Privacy Policy
Effective Date: February 22, 2026 | Last Updated: March 26, 2026
Table of Contents
- Introduction
- Scope of This Policy
- Information We Collect
- How We Use Your Information
- Legal Bases for Processing
- How We Share Your Information
- Data Retention
- Data Security
- Your Rights and Choices
- International Data Transfers
- Cookies and Tracking Technologies
- AI and Automated Decision-Making
- Encrypted Messaging & Communication
- Group Chat & Collaboration
- Status System
- Identity Verification (KYC)
- Affiliate Program
- Business & Organization Features
- User Profiles & Discovery
- Third-Party Services
- Children's Privacy
- Changes to This Policy
- Contact Us
1. Introduction
INTEGRO ("INTEGRO," "we," "our," or "us") is a digital exposure and protection platform that helps individuals and organizations understand, monitor, and reduce their digital footprint and exposure risk. We are committed to protecting your privacy and handling your personal data with transparency and care.
This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights and choices regarding your personal data. We encourage you to read this policy carefully.
By accessing or using INTEGRO's services — including our website, web application, mobile applications, APIs, and any related services (collectively, the "Services") — you acknowledge that you have read and understood this Privacy Policy.
2. Scope of This Policy
This Privacy Policy applies to:
- All visitors to the INTEGRO website (integroai.io)
- All registered users of the INTEGRO platform (web and mobile)
- Users of the INTEGRO API
- Recipients of INTEGRO communications (email, SMS, push notifications)
This policy does not apply to third-party websites, applications, or services that we do not own or control, even if they are linked from our Services.
3. Information We Collect
3.1 Information You Provide Directly
We collect information you provide when you interact with our Services, including:
- Account Information: Name, email address, username, and password when you create an account.
- Identity Information: Email addresses, usernames, phone numbers, social media profiles, and other identifiers you add for monitoring.
- Payment Information: Billing details and payment method data processed through our third-party payment providers (Flutterwave). We do not store full payment card numbers on our servers.
- Communication Data: Messages you send through our AI assistant, direct messages to other users, group chat messages, status updates, support inquiries, and any feedback you provide. All direct and group messages are encrypted using Fernet symmetric encryption before storage.
- Group Chat Data: Group names, descriptions, member lists, role assignments, message content (encrypted), file attachments, and panic alert records.
- Status Data: Text statuses, images, videos, captions, background color preferences, privacy settings, and viewer records for your 24-hour status updates.
- User Profile Data: Display name, bio, company, job title, location, website, profile photo, online/offline status, discoverability preferences, and messaging privacy settings.
- Verification Data: KYC verification status, verification documents submitted through our third-party provider (Sumsub), verification badges, and badge codes.
- Affiliate Data: Affiliate application details, referral tracking, commission records, payout preferences, and bank account information for affiliate payouts.
- Third-Party Search Data: Information submitted when conducting authorized searches about third parties, including justifications, consents, and declared relationships.
- Referral Data: Information related to our referral program, including referral codes and associated accounts.
3.2 Information Collected Automatically
When you use our Services, we automatically collect:
- Device and Browser Data: IP address, browser type and version, operating system, device type, unique device identifiers.
- Usage Data: Pages and features accessed, actions taken, time and duration of visits, navigation paths.
- Log Data: Server logs including access times, error logs, and API request metadata.
- Location Data: Approximate geographic location inferred from your IP address.
3.3 Information from Third-Party Sources
To deliver our core service — identifying and monitoring your digital exposure — we collect publicly available information from external sources, including:
- Search engines and publicly indexed web pages
- Known data breach databases and leak repositories
- Social media platforms (publicly accessible data only)
- Public records, court filings, and government databases
- Dark web forums and marketplaces (for breach monitoring)
- Data broker and people-search websites
- Paste sites and code repositories
Important: We only collect third-party data that is publicly available or obtained from authorized breach intelligence sources. We do not purchase personal data from unauthorized or illegal sources.
3.4 Information from Authentication Providers
If you sign in using a third-party authentication service, we may receive your name, email address, and profile picture from that provider, subject to the provider's privacy settings and your consent.
4. How We Use Your Information
4.1 Providing and Operating Our Services
- Creating and maintaining your account
- Conducting digital footprint scans across multiple data sources
- Monitoring your identities for new data breaches and exposures
- Calculating and updating your digital risk score
- Generating personalized security findings and recommendations
- Processing wallet transactions and subscription payments
- Facilitating encrypted direct messaging and group conversations between users
- Managing group memberships, roles, and permissions
- Delivering and displaying 24-hour status updates to your contacts
- Processing KYC identity verification through our verification partner (Sumsub)
- Managing affiliate referrals, commissions, and payouts
- Operating business organization features including team management and candidate screening
- Enabling user discovery and profile visibility based on your privacy preferences
4.2 AI-Powered Features
- Providing security advice through our GODEYES AI assistant
- Analyzing scan results and categorizing findings
- Generating remediation recommendations
- Evaluating ethical compliance of third-party search requests
AI Data Handling: Conversations with our AI assistant are stored securely on our servers. We may use anonymized and aggregated interaction data to improve the quality of our AI responses. Your personal data is not shared with third-party AI model providers in identifiable form.
4.3 Communications
- Sending security alerts and breach notifications
- Delivering scan completion reports
- Providing service updates and maintenance notices
- Sending promotional content and newsletters (with your opt-in consent)
4.4 Safety, Security, and Compliance
- Detecting and preventing fraud, abuse, and unauthorized access
- Enforcing our Terms of Service and Acceptable Use Policy
- Complying with applicable laws, regulations, and legal processes
- Maintaining audit logs for security and accountability
4.5 Analytics and Improvement
- Understanding how users interact with our platform
- Identifying and fixing bugs, errors, and performance issues
- Developing new features and improving existing ones
- Conducting research and analysis (using anonymized and aggregated data)
5. Legal Bases for Processing
We process your personal data on the following legal bases under applicable data protection laws (including, where applicable, the GDPR and similar frameworks):
- Contract Performance: Processing necessary to perform our agreement with you and deliver our Services.
- Legitimate Interests: Processing necessary for our legitimate business interests, such as improving our Services, preventing fraud, and ensuring platform security — provided these interests do not override your fundamental rights.
- Consent: Processing based on your explicit consent, such as marketing communications and optional data sharing.
- Legal Obligation: Processing necessary to comply with applicable laws, court orders, and regulatory requirements.
6. How We Share Your Information
We do not sell your personal data. We do not rent, trade, or otherwise monetize your personal information.
We may share your information in the following limited circumstances:
6.1 Service Providers
We engage trusted third-party service providers who assist us in operating our Services. These providers are contractually bound to use your data only for the purposes we specify. Our providers include:
- Cloud Infrastructure: Hosting and data storage providers
- Payment Processors: Flutterwave for subscription and wallet payments
- Email Delivery: Transactional and notification email services
- Analytics: Anonymized usage analytics platforms
- AI Model Providers: For powering our AI assistant (data is anonymized before sharing)
- Identity Verification: Sumsub for KYC document verification (subject to Sumsub's Privacy Policy)
- Real-Time Communication: Agora for voice/video call infrastructure in messaging
6.2 Legal and Safety Disclosures
We may disclose your information when we believe in good faith that disclosure is necessary to:
- Comply with a legal obligation, subpoena, court order, or governmental request
- Protect the safety, rights, or property of INTEGRO, our users, or the public
- Detect, prevent, or address fraud, security incidents, or technical issues
- Enforce our Terms of Service
6.3 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your data.
6.4 With Your Consent
We may share your information for purposes not described in this policy with your explicit prior consent.
6.5 Aggregated and De-Identified Data
We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you for any purpose, including research, analytics, and public reporting.
7. Data Retention
We retain your personal data in accordance with the following principles:
- Account Data: Retained for the duration of your active account plus 30 days after deletion.
- Scan Results and Findings: Retained according to your data retention preferences (configurable in Settings), or for the duration of your account.
- AI Chat History: Retained for the duration of your account. You may delete individual sessions at any time.
- Payment Records: Retained for up to 7 years as required by financial regulations.
- Audit Logs: Retained for up to 2 years for security and compliance purposes.
- Direct Messages: Retained in encrypted form for the duration of both participants' accounts, or until deleted by the user. Messages deleted by the sender are hidden but may remain in the recipient's view.
- Group Chat Messages: Retained in encrypted form for the duration of the group's existence. Deleted groups have all messages permanently removed.
- Status Updates: Automatically deleted 24 hours after creation. View records are deleted when the status expires or is manually deleted.
- KYC Verification Data: Verification documents are processed by Sumsub and not stored on INTEGRO servers. Verification status and badge information are retained for the duration of your account.
- Affiliate Records: Commission and payout records are retained for up to 7 years as required by financial regulations.
- Anonymized Analytics: May be retained indefinitely in aggregate form.
When you delete your account, we initiate deletion of your personal data within 30 days. Some data may be retained longer where required by law or for legitimate business purposes.
8. Data Security
We implement robust technical and organizational measures to protect your personal data, including:
- Encryption: TLS 1.2+ encryption for data in transit; AES-256 encryption for data at rest; Fernet symmetric encryption for all direct messages and group chat messages.
- Authentication: Secure JWT-based authentication with token rotation and refresh mechanisms.
- Access Controls: Role-based access controls and the principle of least privilege for internal systems.
- Infrastructure: Secure cloud infrastructure with DDoS protection, firewalls, and intrusion detection.
- Monitoring: Continuous security monitoring, audit logging, and incident response procedures.
- Development Practices: Secure coding practices, dependency scanning, and regular security reviews.
While we take extensive measures to protect your data, no system is completely secure. In the event of a data breach affecting your personal information, we will notify you and relevant authorities in accordance with applicable law.
9. Your Rights and Choices
Depending on your jurisdiction, you may have the following rights regarding your personal data:
9.1 Access and Portability
You have the right to request a copy of the personal data we hold about you in a structured, commonly used, machine-readable format.
9.2 Correction
You may update your account information directly through the platform or request that we correct any inaccurate or incomplete personal data.
9.3 Deletion
You may delete your account and all associated data through your Settings. You may also request deletion of specific data such as scan history, findings, or AI chat sessions.
9.4 Restriction and Objection
You may request that we restrict or cease processing your personal data in certain circumstances.
9.5 Withdrawal of Consent
Where we rely on your consent to process your data, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
9.6 Communication Preferences
You can manage your notification preferences (email, push, SMS) through your INTEGRO Settings. You may opt out of marketing communications at any time.
9.7 Exercising Your Rights
To exercise any of these rights, please contact us at info@integroai.io. We will respond to verified requests within 30 days.
9.8 Complaints
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with a data protection supervisory authority in your jurisdiction.
10. International Data Transfers
INTEGRO operates globally. Your personal data may be transferred to, stored in, and processed in countries other than your country of residence. Where we transfer data internationally, we implement appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by relevant authorities
- Data processing agreements with all service providers
- Encryption of data during international transfers
- Assessment of data protection standards in recipient countries
11. Cookies and Tracking Technologies
11.1 Essential Cookies
Required for core functionality including authentication, session management, and security. These cannot be disabled.
11.2 Functional Cookies
Remember your preferences and settings to enhance your experience.
11.3 Analytics Cookies
Help us understand usage patterns and improve our Services. Data is aggregated and anonymized.
11.4 Managing Cookies
You can control non-essential cookies through your browser settings. Disabling certain cookies may impact the functionality of our Services.
12. AI and Automated Decision-Making
INTEGRO uses artificial intelligence and automated systems in several aspects of our Services:
- Risk Scoring: We calculate your digital risk score using automated analysis of scan findings, breach severity, and exposure patterns. Risk scores are informational and do not affect your access to our Services.
- AI Assistant (GODEYES AI): Our AI assistant provides personalized security advice. AI-generated responses are for informational purposes only and should not replace professional advice.
- Ethical Review: Third-party search requests are evaluated by an automated ethics scoring system. Requests that fail ethical review may be denied.
- Finding Classification: Scan findings are automatically categorized by severity and type using machine learning models.
You have the right to request human review of any automated decision that significantly affects you. Contact us at info@integroai.io to request a review.
13. Encrypted Messaging & Communication
INTEGRO provides end-to-end encrypted direct messaging and group chat features. Here is how we handle your communication data:
- Message Encryption: All direct messages and group messages are encrypted using Fernet symmetric encryption derived from a server-side key before being stored in our database. Messages are decrypted only when retrieved by authorized participants.
- File Attachments: Files shared in conversations (images, documents) are stored in encrypted cloud storage. File URLs are accessible only to conversation participants.
- Message Deletion: You can delete messages you have sent. Deleted messages are marked as hidden but may still be visible to the other participant until they also delete them.
- Read Receipts: We track whether messages have been read to provide read receipt indicators. You cannot opt out of read receipts at this time.
- Online Status: Your online/offline status is tracked via our presence system. You can control whether other users see your online status through your profile privacy settings.
Important: While we encrypt message content at rest, INTEGRO is not a zero-knowledge encryption system. Our server holds the encryption key and can technically access message content. We access message content only when required by law or to investigate reported abuse.
14. Group Chat & Collaboration
INTEGRO's Group Chat feature allows users to create and participate in group conversations with role-based access control. Here is how we handle group data:
- Group Information: Group names, descriptions, avatars, and settings are stored unencrypted. Message content within groups is encrypted using the same Fernet encryption as direct messages.
- Membership and Roles: We store records of group membership including join dates, roles (Owner, Admin, GFR, CTO, Moderator, Member), and activity status. This data is visible to other group members.
- Panic Alerts: When a group member triggers a panic alert, we store the alert details including optional location data (latitude, longitude, location text) that the triggering user voluntarily provides. This data is shared with group admins and GFR (Group First Responder) members, and may trigger email notifications.
- Invite Links: Group invite codes are generated and stored to enable link-based joining. Admins can revoke invite links at any time.
- Admin Actions: System messages recording admin actions (member additions, role changes, removals) are stored as part of the group message history.
15. Status System
INTEGRO's Status feature allows you to post text, image, or video updates that automatically expire after 24 hours. Here is how we handle status data:
- Status Content: Text content, media files (images and videos), captions, and background color preferences are stored on our servers.
- Automatic Expiry: All statuses are automatically deleted 24 hours after posting. A background task handles cleanup of expired statuses.
- View Tracking: We record which users have viewed each status, including the viewer's identity and timestamp. This information is available only to the status creator.
- Privacy Controls: You can set status privacy to Everyone, Contacts Only (users with existing conversations), or Nobody. We enforce these controls server-side.
- Media Storage: Status media files are stored in cloud storage and are deleted when the status expires or is manually deleted by the creator.
16. Identity Verification (KYC)
INTEGRO offers optional identity verification (Know Your Customer / KYC) to earn a Verified Badge. Here is how we handle verification data:
- Third-Party Processing: Identity verification is processed by our partner, Sumsub. When you initiate verification, you are redirected to Sumsub's verification flow. Documents and biometric data are processed and stored by Sumsub according to their privacy policy.
- Data We Store: INTEGRO stores only the verification result (approved/rejected), verification date, and a unique badge code. We do not store copies of identity documents, selfies, or other biometric data on our servers.
- Verified Badge: Upon successful verification, you receive a publicly visible Verified Badge with a unique verification URL. Other users can see your verified status when interacting with you.
- Eligibility: KYC verification is available to users on Starter plans and above. Verification results may be required to maintain active paid subscriptions.
17. Affiliate Program
INTEGRO operates an affiliate program that allows approved users to earn commissions by referring new subscribers. Here is how we handle affiliate data:
- Application Data: When you apply for the affiliate program, we collect and store your application details and review status.
- Referral Tracking: We track referrals using unique affiliate codes. We record which users registered through your referral link, their subscription status, and resulting commissions.
- Financial Data: Commission amounts, payout methods, bank account details (for bank transfers), and payout history are stored securely. Bank account information is encrypted at rest.
- Commission Transparency: Referred users' names and email addresses are visible to affiliates for commission tracking purposes. Referred users are informed that their referrer can see their subscription status.
18. Business & Organization Features
INTEGRO provides business and organization management features for team-based security operations. Here is how we handle business data:
- Organization Data: Company name, industry, size, website, location, and description are stored to create your organization profile.
- Team Management: Team member records including roles (Viewer, Security Analyst, HR Manager, Admin), invitation status, and activity logs are maintained.
- Candidate Screening: When you submit candidates for screening, we store their names, email addresses, phone numbers, positions applied for, and screening results. Candidate data is accessible only to authorized organization members.
- KYC Payments: Business-initiated KYC verification payments for candidates are tracked and recorded.
- Audit Logs: All significant actions within a business account are logged for accountability and compliance purposes.
19. User Profiles & Discovery
INTEGRO allows users to create profiles and discover other users on the platform. Here is how we handle profile and discovery data:
- Profile Information: Display name, bio, company, job title, location, website, and profile photo are stored and may be visible to other users based on your discoverability settings.
- Discoverability: You can control whether your profile appears in user search results through the "is_discoverable" setting. When discoverable, other users can find you by name, username, or company.
- Messaging Privacy: You can control who can message you: Everyone, Verified Users Only, or Nobody. These settings are enforced server-side.
- Online Status: Your online/offline status and last-seen timestamp are tracked. You can hide your online status through your profile settings.
20. Third-Party Services
Our Services may contain links to or integrations with third-party websites and services. This Privacy Policy does not apply to those third parties. Key third-party services we integrate with include:
- Payment Processing: Flutterwave (subject to Flutterwave's Privacy Policy)
- Cloud Services: Our hosting providers (subject to their respective data processing agreements)
- Identity Verification: Sumsub (subject to Sumsub's Privacy Policy)
- Real-Time Communication: Agora (subject to Agora's Privacy Policy)
21. Children's Privacy
Our Services are not directed at individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected personal data from a child, we will take prompt steps to delete such information. If you believe we may have collected information from a child, please contact us at info@integroai.io.
22. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Provide notice through our platform (in-app notification or email) for significant changes
- Where required by law, obtain your consent before applying material changes
Your continued use of our Services after changes are posted constitutes your acceptance of the updated policy.
23. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out to us:
- Email: info@integroai.io
We aim to respond to all privacy-related inquiries within 30 days.