Privacy Policy
Last Updated: May 3, 2026 | Effective Date: May 3, 2026
Your Privacy Matters: This policy describes exactly what data Incertive collects, how it is used, and who receives it. We have written it to be accurate and direct — if something is unclear, please email us at [email protected].
1. Introduction
Incertive ("Incertive," "we," "us," or "our") is a web-based project risk management platform that helps teams analyze uncertainty in project plans using AI-powered risk analysis. This Privacy Policy explains how Incertive, Inc., a Delaware corporation, collects, uses, stores, and shares information when you use our website at incertive.com and our platform (collectively, the "Service").
Incertive is a web-only platform. We do not offer mobile applications at this time. The Service does not integrate with external tools such as Jira, Asana, Slack, or similar products; any such integrations that may be developed in the future will be disclosed in an updated version of this policy.
By using the Service, you agree to the collection and use of your information as described in this policy. If you do not agree, please do not use the Service.
2. Information We Collect
We collect only the information necessary to provide the Service. The categories below describe what we collect and why.
2.1 Account Data
When you create an account, we collect:
- Name — used to identify you within the Service.
- Email address — used for authentication, transactional emails, and account communications.
- Password — stored as a bcrypt hash. We never store or transmit your plaintext password.
2.2 Subscription Data
When you subscribe to a paid plan, we record your subscription tier and a Stripe customer ID that links your account to your Stripe profile. Stripe, not Incertive, stores your payment card details. We never receive or store full card numbers, CVVs, or banking credentials.
2.3 Analysis Data
The core function of Incertive is analyzing project plans for risk. When you use the analysis features, we collect and store:
- Project plan text — the text you enter describing your project plan. This text is sent to Anthropic's Claude API to generate risk analysis results. See Section 4 for details on how Anthropic handles this data.
- Analysis results — the uncertainties, variants, and probability estimates generated in response to your plan text.
You control what you enter. Do not include sensitive personal information, financial account numbers, passwords, or confidential third-party data in your project plan text.
2.4 Usage Data
We record usage metrics to operate and improve the Service, including:
- Number of analyses performed
- Last login date and time
- Feature usage patterns (e.g., which tools within the platform are used)
2.5 API Access Data
If you create Personal Access Tokens (PATs) for API usage, we collect and store:
- Token metadata — token name, creation date, expiration date, scopes, and last-used timestamp. Used to display and manage tokens in your account settings.
- Token hash — a one-way bcrypt hash (12 rounds) of the token secret. We never store the plaintext token after initial creation. Only a short prefix (e.g., incertive_pat_ab...) is retained for identification purposes.
We do not currently log individual API requests (timestamps, endpoints, IP addresses, or status codes) to a persistent store. Rate limiting is enforced in-memory per server instance. We may introduce API request logging in the future and will update this policy accordingly.
API requests that include project plan text are subject to the same data handling described in Section 2.3 (Analysis Data). Plan text submitted via the API is processed identically to plan text submitted through the web interface.
2.6 Technical Data
When errors occur, our error monitoring provider Sentry automatically collects technical information to help us diagnose the problem. This may include:
- IP address
- Browser type and version
- Operating system
- Stack traces and error context
This data is used solely for diagnosing and fixing software errors.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the Service: Creating and managing your account, processing your subscription, authenticating your sessions, and delivering analysis results.
- AI-powered risk analysis: Transmitting your project plan text to Anthropic's Claude API to generate uncertainty and risk analysis. Your plan text is processed to produce results and is not used by Incertive for any other purpose.
- Billing and payments: Communicating with Stripe to manage subscriptions, process payments, and handle billing inquiries.
- Service communications: Sending transactional emails such as account confirmations, password resets, and subscription notices.
- Platform improvement: Analyzing aggregated usage patterns to understand how the Service is used and to identify areas for improvement.
- Error diagnosis and reliability: Using technical data collected by Sentry to identify, reproduce, and fix software errors.
- Legal compliance: Retaining records as required by applicable law and responding to lawful requests from public authorities.
We do not sell your data. We do not share your data with advertisers. We do not use your data to build advertising profiles or for behavioral targeting.
4. Third-Party Service Providers
We use a small number of third-party providers to operate the Service. Each provider is described below, including exactly what data they receive.
Anthropic (Claude API)
Purpose: AI-powered risk analysis
Data shared: The project plan text you enter when running an analysis. No account data (name, email, etc.) is sent to Anthropic.
Important note: Your project plan text is transmitted to Anthropic's API to generate analysis results. Anthropic's data handling for API customers is governed by their Privacy Policy and API usage terms. Anthropic states that it does not use API inputs to train its models by default.
Location: United States
Stripe
Purpose: Payment processing and subscription management
Data shared: Your name, email address, and subscription details. Stripe collects your payment card information directly and is PCI DSS Level 1 compliant. Incertive stores only a Stripe customer ID to reference your subscription; we never receive or store your card number, expiry date, or CVV.
Location: United States (global infrastructure). Stripe's privacy policy is at stripe.com/privacy.
Sentry
Purpose: Error monitoring and crash reporting
Data shared: Technical error data including IP address, browser information, operating system, and error stack traces. Sentry does not receive your analysis data or account credentials.
Location: United States. Sentry's privacy policy is at sentry.io/privacy.
We do not use any other third-party data processors beyond those listed above. We do not integrate with Jira, Asana, Slack, Microsoft Teams, or any other external project management or collaboration tools. If we add new service providers in the future, we will update this policy before doing so.
5. Data Storage & Security
Your data is stored in a PostgreSQL database hosted in the United States. We implement the following security measures:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
- Encryption at rest: Database storage is encrypted at rest.
- Password hashing: Passwords are hashed using bcrypt before storage. We cannot recover your plaintext password.
- Access controls: Access to production systems and user data is restricted to authorized personnel only.
- Session management: Authentication sessions are managed via secure, HttpOnly cookies with appropriate expiry.
No method of transmission over the internet or electronic storage is 100% secure. While we use commercially reasonable security measures, we cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at [email protected].
6. Data Retention
We retain data for as long as your account is active or as needed to provide the Service. Specific retention periods are as follows:
- Active accounts: Account data, analysis data, and usage data are retained for the duration of your account. You may request deletion at any time (see Section 7).
- Guest analyses: Analyses performed without a registered account expire and are permanently deleted after 24 hours.
- Deleted accounts: When you request account deletion, we will delete your personal data within 30 days, except where we are required to retain it by law (e.g., billing records may be retained for tax and legal compliance purposes for up to 7 years).
- Error logs: Technical error data in Sentry is retained according to Sentry's default retention settings (typically 90 days).
7. Your Rights
Regardless of where you are located, you have the following rights with respect to your personal data:
- Access: You may request a summary of the personal data we hold about you.
- Correction: You may update your name and email address at any time from within your account settings. For other corrections, contact us.
- Deletion: You may request that we delete your account and associated personal data. We will process deletion requests within 30 days.
- Data export: You may request an export of your analysis data and account information in a machine-readable format (JSON or CSV).
- Opt-out of non-essential communications: You may unsubscribe from marketing or product update emails at any time by clicking the unsubscribe link in any such email. You will continue to receive transactional emails necessary to operate your account.
To exercise any of these rights, email us at [email protected]. We will respond within 30 days. We may ask you to verify your identity before processing your request.
If you are located in the European Economic Area (EEA) or United Kingdom, you also have the right to lodge a complaint with your local data protection authority.
9. Children's Privacy
The Service is not directed at children under the age of 16. We do not knowingly collect personal information from anyone under 16. If you believe we have inadvertently collected data from a child under 16, please contact us at [email protected] and we will delete it promptly.
10. International Users
Incertive is operated from the United States and your data is processed and stored in the United States. If you are located outside the United States, your use of the Service involves the transfer of your personal data to the United States, which may have different data protection laws than your home country.
We are aware of the rights established under GDPR (for users in the EEA and UK) and CCPA (for California residents) and have designed our data practices to respect the core principles of those frameworks: data minimization, purpose limitation, transparency, and individual rights. We honor access, deletion, and data portability requests from all users regardless of location.
We do not make formal claims of certification under any specific international compliance framework at this time. If you have questions about cross-border data transfer, contact us at [email protected].
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes — such as adding new data collection practices or new third-party providers — we will notify you by email and by posting a notice on the Service before the changes take effect. The "Last Updated" date at the top of this page reflects when the policy was most recently revised.
Your continued use of the Service after a policy update constitutes your acceptance of the revised policy. If you do not agree to the updated policy, you should stop using the Service and may request deletion of your account.
12. Contact Information
If you have questions about this Privacy Policy or want to exercise your data rights, please contact us:
Incertive, Inc.
A Delaware Corporation
Privacy inquiries: [email protected]
We aim to respond to all privacy-related inquiries within 5 business days and to fulfill data rights requests within 30 days.