The full picture of your data.

1. Categories of data

• Identity data — name, email, account identifier.
• Practice data — journals, reflections, session records, domain scores.
• Usage data — page views, feature events, device and browser metadata.
• Support data — messages you send to our team, including attachments you share.
• Billing data — processed by our payments provider; we store only the receipt and the last four digits of your card.

2. The Integro Analytics Program

The Integro Analytics Program is opt-in and collects de-identified metadata to improve the Platform. Public Site analytics and similar third-party tracking technologies are disabled unless and until you affirmatively consent. Through this program, we may collect:

• Device type, operating system, browser type, and app version
• General usage statistics (feature usage, session duration, navigation flow)
• Performance, diagnostic, and crash logs
• Aggregated interaction data
• General geographic region (country or state level only — not precise location)

We do not collect direct identifiers (name, email, precise location) as part of metadata analytics under this program. Participation is opt-in; you will be given the opportunity to consent when you create an account.

3. What “de-identified” means

De-identified metadata means information that:

• Cannot reasonably be used to infer information about, or be linked to, a specific individual or household
• Has had direct and indirect identifiers removed
• Is subject to technical safeguards and internal policies designed to prevent reidentification
• Is not used by us to attempt to reidentify any individual

We maintain de-identified data in compliance with applicable law, and we prohibit reidentification except for testing or validation of our deidentification processes.

4. Reidentification risk

No deidentification method can guarantee zero risk in all theoretical scenarios. We reduce reidentification risk by removing direct identifiers, limiting data granularity (general geographic region instead of precise location), aggregating data where feasible, applying technical controls and access restrictions, and maintaining internal policies that prohibit intentional reidentification.

5. How de-identified data is used

We use de-identified metadata solely for legitimate business purposes, including:

• Improving Platform functionality and performance
• Debugging and error resolution
• Security monitoring and fraud prevention
• Internal analytics and product development
• Research and feature enhancement

6. No sale or advertising use

We do not sell personal data or de-identified metadata. We do not share, disclose, rent, or provide data to advertisers for cross-context behavioral advertising or targeted advertising. We do not use metadata for advertising profiling.

If we ever decide to sell data or use it for advertising, we will update this policy with clear advance notice and obtain your affirmative opt-in consent. You will have the opportunity to decline without penalty.

7. Subprocessors

We use the following vetted providers to operate the service. Each is bound by a data-processing agreement and handles data only as we instruct.

• Amazon Web Services — application hosting and backup storage (US regions).
• Anthropic — the AI model provider behind Tegra.
• Stripe — subscription billing and card processing.
• Postmark — transactional email (sign-in links, receipts, safety notices).
• Sentry — error and crash reporting.
• Plausible — optional privacy-respecting, cookieless analytics, loaded only after opt-in where enabled.

When we add or replace a subprocessor, we update this page and post a notice in-app at least 30 days before the change takes effect.

8. How data flows

Practice data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access within Integro is limited to a small set of engineers and support staff, governed by role-based controls and logged centrally.

9. Exports & deletion

You can request a full export of your data at any time from Me → Data & Privacy → Your Data. Exports are delivered as a zipped JSON archive with an accompanying HTML reader. Deletion follows the timeline described in our Privacy Policy.

10. Data retention

We retain de-identified metadata only as long as reasonably necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law.

11. Legal bases (EEA/UK)

For users in the European Economic Area and the United Kingdom, our lawful bases for processing are: (a) contract, to deliver the service you signed up for; (b) legitimate interests, to keep the service safe and improve it; and (c) consent, for optional marketing emails, non-essential cookies, and Analytics Program participation.

12. Your rights

Depending on where you live, you may have rights regarding your personal data, including the right to know what is collected, access or correct it, request deletion, opt out of its sale, and not be discriminated against for exercising your rights. Contact us at privacy@integro.today to exercise any of these rights.

Questions about this document? Reach us at legal@integro.today.