Intellisha, Inc. ("Intellisha," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our autonomous AI legal contract review platform (collectively, the "Services").
We operate under the principle of Privacy by Design — meaning data protection and security are embedded into our platform architecture from the ground up, not added as an afterthought. This policy is written in clear language to help you make informed decisions about your data.
By using the Services, you consent to the data practices described in this Privacy Policy.
2. Information We Collect
We collect information in the following ways:
2.1 Information You Provide Directly
• Account Registration: Name, email address, company name, job title, and password when you create an account.
• Customer Data: Contracts, legal playbooks, and any other documents or data you upload or process through the Services.
• Communications: Messages, inquiries, and feedback you send to our team via email or our Contact form.
• Payment Information: Billing address and payment details (processed by our PCI-compliant payment provider; we do not store full card numbers).
2.2 Information Collected Automatically
• Usage Data: Pages visited, features used, session duration, click-stream data, and error logs.
• Device & Technical Data: IP address, browser type, operating system, device identifiers, and timezone.
• Cookies & Tracking Technologies: See our Cookie Policy for details.
2.3 Information from Third Parties
• Single Sign-On (SSO) providers (e.g., Google, Microsoft) may share your profile information when you choose to authenticate via those services.
3. How We Use Your Information
We use the information we collect for the following purposes:
• Service Delivery: To authenticate your identity, operate the platform, process your contracts, and provide AI-generated redlining and analysis.
• Product Improvement: To understand how users interact with the platform and identify areas for enhancement. We use aggregated, anonymized analytics — never raw Customer Data.
• Customer Support: To respond to your inquiries, troubleshoot issues, and provide technical assistance.
• Security & Fraud Prevention: To monitor for unauthorized access, detect anomalous activity, and protect the integrity of the Services.
• Communications: To send essential service notifications, security alerts, and — with your consent — product updates and marketing communications.
• Legal Compliance: To comply with applicable laws, regulations, and lawful government requests.
• Billing: To process payments and send invoices.
We will never:
• Sell your personal data to third parties.
• Use your Customer Data (contracts, playbooks) to train our AI models.
• Share your data for advertising purposes.
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA) and other applicable jurisdictions, we process your personal data on the following legal bases:
• Contractual Necessity: Processing required to fulfil our obligations to you under the Terms of Service (e.g., delivering the Services, processing payments).
• Legitimate Interests: Processing for fraud prevention, security monitoring, and product analytics, where our interests do not override your fundamental rights.
• Consent: Processing for marketing communications and non-essential cookies, where we have obtained your explicit prior consent. You may withdraw consent at any time.
• Legal Obligation: Processing required to comply with applicable law, court orders, or regulatory requirements.
5. How We Share Your Information
We do not sell, rent, or trade your personal information. We may share your data in the following limited circumstances:
Service Providers (Sub-processors)
We engage trusted third-party companies to assist in operating our Services. These include:
• Amazon Web Services (AWS) & Amazon Bedrock — Cloud infrastructure, AI model inference, and data storage. All data processed via Bedrock is subject to AWS's enterprise data isolation commitments.
• Payment Processors — Stripe or equivalent PCI-DSS-certified processors for billing.
• Analytics Providers — Aggregated, anonymized usage analytics tools.
• Communication Tools — Email delivery services for transactional notifications.
All sub-processors are bound by data processing agreements (DPAs) that require them to maintain the confidentiality and security of your data.
Legal Requirements
We may disclose your information if required to do so by law, subpoena, or regulatory order, or to protect the rights, property, or safety of Intellisha, our users, or the public. To the extent permitted by law, we will notify you before complying.
Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity, which will remain bound by this Privacy Policy.
6. Data Security
We implement technical and organizational measures designed to protect your personal information from unauthorized access, disclosure, alteration, or destruction:
• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
• Encryption at Rest: All Customer Data stored on AWS is encrypted using AES-256.
• Access Controls: Role-based access control (RBAC) ensures that only authorized personnel can access systems containing personal data, on a strict need-to-know basis.
• Security Audits: We conduct regular penetration testing and third-party security assessments.
• Compliance: Our infrastructure is designed to support SOC 2 Type II and ISO 27001 compliance standards.
No security system is impenetrable. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and relevant supervisory authorities as required by applicable law.
7. Data Retention
We retain your personal data only for as long as necessary to provide the Services and fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required by law.
• Account Data: Retained for the duration of your subscription and for up to 90 days after account termination to allow for data export.
• Customer Data (Contracts & Playbooks): Deleted within 30 days of account termination or upon your explicit request, whichever is sooner.
• Usage & Analytics Data: Retained in aggregated, anonymized form for up to 24 months for product improvement purposes.
• Financial Records: Retained for 7 years as required by applicable tax and accounting regulations.
You may request deletion of your account and associated data at any time by contacting us at legal@intellisha.com.
8. Your Privacy Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
• Right to Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to legal retention obligations.
• Right to Restriction: Request that we limit the processing of your data in certain circumstances.
• Right to Portability: Receive your data in a structured, commonly used, machine-readable format.
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent: Withdraw consent to marketing communications at any time via the unsubscribe link in any email or by contacting us.
To exercise any of these rights, please contact us at legal@intellisha.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.
9. International Data Transfers
Intellisha is headquartered in India. If you access our Services from outside India, your data may be transferred to, stored, and processed in India or other countries where our service providers operate, including the United States (via AWS).
For transfers of personal data from the EEA or United Kingdom, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission. By using our Services, you acknowledge and consent to the transfer of your information to countries that may have different data protection laws than your own.
10. Children's Privacy
The Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take immediate steps to delete such information. If you believe a child has provided us with personal information, please contact us at legal@intellisha.com.
11. Third-Party Links
The Services may contain links to third-party websites or integrations with third-party services. This Privacy Policy does not apply to those third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access.
12. Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email or by displaying a prominent notice in the Services at least 15 days before the changes take effect. The date of the most recent revision is indicated at the top of this page. We encourage you to review this Policy periodically.
13. Contact & Data Protection Officer
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Intellisha, Inc. — Privacy Team
Email: legal@intellisha.com
Address: Pune, Maharashtra, India
We are committed to working with you to resolve any concerns about your privacy. If you are not satisfied with our response, you have the right to contact your local data protection authority.