Itura Privacy Policy

1. Who We Are and Our Role

• Data Controller vs. Data Processor: Under the General Data Protection Regulation (GDPR), it's important to understand our respective roles.
  • You (the User) are the Data Controller of the personal data you provide to Itura and the data within your connected third-party accounts (e.g., your emails, calendar events, project files). You determine the purposes and means of processing this data.
  • Itura is the Data Processor. We process this data on your behalf and strictly according to your instructions, which you provide by using the Service and as outlined in our Terms of Service.

2. Information We Collect

We collect information necessary to provide and improve our Service. This information is categorized as follows:

a) Information You Provide Directly:

• Account Information: When you create an Itura account, we collect your name, email address, and password.
• Payment Information: If you subscribe to a paid plan, our third-party payment processor (e.g., Stripe) will collect your payment card details. Itura does not store your full payment card information, but we may receive information like your billing address and transaction details.
• Communications: When you contact us for support, to provide feedback, or to exercise your data rights (e.g., by emailing contact@itura.ai or security@itura.ai), we collect the content of those communications.

b) Information from Connected Third-Party Services:

• Your Explicit Permission: The core functionality of Itura requires you to connect your accounts from other services like Gmail, Google Calendar, Microsoft Outlook, GitHub, Atlassian, and HubSpot (Third-Party Services).
• Data Accessed on Your Behalf: When you grant us access, we process data from these services to carry out your commands. Section 4 of this policy provides explicit detail on precisely what data we access and how we use it.
• Authentication Tokens: We securely store authentication tokens (not your passwords) that allow us to connect to your Third-Party Services. You can revoke this access at any time through your Itura account settings or directly within the respective Third-Party Service.

c) Information We Collect Automatically:

• Usage Data: We collect information about how you interact with the Service, such as the features you use, the commands you issue (your prompts), the AI-generated responses you receive, and timestamps of your activity. This helps us understand usage patterns and improve the Service.
• Device and Log Data: We may collect technical information like your IP address, browser type, operating system, and device information to ensure the security and reliability of our Service.

3. How We Generally Use Your Information

We use the information we collect for the following purposes:

• To Provide and Maintain the Service: To operate the Itura platform, execute your commands, connect to your Third-Party Services, and manage your account.
• To Improve and Develop the Service:
  • We analyze usage data to understand what works and what doesn't, allowing us to enhance features and user experience.
  • AI Model Training: As stated in our Terms of Service, we may use your prompts and the resulting AI-generated responses to train and improve our AI models. Crucially, we will never use any data retrieved from your connected Third-Party Services (such as the content of your emails, files, or calendar events) to train our AI models. You can opt out of this by emailing contact@itura.ai with the subject "Opt Out of AI Training Data".
• To Communicate With You: To send you service-related announcements, security alerts, and support messages.
• For Security and Fraud Prevention: To protect our Service, users, and the public from malicious or fraudulent activity.
• To Process Payments: To manage subscriptions, billing, and process payments for our paid plans.
• To Comply with Legal Obligations: To fulfill our legal requirements and respond to lawful requests from public authorities.

4. How Itura Accesses and Uses Data from Third-Party Services

This section provides explicit details on the actions Itura performs within your connected Third-Party Services.

Core Principle and Acknowledgment of AI Risk: Itura only initiates actions within your connected services in direct response to a command from you. The Service does not perform background actions autonomously without your explicit consent. The Service is designed to seek your explicit confirmation before executing potentially sensitive or destructive actions, such as sending an email, modifying critical data, or deleting a file. However, you must acknowledge that Itura is powered by generative artificial intelligence, a technology that is inherently probabilistic and prone to error.

This means there is a risk that the Service could misinterpret a command or, in some cases, fail to correctly prompt for confirmation, leading to an unintended action. While we make a best effort to build safeguards, this cannot be guaranteed. Therefore, the responsibility to manage this risk lies entirely with you. You must treat every interaction with Itura as provisional, and potentially leading to destructive and irreversible actions. It is your sole responsibility to carefully formulate your commands and to vigilantly review any action or content generated by the Service before you approve it, allow it to proceed, or rely on it. By using the Service, you understand and accept that Itura is not liable for unintended actions resulting from the inherent limitations of this technology, as detailed in our in our Terms of Service.

Below are examples of the permissions we request and why we need them, broken down by service type.

a) Email Services (e.g., Gmail, Microsoft Outlook)

• Purpose of Access: To read, search, summarize, draft, and send emails on your behalf based on your instructions.
• Actions Performed (based on your commands):
  • Read Email Content: To answer questions about or summarize an email. (e.g., "Summarize my last email from Jane Doe.")
  • Search Emails: To find specific information within your inbox. (e.g., "Find the email with the flight confirmation for my trip to London.")
  • Compose and Send Emails: To draft and send messages you dictate. (e.g., "Email my team and let them know I'll be 15 minutes late.") All AI-generated drafts require your review and explicit confirmation before being sent.
  • Modify Email Status: To archive, delete, or mark emails as read/unread. (e.g., "Archive all promotional emails from yesterday.")
• Data Used: Email body, subject line, sender, recipients, and timestamps.
• Google Gmail Specifics: Itura's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not use your Gmail data for advertising, and we do not allow humans to read this data unless it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or for the Service's internal operations with your explicit consent.

b) Calendar Services (e.g., Google Calendar, Microsoft Outlook Calendar)

• Purpose of Access: To create events, find available times, and manage your schedule as you direct.
• Actions Performed (based on your commands):
  • Read Calendar Events: To check your availability or get details about an event. (e.g., "What's on my schedule for tomorrow morning?")
  • Create Events: To add new events to your calendar. (e.g., "Schedule a meeting with David tomorrow at 3 PM to discuss the project budget.")
  • Modify and Delete Events: To update or cancel existing events. (e.g., "Move my 10 AM meeting to 11 AM." or "Cancel my dentist appointment on Friday.")
• Data Used: Event titles, times, attendees, descriptions, and locations.
• Google Calendar Specifics: Itura's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

c) Project Management & Code Repositories (e.g., Atlassian Jira, GitHub)

• Purpose of Access: To create, update, and manage tasks, issues, and code-related items.
• Actions Performed (based on your commands):
  • Read Issues/Tasks: To provide summaries or find specific items. (e.g., "Summarize the open high-priority bugs in the 'Mobile App' project.")
  • Create Issues/Tasks: To create new items from a prompt. (e.g., "Create a new Jira ticket to 'Fix the login button bug' and assign it to me.")
  • Update Issues/Tasks: To add comments, change status, or modify details. (e.g., "Add a comment to ticket #123 saying 'I am starting work on this now'.")
• Data Used: Issue titles, descriptions, assignees, project names, comments, and status.

d) CRM Services (e.g., HubSpot)

• Purpose of Access: To retrieve and update information about your customer relationships.
• Actions Performed (based on your commands):
  • Read Contact/Deal Data: To provide information about a customer or deal. (e.g., "What is the status of the Acme Corp deal?")
  • Create/Update Logs: To log activities like calls or meetings. (e.g., "Log a call with John Smith from Acme Corp about the contract renewal.")
• Data Used: Contact names, email addresses, company information, deal stages, and activity logs.

e) Cloud Storage Services (e.g., Google Drive, Microsoft OneDrive, Dropbox)

• Purpose of Access: To search for, summarize, and create files and documents on your behalf.
• Actions Performed (based on your commands):
  • Read/Download Files: To analyze or summarize the content of a document. (e.g., "Summarize the document named 'Q1 Report.docx'.")
  • Search for Files: To locate specific files within your storage. (e.g., "Find the presentation about the marketing plan.")
  • Create Files: To generate new documents based on your prompts. (e.g., "Create a new Google Doc with an outline for the new product launch.")
  • Manage Files/Folders: To organize your drive. (e.g., "Move the file 'draft.docx' to the 'Archive' folder.")
• Data Used: File content, filenames, metadata, and folder structure.
• Google Drive Specifics: Itura's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

5. How We Share Your Information

We do not sell your personal data. We only share your information with trusted third parties under the following limited circumstances:

• With Sub-processors: We use third-party vendors and services ("sub-processors") to provide the necessary hardware, software, networking, storage, and related technology required to run the Service. These sub-processors are contractually bound to protect your data and only process it according to our instructions.

  As of the Effective Date of this policy, our key sub-processors include:

  • Amazon Web Services (AWS): Cloud infrastructure and hosting (United States)
  • Google Cloud Platform (GCP): Cloud infrastructure and hosting (United States)
  • Microsoft Azure: Cloud infrastructure and hosting (United States)
  • Vercel: Web application hosting (United States)
  • OpenAI: AI model provider (United States)
  • Anthropic: AI model provider (United States)
  • Stripe: Payment processing (United States)
  • Amplitude: Analytics (United States)
• For Legal Reasons: We may disclose your information if we believe it is reasonably necessary to comply with a law, regulation, legal process, or governmental request; to enforce our Terms of Service; to protect the security or integrity of the Service; or to protect the rights, property, or safety of Itura, our users, or the public.
• Business Transfers: In the event of a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction.

6. Data Retention

We retain your data only for as long as necessary to fulfill the purposes for which it was collected.

• Account Information: We retain your account information for as long as your account is active.
• Cached Data: Data retrieved from your Third-Party Services is often cached temporarily on our servers to improve performance and execute your commands. This cached data is deleted once it is no longer needed for the requested operation.
• Termination: When you delete your account, we will initiate a process to permanently delete your account information and any cached data from our live systems within 30 days. Encrypted backup copies may be retained in our disaster recovery archives for up to 90 days, after which they are permanently erased.

7. Your Data Protection Rights (GDPR)

As a user, you have specific rights regarding your personal data. If you wish to exercise any of these rights, please contact us at contact@itura.ai.

• Right to Access, Rectification, and Erasure.
• Right to Restrict Processing.
• Right to Data Portability.
• Right to Object.
• Right to Lodge a Complaint with a supervisory authority.

8. Security

We take the security of your data very seriously. We use a combination of technical, administrative, and physical controls to maintain the security of your data. These measures include:

• Encryption: Data is encrypted both in transit (using TLS/SSL) and at rest.
• Access Control: Access to personal data is strictly limited to personnel who require it to perform their job functions.
• Incident Response: We have a process for responding to security incidents. If you believe your account has been compromised, you must notify us immediately at security@itura.ai.

9. Use of Cookies and Tracking Technologies

We use cookies and similar tracking technologies to operate and improve our Service.

• What are Cookies? Cookies are small text files stored on your device when you visit a website. They help us remember your preferences and session information, making your experience smoother.
• Essential Cookies: These cookies are necessary for the Service to function correctly. They are used for purposes like keeping you logged in and maintaining the security of your account. You cannot opt out of these cookies as the Service cannot be provided without them.
• Performance and Analytics Cookies: We use these cookies to collect information about how you interact with our Service, which helps us understand usage patterns and improve our features. For example, we use analytics services to understand which parts of the application are most used. This data is aggregated and anonymized wherever possible.
• Managing Cookies: Most web browsers allow you to control cookies through their settings. You can set your browser to block or alert you about these cookies, but please be aware that some parts of the Service may not function properly without them.

10. International Data Transfers

To provide you with the Service, your personal data may be transferred to, and processed in, countries other than the one you reside in. When we transfer your data outside the European Economic Area (EEA), we ensure a similar degree of protection is afforded to it by relying on legal mechanisms such as Adequacy Decisions or Standard Contractual Clauses (SCCs).

11. Children's Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected such information, we will take steps to delete it.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make a change that we believe is material, we will notify you through the Service or by email. Your continued use of the Service after any changes take effect constitutes your agreement to the new policy.

13. Contact Us

If you have any questions, comments, or concerns about this Privacy Policy or our data practices, please contact us.

Itura oy
(Finnish Business ID: 3493409-8)
Email: contact@itura.ai
For security-specific inquiries: security@itura.ai