Privacy Policy
Effective date: May 25, 2025 · Last updated: May 25, 2025
1. Who we are
IntakeAI ("we", "our", "us") provides an AI-powered legal intake service for law firms. We are a data processor acting on behalf of subscribing law firms (the data controllers). Questions: privacy@getintake.ai
2. What data we collect and how
Audio
Caller audio is streamed in real-time to AssemblyAI's voice AI and processed entirely in memory. Audio is never written to disk or stored in any database — by IntakeAI or AssemblyAI. No recordings exist after the call ends.
Transcripts
The text transcript of each call is stored in IntakeAI's encrypted database and transmitted to the subscribing firm's Clio or MyCase account as an intake note. Transcripts are retained for 90 days and then permanently deleted.
Lead data
Caller name, phone number, case type, case summary, urgency level, and preferred callback time are collected during the intake call and stored in IntakeAI's database for the subscribing firm's access. This data is never sold or shared beyond the firm's connected CRM.
Firm account data
Law firm contact email, phone number, practice areas, and business hours are stored to configure the AI receptionist. OAuth access tokens for Clio, MyCase, Google Calendar, and Microsoft Calendar are stored encrypted and used only to sync lead data on the firm's behalf.
3. How we use your data
- Conducting AI-powered legal intake calls on behalf of subscribing firms
- Syncing lead data to the firm's CRM (Clio, MyCase)
- Booking calendar consultations via Google or Microsoft Calendar
- Sending SMS follow-ups to callers via Twilio on behalf of the firm
- Operating and improving the IntakeAI service
We do not use caller data for advertising, sell data to third parties, or train AI models on call content.
4. Third-party processors
| Provider | Role | Data |
|---|---|---|
| Vercel | Web hosting (US) | Web traffic, no call data |
| Railway | WebSocket server (US) | Real-time call routing |
| Neon PostgreSQL | Database (US) | Leads, transcripts, firm config |
| AssemblyAI | Voice AI (US) | Audio stream — real-time only, no retention |
| Twilio | Telephony & SMS (US) | Phone numbers, SMS messages |
| Resend | Transactional email (US) | Magic-link login emails |
| Google / Microsoft | Calendar (if connected) | Calendar event data per firm auth |
| Clio / MyCase | CRM (if connected) | Lead data per firm auth |
All data residency: United States.
5. Data retention
- Audio: Never stored — zero retention
- Transcripts: 90 days, then permanently deleted
- Lead data: Retained while firm account is active; deleted within 30 days of account closure
- Firm account data: Retained while account is active; deleted on request
6. Your rights (CCPA)
California residents and callers have the right to:
- Know what personal data we hold about you
- Delete your personal data from our systems
- Opt out of sale of your data (we do not sell data)
- Non-discrimination for exercising these rights
To exercise these rights, contact privacy@getintake.ai. We respond within 45 days.
7. Security
We use HTTPS everywhere, encrypted databases, secrets stored in platform environment variables (never in source code), and follow OWASP secure coding guidelines. See our Security Policy for full details.
8. Changes to this policy
We will notify subscribing firms of material changes via email at least 14 days before they take effect. Continued use constitutes acceptance.
9. Contact
Privacy inquiries: privacy@getintake.ai
IntakeAI · Morris County, NJ