Legal
Last updated 5 June 2026
This Privacy Policy explains how Intigra ("Intigra", "the Service", "we", "us" or "our") collects, uses, stores, discloses and protects information in connection with the Intigra software-as-a-service platform available at intigra.app and app.intigra.app, including the web application, the desktop application and the mobile application (together, the "Service"). It also describes the choices and rights available to you with respect to that information.
Intigra is a multi-tenant business-management platform used by businesses (each, a "Firm") to manage their enquiries, quotations, customers, suppliers, contacts, inventory, procurement, human-resources records and related communications, including sending business email from email accounts the Firm or its users choose to connect.
Please read this Policy carefully. By creating an account, accessing or using the Service, or by connecting a third-party account (such as a Google account) to the Service, you acknowledge that you have read and understood this Policy. If you do not agree with it, you must not access or use the Service. This Policy forms part of, and should be read together with, our Terms & Conditions.
This Policy applies to information processed through the Service. It does not apply to any third-party website, product, application or service that we do not own or control, even where the Service links to or integrates with it (for example Google, your email provider, or your own customers' systems). Your use of those third parties is governed by their own terms and privacy policies, and we are not responsible for their practices.
The Service is intended for use by businesses and their authorised personnel for business purposes. It is not directed to consumers acting in a personal capacity, and it is not intended for use by children.
Most of the information held in the Service is information that a Firm and its users enter or upload in order to run their own business — for example their own customers, suppliers, contacts, enquiries, quotations, orders, inventory and employee records. With respect to that business data, the Firm is the party that decides what information is collected and why. The Firm is therefore the data fiduciary / data controller for that data, and Intigra acts only as a data processor that stores and processes the data on the Firm's behalf and on its instructions, in order to provide the Service.
This distinction matters. Where the Firm is the controller, the Firm — and not Intigra — is responsible for ensuring that it has a valid legal basis and any required consent to collect and process the personal information of its own customers, suppliers, contacts and employees, including any sensitive identifiers (such as government-issued identity or tax numbers) the Firm chooses to store, and for responding to requests those individuals make about their data. Intigra processes such data only as instructed by the Firm through the features of the Service.
With respect to a limited set of information — such as account-registration details, authentication data, security and audit logs, billing information (if any), and information submitted through our public website — Intigra acts as the controller. This Policy describes both situations.
When an account is created we collect information such as name, username, email address, role and permissions, a securely hashed password, profile image, and address details. A Firm administrator may additionally record information about its users that the Firm requires for its own operations, which can include identity or tax identifiers and related document images. Intigra does not require these latter identifiers to operate; where they are stored, they are stored at the Firm's direction.
We store the business records you create and upload, which may include customer and supplier records, contact-person details (names, email addresses, phone numbers, job titles), enquiries, quotations and their versions, purchase orders and procurement data, inventory and stock movements, human-resources records (such as attendance, leave, expenses and travel), notes, terms, and file attachments such as documents, images and PDFs.
When you use the Service to send business email (for example quotations, follow-ups, purchase orders, and delivery or arrival receipts), we store the message metadata and content needed to compose, send, queue, retry and audit that message — such as recipients, subject, body, attachments, the connected account used, send status, timestamps, and the resulting message identifier. See the section on Google user data below for how this works with a connected Google account.
Where your Firm enables the optional AI Features and connects a Google inbox with read-only permission, we process the incoming business email in that inbox — including the sender, recipients, subject, body and attachments — together with the structured information extracted from it (such as classification, products, quantities, prices, dates, terms and matches to your own records) and usage metrics such as the volume of content processed. How this works, and what is transmitted to third-party AI providers, is described in the Google User Data section and the Automated Processing and AI-assisted Features section below. This feature is optional and is off unless your Firm enables it.
To operate and secure the Service we process technical information such as session tokens, login and session events, IP address, browser and operating-system information, device type, online status and timestamps, and — for the mobile application — push-notification tokens used to deliver notifications. We also keep operational logs of requests to the Service for security, debugging, abuse-prevention and audit purposes.
The application uses a single, strictly-necessary session cookie (HttpOnly, SameSite) to keep you signed in and to protect your session. We do not use advertising or cross-site tracking cookies in the application. See the Cookies section below.
If you submit our public contact form, we collect the information you provide (such as name, email address and message) together with technical information about the submission — including IP address, browser and device characteristics and similar signals — which we use to respond to you and to detect and prevent spam and abuse.
Intigra offers an optional feature that lets you connect a Google account so that business email (such as quotations, follow-ups, purchase orders and receipts) can be sent from your own Gmail address through the Service. This feature is entirely optional. The Service works without it, and you may use a standard SMTP email account instead. The following describes exactly how we access, use, store and share Google user data, and it governs any conflict with the more general statements elsewhere in this Policy.
If, and only if, your Firm enables the AI Features and connects a Connected Inbox, Intigra uses the read-only Gmail permission to fetch new incoming messages in that inbox and process them through the Service's AI pipeline. To do this, the content of those messages and their attachments is transmitted to the third-party AI providers we have configured — which may include Google (Gemini), Anthropic (Claude), OpenAI, OpenRouter or any other provider, depending on configuration — solely to classify the message, extract structured business details, and match them to your own records. Attachments (including images and PDFs) may be sent to these providers for text and image extraction. The results are stored within your tenant and staged for review by your Users. We do not delete or modify any message in your mailbox, we do not send email using this permission, and we do not use this data for advertising or to train our own generalised AI models. Each configured AI provider processes the transmitted content under its own terms; we choose providers and settings intended to limit their use of the content to performing this processing. You can disable the AI Features or disconnect the Connected Inbox at any time.
When you connect a Google account, Google provides Intigra with a refresh token. We store that refresh token in encrypted form (using strong, industry-standard encryption) so that, at the moment you send a message, we can obtain a short-lived access token from Google to transmit that message. Short-lived access tokens are used in memory for the send and are not persisted. We store only the minimum associated metadata needed to operate the feature, such as the connected email address, a display name, the provider, and the granted scope.
When you send a message through a connected Google account, the message you composed — including its recipients, subject, body and any attachments you selected — is transmitted to Google for delivery through the Gmail API, exactly as it would be if you had sent it from Gmail yourself. That information is then handled by Google under Google's own terms and privacy policy.
You can disconnect a connected Google account at any time from within the Service, and you can independently revoke Intigra's access from your Google Account security settings at https://myaccount.google.com/permissions. Once access is revoked, we can no longer send on your behalf, and the associated stored credential is rendered unusable and removed in accordance with our retention practices.
The Intigra application relies on a strictly-necessary session cookie to authenticate you and keep you signed in. Disabling it will prevent the Service from working. We do not use third-party advertising cookies or cross-site tracking technologies inside the application. Our public website may use minimal, privacy-respecting technologies required to operate the site and to protect it from abuse.
We use information for the following purposes:
We do not sell your information, and we do not use the contents of your business records or any Google user data for advertising or for training generalised AI models.
Where the law requires a legal basis for processing, we rely, as applicable, on: your consent (for example, when you connect a Google account or submit the contact form); the performance of a contract with you (to provide the Service you have signed up for); our legitimate interests in operating, securing and improving the Service in a way that is not overridden by your rights; and compliance with our legal obligations. Where a Firm is the controller, the Firm is responsible for ensuring an appropriate legal basis and any required consent for the personal data it processes through the Service.
We do not sell, rent or trade your information. We share information only in the limited circumstances below:
We rely on the following categories of infrastructure to operate the Service: a database service to store records; an in-memory cache and messaging service to operate real-time features and queues; an object-storage service to store uploaded files; and a push-notification service to deliver mobile notifications. Where you use the email-sending feature, your chosen email provider (such as Google) and any SMTP server you configure also process the messages you send. Where your Firm enables the optional AI Features, third-party AI/LLM providers — which may include Google (Gemini), Anthropic (Claude), OpenAI, OpenRouter or any other provider, depending on configuration — process the incoming email content and attachments solely to perform that processing on our instructions. These providers act on our or your instructions and, except as governed by their own terms for the processing we request, are not permitted to use the data for their own purposes.
We retain information for as long as your account is active and for as long as needed to provide the Service, and thereafter as required to comply with our legal obligations, resolve disputes, maintain security and audit records, and enforce our agreements. Business data entered by a Firm is retained under the Firm's control and is deleted or returned in accordance with the Firm's instructions and our Terms. Encrypted email credentials are retained only while the relevant account remains connected and are removed when the account is disconnected or access is revoked. Backups are retained for a limited period and are overwritten on a rolling basis.
We apply technical and organisational measures designed to protect information, including encryption of sensitive credentials, hashing of passwords, encryption in transit (HTTPS/TLS), tenant isolation so that one Firm's data is logically separated from another's, role-based access controls, session and device controls, and operational logging. However, no method of transmission or storage is completely secure. While we work hard to protect your information, we cannot and do not guarantee absolute security, and you provide and use the Service at your own risk to the extent permitted by law. You are responsible for keeping your credentials confidential and for the activity that occurs under your account.
Depending on our hosting configuration, information may be processed and stored on servers located in one or more countries that may have data-protection laws different from those of your country. Where we transfer information across borders, we take steps intended to ensure it remains protected consistent with this Policy and applicable law.
Subject to applicable law and to the role allocation described above, you may have the right to access the personal information we hold about you, to request its correction or deletion, to withdraw consent you have given (for example, by disconnecting a connected Google account), and to lodge a complaint with a supervisory authority. Because most business data is controlled by your Firm, requests relating to that data should ordinarily be directed to the Firm, which we will support as the processor. To exercise rights for which Intigra is the controller, or for any privacy question, contact us through the form at intigra.app/contact. We will respond within the timeframes required by applicable law. We may need to verify your identity before acting on a request.
Because Intigra acts as a processor for the business data you enter, you — and the Firm on whose behalf you act — represent and warrant that you have all necessary rights, consents and lawful bases to collect, upload and process within the Service the personal information of any third party (including your customers, suppliers, contacts and employees, and any identity or tax identifiers you choose to store), and that your use of the Service, including any email you send through it, complies with all applicable laws — including data-protection, privacy, anti-spam and electronic-communications laws. You are solely responsible for the content of the records you create and the messages you send, and for ensuring you are authorised to contact the recipients you choose. To the maximum extent permitted by law, Intigra is not responsible or liable for your collection or use of third-party data or for the content you transmit, and you agree to indemnify Intigra in accordance with our Terms in respect of any claim arising from it.
Some features of the Service use automated processing — for example to validate input, classify or structure data, pre-fill fields, or detect anomalies — in order to make the Service faster and more reliable. Much of this is deterministic and operates under server-side validation.
In addition, where your Firm enables the optional AI Features and connects an inbox, the Service uses third-party AI providers (such as Google, Anthropic, OpenAI, OpenRouter or DeepSeek, depending on configuration) to read incoming business email and its attachments and to extract and structure information from them, as described in the Google User Data section above. These Features produce draft results that are staged for review by your Users before any record is created or acted upon; they do not make legally or similarly significant decisions about any individual without human involvement, and they do not automatically reply to email or contact third parties. Automated output may be inaccurate and is intended to be reviewed.
We do not use the contents of your business records, or any Google user data, to train our own generalised AI models, and we do not permit our AI providers to use it for advertising. Where any AI-assisted feature is offered, it operates only to provide the user-facing functionality of the Service.
The Service is intended for businesses and their authorised personnel and is not directed to children. We do not knowingly collect personal information directly from children. If you believe a child has provided information to us, please contact us so we can take appropriate action.
The Service may link to or integrate with third-party websites and services that we do not control, including Google. We are not responsible for the privacy practices or content of those third parties. We encourage you to review their terms and privacy policies before using them. Your use of a connected Google account is also subject to Google's Terms of Service and Privacy Policy.
We may update this Policy from time to time to reflect changes to the Service, to our practices, or to legal requirements. When we make material changes, we will update the "Last updated" date above and, where appropriate, provide additional notice. Your continued use of the Service after the changes take effect constitutes your acceptance of the updated Policy.
To the maximum extent permitted by applicable law, the Service and all information made available through it are provided on an "as is" and "as available" basis without warranties of any kind. Nothing in this Policy limits any right you have that cannot be limited under applicable law, and nothing here is intended to exclude liability that cannot lawfully be excluded. Subject to that, our liability in connection with the processing of information is governed by, and limited as set out in, our Terms & Conditions.
If you have any question, concern or complaint about this Policy or about how information is handled in the Service — including any request relating to Google user data — please contact the Intigra Grievance Officer through the form at intigra.app/contact. We will acknowledge and address grievances within the timeframes required by applicable law, including India's Digital Personal Data Protection Act, 2023 and the rules made under it, where applicable.