Privacy Policy
This Privacy Policy describes how Internalize ("we", "us", "our") collects, uses, and shares personal data in connection with the Internalize website and service (the "Service"). It applies to visitors, registered users, and account administrators.
Contact: [email protected]
1. Who is the Data Controller
Internalize is the data controller for personal data processed through the Service, except where we process customer data on your behalf, in which case we act as a processor and you are the controller. See our GDPR page for details on the processor relationship.
2. What We Collect
We try to collect only what we need to operate the Service.
Account data. Email address, name (optional), password credentials (magic link tokens only — we do not store passwords), authentication timestamps, organization membership, and role.
Billing data. Billing email, plan and subscription details, invoices, and payment history. Card numbers and bank details are handled directly by our payment processor (Stripe) and are not stored on our servers.
Service configuration. The flows, requests, assertions, variables, schedules, environments, secrets, API keys, webhook URLs, and alert destinations you create. Secrets are stored encrypted.
Service usage data. Run history, request/response captures you opt to retain, timings, status codes, logs, error messages, and alert history. Retention depends on your plan (typically 7–90 days for runs).
Device and log data. IP address, browser/user-agent, timestamps, referrer, approximate location derived from IP, and basic diagnostics. We retain these logs for a limited period for security, fraud prevention, and debugging.
Support communications. Emails and messages you send us, and our replies.
Cookies and local storage. Strictly necessary cookies for authentication and session management, and local-storage items for UI preferences. We do not use advertising cookies. We may use minimal privacy-respecting analytics to understand aggregate usage.
We do not intentionally collect special-category personal data. Do not submit such data through the Service (see our Terms).
3. How We Use Personal Data
We use personal data to:
- provide, operate, secure, and improve the Service;
- authenticate you and prevent unauthorized access;
- bill you and manage subscriptions;
- send service-related emails (receipts, alerts, security notices, material changes);
- respond to support requests;
- detect, investigate, and prevent abuse, fraud, and violations of our Terms;
- comply with legal obligations and enforce our agreements;
- aggregate and anonymize data to produce non-identifying statistics.
We do not sell personal data. We do not use your data to train machine-learning models for third parties. We do not use service configuration or run data for marketing.
4. Legal Bases (EU/UK/EEA users)
Where GDPR or similar laws apply, we rely on:
- Contract — to provide the Service you subscribed to;
- Legitimate interests — to secure the Service, prevent abuse, and improve the product, balanced against your rights;
- Consent — where required (you can withdraw consent at any time);
- Legal obligation — where we must retain or disclose data by law.
See the GDPR page for your rights and how to exercise them.
5. Sharing and Sub-processors
We share personal data only as described below.
- Service providers ("sub-processors") that help us run the Service, bound by confidentiality and data-protection obligations. A non-exhaustive list:
  - Stripe — payment processing and billing
  - Postmark — transactional email (magic links, alerts, receipts)
  - Cloudflare — CDN, DDoS protection, and R2 object storage (where enabled)
  - Cloud hosting provider — application and database hosting
  - Anthropic / OpenAI — only if you use AI features; prompts are sent to the selected provider
- Professional advisors such as lawyers and accountants, under confidentiality.
- Corporate transactions — in connection with a merger, acquisition, financing, or sale of assets, subject to customary confidentiality.
- Legal compliance — when required by law, legal process, or to protect rights, safety, or property.
We do not sell personal data to third parties.
6. International Transfers
Personal data may be processed in countries other than your own, including the United States and the European Union. Where required, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or adequacy decisions.
7. Retention
We retain personal data for as long as needed to provide the Service and to comply with legal and contractual obligations. After account closure, we delete or anonymize account and configuration data within a reasonable period (typically up to 90 days), subject to legal retention requirements (for example, invoicing records retained for up to 10 years where required by tax law). Backup copies may persist for a limited period until they roll off.
8. Your Rights
Depending on your jurisdiction, you may have the right to access, correct, delete, or port your personal data, to restrict or object to its processing, and to withdraw consent. See our GDPR page for details, or contact [email protected].
9. Security
We use commercially reasonable technical and organizational measures, including encryption in transit (HTTPS/TLS), encryption of stored secrets, access controls, and regular patching. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security. You are responsible for the scope and sensitivity of credentials you configure (see Terms §9).
If a breach affects your personal data and is likely to result in risk to your rights, we will notify you without undue delay in accordance with applicable law.
10. Children
The Service is not intended for anyone under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, email [email protected] and we will delete it.
11. Cookies
We use only cookies that are strictly necessary for the Service (authentication and session state). If we introduce optional analytics cookies in the future, we will ask for consent where required.
12. Changes
We may update this Privacy Policy. If changes are material, we will notify users by email or in-app notice before they take effect, where practicable. The "Last updated" date reflects the most recent change.
13. Contact
For privacy questions or to exercise your rights, email [email protected]. If you believe we have not adequately addressed your concern, you may have the right to lodge a complaint with your local data protection authority.