Privacy Policy
This Privacy Policy explains how HumanOps B.V. (“we”, “us”, the “Company”) processes personal data when you use intakto (the “Service”). It is written to meet the General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”) and Dutch data protection law.
1. Data controller
The data controller for the personal data described here is:
HumanOps B.V., Amsterdam, 1091EE, Netherlands. KvK number: [KvK number - to be added]. VAT/BTW number: [BTW number - to be added]. Contact for privacy matters: hello@intakto.eu.
2. Two roles: our data and your data
2.1. For data we collect to run the Service and your account (for example your name, email, and payment-related information), we are the controller.
2.2. For personal data of other people that you choose to enter into your persistent memory or expose through connected services (for example details about your own clients or contacts), you are the controller and we act as your processor, processing that data on your instructions to operate the Service. You are responsible for having a lawful basis for that data and for meeting your own controller obligations toward those people. Our obligations as your processor are set out in the Data Processing Agreement.
3. What we process and why
| Category | Examples | Purpose | Lawful basis (GDPR Art. 6) |
|---|---|---|---|
| Account data | name, email, WhatsApp identifier, access links | create and run your account, authenticate you, support | performance of a contract (Art. 6(1)(b)) |
| Payment data | billing details, transaction records, invoices | take payment, issue invoices, handle refunds, prevent fraud | performance of a contract (Art. 6(1)(b)); legal obligation for tax records (Art. 6(1)(c)) |
| Memory content | messages, documents, facts, decisions you store | provide Hermes and persistent memory | performance of a contract (Art. 6(1)(b)); for third-party data you enter, you are controller (see Section 2) |
| Connected-service content | data you let Hermes read or act on in connected tools | carry out the tasks and actions you instruct | performance of a contract (Art. 6(1)(b)); your instruction |
| Usage and technical data | logs, device and connection data, security events, action/audit log | keep the Service secure, reliable, and accountable | legitimate interests in a secure, functioning, auditable Service (Art. 6(1)(f)) |
| Communications | emails and support requests | answer you and keep records | legitimate interests (Art. 6(1)(f)); contract (Art. 6(1)(b)) |
| Compliance and protection | the categories above, as relevant | comply with law, respond to lawful requests, establish, exercise, or defend legal claims, and prevent fraud or abuse | legal obligation (Art. 6(1)(c)); legitimate interests in protecting our rights and the Service (Art. 6(1)(f)) |
Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms. You may object as described in Section 8.
4. AI processing and our no-training commitment
4.1. To answer you and carry out tasks, the Service sends relevant content to an AI model provider that performs the inference. The provider acts as our processor, under a data processing agreement, and processes the content only to return a result to you. The current provider and the location of processing are listed in the Sub-processor List.
4.2. We do not use the content of your memory or your conversations to train AI models, and we contract with our model provider so that your content is not used to train their models. Where any feature would ever rely on such use, we would ask for your separate, opt-in consent first.
4.3. We do not make decisions producing legal or similarly significant effects on you by solely automated means (see Section 9). Hermes acts on your instruction and presents meaningful actions for your review.
5. Where your data is hosted
5.1. Your account data and memory are hosted in the European Union (Germany), on infrastructure provided by Hetzner Online GmbH.
5.2. Our position is to keep your data in the EU. Some processing by sub-processors (for example AI inference, or the WhatsApp channel operated by Meta) may take place outside the European Economic Area. Where personal data is transferred outside the EEA, we rely on a lawful transfer mechanism under the GDPR (an adequacy decision or Standard Contractual Clauses, with supplementary measures where appropriate). The Sub-processor List states, for each processor, its role and the location of processing.
6. Processors we use
We use a small number of processors who act only on our instructions and under a data processing agreement. The authoritative, up-to-date list — including each processor’s role, location, and transfer mechanism — is the Sub-processor List. In summary:
| Processor | Role | Location |
|---|---|---|
| Hetzner Online GmbH | hosting of the Service, your account data, and your memory | European Union (Germany) |
| Lemon Squeezy | payments, billing, invoicing, refunds (Merchant of Record) | see the Sub-processor List |
| AI model provider | AI inference to generate responses and carry out tasks | see the Sub-processor List ([inference provider - to be confirmed]) |
| Meta Platforms (WhatsApp) | the WhatsApp messaging channel, where you use it | see the Sub-processor List |
Lemon Squeezy acts as Merchant of Record for your purchase and is the seller of record to you; see the Cross-Border Payment Terms.
7. How long we keep data
7.1. We keep account data for as long as your account is active and for a reasonable period afterward to handle queries and disputes.
7.2. We keep payment and invoice records for as long as required by Dutch tax and accounting law.
7.3. Memory content stays available to you while your subscription is active. On cancellation or termination, you may request an export (your server and your data stay yours); after the retention period described in the Terms of Service, we delete or return your data.
7.4. We keep security and audit logs only as long as needed for security, accountability, and legal duties.
8. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you;
- rectification of inaccurate or incomplete data;
- erasure (“right to be forgotten”), where the conditions apply;
- restriction of processing in certain cases;
- data portability: receive your data in a structured, common, machine-readable format;
- object to processing based on legitimate interests;
- withdraw consent at any time where we rely on consent, without affecting earlier processing.
To exercise any right, email hello@intakto.eu. We respond within one month, as the GDPR allows, and may extend this for complex requests with notice. We may need to verify your identity. Exercising your rights is free unless a request is manifestly unfounded or excessive.
9. Automated decision-making
We do not use your personal data to make decisions that produce legal or similarly significant effects on you by automated means alone. Hermes generates content and proposes actions at your request; you remain responsible for decisions you make and actions you approve (see the Terms of Service and the AI Policy).
10. Security
We apply appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit and at rest, EU-based hosting of your memory, and an action/audit log. No system is perfectly secure, but we work to keep risk low and to respond to incidents responsibly, including notifying the Dutch DPA and affected people where the law requires.
11. Children
The Service is not intended for people under 18. We do not knowingly process the personal data of children.
12. Complaints
If you have a concern, contact us first at hello@intakto.eu so we can try to resolve it. You also have the right to lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens (https://www.autoriteitpersoonsgegevens.nl), or with the supervisory authority in your EU country of residence or work.
13. Changes to this Policy
We may update this Policy. For material changes we will notify you by email and update the “Updated” date above.
14. Contact
HumanOps B.V., Amsterdam, 1091EE, Netherlands. Email: hello@intakto.eu. KvK number: [KvK number - to be added]. VAT/BTW number: [BTW number - to be added].
This document is provided for information and is not legal advice.