What we collect
From you, the operator. Name, work email, organization name and slug, role assignment, last-seen timestamp. The minimum required to authenticate, route requests to the correct tenant, and assign permissions.
From your workflow. Illustration documents, ledger rows, policy metadata, generated review PDFs, audit-log entries, drafted text. This is your Customer Data; it stays yours.
Operational telemetry. Request identifiers, response timings, server-side error traces, feature usage counters. Used to keep the service fast and to know which features earn their existence. Stack traces are scrubbed of obvious PII before they are written.
What we don't collect
We do not run third-party analytics on the marketing site or inside the application. No Google Analytics, no Segment, no Facebook pixel, no session-replay tooling. Visit counts are derived from server logs only.
We do not profile end clients (the high-net-worth insureds whose data your firm processes through Interline). Their data appears only inside your Customer Data and is never aggregated across tenants.
We do not sell, rent, or share Customer Data for the commercial benefit of any third party.
Subprocessors
Interline relies on a small set of vetted third-party services to operate. Each receives only the data needed for the stated purpose and is bound by a written data-processing agreement. The current list, what each receives, and how to subscribe to change notifications live at /legal/subprocessors. We notify workspace owners thirty days before a new subprocessor gains access to Customer Data.
Retention
Customer Data lives in production for the life of your subscription. On termination you have thirty days to export, then we delete from production within ninety days. Backups age out within twelve months.
Audit logs are retained for the duration set in your tenant's compliance settings (default twelve months on Team, configurable up to seven years on Enterprise).
Your rights
You can export Customer Data at any time via the workspace UI or the REST API. The export includes the audit-log hashes so the artifact can be independently verified after extraction.
You can request deletion of any specific record by emailing [email protected] and we will confirm within five business days.
For requests originating from your end clients under GDPR, the California Consumer Privacy Act, or analogous state laws, you remain the data controller and we act as the processor. Forward the request to us and we will execute within the regulatory window. Our DPA for processor roles lives at /legal/dpa.
Security
Encryption at rest (AES-256) and in transit (TLS 1.2 or higher). Tenant-level data isolation enforced at the database row through a non-nullable tenant identifier and a session-scoped tenant filter. Append-only audit logging covering authentication, record access, and record modification, with hash chaining for integrity verification. Multi-factor authentication required on all personnel accounts that can access production systems. Field-level encryption is wired for highly-restricted PHI columns and turns active when a Business Associate Agreement is signed.
The full posture lives at /trust.
International transfers
Customer Data is processed in the region selected by the tenant. Where data originating in the European Economic Area, the United Kingdom, or Switzerland is transferred to a non-adequate country, we rely on the Standard Contractual Clauses incorporated into our Data Processing Addendum.
Changes to this policy
When we change anything material we email the workspace owner thirty days in advance and note the change in the changelog. Cosmetic edits we make silently.