Privacy Policy

Words with initial capitalization have meanings defined below. Definitions apply whether the term appears in singular or plural.

For purposes of this Privacy Policy:

• Account means a unique account created for a Tenant to access the Service.
• Advertising ID means a resettable identifier associated with a mobile device, such as Apple's IDFA or Google Advertising ID.
• Business (under CCPA/CPRA) means the entity that determines the purposes and means of processing Personal Information.
• Company means Concert Capital Management, LLC, a Nevada limited liability company.
• Consumer (under CCPA/CPRA) means a natural person who is a California resident.
• Controller (or Data Controller) means the entity that determines the purposes and means of processing Personal Data (as defined by GDPR/UK GDPR and similar laws).
• Cookies means small files stored on your device that enable certain website features and tracking functionality.
• Data Subject Request (or DSAR) means a request to exercise privacy rights (e.g., access, deletion, correction).
• End Client means any individual who submits information through a Tenant's intake forms, signs documents, uploads files, or makes payments via the Service.
• Personal Data means information relating to an identified or identifiable natural person (terminology commonly used in the GDPR/UK GDPR).
• Personal Information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
• Processor (or Data Processor) means an entity that processes Personal Data on behalf of a Controller.
• Sale (under CCPA/CPRA) generally means selling or disclosing Personal Information for monetary or other valuable consideration (as defined under applicable law).
• Service means the intake.link websites, applications, dashboards, APIs, and related services.
• Service Provider (under CCPA/CPRA) means an entity that processes Personal Information on behalf of a Business pursuant to a written contract.
• Share (under CCPA/CPRA) means disclosure of Personal Information for cross-context behavioral advertising, whether or not for monetary consideration (as defined under applicable law).
• Subprocessor means a third party engaged by the Company to process Personal Information on our behalf to provide the Service.
• Tenant means any individual, law firm, or organization that registers for and uses the Service.
• Tenant Data means all data uploaded, submitted, collected, generated, or otherwise processed through the Service by or on behalf of a Tenant, including End Client submissions.
• Usage Data means data collected automatically, either generated by the use of the Service or from the Service infrastructure (e.g., page views, feature usage, performance metrics).

When Tenants use intake.link to collect information from End Clients, intake.link generally acts as a Processor (GDPR/UK GDPR terminology) or Service Provider (CCPA/CPRA terminology) with respect to Tenant Data.

In this context:

• the Tenant is the Controller/Business and determines what data is collected and why
• the Company processes that Tenant Data only to provide the Service and as instructed/configured by the Tenant

With respect to:

• Tenant account information
• subscription/billing data
• and certain Usage Data generated to operate and secure the Service

the Company acts as a Controller/Business.

If you are an End Client and you want to exercise privacy rights (e.g., access, deletion, correction), you should contact the Tenant directly. Tenants are responsible for responding as Controller/Business.

We will assist Tenants with requests when required by law and contract.

When you create or administer an Account, we may collect:

• name
• email address
• organization/firm name
• phone number (optional)
• billing address
• payment metadata and subscription status
• authentication data via Clerk (identity provider)

We collect and store account configuration data such as:

• firm branding (name, logo, colors)
• intake form configurations and field definitions
• document templates and signing workflows
• payment presets and pricing settings
• webhook URLs and automation settings
• notification preferences

When End Clients interact with Tenant workflows, the Service may collect Tenant Data including:

• form submissions (including any data fields defined by Tenant)
• e-signature data (signature image, timestamp, IP address, audit trail)
• payment metadata (transaction confirmation, amount, partial payment details)
• uploaded files/documents (stored in Vercel Blob)
• device information and IP addresses

We may automatically collect:

• IP address (hashed for privacy in logs where feasible)
• browser type/version
• operating system
• device identifiers
• pages visited and features used
• timestamps and session duration
• referrer URL
• diagnostic/performance data

Electronic signatures are processed through DocuSeal, which may collect:

• signature image
• signing timestamps
• IP address
• audit certificate and completion details

We may store completed document references and audit trail metadata.

We use:

• cookies
• local storage
• pixels/SDKs (where applicable)
• log files and similar technologies

We may use:

• Strictly Necessary Cookies (authentication, security, session management)
• Functional Cookies (preferences/settings)
• Analytics Cookies (usage analytics and performance improvements)
• Advertising Cookies / Pixels (marketing measurement, remarketing, attribution)

You can control cookies through your browser settings. Some features may not function properly if cookies are disabled.

Where required by law, we will use consent mechanisms for certain cookies and provide choices through a cookie banner or preference center.

"Do Not Track" (DNT) is a browser setting. We do not currently respond to DNT signals.

We share data with service providers who help us deliver the Service (see Section 16).

We contractually require subprocessors to protect data and restrict use of data to authorized purposes.

Tenants may configure integrations and destinations, including:

• webhooks to Tenant endpoints
• Make.com or Zapier workflows
• CRMs and practice management systems
• analytics or internal systems

Information is shared per the Tenant's configuration and instructions.

We share data with Stripe for payment processing. Stripe's use of data is governed by Stripe's privacy policy.

We may use advertising/analytics partners to:

• attribute marketing campaigns
• measure performance
• run remarketing campaigns to people who have visited intake.link
• improve marketing effectiveness

Depending on implementation, these parties may set cookies/pixels and receive identifiers (e.g., IP address, cookie IDs, Advertising IDs).

You can opt out using tools provided in Section 12.

We may disclose information when required by law or when we believe disclosure is necessary to:

• comply with legal process
• respond to lawful government requests
• protect rights, property, safety, and security
• investigate fraud or security incidents
• enforce Terms of Service

Information may be transferred as part of a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets.

We may use and disclose aggregated or de-identified data for analytics, benchmarks, research, and reporting.

The Service uses the following infrastructure:

• Hosting: Vercel (United States)
• Database: Upstash Redis (encrypted at rest and in transit)
• File storage: Vercel Blob (encrypted)
• Authentication: Clerk
• Payments: Stripe (PCI-DSS compliant)
• E-signatures: DocuSeal
• Automations: Make.com (where configured by Tenant)

We use commercially reasonable safeguards such as:

• TLS/SSL for data in transit
• encryption at rest where supported
• access controls and least-privilege policies
• audit logging for sensitive operations
• monitoring and security review procedures

No method of transmission/storage is 100% secure. You use the Service at your own risk.

If we become aware of a security incident affecting Personal Information, we will notify impacted Tenants without undue delay consistent with applicable law and contractual obligations.

Tenants are responsible for notifying End Clients where legally required.

You may opt out of marketing emails by using the unsubscribe link or contacting us at inbox@intake.link.

You may be able to opt out of interest-based advertising via:

• Network Advertising Initiative (NAI): opt-out tools
• Digital Advertising Alliance (DAA): opt-out tools
• Your browser cookie settings

You may limit ad tracking by disabling advertising personalization:

• iOS: Settings → Privacy & Security → Tracking
• Android: Settings → Privacy → Ads

Where required by law, we will treat GPC signals as an opt-out of sale/sharing. We do not sell Personal Information.

The table below describes categories we may collect.

We may disclose Personal Information to:

• subprocessors/service providers
• payment processors (Stripe)
• infrastructure providers (Vercel, Upstash, Clerk)
• e-signature processor (DocuSeal)
• automation providers (Make.com) as configured

We do not sell Personal Information.

If we engage advertising measurement/remarketing technologies, those may constitute "sharing" under CPRA depending on implementation. Where applicable, you may opt out using controls described above.

California residents may have rights to:

• know/access
• delete
• correct
• opt out of sale/sharing
• limit use of sensitive PI (where applicable)
• non-discrimination

Submit requests via inbox@intake.link.