Privacy Policy

Last updated: March 2026

1. Who we are

itincai (“we”, “our”, “us”) is an Agentic AI engineering company operating at itincai.com. This policy sets out how we handle personal data collected through our website, platform, and services.

2. Data we collect

  • Account data: name, email address, password hash, OAuth tokens
  • Usage data: pages visited, feature interactions, timestamps
  • Payment data: handled exclusively by Stripe — we never store raw card details
  • Contact form data: name, email, message content
  • Technical data: IP address (anonymised after 30 days), browser type, device type

3. How we use your data

  • To deliver and improve our platform and services
  • To communicate order confirmations, invoices, and support responses
  • To send product updates (opt-in only, unsubscribe at any time)
  • To detect and prevent security incidents

4. Legal bases (GDPR)

We process personal data under the following legal bases: contract performance (delivering your order), legitimate interests (security, fraud prevention, product improvement), andconsent (marketing emails). You may withdraw consent at any time.

5. Data sharing

We never sell your personal data. We share it only with:

  • Stripe — payment processing
  • Resend — transactional email
  • AWS S3 — file storage (your uploads)
  • Vercel — hosting infrastructure

All sub-processors are GDPR-compliant and bound by data processing agreements.

6. Data retention

We retain account data for the duration of your relationship with us, plus 3 years for legal compliance. Contact form submissions are retained for 12 months. You may request deletion at any time (see Section 8).

7. Cookies

We use strictly necessary cookies (session, CSRF). No third-party tracking cookies are used without explicit consent. You may manage cookie preferences in your browser settings.

8. Your rights

Under GDPR you have the right to:

  • Access a copy of your personal data
  • Correct inaccurate data
  • Request erasure (“right to be forgotten”)
  • Object to or restrict processing
  • Data portability (export in machine-readable format)
  • Lodge a complaint with your local supervisory authority

To exercise any of these rights, email us at privacy@itincai.com. We respond within 30 days.

9. Security

We use TLS 1.3 in transit, AES-256 at rest, and follow OWASP security guidelines. We run regular penetration tests and maintain a responsible disclosure programme.

10. Changes to this policy

We will notify users by email of material changes at least 14 days before they take effect. The current version is always available at this URL.

11. Contact

Data controller: itincai Ltd.
Email: privacy@itincai.com