Insites Studio®
PricingChangelogTerms

Legal

Privacy Policy

Effective date: 2026-05-07

This Privacy Policy explains what personal information Insites Pty Ltd ("Insites", "we", "us") collects when you use Insites Studio (the "Service"), how we use and share it, and the choices you have. It applies to the Service, our marketing site, and our customer support interactions.

1. Who we are

Insites Studio is operated by Insites Pty Ltd (ABN 00 000 000 000), an Australian company. We are the controller of personal information you provide to us through the Service. You can contact our privacy team at support@insites.io.

2. Information we collect

We collect the following categories of information:

  • Account information — name, work email, organisation, profile photo, and any authentication identifiers from your single sign-on provider (WorkOS).
  • Workspace content — projects, briefs, prompts, code, designs, deployment configuration, brand assets, and other content you create or upload to the Service.
  • Billing information — plan, seats, invoices, payment method last-4 and expiry. Card numbers are handled by Stripe and are not stored on our servers.
  • Product telemetry — page views, feature usage, performance traces, error reports, and (with consent) session replays. Captured via Sentry, PostHog and LogRocket.
  • Support conversations — messages, attachments and metadata from interactions with our support team via Intercom or email.
  • Technical data — IP address, browser, device and OS, set by request and used for security, abuse prevention and aggregated analytics.

3. How we use information

We use personal information to:

  • provide, operate, secure and improve the Service;
  • authenticate users and protect accounts from unauthorised access;
  • process payments, manage subscriptions and prevent fraud;
  • provide customer support and respond to enquiries;
  • send transactional and important service notifications;
  • with your consent, send product updates and marketing communications (you can unsubscribe at any time);
  • comply with legal obligations and respond to lawful requests.

We do not sell personal information and we do not run third-party advertising trackers.

4. AI processing

When you use Studio's AI features, the prompts you submit and the relevant project context (for example, brand assets, current files and brief details) are sent to our model providers (Anthropic and other foundation-model partners) to generate AI Output. Our providers are bound by data-processing agreements that prohibit using paying customers' inputs and outputs to train their foundation models. Providers process inputs in regions documented in their own privacy statements (typically the United States).

5. Sub-processors

We use the following sub-processors to operate Studio:

  • Vercel — application hosting and edge network.
  • Neon — managed Postgres for application data.
  • AWS — object storage and supporting infrastructure.
  • WorkOS — authentication and SSO.
  • Liveblocks — real-time collaboration presence and Yjs state.
  • Stripe — payment processing and invoicing.
  • Anthropic — large language model inference.
  • Sentry — application error reporting.
  • PostHog — product analytics.
  • LogRocket — session replay (consent-based).
  • Intercom — customer support messaging.
  • SendGrid — transactional email delivery.
  • Upstash — Redis for rate limiting.
  • GitHub — source-of-truth repository hosting for connected projects.

The current list is maintained at insites.io/legal/sub-processors.

6. Data location and transfers

Application data is stored in AWS regions in Australia (ap-southeast-2) and the United States (us-east-1, us-west-2). Telemetry and support tooling may be processed in the European Union and the United States. Where data is transferred from the EU/UK we rely on Standard Contractual Clauses or equivalent transfer mechanisms.

7. Security

We use TLS 1.2+ for data in transit and AES-256 at rest. Access to production systems is restricted to authorised staff using single sign-on with hardware-backed multi-factor authentication, logged and reviewed. We run automated vulnerability scans on dependencies and our infrastructure. Our security overview lives at insites.io/security; report suspected issues to security@insites.io.

8. Retention

We retain workspace content for as long as your subscription is active. After cancellation we retain it for 30 days to allow recovery, then schedule it for deletion from active systems. Backups are rotated on a 90-day cycle. We retain billing records for the period required by Australian tax law (currently 7 years).

9. Your rights

Depending on where you live you may have the right to access, correct, delete, restrict or object to processing of your personal information, the right to portability, and the right to withdraw consent. You can exercise most of these rights from the in-product Settings screen, or by emailing support@insites.io. We respond to verified requests within 30 days. If you are in the EU/UK you can also lodge a complaint with your local supervisory authority.

10. Cookies and trackers

Studio uses three categories of cookies and similar technologies. You can accept or reject the optional categories from the cookie banner on first visit; your choice is remembered for 12 months and can be changed from Settings > Privacy.

  • Functional (always on) — session cookies, Sentry error reporting, Liveblocks real-time collaboration. Required for the Service to work.
  • Product analytics (opt-in) — PostHog and LogRocket, used to understand how the product is used and to replay error sessions.
  • Support chat (opt-in) — Intercom messenger so you can reach our team from inside the app.

11. Children

The Service is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact support@insites.io and we will delete it.

12. Changes to this policy

We may update this policy from time to time. If we make a material change we will notify you in-product and by email at least 14 days before the change takes effect. The effective date at the top of this page reflects the most recent revision.

13. Contact

Questions about this policy or your personal information can be sent to support@insites.io. Insites Pty Ltd, Sydney, NSW, Australia.