Intutiv (intutiv.ai) is a content-first search engine. It is operated by Diduce Technology Pvt. Ltd, an Indian company with its registered office at 3A, 7th Floor, Ecospace, Plot No. 2F/11, New Town, Rajarhat, Kolkata-700156, India.
In this policy, "we", "us", "Intutiv" mean Diduce Technology Pvt. Ltd. "You" means anyone visiting intutiv.ai or using the service.
For the purposes of EU/UK GDPR we act as controller for the limited personal data described below. For the purposes of India's Digital Personal Data Protection Act 2023 (DPDPA) we are the data fiduciary.
When you type into the Intutiv search box, the query is sent to our servers and forwarded to the search and AI providers we use (see section 5) so we can build a result page. Each query is briefly logged in our server logs and in our error-tracking system (Sentry) along with technical metadata (timestamp, anonymised IP, browser type, response time, error codes). We use this only to debug, fix bugs and keep the site fast.
The following are kept in your browser's localStorage and never sent to our servers unless you choose to submit a debug report:
Clearing your browser data for intutiv.ai deletes all of this immediately. We cannot recover it because we never had a copy.
If you join the waitlist, sign in with an OAuth provider, or email us, we collect and store the email address you provide. Waitlist emails are stored in Vercel KV (a managed key-value store) so we can send you an invite when access opens up.
If you choose to sign in with Google and grant Gmail, Calendar or YouTube access via OAuth, we request the following scopes only when you explicitly opt in:
openid, email, profile — for identity (name, email, profile picture).gmail.readonly — read-only access to Gmail messages, if you connect Gmail.calendar.readonly — read-only access to Calendar events, if you connect Calendar.youtube.readonly — read-only access to your YouTube subscriptions, if you connect YouTube.We use these to display your messages, events and subscriptions on your Intutiv home page in real time. We do not store the contents of any Gmail message, Calendar event or YouTube data on our servers. We fetch them live from Google each time you load the page.
Your Google OAuth refresh token (the credential that lets us re-fetch your data) is AES-256-GCM encrypted using a server-side key and then placed inside a signed JWT stored in an HttpOnly, Secure, SameSite=Lax cookie with a 30-day maximum age. The cookie is set on your browser only; we do not duplicate the token in any server-side database. Signing out or clearing the cookie deletes the token.
If you sign in with LinkedIn, we request the OIDC scopes openid, profile, email. We receive your name, email, locale and profile picture only. We do not read your LinkedIn messages, connections or feed.
Like every web service, we receive standard technical data with each request: IP address (we read it via the cf-ipcountry header from Cloudflare to localise results, e.g. show ₹ vs $), user-agent string, referrer, and request timing. We do not run any advertising or third-party tracking pixels.
| Data | What it is used for | Legal basis (GDPR) / lawful purpose (DPDPA) |
|---|---|---|
| Your search query | Fetch search results, rank them, summarise them, debug errors. | Performance of a contract / legitimate interest in providing the service / consent (you typed it). |
| localStorage history, favourites, settings | Personalise your home page and ranking. Never leaves your browser. | Not personal data we process — stays on your device. |
| Waitlist email | Send you an invite when access opens. | Consent. |
| OAuth identity (name, email, picture) | Show you that you are signed in. | Consent / performance of a contract. |
| OAuth refresh token (encrypted) | Re-fetch Gmail / Calendar / YouTube data when you reload. | Consent. |
| IP address, user-agent, timing | Security, abuse prevention, debugging, regional formatting. | Legitimate interest. |
To run the site we share the minimum data needed with the following processors:
| Provider | What we send | Why |
|---|---|---|
| Vercel | All site traffic (host, serverless functions, Vercel KV). | Hosting and waitlist email storage. |
| Cloudflare | All site traffic (CDN, DDoS). | Performance and protection. Cloudflare provides the country header we read. |
| Serper (serper.dev) | Your search query. | Web, news and image search results. |
| Anthropic (Claude API) | Your query and small fragments of fetched search results. | Result summarisation, classification, intent detection. |
| OpenAI | Same as above, when Claude is unavailable or for specific features. | Same as above. |
| Google AI (Gemini API) | Same as above, when used. | Same as above. |
| Perplexity API | Your query, when used for live-web grounded answers. | Real-time grounded responses. |
| Google APIs (Gmail / Calendar / YouTube / OAuth) | Your OAuth token and the request your browser triggered. | Only if you connect Google. |
| Sentry | Server errors, including query text and stack traces. | Error tracking. We strip OAuth tokens and Gmail/Calendar content from error payloads. |
| Resend | Your email address. | Sending waitlist invites and the operator notification. |
| Future: Stripe and/or Razorpay | Payment data you enter at checkout. | Only when paid plans launch and only if you start a checkout. |
Each provider acts as our processor and is bound by its own privacy policy and data-processing terms. We do not allow any provider to use your personal data for their own marketing.
Some answers and rankings are produced by large language models. When that happens, we send the AI vendor your query and small fragments of the fetched search results. The vendor returns a response and the conversation ends.
Crucially, none of the AI vendors we use train their models on this data by default. The applicable vendor terms today say:
If a vendor changes these terms in a way that materially affects you, we will update this page and either route around them or move to a vendor that still honours the no-training default.
| Data | Retention |
|---|---|
| Server logs (query text, timestamp, IP, user-agent) | Up to 30 days, then deleted. |
| Sentry error reports | 90 days, then auto-deleted by Sentry. |
| Vendor-side logs (Serper, Anthropic, OpenAI, Google, Perplexity) | Governed by each vendor's policy; typically 30 days for abuse monitoring. |
| Waitlist email in Vercel KV | Kept until you ask us to delete it, or until you sign in and the waitlist row is superseded. |
| OAuth refresh token (encrypted, in your cookie) | 30 days from your last sign-in. The cookie expires automatically. |
| Stuff in your browser's localStorage | Until you clear browser data for intutiv.ai. We never see it. |
Intutiv runs on Vercel's globally distributed infrastructure. Serverless functions may execute in any of Vercel's regions (today: US East, US West, India / Mumbai, and EU regions). Vercel KV (where the waitlist sits) is regionally hosted; the region depends on the Vercel project configuration and may be in the EU or US. By using Intutiv you understand and consent to your personal data being processed in countries outside India and outside your home country, including the US and EU.
We do not claim military-grade security. We do follow these baseline practices:
HttpOnly, Secure, SameSite=Lax signed cookie on your device.HttpOnly so they cannot be read by JavaScript and are signed so they cannot be tampered with.No internet service is perfectly secure. If we ever discover a breach affecting your data we will notify you and the relevant regulators within the timeframes the law requires (72 hours under GDPR; reasonable time under DPDPA).
Wherever you live, you have the right to:
Self-serve deletions you can do right now:
intutiv.ai and click "Clear data" — or DevTools → Application → Local Storage → intutiv.ai → "Clear All".For anything that needs us to act (delete a waitlist email, revoke server-side tokens, export your data, ask a question about what we hold) email [email protected] with subject DELETE MY DATA, ACCESS MY DATA or PRIVACY QUESTION from the email address you want us to act on. We respond within 30 days as required by GDPR and DPDPA, and usually much sooner.
We only set strictly-necessary cookies and a few preference items in localStorage. We do not set advertising cookies, third-party tracking cookies or analytics cookies that profile you across sites.
| Name | Where | Purpose | Lifetime |
|---|---|---|---|
ii_user | Cookie (HttpOnly, Secure) | Signed JWT containing your identity and encrypted OAuth refresh token, if signed in. | 30 days, refreshed on use |
ii_theme, ii_flag_*, ii_history, ii_favourites, ii_widgets | localStorage | UI preferences, history, favourites, feature flags. | Until you clear browser data |
Intutiv is not directed at children. Per India's DPDPA 2023, a "child" is any person under 18 years. We do not knowingly collect personal data from anyone under 18 and we do not run behavioural advertising, behavioural monitoring or tracking aimed at children. If you believe a child has provided us with personal data, email [email protected] and we will delete it.
For users in the EU, UK and US the minimum age to use Intutiv on your own consent is 13 (or the higher local age of digital consent). Users between 13 and 17 in India require a parent's or lawful guardian's consent under the DPDPA.
EU / UK residents. Our lawful bases for processing are (a) consent (waitlist, OAuth, optional connectors), (b) performance of a contract (delivering the result you asked for), and (c) legitimate interest (security, abuse prevention, debugging). You have all the rights listed in section 10 plus the right to lodge a complaint with your local Data Protection Authority. We do not currently appoint an EU Article 27 representative because we do not target the EU market. If we begin to, we will appoint one and update this page.
California residents (CCPA / CPRA). The categories of personal information we collect and the purposes for collection are listed in sections 2 and 4. We do not sell or share personal information for cross-context behavioural advertising. You have the right to know, delete, correct and limit. Submit any request to [email protected].
We comply with the Digital Personal Data Protection Act, 2023 ("DPDPA") and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ("IT Rules 2021").
In accordance with Rule 3(2) of the IT Rules 2021, the Grievance Officer for Intutiv is:
The Grievance Officer will acknowledge any complaint within 24 hours and resolve it within 15 days of receipt, as required by Rule 3(2)(a). If your grievance concerns unlawful or harmful content, please include the URL and a clear description.
For DPDPA purposes, you (a "Data Principal") may exercise your rights of access, correction, erasure, nomination and grievance redressal by emailing the same address.
We may update this policy as the product changes or the law changes. When we make a material change we will update the "Last updated" date at the top, surface a notice on the home page, and — if we have your email — email you. Continued use after the effective date means you accept the updated policy.
Privacy questions, data requests, grievances and anything else: [email protected].
Postal mail: Diduce Technology Pvt. Ltd, 3A, 7th Floor, Ecospace, Plot No. 2F/11, New Town, Rajarhat, Kolkata-700156, India.