Privacy Policy
Integracio — AI Agents as a Service
Effective Date: March 25, 2026
Last Updated: March 25, 2026
Data Controller: Space IT sp. z o.o., registered in Poland
Contact: info@integrac.io
This Privacy Policy explains how Space IT sp. z o.o. ("we", "us", "Integracio") collects, uses, stores, and protects your personal data when you use the Integracio platform ("Service"), in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").
1. Data Controller
Space IT sp. z o.o.
Registered in Poland
Email: info@integrac.io
We are the data controller for personal data processed in connection with operating the Service. Where a Client uses the Service to process their own customers' data, the Client acts as the data controller and Integracio acts as the data processor under a separate Data Processing Agreement.
2. Personal Data We Collect
2.1. Account Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, authentication (OTP), communication | Contract performance (Art. 6(1)(b)) |
| Name (if provided) | Account personalization | Contract performance (Art. 6(1)(b)) |
| Billing information | Payment processing (via Stripe) | Contract performance (Art. 6(1)(b)) |
2.2. Profile Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Industry, role, interests | Agent personalization and recommendation | Contract performance (Art. 6(1)(b)) |
| Language and timezone preferences | Service delivery | Contract performance (Art. 6(1)(b)) |
| Onboarding questionnaire responses | Agent configuration, lead qualification | Contract performance (Art. 6(1)(b)) |
2.3. Conversation Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Messages sent to agents | AI inference, response generation | Contract performance (Art. 6(1)(b)) |
| AI-generated responses | Service delivery | Contract performance (Art. 6(1)(b)) |
| Conversation history (last 90 days) | Context for AI agents, service quality | Legitimate interest (Art. 6(1)(f)) |
2.4. Integration Data
| Data | Purpose | Legal Basis |
|---|---|---|
| OAuth tokens (Google Calendar, Zoom, etc.) | Agent access to third-party services | Consent / Contract performance |
| Email metadata (for Daily Briefing agent) | Content aggregation | Contract performance (Art. 6(1)(b)) |
| Meeting recordings (for Meeting Processor) | Transcription and summarization | Contract performance (Art. 6(1)(b)) |
2.5. Usage and Technical Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Interaction counts, tokens used | Billing, usage limits enforcement | Contract performance (Art. 6(1)(b)) |
| Agent performance metrics | Service quality monitoring | Legitimate interest (Art. 6(1)(f)) |
| Channel identifiers (Telegram user ID, etc.) | Message routing | Contract performance (Art. 6(1)(b)) |
| IP address, request metadata | Security, abuse prevention | Legitimate interest (Art. 6(1)(f)) |
3. How We Use Your Data
We process personal data exclusively for:
- Service delivery — operating AI agents, processing your requests, delivering responses
- AI inference — sending your prompts and context to large language models to generate responses
- Billing — processing payments, enforcing subscription limits, invoicing
- Service improvement — analyzing aggregate usage patterns (anonymized) to improve agent quality
- Communication — transactional emails (OTP, billing notifications, agent alerts)
- Security — preventing abuse, detecting unauthorized access, rate limiting
- Legal compliance — responding to lawful requests, maintaining legally required records
We do not:
- Sell your personal data to third parties
- Use your data for advertising or profiling beyond service delivery
- Train our own AI models on your personal data without explicit consent
4. AI Inference and Data Processing
4.1. How AI Processing Works
When you interact with an AI agent, your message (along with relevant context such as your profile data, recent conversation history, and any connected integration data) is sent to a large language model (LLM) for processing. The LLM generates a response which is delivered back to you.
4.2. Hybrid Inference Architecture
We use a hybrid infrastructure for AI inference:
| Component | Location | Data Handling |
|---|---|---|
| Google Cloud (Vertex AI / Gemini) | EU regions (europe-west3) | Data processed in-transit; not stored by Google for model training (Vertex AI enterprise terms) |
| Anthropic (Claude) | EU-accessible endpoints | Data processed per Anthropic's data processing terms; zero-retention API usage |
| Self-hosted (vast.ai GPU) | EU region instances | Data processed in-memory; not persisted after inference; ephemeral compute |
| Self-hosted (Mac mini) | Poland (office) | Data processed locally; not transmitted externally |
4.3. No Model Training
Your data is not used to train or fine-tune any AI models. All inference is performed via API calls (cloud providers) or self-hosted models where data remains in our infrastructure.
5. Sub-Processors
We engage the following sub-processors to deliver the Service:
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Google Cloud Platform | Infrastructure (Cloud Run, Firestore, GCS, Secret Manager) | All service data | EU (europe-west3, europe-west4) |
| Google (Vertex AI / Gemini) | AI inference (primary) | Prompts, conversation context | EU regions |
| Anthropic | AI inference (fallback) | Prompts, conversation context | EU-accessible |
| Stripe | Payment processing | Billing data, email | EU/EEA |
| Postmark / SendGrid | Transactional email | Email address, email content | EU/US (Privacy Framework) |
| vast.ai | GPU compute for self-hosted AI inference | Prompts (ephemeral, in-memory only) | EU region instances |
We will notify you of any material changes to sub-processors via email at least 30 days in advance. An up-to-date sub-processor list is maintained in this Privacy Policy.
6. Data Storage and Security
6.1. Data Locations
| Storage | Location | Encryption |
|---|---|---|
| Firestore (client profiles, conversation history, agent state) | Google Cloud EU (europe-west3) | AES-256 at rest (automatic) |
| Google Cloud Storage (documents, recordings, exports) | Google Cloud EU | AES-256 at rest (Google-managed keys) |
| Secret Manager (OAuth tokens, API keys, credentials) | Google Cloud EU | AES-256, access-controlled |
| Qdrant (vector embeddings for Knowledge Base) | vast.ai EU instance | Encrypted disk, collection-level isolation |
| Mac mini (backup inference) | Poland | Full-disk encryption |
6.2. Security Measures
- In transit: TLS 1.3 for all public connections; WireGuard (Tailscale) for internal infrastructure
- At rest: AES-256 encryption across all storage systems
- Access control: Role-based access; no Integracio personnel access to client data in plain text
- Multi-tenancy isolation: Per-client Firestore paths, per-client vector DB collections, per-client GCS prefixes
- Credential management: All secrets stored in Google Secret Manager; never in application logs or code
- Network isolation: AI inference endpoints (vast.ai, Mac mini) are not publicly accessible; reachable only via private VPN mesh
7. Data Retention
| Data Type | Retention Period | After Retention |
|---|---|---|
| Account data (email, profile) | Duration of active subscription | Deleted within 30 days of account termination |
| Conversation history | Last 90 days (rolling) | Older conversations archived, then deleted |
| Meeting recordings | Deleted after processing (transcription + summarization) | Not retained |
| OAuth tokens / credentials | Duration of active integration | Revoked and deleted on disconnection or account termination |
| Usage metrics | Duration of subscription + 12 months (for billing disputes) | Anonymized or deleted |
| Billing data | As required by tax law (typically 5-7 years) | Retained per legal obligation |
After account termination, all Client Data (except billing records required by law) is permanently deleted within 30 days. You may request a data export before deletion.
8. Your Rights (GDPR Articles 15–22)
As a data subject in the EU, you have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Access (Art. 15) | Obtain a copy of your personal data | Email info@integrac.io |
| Rectification (Art. 16) | Correct inaccurate or incomplete data | Email info@integrac.io or update in settings |
| Erasure (Art. 17) | Request deletion of your personal data | Email info@integrac.io |
| Restriction (Art. 18) | Restrict processing in certain circumstances | Email info@integrac.io |
| Portability (Art. 20) | Receive your data in a structured, machine-readable format | Export via dashboard or email info@integrac.io |
| Objection (Art. 21) | Object to processing based on legitimate interest | Email info@integrac.io |
| Withdraw consent | Withdraw consent for consent-based processing at any time | Email info@integrac.io |
We will respond to data subject requests within 30 days, as required by GDPR. If a request is complex, we may extend this period by an additional 60 days with prior notice.
8.1. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. The lead supervisory authority for Space IT sp. z o.o. is:
Prezes Urzędu Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warsaw, Poland
https://uodo.gov.pl
9. International Data Transfers
All primary data processing occurs within the EU/EEA. Where sub-processors process data outside the EEA (e.g., Postmark/SendGrid US infrastructure), we ensure adequate protection through:
- EU-US Data Privacy Framework (where applicable)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Sub-processor data processing agreements with GDPR-compliant terms
10. Children's Data
The Service is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If we discover that we have collected data from a child under 16, we will delete it promptly.
11. Automated Decision-Making
AI agents process your data using automated means (large language models) to generate responses. This processing:
- Does not produce legal effects or similarly significant effects on you
- Is performed solely for service delivery under your subscription contract
- Can be reviewed or overridden by you at any time (you choose whether to act on AI outputs)
You have the right to request human review of any automated processing under Article 22 GDPR.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 30 days before taking effect. The "Last Updated" date at the top of this document reflects the most recent revision.
13. Contact
For privacy-related questions, data subject requests, or complaints:
Space IT sp. z o.o.
Email: info@integrac.io
This Privacy Policy is provided as a template and should be reviewed by qualified legal counsel before use in production.