at any time without affecting the lawfulness of prior processing
- Legal obligation (Article 6(1)(c)): Processing necessary to comply with applicable laws, regulations, or lawful government requests, including tax, accounting, and regulatory retention requirements
3. Data we collect
Account data
- Name and email address for account creation and communication
- Company name and role for enterprise account provisioning
- API keys (hashed) for authentication and access control
Authority decision data
- Intent metadata: action type, target system, environment, and risk parameters as classified by the Open Intent Layer
- Risk evaluation results: 8-factor scores, risk tier classification, and policy outcomes
- Authority tokens: signed JWT claims (action, target, scope, expiry, nonce)
- Audit records: hash-chained decision entries with SHA-256 integrity
- Escalation records: approver identity, rationale, and timestamp
- Runtime integration artifacts: generated policy bundles, inferred presets, endpoint metadata, and related configuration produced when customers use runtime adapter workflows such as the OpenShell integration
Usage data
- API request metadata (endpoint, method, status code, latency)
- Decision volume and connector utilization metrics
- Error logs for debugging and service reliability
Website analytics
- Standard web analytics (page views, referrer, browser type) — no third-party tracking pixels
- Form submissions (contact, demo requests) — processed by Intended directly
- Cookie data as described in our Cookie Policy
4. Data minimization
Intended adheres to the principle of data minimization. We collect and process only the personal data that is strictly necessary for the purposes described in this policy. Authority decision data is limited to the intent metadata required for policy evaluation and the minimum claims needed for token issuance. We do not collect or store the underlying content of actions executed through connectors — only the authorization metadata. We regularly review our data collection practices to ensure continued compliance with minimization principles.
4A. Data NOT used for model training
Intended does NOT use your personal data, authority decision data, policies, or audit trails to train, fine-tune, evaluate, or improve any machine learning models, large language models, foundation models, or internal analytics systems, whether operated by Intended or by sub-processors (including OpenAI or Anthropic). LLM sub-processors (OpenAI, Anthropic) are contractually prohibited from using your data for model improvement. Intended will not relax this restriction without 90 days' advance notice and your explicit written consent. You may review our data flow with LLM providers at intended.so/legal/ai-subprocessors-data-flow.
5. How we use data
- Provide, maintain, and improve the Authority Runtime and related Services
- Evaluate AI intents, calculate risk scores, and enforce policy decisions
- Generate and maintain hash-chained audit trails for compliance evidence
- Issue and verify cryptographically signed authority tokens
- Handle escalation workflows and record human oversight decisions
- Communicate with you about your account, support requests, and product updates
- Monitor platform health, security, and performance
- Comply with legal obligations and respond to lawful requests
6. Third-party runtime integrations
Some Intended features generate artifacts or configuration intended for customer-operated third-party runtimes and systems. For example, Intended may generate policy YAML or scoped integration output for a runtime such as NVIDIA OpenShell / NVIDIA NemoClaw. In those cases, Intended processes the data required to generate the artifact and preserve auditability within Intended. Once that artifact is exported or applied in a customer-operated third-party runtime, the customer's direct relationship with that runtime or provider governs the subsequent processing. Customer-configured third-party runtimes are not Intended sub-processors solely because Intended generated a policy artifact for them.
7. Automated decision-making
The Intended Authority Engine makes automated decisions when evaluating AI agent intents. These decisions include risk scoring, policy matching, and the issuance or denial of authority tokens. Important disclosures about automated decision-making:
- Automated decisions are made by the Authority Engine based entirely on policies, risk thresholds, and rules configured by the customer (Controller) — not by Intended
- Intended does not unilaterally determine the outcome of authority decisions. The customer defines all policies, risk thresholds, escalation triggers, and approval workflows
- Customers may configure escalation workflows that require human review for high-risk decisions, providing meaningful human oversight
- Authority decisions do not constitute decisions that produce legal effects or similarly significantly affect natural persons within the meaning of GDPR Article 22, as they govern AI agent actions rather than decisions about individuals
- If you believe an automated authority decision has adversely affected you, contact your organization's administrator who controls the policy configuration, or contact us at privacy@intended.so
8. Data protection
- Encryption at rest: AES-256-GCM for all sensitive data including signing keys and connector credentials
- Encryption in transit: TLS 1.3 enforced for all API, database, and cache connections
- Per-tenant isolation: Every query scoped to tenant ID. No cross-tenant data access surface
- Key isolation: Per-tenant RSA key pairs with encrypted private key storage
- Audit integrity: SHA-256 hash chain prevents tampering. Any modification is immediately detectable
- Evidence bundles: HMAC-SHA-256 signed packages verifiable without database access
- Nonce protection: Single-use nonces consumed on first verification. Replay attacks impossible
9. Data retention
Authority decision data and audit records are retained according to your plan tier. Free plans retain audit data for 30 days. Team plans retain for 1 year. Enterprise plans support custom retention up to 7 years with S3 Object Lock (Compliance mode) for immutable long-term storage. Account data is retained for the duration of your active account plus 30 days after deletion. Usage and analytics data is retained for 90 days for operational purposes.
9A. Cross-context data isolation and CPRA 'sharing' disclosure
Intended operates two separate data contexts:
- intended.so (marketing website): collects visitor cookies, analytics, and contact form data
- apps.intended.so console (product): collects account data, authority decisions, policy data, and audit logs
Intended does NOT link, combine, or cross-reference data between these contexts for behavioral advertising, profiling, or targeting purposes. Each domain maintains separate analytics, separate retention schedules, and separate access controls. Under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CPRA), "sharing" means selling or sharing personal information for behavioral advertising. Intended does NOT sell or share your information. Cross-context data isolation ensures no behavioral profiling across marketing/product domains.
10. Global privacy control and do not sell or share
Intended respects Global Privacy Control (GPC) signals sent by your browser or device. Users who have enabled GPC will not be subject to: behavioral tracking or cross-site profiling, sale or sharing of personal information for commercial purposes, or targeted advertising based on browsing history. California residents may opt out of the sale or sharing of personal information by selecting "Do Not Sell or Share My Personal Information" in your account privacy settings or by visiting intended.so/privacy/do-not-sell. Requests are processed within 45 days and do not incur a service fee.
11A. Automated decision-making and GDPR Article 22
When Intended is deployed to authorize decisions about natural persons (employment approvals, credit decisions, law enforcement actions, benefits eligibility, insurance underwriting), you (the Customer/Controller) must ensure compliance with GDPR Article 22 (right to human review) and equivalent laws in other jurisdictions. Intended's audit trails, evidence bundles, and decision rationale exports enable human review and contestation of automated decisions. You are responsible for: communicating to affected individuals that their data is used in automated decision-making, providing opportunity for human review of decisions, allowing individuals to contest Intended's authority decisions, and documenting any impact assessment for high-risk automated decisions. Intended does not operate as a decision-maker on your behalf and makes no guarantees about decision outcomes. You retain full responsibility for compliance with GDPR Art. 22 and equivalent laws.
12. Do Not Sell My Personal Information
Intended does not sell your personal information. We do not sell, rent, or trade personal data to third parties for monetary or other valuable consideration. We do not share personal information for cross-context behavioral advertising. This applies to all users regardless of jurisdiction. If you are a California resident and wish to exercise your rights under the CCPA/CPRA, please see Section 13 below or contact us at privacy@intended.so.
14. California privacy rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act provides you with additional rights regarding your personal information:
- Right to know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share personal information
- Right to delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (e.g., legal retention obligations, ongoing service provision, security purposes)
- Right to correct: You have the right to request correction of inaccurate personal information
- Right to opt-out of sale/sharing: Intended does not sell personal information or share it for cross-context behavioral advertising. No opt-out is necessary, but you may submit a request for confirmation at privacy@intended.so
- Right to limit use of sensitive personal information: To the extent we process sensitive personal information, you may request that we limit its use to purposes necessary to provide the Services
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you services, charge different prices, or provide a different quality of service
- To exercise these rights, contact privacy@intended.so. We will verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf
15. Additional U.S. state privacy rights
Residents of certain U.S. states have additional privacy rights under their respective state privacy laws:
- Virginia (CDPA): Virginia residents have the right to access, correct, delete, and obtain a copy of their personal data, and to opt out of the processing of personal data for targeted advertising, sale, or profiling. To appeal a denial of a privacy request, contact privacy@intended.so with the subject line "VCDPA Appeal"
- Colorado (CPA): Colorado residents have the right to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising, sale, or profiling. Universal opt-out mechanisms are honored
- Connecticut (CTDPA): Connecticut residents have the right to access, correct, delete, and obtain a copy of their personal data, and to opt out of the processing of personal data for targeted advertising, sale, or profiling
- Intended does not engage in targeted advertising, does not sell personal data, and does not profile consumers for decisions that produce legal or similarly significant effects. These rights are provided as a matter of transparency
16. Your rights (GDPR and general)
- Access: Request a copy of your personal data and authority decision history
- Correction: Update inaccurate personal data through your account settings or by contacting support
- Deletion: Request deletion of your account and associated personal data (subject to legal retention obligations)
- Export: Export authority decision data and audit records via the API or evidence bundle export
- Objection: Object to specific data processing activities where legitimate interest is the legal basis
- Portability: Receive your data in a structured, machine-readable format (JSON or CSV)
- Restriction: Request restriction of processing in certain circumstances, such as while a correction request is pending
- Withdraw consent: Where processing is based on consent, withdraw at any time without affecting the lawfulness of prior processing
17. Data breach notification
In the event of a personal data breach, Intended will follow these notification procedures:
- GDPR: Notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of natural persons. Affected data subjects will be notified without undue delay where the breach is likely to result in a high risk
- CCPA/CPRA: Notify affected California residents in accordance with California Civil Code Section 1798.82
- Other U.S. states: Comply with applicable state breach notification laws, which generally require notification within 30 to 60 days depending on the jurisdiction
- Customer notification: Notify affected customers via email and the platform dashboard within 72 hours of confirming a breach affecting their data
- All notifications will include: the nature of the breach, categories of data affected, approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach
18. Sub-processors
Intended maintains a current list of sub-processors used to provide the Services. The list is available upon request by contacting dpa@intended.so. We provide advance notice of changes to our sub-processor list in accordance with our Data Processing Agreement. Current sub-processors include Amazon Web Services (AWS) for infrastructure hosting. Customer-configured connector targets and customer-operated third-party runtimes are not Intended sub-processors solely because Intended interoperates with them or generates artifacts for them.
19. International transfers
Intended processes data in the United States using AWS infrastructure. For customers in the European Economic Area, United Kingdom, or other jurisdictions with data transfer restrictions, we rely on Standard Contractual Clauses (SCCs) and supplementary security measures as described in our Data Processing Agreement.
Supplementary Measures for Schrems II Compliance: In addition to Standard Contractual Clauses, Intended implements supplementary technical and organizational measures to address post-Schrems II requirements:
- (a) Encryption: Personal data is encrypted at rest (AES-256-GCM) and in transit (TLS 1.3). Encryption keys are managed per-tenant and are not accessible to US government authorities without decryption by Intended (key derivation from customer-controlled master key).
- (b) Isolation: Per-tenant data isolation at application and database levels prevents aggregation of EU data with other datasets, limiting exposure in government access requests.
- (c) Fail-Closed Architecture: Unresolvable policy evaluations result in authorization denial, not default approval. This prevents over-inclusive government access.
- (d) Government Access Notification: Intended will notify the Controller of any government access requests for personal data, unless Intended is legally prohibited from doing so. Intended publishes annual transparency reports on government requests.
- (e) Objection Rights: Upon notification of government access requests, the Controller retains the right to object to processing and may terminate Services if objection is not accommodated.
These measures do not eliminate the risk that US authorities may compel Intended to disclose personal data, but they substantially reduce that risk and provide Controller with remedies and visibility. Enterprise customers requiring data residency restrictions should contact us to discuss deployment options.
20. Children's privacy
Intended Services are not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child, we will delete it promptly. If you believe a child has provided us with personal data, please contact privacy@intended.so.
21. Changes to this policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will provide notice of material changes through the Services or by email at least 30 days before the changes take effect. Continued use of the Services after the effective date constitutes acceptance of the updated policy. Previous versions of this policy are available upon request.
22. Contact
For privacy-related inquiries, data subject requests, or complaints, contact us at privacy@intended.so or by mail at Intended, Inc., 2261 Market Street, San Francisco, CA 94114, USA. For EU representative inquiries, contact eu-privacy@intended.so. If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority.