Privacy Policy

1. Introduction

InstaThink ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered workflow automation platform ("Service").

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, do not use the Service.

2. Information We Collect

2.1 Information You Provide

We collect information that you provide directly to us:

• Account Information: Name, email address, company name, phone number, and password
• Profile Information: Job title, department, and other professional details
• Payment Information: Billing address and payment method details (processed securely through third-party payment processors)
• Communication Data: Messages, feedback, and support requests you send to us
• Workflow Data: Data you input into workflows, automation configurations, and template customizations

2.2 Information Collected Automatically

When you use the Service, we automatically collect:

• Usage Data: Pages viewed, features used, workflow executions, and time spent on the Service
• Device Information: IP address, browser type, operating system, device identifiers
• Log Data: Access times, error logs, and performance metrics
• Cookies and Tracking Technologies: Session cookies, analytics cookies, and similar technologies

2.3 Information from Third-Party Integrations

When you connect third-party services (such as Clio legal practice management software) to the Service, we collect:

• Data you authorize us to access from those services (contacts, matters, billing information, calendar events, tasks, documents)
• OAuth tokens and authentication credentials necessary to maintain the connection
• Synchronization status and webhook event data

3. How We Use Your Information

We use the information we collect to:

• Provide the Service: Process workflows, sync data with third-party services, and deliver requested features
• Maintain and Improve: Monitor performance, diagnose technical issues, and enhance Service functionality
• Communicate: Send service updates, security alerts, support messages, and marketing communications (with your consent)
• Billing: Process payments, send invoices, and manage subscriptions
• Security: Detect fraud, prevent unauthorized access, and protect user data
• Analytics: Understand usage patterns, measure effectiveness, and inform product development
• Legal Compliance: Comply with applicable laws, regulations, and legal processes

4. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

4.1 With Your Consent

We share information when you explicitly authorize us to do so, such as when connecting third-party integrations.

4.2 Service Providers

We share information with third-party service providers who perform services on our behalf:

• Cloud Hosting: Vercel (application hosting), Supabase (database and authentication)
• Payment Processing: Stripe or similar payment processors
• Analytics: Google Analytics or similar analytics platforms
• Email Services: Transactional email providers
• Support Tools: Customer support and ticketing platforms

4.3 Third-Party Integrations

When you connect third-party services (like Clio), data flows between the Service and those platforms according to your authorization. These integrations are governed by the privacy policies of the respective third-party services.

4.4 Legal Requirements

We may disclose your information if required to:

• Comply with applicable laws, regulations, or legal processes
• Respond to lawful requests from public authorities
• Enforce our Terms of Service
• Protect our rights, privacy, safety, or property, and that of our users or the public

4.5 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.

5. Data Security

We implement industry-standard security measures to protect your information:

• Encryption: Data in transit is encrypted using TLS 1.2+ with A+ SSL rating (verified by Qualys SSL Server Test)
• Database Security: Row-Level Security (RLS) and encrypted storage via Supabase
• Access Controls: Role-based access control (RBAC) and multi-factor authentication (MFA) support
• OAuth Tokens: Encrypted storage using AES-256-GCM for third-party integration credentials
• Monitoring: Continuous security monitoring, intrusion detection, and audit logging
• Data Backups: Regular automated backups with encryption

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

6. Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Retention periods vary by data type:

• Account Data: Retained while your account is active and for 90 days after account deletion
• Workflow Data: Retained per your subscription plan and deleted upon request or account termination
• Usage Logs: Retained for 90 days for security and analytics purposes
• Billing Records: Retained for 7 years to comply with tax and accounting regulations

7. Your Rights and Choices

Depending on your location, you may have the following rights:

7.1 Access and Portability

You have the right to access your personal information and request a copy in a portable format.

7.2 Correction

You can update your account information at any time through your account settings. Contact us if you need assistance correcting inaccurate data.

7.3 Deletion

You can request deletion of your account and associated data by contacting us at privacy@instathink.io. Some information may be retained for legal or legitimate business purposes.

7.4 Opt-Out of Marketing

You can opt out of marketing communications by clicking the "unsubscribe" link in our emails or updating your communication preferences in your account settings.

7.5 Cookie Preferences

You can control cookies through your browser settings. Note that disabling certain cookies may affect Service functionality.

7.6 Do Not Track

We do not currently respond to "Do Not Track" browser signals, but you can control tracking through cookie preferences.

8. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws different from your jurisdiction.

When we transfer data internationally, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) with service providers
• Data Processing Agreements (DPAs) meeting GDPR and CCPA standards
• Regional data residency options for customers with specific compliance requirements

9. Children's Privacy

The Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you become aware that a child has provided us with personal information, please contact us, and we will take steps to delete such information.

10. Third-Party Links

The Service may contain links to third-party websites or services that we do not own or control. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access.

11. California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information we collect, use, and disclose
• Right to request deletion of your personal information
• Right to opt out of the sale of personal information (we do not sell personal information)
• Right to non-discrimination for exercising your rights

To exercise these rights, contact us at privacy@instathink.io.

12. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), UK, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent (where processing is based on consent)
• Right to lodge a complaint with a supervisory authority

To exercise these rights, contact us at privacy@instathink.io.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

• Posting the new Privacy Policy on this page
• Updating the "Last Updated" date
• Sending an email notification (for significant changes)

Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

15. Data Protection Officer

For GDPR-related inquiries, you can contact our Data Protection Officer at: dpo@instathink.io