Privacy Policy
Last updated: March 19, 2026
1. Overview
Initium, Inc. (“Initium”, “we”, “us”, or “our”) is committed to protecting the privacy of the businesses and individuals who use our platform. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.
Initium operates at initiumapp.com. Privacy questions can be directed to privacy@initiumapp.com.
2. Data We Collect
We collect the following categories of data:
- Account data: Your name, work email address, password (hashed with bcrypt before storage — the plaintext is never stored), company name, and workspace URL slug.
- Workspace data: Hire records, onboarding plans, tasks, milestones, comments, and team member information that you create or import within the platform.
- Usage data: Log data, page views, feature usage events, and product activation analytics. These are stored in our own infrastructure and used only to improve the product.
- Device and technical data: IP address, browser type, and other standard log data generated when you access the platform. This data is used for security, rate limiting, and abuse prevention.
- Communications data: Emails we send you in connection with your trial and subscription (such as welcome, activation, and trial expiry emails), and any replies or direct communications you send us.
We do not collect payment card data directly. Billing for paid subscriptions is currently handled manually — we will contact you by email to arrange payment when you upgrade. We do not have an embedded payment processor, and we do not store card details on our servers.
3. How We Use Your Data
We use your data to:
- Create and maintain your workspace and account
- Generate AI-powered onboarding plans from role and company context you provide
- Send lifecycle emails related to your trial and subscription (you may opt out at any time)
- Detect and prevent abuse, fraud, and security incidents
- Analyse aggregate, anonymised usage trends to improve the product
- Respond to your support or privacy requests
- Comply with applicable legal obligations
We do not sell your data to third parties. We do not use your workspace content (onboarding plans, hire records, or team data) to train AI models without your explicit consent.
4. Tenant Isolation
Every workspace on Initium is fully isolated. Your data is stored under a tenant-scoped namespace in our infrastructure. No other organisation can access your hire records, plans, or team data. Our architecture enforces this at the storage layer, not just the application layer.
5. Data Retention
Your data is retained for the duration of your active account or subscription.
- Trial expiry: If your 30-day trial expires and you have not upgraded, your workspace enters a read-only state. Your data is preserved — it is not automatically deleted — giving you time to upgrade and resume without data loss.
- Account deletion requests: If you request deletion of your account, we will permanently delete your data within 30 days of that request.
- Terms violations: If we close your account for a violation of our Terms of Service, your data will be permanently deleted within 30 days of account closure.
You may request immediate deletion of your account and data at any time by emailing us at privacy@initiumapp.com. We will confirm deletion within 30 days.
Certain data (such as audit logs or records required by applicable law) may be retained beyond the periods above where legally required or necessary for fraud and abuse prevention. We will inform you of any such retention where required.
6. Third-Party Services
We use the following third-party services to operate the platform:
- Upstash Redis: Primary data storage and caching. Your workspace data and usage analytics are stored here. Upstash offers EU and US hosting regions.
- Vercel: Application hosting, serverless function execution, and edge delivery. Your requests are processed on Vercel's infrastructure.
- Resend: Transactional and lifecycle email delivery. Your email address is passed to Resend to send product emails on our behalf.
- OpenAI: AI plan generation. When you create an onboarding plan, we send role context (job title, company type, tool stack, and milestone descriptions) to the OpenAI API. We do not send personally identifiable employee data such as individual names or contact details in these prompts.
Each of these providers processes data only to the extent necessary to provide their services to us and is bound by their own privacy and security obligations.
7. Security
We implement industry-standard security controls, including: JWT-based session authentication with short-lived access tokens (1 hour) and rotating refresh tokens (7 days); bcrypt password hashing; httpOnly, Secure, and SameSite=Strict cookie flags on all authentication cookies; rate limiting on all public-facing endpoints; and HTTPS encryption in transit. We conduct periodic security reviews.
No system is completely immune to security risks. We cannot guarantee absolute security, but we take reasonable and appropriate technical and organisational measures to protect your data.
8. Cookies and Local Storage
We use strictly necessary cookies to maintain your authenticated session. These cookies are httpOnly, Secure, and SameSite=Strict — they cannot be read by JavaScript and are not accessible to third-party scripts. We do not use tracking cookies, advertising cookies, or third-party analytics pixels.
We do not use local storage or session storage to persist personal data. Because we only use strictly necessary authentication cookies, no consent banner is displayed.
9. Your Rights
Depending on your jurisdiction and applicable data protection law, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Request deletion of your personal data
- Receive a copy of your data in a portable format
- Object to or restrict certain processing
- Opt out of marketing and lifecycle communications (every email we send includes an unsubscribe link)
To exercise any of these rights, email privacy@initiumapp.com. We will acknowledge your request within 5 business days and aim to respond in full within 30 days. We are an early-stage company and handle rights requests directly — there is no automated portal at this time.
10. Children's Privacy
Initium is a business-to-business (B2B) SaaS product intended for use by businesses and working professionals. We do not knowingly collect personal data from individuals under the age of 16. If you believe a minor has provided us with personal data, please contact us at privacy@initiumapp.com and we will delete it promptly.
11. International Data Transfers
Initium is operated from the United States. Our infrastructure providers (Vercel, Upstash, Resend, OpenAI) may process data in the United States or other countries. If you are accessing the platform from outside the United States, your data may be transferred internationally. We rely on our providers' data processing agreements and applicable transfer mechanisms. We do not claim formal certification under any specific international framework at this stage.
12. Governing Law
This Privacy Policy is governed by the laws of the State of Delaware, United States, without regard to conflict of law provisions. Nothing in this section limits rights you may have under applicable consumer or data protection laws in your jurisdiction.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. For material changes, we will notify you by email and with an in-product notice at least 14 days before the changes take effect. The “last updated” date at the top of this page reflects the most recent revision.
14. Contact
Questions or concerns about this Privacy Policy or how we handle your data? Contact our privacy team at privacy@initiumapp.com. We take privacy seriously and will respond promptly.