v2.4Privacy Policy·last updated May 12, 2026·view diff
Legal · Privacy

Privacy Policy.

How VesperWise Labs, Inc. collects, uses, and protects your data. Written in plain English and mapped to the relevant GDPR clauses in our DPA.

EffectiveMay 12, 2026Versionv2.4Applies tointentiq.dev + the APIIn force
The short version. We collect what we need to run the product, bill you, and keep things secure. We never sell your data, never train models on it, and never share it with advertisers. Questions? Email Abdel-Rahaman directly.

01Overview

VesperWise Labs, Inc. (“VesperWise”, “we”, “us”) operates the VesperWise platform available at intentiq.dev and via the VesperWise API (collectively, the “Service”). This Privacy Policy explains what data we collect, why we collect it, and how we handle it.

You can use the marketing site without giving us any personal data. Once you create an account or call the API, this policy applies. Our Terms of Service and this policy together govern your use of the Service.

02What we collect

Account & identity

  • Name, work email, company name, job role, and password hash (via Clerk)
  • Profile photo (optional)
  • IP address, user-agent string, and MFA factors collected by Clerk during authentication

Customer data

  • Domains, company names, and watchlists you submit for scoring
  • Workflow definitions and Autopilot configuration
  • API request bodies you send to our scoring endpoints
  • Person-scoring inputs (name, LinkedIn URL, title) if you use the people-scoring feature

Billing

  • Your plan name and credit balance (stored in our database)
  • Card last 4 digits, expiry, and brand — held by Polar.sh; we receive event metadata only, never raw card data

Product telemetry

  • Page views, button clicks, and feature-usage events (via PostHog, self-hosted in EU)
  • API request metadata: endpoint, latency, status code — payloads are never logged

Communications

  • Support emails and in-product feedback you send us

03How we use it

We use your data only for the purposes below. Where GDPR applies, we identify the lawful basis for each:

  • Provide the Service — score companies, run Autopilot, serve the dashboard. Contract.
  • Bill you — process payments, apply credits, send invoices. Contract / Legal obligation.
  • Improve the product — analyse aggregate usage patterns to prioritise features and fix bugs. Legitimate interest.
  • Communicate with you — send transactional emails (receipts, expiry warnings), product updates you opt into. Legitimate interest / Consent.
  • Comply with law — retain billing records, respond to lawful requests. Legal obligation.

We do not sell your data, use it to train third-party machine-learning models, or share it with advertisers. Ever.

04Cookies & analytics

We use a small number of first-party cookies. We do not use Google Analytics, Meta Pixel, or any third-party ad-tracking scripts.

Cookie / storagePurposeLifetime
__clerk_sessionAuth session token7 days
__clerk_csrfCSRF protectionSession
iq_prefsUI preferences (theme, collapsed panels)1 year
_iq_anonAnonymous usage analytics30 days

Analytics are powered by PostHog, self-hosted in the EU. Event data never leaves EU infrastructure. You can opt out of product analytics in Settings → Privacy.

05Sharing & subprocessors

We share data only with the subprocessors listed on our Subprocessors page. These are companies that help us operate the Service (cloud infrastructure, auth, payments, email delivery, analytics). We give each subprocessor only the minimum data they need to perform their service.

We will notify you at least 30 days before adding a new subprocessor that processes personal data, via the email on your account and a notice in the product. You may object by terminating per Section 10 of the Terms.

06AI processing

When you request a score, the company domain and signal data are sent to Anthropic to generate a human-readable summary and recommended action. We:

  1. 1.Use Anthropic’s zero-data-retention API configuration — prompts and completions are not stored or used for training by Anthropic
  2. 2.Never include API keys, billing information, or user PII in prompts sent to Anthropic
  3. 3.Allow you to disable AI summaries entirely in Settings → AI; doing so replaces summaries with the raw signal data

Anthropic’s handling of any data that passes through their API is governed by their Privacy Policy and our DPA addendum with them.

07International transfers

VesperWise is operated from Egypt and the United States. Our production infrastructure runs on AWS us-east-1. If you are in the EEA or UK, your data is transferred to the US under the Standard Contractual Clauses (EU 2021/914) incorporated into our DPA.

We are targeting an EU-region deployment (Frankfurt, eu-central-1) in Q3 2026 to allow EEA customers to keep data on-continent. We will announce this in the product when available.

08Your rights

One-click delete. Settings → Account → Delete account triggers a full purge of your Customer Data within 30 days. No email required.

Depending on your location, you may have the right to:

  • Access — receive a copy of the personal data we hold about you
  • Correct — update inaccurate or incomplete data
  • Delete — request deletion; we’ll purge Customer Data within 30 days and retain only what law requires
  • Export — download your account data in JSON format from Settings → Account → Export
  • Object — object to processing based on legitimate interest
  • Withdraw consent — where processing is based on consent (e.g. marketing emails), withdraw at any time
  • Lodge a complaint — with your local data protection authority if you believe we have mishandled your data

To exercise any right, email privacy@intentiq.dev. We will respond within 30 days. We may ask you to verify your identity before fulfilling a request.

09Retention

We keep your data for as long as your account is active. After you close your account:

  • Customer Data (domains, watchlists, scores, workflows) — deleted within 90 days
  • Billing records — retained for 7 years to comply with tax and financial regulations
  • Aggregate analytics — retained indefinitely in non-identifying, aggregated form (e.g. “median latency in week X”)

10Security

We protect your data using industry-standard controls:

  • In transit — TLS 1.3 on all connections
  • At rest — AES-256 encryption via Supabase
  • API keys — SHA-256 hashed; we never store plaintext keys
  • Passwords — Argon2id hashed by Clerk; we never see your password
  • Access control — Row-Level Security in Postgres; employees access data only to resolve support issues

See our Security page for full details including penetration testing, incident response, and bug bounty information.

In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Art. 33.

11Children

VesperWise is a B2B product intended for business professionals. We do not knowingly collect personal data from anyone under 16. If you believe a minor has provided us with data, please contact privacy@intentiq.dev and we will delete it promptly.

12Changes & contact

We may update this Privacy Policy from time to time. Material changes will be announced at least 30 days in advance by email to your account owner and notice in the product. The “last updated” date in the banner reflects the most recent revision.

Data controller

VesperWise Labs, Inc. · 340 Brannan St., 4th fl., San Francisco, CA 94107

Data Protection contact

privacy@intentiq.dev — replies come from Abdel-Rahaman directly. We aim to respond within 2 business days.

Questions? privacy@intentiq.dev
Terms →DPA →Security →