Last updated: March 15, 2026 · Effective: March 15, 2026
Privacy Policy
This Privacy Policy describes how Intactus AI, LLC (“Intactus,” “we,” “us,” or “our”) collects, uses, and protects information in connection with our platform.
Key Points
We collect your account information and process evidence data at your direction as the attorney of record.
We never sell your data — to anyone, for any reason.
AI processing uses AWS Bedrock with zero data retention — your evidence never trains AI models and never leaves the private network.
We treat all case data as confidential and privilege-protected.
You can export or delete your data at any time.
Everything is encrypted in transit (TLS 1.3) and at rest (AES-256).
1. Information We Collect
1.1 Account and Contact Information
When you register for an Intactus account, we collect your name, email address, firm name, and role or title. We may also collect bar number or professional credentials for verification purposes. Billing information is processed by Stripe; Intactus does not store full payment card numbers. We use this information to provide access to our platform, verify attorney credentials, communicate with you about your account, and manage billing.
1.2 Evidence and Case Data
Our platform processes digital evidence that you or your clients submit, including text messages, emails, documents, web captures, images, audio, video, and other files. We also process evidence metadata such as file hashes (SHA-256), original timestamps, source information, and file characteristics, as well as chain-of-custody records including upload timestamps, access logs, verification events, and hash comparison results. Case data includes knowledge graph entities, relationships, facts, timelines, case metadata, and attorney notes. All Evidence and Case Data is processed under attorney direction. The attorney is the data controller; Intactus is the data processor.
1.3 Usage and Telemetry Data
We collect information about how you interact with the platform, including features accessed, pages viewed, session duration, and actions performed. We also collect browser type, device information, operating system, IP address, and approximate geographic location, as well as error logs and performance metrics. This data is used to improve the platform, diagnose technical issues, and maintain service reliability. We do not sell or share telemetry data with third parties for advertising purposes.
1.4 Client Portal Submissions
When your clients submit evidence through the Intactus client portal, we collect the submitted files and associated metadata on your behalf. You are the data controller for all client submissions; Intactus processes client submissions only at your instruction.
2. How We Use Information
2.1 Service Delivery
We use collected information to operate, maintain, and improve the Intactus platform, including processing evidence submissions, generating chain-of-custody documentation, providing AI-assisted analysis under attorney direction, managing knowledge graph data, and delivering notifications and communications about the service.
2.2 AI Processing
AI-assisted features in Intactus are powered by AWS Bedrock under a zero-data-retention (ZDR) agreement. The AI model provider does not retain any Customer Data after processing is complete — no inputs, outputs, or intermediate representations are stored. All data is transmitted via AWS PrivateLink and does not traverse the public internet during AI processing. Customer Data is never used to train, fine-tune, or improve any AI model. AI processing is limited to features initiated by the attorney, including evidence analysis, entity extraction, relationship identification, fact summarization, and classification. AI Outputs are stored within the Customer’s isolated tenant environment and are subject to the same security controls as other Customer Data.
2.3 Security and Fraud Prevention
We use account and usage information to detect and prevent unauthorized access, anomalous activity, and abuse of our platform. Security logs are retained consistent with industry standards and applicable law.
2.4 Platform Improvement
We analyze aggregate, de-identified usage data to improve platform features and performance. Platform improvement analytics are never derived from the content of Evidence Data or Case Data.
2.5 Legal Compliance
We may process and disclose information as required by applicable law, court order, or governmental authority. We will notify you of any such disclosure to the extent permitted by law. See Section 3.3 for our compelled disclosure protocol.
3. Attorney-Client Privilege and Confidentiality
3.1 Privilege Preservation by Design
Intactus is architected to preserve attorney-client privilege and work product protection. AI processing occurs through AWS Bedrock with zero data retention and PrivateLink — evidence data is not exposed to the public internet during analysis and is not retained by the AI provider. Multi-tenant isolation with row-level security prevents cross-firm data access. These controls are consistent with the technology competence and confidentiality requirements established by ABA Formal Opinion 512. Evidence integrity controls, including SHA-256 hashing and tamper-evident manifests, support chain-of-custody documentation requirements.
3.2 Attorney as Data Controller
Attorneys using the Intactus platform retain control of all Evidence Data and Case Data. Intactus processes data at attorney direction and does not independently analyze, share, or monetize confidential case information. Intactus is the data controller only for Account Data (registration, billing, usage telemetry). A Data Processing Agreement (DPA) is available upon request at legal@intactus.ai.
3.3 Compelled Disclosure Protocol
Intactus will not voluntarily disclose Evidence Data or Case Data to third parties. If legally compelled to disclose by subpoena, court order, or governmental authority, we will: notify the affected Customer within 72 hours, or as soon as legally permitted if a gag order or similar restriction applies; cooperate with Customer’s efforts to obtain protective orders or quash the legal process; disclose only the minimum information required to comply with the legal obligation; and provide Customer with a copy of the disclosure, to the extent legally permitted, for privilege log purposes.
4. Information Sharing and Disclosure
4.1 Service Providers
We share information with third-party service providers who assist us in operating the platform. These include Amazon Web Services (AWS) for cloud infrastructure and AI processing (via Bedrock), Stripe for payment processing, and providers for email delivery and error monitoring. All service providers are bound by data processing agreements with confidentiality, security, and data handling obligations no less protective than this policy. A current list of subprocessors is available upon request at legal@intactus.ai.
4.2 No Sale of Personal Data
Intactus does not sell personal information. We do not rent or trade personal data. We do not share information with advertising networks, data brokers, or marketing partners. We do not “share” personal information as defined under the California Consumer Privacy Act (CCPA/CPRA).
4.3 Legal Requirements
We may disclose information as required by valid legal process, including subpoenas, court orders, and governmental requests. We will challenge overbroad or legally deficient requests where appropriate. See Section 3.3 for our Customer notification and protective order cooperation commitments.
4.4 Business Transfers
In the event of a merger, acquisition, or sale of substantially all of Intactus’s assets, personal information and Customer Data may be transferred as part of the transaction. We will notify Customers before their information becomes subject to a materially different privacy policy. The acquiring entity will be bound by the same data protection commitments for Customer Data existing at the time of transfer.
5. Data Retention
We retain different categories of data for different periods based on operational needs and legal requirements:
Data Category
Retention Period
Account information
Duration of subscription + 1 year
Evidence and Case Data
Per firm configuration + 90-day export period
Usage and telemetry data
90 days (rolling)
Security and audit logs
1 year
Billing records
7 years (tax and legal requirements)
AI processing inputs
Zero retention (ZDR)
AI processing outputs
Stored as Case Data (see above)
You may request deletion of your account and associated personal data at any time by contacting privacy@intactus.ai. Evidence Data deletion is subject to applicable legal hold requirements and your firm’s records retention obligations. We will confirm deletion in writing within 30 days of a valid request.
6. Security
6.1 Technical Safeguards
We implement and maintain comprehensive security measures to protect your data. All evidence is SHA-256 hashed upon ingestion and stored with tamper-evident manifests. Data in transit is encrypted using TLS 1.3. Data at rest is encrypted using AES-256. Multi-tenant data isolation is enforced through row-level security. Access controls follow least-privilege principles across all platform systems. We conduct regular security assessments and third-party penetration testing.
6.2 Incident Response
In the event of a security incident affecting your data, we will notify affected Customers within 72 hours of confirmation. Notification will include the nature of the breach, the categories of data affected, the estimated number of records affected, and the remediation steps taken or planned. Security incidents should be reported to security@intactus.ai.
7. Your Rights and Choices
7.1 Access and Correction
You may access and correct your account information at any time through the platform settings. Evidence Data access is controlled through your case management interface. You may request a copy of your personal data by contacting privacy@intactus.ai. We will respond within 30 days.
7.2 Deletion
You may request deletion of your account and personal information by contacting privacy@intactus.ai. Account deletion will be completed within 30 days. Evidence Data deletion is subject to applicable legal hold requirements and your firm’s records retention obligations.
7.3 Data Portability
You may export all Evidence Data and Case Data at any time through the platform’s export features. Data is provided in standard, machine-readable formats. Following subscription termination, you have a 90-day export window as described in our Terms of Service.
7.4 California Residents (CCPA/CPRA)
If you are a California resident, you have the right to know what personal information we collect and how it is used, the right to delete your personal information, the right to correct inaccurate personal information, the right to opt out of the sale or sharing of personal information (we do not sell or share), the right to limit use of sensitive personal information, and the right to opt out of automated decision-making technology. We will not discriminate against you for exercising any of these rights. To exercise your rights, contact privacy@intactus.ai.
7.5 Other State Privacy Laws
Similar rights may apply under privacy laws in Indiana, Kentucky, Rhode Island, and other states with consumer privacy legislation. We honor data subject rights under all applicable state and federal privacy laws. To exercise your rights under any applicable law, contact privacy@intactus.ai.
8. International Data Transfers
Customer Data is primarily processed and stored in the United States. If you are based in the European Union or European Economic Area, or if your Customer Data includes information about EU/EEA residents, international transfers are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission. All subprocessors with access to EU/EEA personal data are bound by equivalent transfer protections. A Data Processing Agreement with EU/EEA transfer addendum is available upon request at legal@intactus.ai.
9. Cookies and Tracking Technologies
Intactus uses essential cookies only, for session management, authentication state, and user preferences. We do not use advertising cookies, behavioral tracking, or third-party tracking pixels. We do not share cookie data with advertising networks or data brokers. We honor Global Privacy Control (GPC) signals sent by your browser. Your browser cookie settings are respected; disabling essential cookies may affect platform functionality.
10. Children’s Privacy
The Intactus platform is designed for use by legal professionals and is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that personal information from a minor has been collected, we will delete it promptly. Contact privacy@intactus.ai if you believe a minor has provided information through the platform.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. For material changes, we will provide email notification to the primary account contact and post a prominent notice in the platform at least 30 days before the effective date. The “Last Updated” and “Effective” dates at the top of this page will be updated accordingly. Continued use of the platform after the effective date constitutes acceptance of the updated policy. Previous versions of this policy are available upon request.
12. Contact Us
Questions, requests, or concerns about this Privacy Policy may be directed to:
Intactus AI, LLC
Attn: Privacy Officer
privacy@intactus.ai
For data subject access requests, we will respond within 30 days.