Privacy Policy

This Privacy Policy describes how IntakeAIO, a subdivision of AIO Inc. ("Company," "we," "our," or "us"), collects, uses, and protects your personal information when you use our platform and services ("Service"). By using the Service, you agree to the collection and use of information as described in this Policy.

---

1. Information We Collect

1.1 Account Information

When you create an account, we collect your name, email address, and password (stored as a secure hash). For paid subscribers, we collect billing information through our payment processor.

1.2 Intake Form Data

Data submitted through intake forms — including client names, contact information, project details, and uploaded files — is collected and stored on your behalf as part of the Service.

1.3 Automatically Collected Information

We automatically collect certain technical information when you use the Service, including:

• IP address and general geographic location
• Browser type and version
• Pages visited and features used
• Date and time of access
• Session activity for security purposes

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Process payments and manage subscriptions
• Send transactional emails (account confirmations, notifications, invoices)
• Respond to your support requests
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations
• Analyze usage patterns to improve the Service (in aggregate, anonymized form)

3. How We Share Your Information

We do not sell your personal information. We may share your information only in the following limited circumstances:

3.1 Service Providers

We work with trusted third-party service providers who assist us in operating the Service, including hosting (Netlify), database services (Supabase), and email delivery (Google Workspace). These providers are contractually obligated to protect your data and may only use it to provide services to us.

3.2 Legal Requirements

We may disclose your information if required to do so by law or in response to valid legal process (such as a court order or subpoena).

3.3 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website prior to such transfer.

3.4 Protection of Rights

We may disclose your information when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, or investigate fraud.

4. Data Security

We implement industry-standard security measures to protect your personal information, including:

• Encrypted data transmission (HTTPS/TLS)
• Hashed password storage (PBKDF2-SHA512)
• Session-based authentication with automatic expiration
• Rate limiting and account lockout protections
• Optional two-factor authentication (TOTP)
• Full audit logging of account activity

While we strive to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure.

5. Your Rights

5.1 Access and Correction

You may access and update your account information at any time through your account settings or by contacting us.

5.2 Data Deletion

You may request deletion of your account and associated personal data by contacting us at privacy@intake-aio.com. We will process deletion requests within 30 days, subject to our legal retention obligations.

5.3 Data Portability

You may request an export of your data in a structured, machine-readable format. Contact us at privacy@intake-aio.com to make this request.

5.4 Opt-Out of Communications

You may opt out of non-essential marketing communications at any time by clicking "unsubscribe" in any email or by contacting us directly. Transactional emails (such as account notifications and invoices) cannot be opted out of while you maintain an active account.

6. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to Know: You may request information about the categories and specific pieces of personal information we have collected about you.
• Right to Delete: You may request that we delete your personal information, subject to certain exceptions.
• Right to Correct: You may request that we correct inaccurate personal information.
• Right to Opt-Out of Sale: We do not sell personal information. However, you may submit an opt-out request at any time.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

To exercise these rights, contact us at privacy@intake-aio.com.

7. GDPR Rights (EU/UK Residents)

If you are located in the European Union or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):

• Right to Access: You may request a copy of the personal data we hold about you.
• Right to Rectification: You may request correction of inaccurate personal data.
• Right to Erasure: You may request deletion of your personal data under certain circumstances.
• Right to Restrict Processing: You may request that we restrict the processing of your personal data under certain circumstances.
• Right to Data Portability: You may request a copy of your personal data in a structured, commonly used, and machine-readable format.
• Right to Object: You may object to the processing of your personal data for certain purposes.
• Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time.
• Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your jurisdiction.

To exercise any of these rights, contact us at privacy@intake-aio.com. We will respond within 30 days.

Legal Basis for Processing

We process your personal data based on: (a) your consent; (b) the necessity to perform our contract with you (providing the Service); (c) our legitimate business interests; or (d) compliance with legal obligations.

8. Data Retention

We retain your personal information for as long as necessary to provide the Service and fulfill the purposes outlined in this Policy:

• Account data: Retained for the duration of your account plus 90 days after deletion request.
• Intake form submissions: Retained for the duration of your subscription plus 90 days.
• Activity logs: Retained for 12 months for security purposes.
• Billing records: Retained for 7 years as required by tax law.

9. Cookies

We use only essential cookies necessary to operate the Service, including session authentication cookies. We do not use tracking cookies, advertising cookies, or third-party analytics cookies that identify you personally.

10. International Data Transfers

IntakeAIO is based in the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States. By using the Service, you consent to the transfer of your information to the United States. We take appropriate safeguards to ensure that your personal data remains protected in accordance with this Privacy Policy when transferred internationally.

11. Children's Privacy

IntakeAIO is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we may have collected information from a child under 18, please contact us at privacy@intake-aio.com.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a prominent notice on the Service at least 30 days before the changes take effect. We encourage you to review this Privacy Policy periodically. The "Last Updated" date at the top of this Privacy Policy indicates when it was most recently revised.

---

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

IntakeAIO — A subdivision of AIO, Inc.
Email: privacy@intake-aio.com
General Support: cheryl@intake-aio.com
Website: intake-aio.com

For data protection inquiries from EEA/UK residents, you may also contact us at the email above with the subject line "GDPR Request."