Privacy Policy
Version 2.1 — Effective March 16, 2026
The Key Point
We don't store your prompts, AI responses, or raw source code. When you enable Code Graph, we store structural metadata (function names, file paths, import relationships) extracted via AST parsing. All other data is limited to metadata (timestamps, token counts, model identifiers) necessary to calculate costs and detect anomalies.
This Privacy Policy describes how AB Foundry LLC dba Intentra ("Intentra", "we", "us") collects, uses, and protects your information when you use the Intentra platform, CLI tools, and related services ("Services").
1. Information We Collect
1.1 Scan Metadata (What We Store)
When you use the Intentra CLI, we store metadata necessary for cost tracking and anomaly detection. Examples of stored metadata include:
- Timestamps: When interactions occurred
- Token metrics: Input, output, and thinking token counts
- Cost estimates: Calculated costs based on token usage
- Tool and model identifiers: Which AI tools and models were used
- Detection results: Detected anomalies with severity and confidence scores
- Session and device identifiers: Anonymized identifiers for grouping scans
- Usage metrics: LLM calls, tool calls, retries, and duration
- Session trace data: Tool call inputs and outputs (opt-in via organization settings)
- AI agent hierarchy: Subagent relationships including parent session, agent name, role, and nesting depth
- Context window composition: Token distribution across system prompts, user messages, tool outputs, thinking, and context files, including compaction events
The specific metadata collected may evolve as we improve our services. We will update this policy to reflect material changes.
1.2 Git Integration Data (Enterprise)
When you connect a Git platform (GitHub or GitLab), we store:
- Repository metadata: Repository name, visibility, default branch, and web URL
- Pull request metadata: PR number, state, review status, and branch name (cached, refreshed periodically)
- Encrypted access tokens: Platform tokens encrypted with AWS KMS (never stored in plaintext)
- HMAC hashes: Hashed repository URLs used for matching scans to repositories
- Diff statistics: Aggregate counts only — additions count, deletions count, and files changed count for merged pull requests. Actual diff content, filenames from diffs, and code patches are never stored or retained.
When Code Graph is enabled, source code is accessed for parsing but never persisted. Only structural metadata is stored. Raw file contents, commit diffs, and AI responses are never retained. All integration data is deleted when you disconnect the integration. See our integration documentation for full details.
1.3 Email Integration Data (Optional)
When you connect a personal email account (Gmail or Microsoft Outlook) for send-as-user dispute emails, we store:
- Email address: The email address of your connected account
- Encrypted OAuth refresh token: Encrypted with AWS KMS using per-user encryption context (never stored in plaintext)
- Connection metadata: Provider name, connection status, and timestamps
What we explicitly never access or store:
- Inbox contents, sent mail, or email history
- Contacts or address book
- Calendar data
- Any data beyond the minimal "send email" permission
We request only the gmail.send scope (Google) or Mail.Send permission (Microsoft). All integration data is deleted when you disconnect, including revocation of the OAuth token at the provider. Integration data is also deleted as part of account deletion (GDPR right to erasure).
1.4 What We Never Store
While our CLI securely transmits encrypted data for real-time anomaly detection, we explicitly never store:
- Prompts or Instructions: What you ask AI tools to do
- AI Responses: Code, text, or other content generated by AI
- Raw File Contents: Actual source code, document text, or file contents (Code Graph stores only structural metadata, not raw content)
- Conversation History: Chat logs or interaction sequences
Session metadata is encrypted and retained for up to 90 days for analysis, then automatically deleted. Only metadata and detection flags are retained beyond that window.
1.5 Account Information
When you create an account, we collect:
- Email address
- Organization name (if applicable)
- Payment information (processed by Stripe, not stored by us)
2. How We Use Your Information
We use the collected metadata to:
- Calculate and display your AI coding costs
- Detect and report anomalies in AI tool behavior
- Generate cost analytics and usage reports
- Provide team-level aggregated insights (for organization accounts)
- Improve our anomaly detection algorithms
- Send service-related communications
3. How Anomaly Detection Works
Our CLI securely transmits encrypted scan data to our servers for real-time anomaly detection. The analysis identifies potential anomalies (such as retry loops or excessive thinking) by examining patterns in token usage, timing, and content. After processing, only metadata and boolean detection flags are stored—the actual prompts, code, and responses are never retained. Session metadata is encrypted and retained for up to 90 days, then automatically deleted.
4. Data Storage, Security, and Retention
Scan metadata is stored in secure cloud infrastructure with encryption at rest and in transit. We implement industry-standard security measures including access controls, monitoring, and regular security assessments.
We retain different categories of data for specific periods:
| Data Category | Retention Period |
|---|---|
| Scan metadata | Duration of account |
| S3 event payloads | 7 days (automatically deleted) |
| Message queues | 24 hours |
| Authentication nonces | 10 minutes |
| Application logs | 30 days |
| Account data | Duration of account plus 30 days after deletion |
| Audit logs | Duration of account |
| Organization invitations | 7 days (auto-expire) |
| Evidence and dispute records | Duration of account |
| Git integration data (repo metadata, PR cache, encrypted tokens) | Until integration is disconnected |
| Trace events | 90 days (automatic deletion via S3 lifecycle) |
| Rich trace data (tool call content) | Same as standard session data (duration of account, subject to 90-day trace event lifecycle) |
| Code graph data | Duration of integration connection (deleted on disconnect or manual purge) |
| NLU classification cache | 24 hours (automatic TTL expiration) |
5. Data Sharing
We do not sell your data. We may share information only in these limited circumstances:
- Service Providers: With vendors who help operate our Services (e.g., hosting, payment processing), under strict data protection agreements
- Legal Requirements: When required by law or to protect our legal rights
- Business Transfers: In connection with a merger, acquisition, or sale of assets
- With Your Consent: When you explicitly authorize sharing
6. Your Rights
You have the right to:
- Access: Request a copy of the data we hold about you
- Correction: Update inaccurate account information
- Deletion: Request deletion of your account and associated data
- Export: Download your scan data in a portable format
- Opt-out: Unsubscribe from marketing communications
- Disable rich traces: You can disable rich trace data collection at any time in your organization settings
To exercise these rights, contact us at [email protected].
7. Cookies, Tracking, and Analytics
Our website and application use cookies and similar technologies for authentication, analytics, error tracking, and marketing. We categorize these as follows:
Essential Cookies (Always Active)
Auth0 session cookies are required for authentication and session management. These cookies are strictly necessary for the Services to function and cannot be disabled.
Analytics (Requires Consent)
We use PostHog for usage analytics, feature flags, and user identification. PostHog stores data in your browser's localStorage with a retention period of up to one year. You may opt out of analytics tracking through the cookie consent banner or by contacting us.
Marketing (Requires Consent)
We use Google Ads (AW-17929414121) for conversion tracking on our signup page. This pixel tracks when a visitor completes registration. The tracking cookie has a duration of up to 90 days. You may opt out of marketing tracking through the cookie consent banner.
Functional
Sentry is used for error tracking and diagnostic reporting. Sentry collects session data to help us identify and resolve application errors. Theme preference (dark or light mode) is stored in localStorage and persists across sessions.
When you first visit our website, a cookie consent banner allows you to accept or reject non-essential cookies. You may change your preferences at any time. For full details on all cookies and tracking technologies we use, please see our Cookie Policy.
8. Children's Privacy
Our Services are not intended for children under 13. We do not knowingly collect information from children under 13. If you believe we have collected information from a child, please contact us immediately.
9. International Data Transfers
Data may be processed in the United States. By using our Services, you consent to the transfer of your information to the United States, which may have different data protection laws than your country.
10. Your California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA).
Categories of Personal Information Collected
- Identifiers: Email address, account name, device identifiers, IP address
- Commercial Information: Billing records, subscription plan, payment history
- Internet or Electronic Network Activity: Browser type, pages visited, interaction data, scan metadata
- Professional Information: Organization name, team membership, role
Business Purposes for Collection
We collect personal information to provide and improve the Services, process transactions, communicate with you, ensure security, and comply with legal obligations.
Third Parties with Whom Personal Information Is Shared
- Auth0: Authentication and identity management
- Stripe: Payment processing
- PostHog: Product analytics (with consent)
- Google Ads: Conversion tracking (with consent)
- Sentry: Error tracking and diagnostics
- Amazon Web Services: Cloud infrastructure and hosting
- GitHub / GitLab: Git platform APIs for repository metadata and PR status (Enterprise, only when connected by customer)
Your CCPA Rights
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Opt-Out of Sale: Intentra does not sell personal information. We do not exchange personal information for monetary or other valuable consideration.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To exercise your California privacy rights, contact us at [email protected]. We will verify your identity before processing your request and respond within 45 days.
11. European Economic Area Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply to you.
Lawful Basis for Processing
- Contract Performance: Processing necessary to deliver the Services you have subscribed to, including scan analysis, cost calculation, and anomaly detection.
- Legitimate Interests: Processing for product analytics and service improvement, where our interests do not override your fundamental rights.
- Consent: Processing for marketing cookies and non-essential tracking technologies. You may withdraw consent at any time through the cookie consent banner.
Data Subject Rights
Under the GDPR, you have the right to:
- Access: Obtain a copy of the personal data we process about you.
- Rectification: Correct inaccurate or incomplete personal data.
- Erasure: Request deletion of your personal data where there is no compelling reason for continued processing.
- Restriction: Request restriction of processing in certain circumstances.
- Data Portability: Receive your personal data in a structured, commonly used, machine-readable format.
- Objection: Object to processing based on legitimate interests or for direct marketing purposes.
Data Subject Access Requests
To make a data subject access request, contact our Data Protection Officer at [email protected]. We will respond to your request within 30 days.
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay.
International Data Transfer Mechanism
For transfers of personal data from the EEA to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. These clauses provide appropriate safeguards to ensure your data is protected to the standards required by the GDPR.
Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR.
12. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes by posting the updated policy on our website with a new effective date. Your continued use of the Services after changes become effective constitutes acceptance of the updated policy.
13. Contact Us
For questions about this Privacy Policy or our data practices, contact us at:
Email: [email protected]
Data Protection Officer: [email protected]
Address: AB Foundry LLC dba Intentra, 1021 E Lincolnway Suite 9643, Cheyenne, WY 82001