Privacy Policy
Effective date: June 24, 2026
1. Who We Are
IntoPact ("we," "us," "our") operates the IntoPact platform — a deal page tool for B2B sales teams. This policy explains how we collect, use, store, and share personal data when you visit our website, use our application, or interact with a deal page as a buyer or stakeholder.
Contact: legal@intopact.com
2. Data We Collect
2.1 Account Data (Sellers)
When you create an account, we collect:
- Email address (required for authentication)
- Name, job title, phone number (optional, entered by you)
- Organization name and branding assets (logo, colors)
2.2 Buyer & Stakeholder Data
When a seller adds you to a deal or you submit a form, we collect:
- Email address and name
- Role, department, phone (if provided by the seller or by you)
- Discovery responses — answers you provide to prompts on deal pages
- Comments you post on deal page sections
Buyers do not need an account. Access is via magic link or direct URL. We do not require passwords.
2.3 Usage & Analytics Data
When you visit a deal page or our website, we automatically collect:
- IP address (used for country-level geolocation — not stored beyond session close on deal pages)
- Browser user agent string
- Pages/sections viewed, time spent per section, exit section
- Referrer URL and UTM parameters
- Session duration and engagement patterns
We use Microsoft Clarity on our marketing website for heatmaps and session recordings. Clarity does not collect personal identifiers and is subject to Microsoft's Privacy Statement.
2.4 Payment Data
Payments are processed by Stripe. We never see or store your full card number. We store only your Stripe customer ID and subscription status. Stripe's privacy policy applies to payment data: stripe.com/privacy.
2.5 Acceptance Records
When a buyer accepts a deal, we record the IP address, user agent, timestamp, and a snapshot of the accepted terms. This is retained as a legal record and cannot be deleted while the deal exists.
3. How We Use Your Data
- Provide the service — authenticate users, deliver deal pages, send notifications
- Analytics for sellers — engagement metrics, stall detection, stakeholder mapping (shown only to the deal owner's organization)
- AI features — generate deal page content, summarize engagement, and draft follow-ups. We configure our AI providers to process inputs for service delivery rather than model training.
- Transactional emails — magic links, deal notifications, comment alerts, stall nudges
- Billing — manage subscriptions, enforce seat limits
- Security — rate limiting, abuse detection, audit logging
4. Third-Party Services
We share data with these processors only as needed to operate the service:
- Amazon Web Services (SES) — transactional email delivery
- Microsoft Azure (OpenAI Service) — AI content generation
- Microsoft Azure (Blob Storage) — file/media storage
- Microsoft Clarity — marketing website analytics (heatmaps, session recordings)
- Stripe — payment processing
- Redis (hosted) — session caching, rate limiting, and job queues
We do not sell your personal data. We do not share personal data with advertisers for cross-context behavioral advertising.
If your organization requires a Data Processing Agreement (DPA), we provide one upon request at legal@intopact.com.
5. Cookies
We use the following cookies:
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
intopact_token | Seller authentication (JWT) | 7 days | Strictly necessary |
intopact_viewer | Buyer deal page session (JWT) | 30 days | Strictly necessary |
Core authentication cookies are set as httpOnly and secure in production. They are strictly necessary for the service to function and do not require consent under GDPR/ePrivacy.
Microsoft Clarity sets its own cookies for analytics. You can opt out via your browser's cookie settings or by using a "Do Not Track" signal.
6. Data Retention
- Account data — retained while your account is active and for a reasonable period afterward for account recovery, legal compliance, and security.
- Deal page sessions — typically retained for analytics and product operations, then deleted or aggregated.
- Acceptance records — retained as needed to document transaction history and satisfy legal obligations.
- Audit and auth logs — retained for security, fraud prevention, and compliance purposes for a limited period.
- Media uploads — retained while associated content is active, and removed through product deletion flows or cleanup processes.
7. Your Rights
Depending on your jurisdiction (GDPR, UK DPA, CCPA), you may have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data (subject to legal retention obligations)
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest
- Restrict processing — limit how we use your data while a dispute is resolved
To exercise any of these rights, email legal@intopact.com. We aim to respond within applicable legal timeframes.
8. Data Security
We protect your data with: encrypted connections (TLS), organization-isolated database queries, httpOnly secure cookies, rate limiting, input validation, parameterized queries (no SQL injection), and role-based access controls. Media files are stored in encrypted Azure Blob Storage.
While we use reasonable safeguards and review our controls periodically, no method of transmission over the Internet or method of electronic storage is 100% secure.
9. International Transfers
We use cloud infrastructure and service providers that may process data in different jurisdictions. Where required, we rely on appropriate transfer mechanisms such as Standard Contractual Clauses or equivalent safeguards.
10. Children
IntoPact is a B2B platform. We do not knowingly collect data from anyone under 16. If you believe a child has provided us data, contact us and we will delete it promptly.
11. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or a prominent notice on our website. The "Effective date" at the top indicates the latest revision.
12. Contact
For privacy-related questions or requests:
legal@intopact.com