1. Overview
whisc inc. dba TidyIntake, Inc. ("TidyIntake," "we") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our legal intake CRM platform ("Service").
We do not sell your personal information or Customer Data. We never use your data to train general-purpose AI models.
2. Information We Collect
2.1 Account Information
Name, email, phone, company/firm name, address, job title, payment info (processed by Stripe — we never store full card numbers).
2.2 Customer Data
Data you and your users submit: lead/client contact info, case details, incident descriptions, medical information, legal information, communications, and uploaded documents.
You are the data controller for Customer Data. We process it on your behalf as a data processor. You are responsible for obtaining consents from your clients.
2.3 Usage Data
IP address, browser type, OS, pages viewed, features used, time on page, referral URLs, device identifiers, error logs.
2.4 Communication Data
Content of support, sales, or feedback communications you send us.
3. How We Collect Information
| Method | Description |
|---|
| Direct | Account registration, form submissions, file uploads, support requests |
| Automated | Cookies, server logs, analytics tools, session recording |
| Third parties | Payment processors (Stripe), identity verification, integration partners |
| Your integrations | Data synced from Smokeball, Clio, Google Ads, Twilio, etc. |
4. How We Use Your Information
- Service delivery: Operating, maintaining, and improving the platform
- Account management: Creating accounts, processing payments, customer support
- AI processing: Generating case scores, summaries, risk assessments, copilot suggestions
- Communications: Service notices, billing, security alerts, product updates
- Analytics: Understanding usage to improve features and performance
- Security: Fraud detection, unauthorized access prevention
- Legal compliance: Fulfilling obligations, responding to lawful requests
- Marketing: With consent, promotional materials. Opt out anytime.
5. Information Sharing & Third Parties
- Service providers: Cloud hosting (AWS/Vercel), payments (Stripe), email (SendGrid), SMS (Twilio), analytics (Mixpanel), monitoring (Sentry)
- Integration partners: Only when you explicitly enable (Smokeball, Clio, DocuSign)
- AI providers: Anthropic (Claude). Processed per our DPA — not used to train their models
- Legal requirements: When required by law, court order, or authority
- Business transfers: In mergers/acquisitions — you'll be notified before transfer
All providers are contractually bound to protect your data.
6. AI Data Processing
Your data processed by AI is not retained by the AI provider. We never use Customer Data to train models.
- AI processes data in real-time — not stored beyond the session
- Anonymized aggregated data may improve our AI algorithms
- AI output is stored within your account as part of lead records
- Disable AI Features anytime via account settings
7. Cookies & Tracking
| Type | Purpose | Duration |
|---|
| Essential | Auth, security, sessions | Session / 30 days |
| Functional | Preferences, language | 1 year |
| Analytics | Usage patterns, performance | 2 years |
| Marketing | Ad attribution (with consent) | 90 days |
Manage preferences via our cookie banner, browser settings, or by contacting us. Essential cookies cannot be disabled.
8. Data Retention
- Account data: Active subscription + 30 days after termination
- Customer Data: Duration of subscription. 30-day export window after termination, then permanently deleted
- Usage data: Aggregated form, up to 3 years
- Billing records: 7 years (tax/accounting requirements)
- Support communications: 2 years after resolution
Request early deletion anytime, subject to legal retention requirements.
9. Data Security
- Encryption: TLS 1.3 (transit), AES-256 (at rest)
- Access: Role-based, MFA, least privilege
- Infrastructure: SOC 2 Type II compliant, regular pen testing
- Monitoring: 24/7, intrusion detection, automated alerts
- Incident response: 72-hour breach notification commitment
- Personnel: Background checks, security training, access-limited
10. Your Rights
Depending on location, you may have these rights:
- Access — request a copy of your data
- Correction — fix inaccurate information
- Deletion — request data removal
- Portability — receive data in machine-readable format
- Restriction — limit processing
- Objection — object to legitimate-interest processing
- Withdraw consent — at any time
- Non-discrimination — exercise rights without penalty
Contact privacy@tidyintake.com. We respond within 30 days.
11. California Privacy Rights (CCPA/CPRA)
California residents have additional rights:
- Right to know what data is collected, used, shared
- Right to delete
- Right to correct
- Right to limit sensitive data use
We do not sell or share personal information as defined by CCPA/CPRA. No opt-out necessary.
Verifiable requests: privacy@tidyintake.com or (312) 555-0001.
12. European Privacy Rights (GDPR)
For EEA/UK/Switzerland residents:
- Legal bases: Contract performance, legitimate interests, consent, legal obligations
- DPO: dpo@tidyintake.com
- Supervisory authority: Right to lodge complaints with your local DPA
- Transfers: Protected by EU-approved Standard Contractual Clauses
13. U.S. State Privacy Laws
We comply with all active state privacy laws including: Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Delaware (DPDPA), Iowa (ICDPA), New Hampshire SB 255, New Jersey SB 332, Tennessee (TIPA), Minnesota, Maryland, and Kentucky consumer data privacy acts.
Contact privacy@tidyintake.com to exercise state-specific rights.
14. Children's Privacy
The Service is not directed to individuals under 18. We do not knowingly collect children's data. If discovered, we will promptly delete it.
Note: Your firm's Customer Data may include minor information for legal cases — your firm is responsible for compliance.
15. International Data Transfers
TidyIntake is US-based. International access means data is transferred to and processed in the US. We use Standard Contractual Clauses, DPAs, and applicable transfer mechanisms.
16. Changes to This Policy
30 days' notice of material changes via email and/or in-app notification. The "Last updated" date above reflects the most recent revision.
17. Contact Us
TidyIntake, Inc.
Privacy: privacy@tidyintake.com
DPO: dpo@tidyintake.com
Phone: +1 312.450.7373
4223 W Lake St Ste 329, Chicago, IL 60624
For data subject requests, email privacy@tidyintake.com with "Data Subject Request" in the subject. Acknowledged within 5 business days, fulfilled within 30.