InterPegasus — Privacy Policy
Effective Date: May 22, 2026
Last Updated: May 22, 2026
This Privacy Policy describes how [InterPegasus, Inc.] (a [Washington] corporation; "InterPegasus," "we," "our," or "us") collects, uses, discloses, retains, and protects personal information when you access or use our websites, mobile applications, application-programming interfaces, and related online products and services (collectively, the "Services"), and the rights you have regarding that information.
This Privacy Policy is incorporated by reference into our Terms of Service. Capitalized terms not defined here have the meanings given in the Terms of Service.
If you are located in the European Economic Area, the United Kingdom, or Switzerland, see Section 12 for additional GDPR/UK-GDPR/Swiss FADP information. If you are a California resident, see Section 13 for additional CCPA/CPRA information. If you are a Washington resident, see Section 14 — including specific disclosures required by Washington's My Health My Data Act (if applicable to your interactions) and the Washington Biometric Privacy Act.
1. Scope
This Privacy Policy covers personal information about:
- End users of the Services (consumer accounts);
- Business users, including representatives of organizations that subscribe to paid Services;
- Visitors to our marketing sites; and
- Job applicants, where applicable (see Section 15).
It does not cover information collected by third-party websites, applications, or services, even when linked from the Services. Each of those is governed by the operator's own privacy policy.
2. Information We Collect
We collect three categories of personal information.
2.1 Information You Provide Directly
| Category | Examples | Where Collected |
|---|---|---|
| Account information | Name, email, password (stored hashed), phone, profile photo, organization name, role | Signup, profile edits |
| Payment information | Billing address, last 4 digits of payment method, transaction history. Full card numbers go directly to our PCI-compliant payment processor and are not retained by InterPegasus | Subscriptions, paid features |
| User Content | Text, images, files, datasets, AI Prompts, AI Output you save | Service use |
| Support communications | Email content, chat logs, attachments, screenshots | Contacting support |
| Marketing preferences | Newsletter opt-ins, communication channel selections | Settings, signup |
| Survey and research data | Voluntary feedback, interview transcripts | Optional research |
2.2 Information Collected Automatically
| Category | Examples |
|---|---|
| Device and connection | IP address (and approximate location derived from it), device type, OS, browser, language, time zone, screen size, referring URL |
| Usage | Pages and features accessed, click paths, dwell time, search queries within the Services, error reports, crash logs, performance metrics |
| Cookies and similar technologies | Session cookies, persistent preference cookies, security tokens, analytics identifiers, advertising identifiers (only with consent) — see Section 6 |
| Authentication signals | Login timestamps, originating IP, multi-factor-authentication events |
We do not collect precise geolocation (GPS coordinates) unless you grant device-level permission for a specific feature that requires it.
2.3 Information from Third Parties
| Source | Examples |
|---|---|
| Identity providers (Google, Apple, Microsoft SSO) | Email, name, profile photo, OAuth token — only the scopes you authorize |
| Payment processors (Stripe, PayPal, Apple Pay, Google Pay) | Tokenized payment method, billing status, fraud signals |
| Analytics and product-telemetry providers (e.g., Google Analytics in privacy-preserving mode, our internal pipelines) | Aggregated or pseudonymous usage |
| Anti-abuse and fraud-prevention providers | Risk scores, suspected-bot signals, reCAPTCHA assertions |
| Public sources | When you publish User Content publicly, that User Content is by definition public |
3. How We Use Information
We use personal information for the following purposes:
- Service operation — authenticate you, provision your Account, deliver requested features, render User Content, route Prompts to AI providers, store and back up Content.
- Service improvement — diagnose bugs, measure latency and error budgets, evaluate new features, refine AI quality. We use de-identified or aggregated data for these purposes wherever feasible.
- Security and abuse prevention — detect and block fraud, unauthorized access, spam, harassment, and policy violations.
- Customer support — respond to your inquiries, troubleshoot, and operate our help-desk systems.
- Communications — send transactional messages (e.g., billing receipts, password resets, security alerts) and, with consent where required, marketing messages.
- Personalization — remember your preferences and adapt the interface (does not include third-party advertising targeting in the default configuration).
- AI model training and evaluation — only if you have opted in (or have not opted out where opt-out is the legal default), we use de-identified Prompts and AI Output to evaluate and improve our Services and AI features. See Section 7.
- Legal compliance — comply with our legal obligations, respond to lawful government requests, and enforce our Terms.
- Corporate transactions — facilitate or evaluate merger, acquisition, financing, reorganization, or sale of assets, subject to confidentiality.
We do not use your personal information to:
- Sell it to data brokers for cross-context behavioral advertising;
- Profile you for high-stakes decisions (credit, employment, insurance, housing) without your explicit, separate consent;
- Train third-party large language models in a way that exposes your Prompts or User Content to those third parties for their independent benefit.
4. Legal Bases (GDPR / UK-GDPR / Swiss FADP)
Where the GDPR or analogous law applies, we rely on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Account creation, Service delivery, billing | Performance of a contract (Art. 6(1)(b)) |
| Security, abuse prevention, fraud detection | Legitimate interests (Art. 6(1)(f)) |
| Service improvement, analytics (aggregated) | Legitimate interests (Art. 6(1)(f)) |
| Marketing emails (where consent is required) | Consent (Art. 6(1)(a)) |
| Cookies for advertising or non-essential analytics | Consent (Art. 6(1)(a)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
| AI training using personal Prompts | Explicit consent (Art. 6(1)(a)); we do not rely on legitimate interests for this purpose |
You may withdraw consent at any time without affecting the lawfulness of prior processing. See Section 11 for how to exercise rights.
5. How We Share Information
We share personal information in the following limited circumstances and only with contractual safeguards required by applicable law (e.g., data-processing agreements, SCCs).
| Recipient Category | Purpose | Safeguards |
|---|---|---|
| Cloud-infrastructure providers (Google Cloud Platform) | Hosting, compute, storage, database | DPA, SCCs, encryption-in-transit and at-rest |
| AI model providers (e.g., OpenAI) | Routing Prompts to model APIs and receiving AI Output. We send only the inputs you submit and disable provider-side training where the provider supports it | DPA, contractual prohibition on the provider training models on our data |
| Payment processors (Stripe, PayPal, etc.) | Authorize and settle payments | PCI-DSS compliance, tokenization |
| Analytics and observability vendors | Crash reporting, performance monitoring, error tracking | DPA, IP truncation where supported |
| Customer-support and email vendors (e.g., Mailgun) | Deliver transactional and (with consent) marketing email | DPA, encryption in transit |
| Anti-abuse providers (e.g., reCAPTCHA) | Bot detection, fraud scoring | DPA, minimum-necessary signals |
| Professional advisors (auditors, attorneys, accountants) | Audits, legal compliance, advice | Professional confidentiality, NDAs |
| Affiliates under common ownership | Operational support | Internal data-handling standards |
| Legal compliance | Respond to subpoenas, court orders, lawful government requests; protect rights, property, and safety | Validity review; pushback on overbroad requests; transparency where lawful |
| Corporate transactions | Due diligence, post-closing operation | Confidentiality; successor entity must honor this Privacy Policy or provide notice and opt-out for material changes |
| With your direction | Integrations, public sharing | As configured by you |
We do not sell personal information for money. We do not engage in cross-context behavioral advertising as defined by CCPA/CPRA in the default configuration. If we ever change either of these positions, we will give clear notice and, where required by law, obtain consent or provide opt-out.
6. Cookies and Similar Technologies
We use cookies and similar technologies (web beacons, local storage, SDK identifiers) in three categories:
- Strictly necessary — authentication, security, load balancing. Cannot be disabled without breaking the Service.
- Functional — remember your preferences (language, theme). Set by default.
- Analytics and performance — measure usage and detect errors. Where the law requires opt-in consent (EEA, UK, Switzerland, California for non-essential analytics), we obtain consent through our cookie banner.
We do not use advertising cookies by default. If we add an advertising-cookie feature, we will update this Privacy Policy, present the choice in the cookie banner, and honor browser-level Global Privacy Control (GPC) signals as an opt-out.
You can manage cookie preferences via the cookie banner (after first visit) and by clearing cookies in your browser. Note that opting out may degrade functionality.
7. AI Features — Specific Privacy Practices
7.1 Prompts and AI Output
When you submit a Prompt, we route the Prompt (with any attached files) to the AI model provider configured for the feature. We disable provider-side training on our account's data wherever the provider supports it. AI Output is returned to your Account and stored consistent with our retention schedule.
7.2 Prohibited Inputs
You agree not to submit prohibited inputs as described in our Terms of Service Section 7.1, including PHI under HIPAA, biometric or consumer-health data, information of children under 13, government identifiers, full payment-card numbers, or third-party confidential information.
7.3 Training on Your Data
We do not train AI models on your Prompts or User Content by default. If we offer opt-in training in the future, we will (a) ask for explicit consent, (b) describe what data is used and how, (c) provide a meaningful opt-out, and (d) honor your withdrawal of consent prospectively.
7.4 Human Review
A limited number of authorized InterPegasus personnel and contractors (each under confidentiality obligations) may review Prompts and AI Output to investigate abuse, debug critical issues, and improve safety filters. This review is logged and audited.
8. Children's Privacy
The Services are not directed to children under 13. We do not knowingly collect personal information from anyone under 13. If we learn that we have collected such information without verified parental consent in accordance with the Children's Online Privacy Protection Act (COPPA) and its implementing regulations, we will promptly delete it.
For users between 13 and the age of majority in their jurisdiction, certain features may require parental or guardian permission. In jurisdictions where 16 is the digital-consent age (e.g., EU/EEA, U.K., several U.S. states), we do not knowingly process personal information of users under 16 without verified parental consent for purposes that require consent.
If you are a parent or guardian and believe your child has provided personal information without your consent, contact [privacy@interpegasus.com] and we will delete it.
9. Data Retention
We retain personal information only as long as needed to fulfill the purposes for which it was collected, plus any period required by law. Specific retention windows:
| Data | Default Retention |
|---|---|
| Account profile | Lifetime of Account; deleted within 30 days of Account closure |
| User Content (active) | While in your Account; deleted within 30 days of Account closure or User Content deletion |
| Backups containing User Content | Rolling 90 days, then irreversibly deleted |
| Prompts and AI Output | 30 days for free-tier; 90 days for paid plans by default, or per your retention setting; subject to "abuse review" hold up to 12 months for flagged content |
| Billing records | 7 years (tax / audit) |
| Server logs (truncated IP) | 90 days |
| Security incident records | As long as the matter remains open, plus 3 years after closure |
| Marketing-consent records | While the consent is active, plus 3 years after withdrawal |
| Support tickets | 3 years |
| Legal-hold data | Until the hold is released |
You can request earlier deletion via Section 11 — we will honor it unless required to retain by law.
10. Security
We implement administrative, technical, and physical safeguards designed to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, and unauthorized access. Controls include:
- TLS 1.2+ encryption in transit; AES-256 at rest;
- Multi-factor authentication for all production access;
- Least-privilege access controls, audit logging, and quarterly access reviews;
- Vulnerability scanning, dependency updates, secret scanning, and pre-commit secret detection (gitleaks);
- Coordinated vulnerability disclosure with researchers (see Terms of Service Section 12);
- Annual penetration testing;
- Vendor security assessments for processors handling sensitive data;
- Incident-response runbooks with defined SLAs.
No security control is perfect. If we determine that a security incident materially affected your personal information, we will notify you and the relevant authorities as required by applicable law (e.g., Washington's breach-notice statute, RCW 19.255 et seq.; the CCPA/CPRA notice rules; GDPR Art. 33–34; and equivalent statutes).
11. Your Privacy Rights
Depending on where you live, you may have some or all of the following rights regarding your personal information:
- Access / Know — request a copy of the personal information we hold about you;
- Correction / Rectification — correct inaccurate or incomplete information;
- Deletion / Erasure — request that we delete personal information about you;
- Portability — receive your personal information in a portable, machine-readable format;
- Restriction / Object — restrict or object to certain processing, including direct-marketing processing;
- Withdraw consent — withdraw a consent you previously gave;
- Opt-out of sale or sharing — though we do not sell personal information for money and do not engage in cross-context behavioral advertising in the default configuration, you may submit a verifiable request to confirm this;
- Opt-out of automated decision-making with legal or similarly significant effects — we do not engage in such automated decision-making in the default configuration;
- Non-discrimination — we will not penalize you for exercising any of these rights;
- Appeal — if we deny a rights request, you may appeal as described in our response.
How to submit a request:
- Email [privacy@interpegasus.com] with the subject "Privacy Request"; or
- Use the in-product privacy controls in your Account settings (where available).
We verify identity proportionate to the sensitivity of the request. For Account-based requests, we typically verify via signed-in session and email confirmation. For more sensitive requests, we may require additional identity proofing. Authorized agents may submit requests with written authorization, subject to the agent-verification provisions of CCPA/CPRA (California) and analogous state laws.
We respond within 45 days (or 30 days for Washington and EEA/UK/Swiss requests where shorter periods apply), extendable by an additional 45 days where reasonably necessary, with notice.
12. EEA, U.K., and Swiss Residents (GDPR / UK-GDPR / FADP)
If you are located in the EEA, U.K., or Switzerland:
- Controller: [InterPegasus, Inc.] is the controller of your personal information in connection with the Services.
- EU Representative: [InterPegasus EU Representative, B.V., Address] (Art. 27 GDPR); contact [eu-rep@interpegasus.com]. (Required only if we offer Services to EEA users without an EU establishment — confirm before publication.)
- UK Representative: [Same / different — confirm].
- Lead Supervisory Authority (for one-stop-shop, where applicable): [TBD — confirm with counsel based on EU establishment].
- International Transfers: We transfer personal information to the United States and other countries that may not provide an equivalent level of protection. We rely on Standard Contractual Clauses (SCCs) and, where applicable, the EU–U.S. Data Privacy Framework and the U.K. Extension and Swiss Data Privacy Framework. A copy of the SCCs we use is available on request.
- Complaints: You may lodge a complaint with your local supervisory authority. We request that you contact us first so we can attempt to address the issue.
13. California Residents (CCPA / CPRA)
This section is required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"). Capitalized terms not defined here have the meanings given in the statute.
13.1 Categories Collected in the Last 12 Months
| Statutory Category | Examples | Sources | Purposes |
|---|---|---|---|
| Identifiers | Name, email, IP, account ID | Direct, automatic | Service operation, security |
| Personal information (Cal. Civ. Code § 1798.80(e)) | Billing address, payment-method last 4 | Direct, processors | Billing |
| Protected classifications (limited) | Voluntary self-ID in research surveys only | Direct, optional | Research |
| Commercial information | Subscription history, purchase records | Direct, processors | Billing, support |
| Internet activity | Pages viewed, click paths, error logs | Automatic | Service improvement |
| Geolocation (approximate) | City-level derived from IP | Automatic | Localization, fraud |
| Audio/visual | Support call recordings (if you opt in) | Direct | Support QA |
| Professional/employment | Job-applicant data (Section 15) | Direct | Recruiting |
| Education | Voluntary in profile | Direct | Personalization |
| Inferences | Feature-usage patterns | Derived | Personalization |
| Sensitive personal information (SPI) | Account credentials, precise geolocation (only if device permission granted) | Direct, automatic | Authentication; only retained as long as necessary |
We retain each category per the schedule in Section 9.
13.2 Sale and Sharing
We do not sell personal information for monetary consideration. We do not share personal information for cross-context behavioral advertising. If we ever change either practice, we will update this Privacy Policy and provide an opt-out via a clearly labeled "Do Not Sell or Share My Personal Information" link.
13.3 Use of Sensitive Personal Information
We use SPI only for the purposes permitted by Cal. Civ. Code § 1798.121(a) (i.e., to provide the goods or services reasonably expected, security, integrity, etc.). You have the right to limit our use of SPI; submit such requests as described in Section 11.
13.4 California Shine the Light
California Civil Code § 1798.83 permits California residents to request a notice disclosing the categories of personal information shared with third parties for the third parties' direct-marketing purposes. We do not share personal information for such purposes, so no such notice is required.
14. Washington Residents
14.1 My Health My Data Act (RCW 19.373)
Applicability: The MHMDA applies to "consumer health data," defined to include personal information that identifies a consumer's past, present, or future physical or mental health status, and a broad set of related signals (e.g., location data identifying a visit to a health-care facility).
Our position: InterPegasus does not, in the default configuration, collect data intended to identify your physical or mental health status. If you submit content that includes health information (for example, by including health data in a Prompt or User Content), we do not knowingly use, share, or sell that information, and we direct you to delete such inputs.
If, in the future, we add a feature that materially processes consumer health data (as defined by MHMDA), we will: (a) update this Privacy Policy with the disclosures MHMDA requires; (b) obtain affirmative consent before collection beyond what is necessary to provide the feature; (c) obtain a separate affirmative authorization before any sharing; and (d) offer a clearly accessible Consumer Health Data Privacy Policy as required by RCW 19.373.020.
14.2 Biometric Information (RCW 19.375)
We do not enroll, collect, or capture biometric identifiers (fingerprints, voiceprints, faceprints, retina or iris scans, or DNA) in the default configuration. If we add a feature that does so, we will provide prior notice and obtain consent as required by RCW 19.375.020.
14.3 Washington Breach Notice (RCW 19.255)
If we suffer a breach of the security of unencrypted personal information of a Washington resident, we will notify the affected individuals and, where required, the Washington Attorney General within the statutory timeframe.
14.4 Washington Rights Generally
Washington residents may exercise the rights described in Section 11. We will honor any future Washington consumer-data-protection statute as of its applicable effective date.
15. Job Applicants
If you apply for a position with InterPegasus, we collect the information you provide on your application (resume, CV, cover letter, references) plus information from authorized third parties (background-check provider, after consent; references you nominate). We use this information solely to evaluate your application, communicate with you, and comply with employment laws. We retain applicant data for the period required by law (and no longer than four years after the close of the relevant recruitment) unless you have agreed to retention for future opportunities.
For California-resident applicants, your CCPA/CPRA rights as described in Section 13 apply to applicant data with the limitations stated in the statute.
16. Do-Not-Track and Global Privacy Control
Our websites currently do not respond to browsers' Do-Not-Track ("DNT") signals because there is no industry consensus on how DNT should be implemented. We do honor the Global Privacy Control (GPC) signal as an opt-out of sale and sharing where applicable law treats GPC as such an opt-out.
17. Notice of Material Changes
We will post any changes to this Privacy Policy with an updated "Last Updated" date. For material changes that expand the use or sharing of personal information beyond what was previously disclosed, we will provide at least 30 days' advance notice (by email, in-product notice, or homepage banner) and, where required by law, obtain consent before the change takes effect for your data.
18. Contact and Data Protection Officer
| Role | Contact |
|---|---|
| Privacy / Data Subject Requests | [privacy@interpegasus.com] |
| Data Protection Officer | [dpo@interpegasus.com] |
| Security incidents (researchers) | [security@interpegasus.com] |
| General Legal | [legal@interpegasus.com] |
| Mail | InterPegasus, Inc., Attn: Privacy, [STREET ADDRESS, SEATTLE, WA ZIP] |
We aim to respond to privacy inquiries within 5 business days.
This Privacy Policy is also available at interpegasus.com/privacy. By using the Services, you acknowledge that you have read and understood this Privacy Policy.