Privacy Policy

At IntakePilot, we respect your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our Services. IntakePilot is operated by Andrii Khokhlov, an individual (sole operator) resident in the Republic of Lithuania ("IntakePilot," "we," "our," or "us"). You can reach us using the contact details at the end of this policy.

Two roles, two controllers. For data relating to our Merchants (shop owners and staff who hold an IntakePilot account), IntakePilot is the data controller. For data relating to End Users (a Merchant's own customers, who interact with the booking page and AI intake chat), IntakePilot acts as a data processor, and the Merchant is the data controller. We process End User data strictly to provide the booking service on behalf of, and under the documented instructions of, the Merchant. If you are an End User and wish to exercise your data rights (e.g., to access or delete your data), please contact the Merchant directly; we will assist the Merchant in responding.

1. Information We Collect

Account Information: When you register for a Merchant account, we collect your name, email address, phone number, and shop details.

End User / Booking Information: When an End User uses a Merchant's booking page, we process the information they provide — typically name, phone number, email, the service requested, free-text notes, and the AI chat transcript — on the Merchant's behalf.

Payment Information: We use Paddle to process Merchant subscription payments. We do not store your full card number or CVV. Paddle acts as Merchant of Record and handles this information as a separate controller in accordance with its own privacy policy.

Usage Data and Cookies: We collect data about how you interact with our Services, including IP addresses, browser types, and operating systems. We use strictly necessary cookies to operate the Services, and — only where you have consented via our cookie banner — analytics and similar non-essential technologies. You can withdraw or change your cookie choices at any time.

2. How We Use Your Information & Legal Bases

Where the GDPR applies, we rely on the following legal bases (Article 6 GDPR):

• Performance of a contract — to provide, operate, and maintain the Services, manage your account, process transactions, and send confirmations and invoices.
• Legitimate interests — to secure the platform, prevent abuse and fraud, analyze usage, and improve the Services, balanced against your rights.
• Consent — for non-essential cookies and any optional marketing communications. You may withdraw consent at any time.
• Legal obligation — to comply with accounting, tax, and other legal requirements.

3. Sharing Your Information

We do not sell your personal information. We share information with third-party sub-processors who help us operate the Services, each bound by a data processing agreement and obligated to protect your data — including Supabase (database and authentication hosting), Anthropic and Google (AI processing), Resend and Twilio (email and SMS notifications), Paddle (payments), and Upstash (rate limiting and caching).

We may also disclose information where required by law, court order, subpoena, or other legal process, or to protect the rights, property, or safety of IntakePilot, our users, or the public.

4. Your Data Rights (GDPR / CCPA / PIPEDA)

EU / EEA / UK Residents (GDPR): You have the right to access, rectify, and erase your personal data; to restrict or object to processing; to data portability; and to withdraw consent at any time without affecting prior processing. To exercise these rights regarding your Merchant account, contact us using the details below. You also have the right to lodge a complaint with a supervisory authority — in Lithuania, the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, vdai.lrv.lt).

California Residents (CCPA/CPRA): You have the right to know what personal information we collect, the right to delete your personal information, the right to correct inaccurate information, and the right to opt out of the "sale" or "sharing" of your personal information. IntakePilot does not sell or share your personal information as those terms are defined under the CCPA/CPRA, and we do not discriminate against you for exercising your rights.

Canadian Residents (PIPEDA): You have the right to access your personal information and request corrections to inaccurate data.

If you are an End User, the Merchant is the controller of your data; please direct your request to them. We will assist the Merchant in fulfilling valid requests.

5. Data Retention and Security

We retain Merchant account data for as long as your account is active and for a reasonable period afterward to comply with legal, tax, and accounting obligations (typically up to the limitation periods required by Lithuanian law). End User booking data is retained on behalf of, and according to the instructions of, the relevant Merchant, and is deleted or returned when our processing agreement ends. We implement industry-standard technical and organizational measures — including encryption in transit, access controls, and row-level security — to protect your data. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

6. International Transfers

Some of our sub-processors are located outside the European Economic Area, including in the United States. Where we transfer personal data outside the EEA, we rely on an applicable safeguard under Chapter V of the GDPR — such as an adequacy decision of the European Commission or the European Commission's Standard Contractual Clauses — to ensure your data receives an equivalent level of protection. You may request a copy of the relevant safeguards using the contact details below.

7. Children's Privacy

The Services are not directed to children, and Merchant accounts are intended for users aged 18 or over. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact us and we will take appropriate steps to delete it.

8. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will revise the "Last Updated" date above and, where appropriate, notify you by email or through the platform.

Contact Us

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us at forelox12@gmail.com.