Privacy Policy
Last updated: June 5, 2026
Introduction
Intelloro is a product owned and operated by Sultan Consulting Firm, a registered business in Bangladesh. Intelloro (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website intelloro.com.
For all privacy-related inquiries, contact our data protection team at info@intelloro.com.
This Privacy Policy covers your rights under the laws of: European Union (GDPR), United Kingdom (UK GDPR & DPA 2018), United States (federal + state laws including California, Texas, Virginia, Colorado, Connecticut, Oregon, Utah), Canada (PIPEDA + Quebec Law 25), Brazil (LGPD), and Bangladesh (PDPO 2025). Jurisdiction-specific sections appear below.
Information We Collect
Personal Information
We may collect personal information that you voluntarily provide when you:
- Create an account or sign up for our newsletter
- Submit a tool for review
- Contact us through our contact form
- Leave reviews or comments
- Participate in surveys or promotions
This information may include your name, email address, and any other information you choose to provide.
Automatically Collected Information
When you visit our website, we automatically collect certain information, including:
- IP address and browser type
- Pages visited and time spent on pages
- Referring website addresses
- Device information
How We Use Your Information
We use the information we collect to:
- Provide and maintain our services
- Personalize your experience
- Send you newsletters and updates (with your consent — see Newsletter section below)
- Respond to your inquiries and support requests
- Analyze usage patterns to improve our platform
- Prevent fraud and ensure security
Lawful Basis for Processing (GDPR Art. 6) — Per Activity
Under the GDPR (and equivalent UK GDPR, LGPD, and PDPO 2025 frameworks), each processing activity is mapped to a specific lawful basis:
| Processing Activity | Lawful Basis (Art. 6) | Retention |
|---|---|---|
| Account creation & management | Contract (6(1)(b)) | Until deletion / 24 months of inactivity |
| Payment processing (via Paddle) | Contract (6(1)(b)) | 7 years (tax) |
| Newsletter subscription | Consent (6(1)(a)) | Until unsubscribe |
| Marketing & advertising cookies | Consent (6(1)(a)) | 12 months |
| Analytics (aggregate, non-PII) | Legitimate Interest (6(1)(f)) | 24 months, then anonymized |
| Fraud prevention & security | Legitimate Interest (6(1)(f)) | 12 months |
| User reviews & UGC | Legitimate Interest (6(1)(f)) | Until deletion |
| Support correspondence | Legitimate Interest (6(1)(f)) | 36 months |
| Tax / legal compliance | Legal Obligation (6(1)(c)) | As required by law |
| DSAR & rights requests | Legal Obligation (6(1)(c)) | 36 months (audit trail) |
Where consent is the basis, you may withdraw it at any time without affecting prior lawful processing.
Newsletter & Email Communications
When you subscribe to our newsletter by entering your email address, you consent to receiving the following communications:
- Weekly Digest — a summary of newly added AI tools, agents, and blog posts, sent once per week
- Sponsored Content — occasional featured tools from our advertising partners, clearly labeled as “Sponsored”
We use a single opt-in process: entering your email and clicking “Subscribe” constitutes your consent. You can unsubscribe at any time by:
- Clicking the “Unsubscribe” link at the bottom of any email we send
- Emailing us at info@intelloro.com with a request to remove your email
We do not share your email address with third parties for their own marketing purposes. Emails are sent via Resend, our email service provider.
Cookies, Targeted Advertising, and Profiling
We use cookies and similar tracking technologies to enhance your experience. You can control cookies, opt out of targeted advertising, and opt out of profiling through our cookie consent banner (accessible via the “Cookie Settings” link in the footer). We honor the Global Privacy Control (GPC) browser signal as a valid opt-out request. Essential cookies are required for the website to function properly. See our Cookie Policy for full details.
Third-Party Services & Subprocessors
We engage the following subprocessors to operate the Service. Each subprocessor publishes its own Data Processing Agreement (DPA) and Standard Contractual Clauses (SCCs) which govern any transfer of personal data — we accept and operate under those published terms.
| Subprocessor | Purpose | Region |
|---|---|---|
| Vercel Inc. | Hosting & CDN | USA + global edge |
| MongoDB Atlas | Database | USA |
| Clerk | Authentication | USA |
| Paddle.com | Payments (Merchant of Record) | UK + global |
| Resend | Transactional & newsletter email | USA |
| Google (Analytics, optional) | Aggregate analytics (consent-gated) | USA + EU |
| Scrapfly & AI providers (OpenAI, Anthropic, Google Gemini) | Public web data extraction & AI tool analysis (no user PII processed) | USA |
For an updated subprocessor list or to receive notice of additions, email info@intelloro.com with the subject “Subprocessor List Request”.
Payment Processing
All payments on Intelloro are processed by Paddle.com, which acts as the Merchant of Record. When you make a purchase:
- Paddle collects your payment information (card details, billing address) directly — Intelloro never sees or stores your full payment details
- Paddle processes your payment, handles tax compliance, and issues invoices
- Paddle may share your name, email, and transaction details with us for order fulfillment
- Paddle's handling of your payment data is governed by Paddle's Privacy Policy
Data Security
We rely on industry-standard security measures provided by our infrastructure subprocessors, including TLS encryption in transit (provided by Vercel) and encryption at rest (provided by MongoDB Atlas). Access to administrative systems is limited to authorised personnel. We are progressively building out additional formal controls (audit logging, vulnerability management, penetration testing) as the platform scales. No method of transmission over the Internet is 100% secure.
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33; UK GDPR Art. 33; Quebec Law 25 § 3.5; LGPD Art. 48)
- Notify affected users without undue delay when the breach poses a high risk to individuals (GDPR Art. 34)
- Provide details including the nature of the breach, likely consequences, and measures taken to address it
- Bangladesh PDPO 2025 — notify the Bangladesh Data Protection Authority within the timeline required by the implementing regulations
- US state laws — notify residents per state-specific timelines (e.g., California 45-day rule; Texas immediate; Virginia within 30 days)
AI & Automated Processing
Intelloro uses artificial intelligence systems to collect and analyze publicly available information about AI tools and agents. This includes:
- AI-powered extraction of tool data from vendor websites
- Algorithmic scoring of tools based on publicly available data (Trust Score, Task Scores, Dimension Scores)
- AI-assisted cross-referencing with third-party review platforms (G2, Capterra, Trustpilot)
These AI systems process publicly available data about AI products — not your personal data. Your personal information (account details, preferences) is not processed by AI scoring systems. For full details on our AI methodology, transparency obligations under EU AI Act Articles 4 and 50, and risk-tier classification, see our dedicated AI Disclosure page.
Right to opt out of automated decision-making (GDPR Art. 22; Quebec Law 25 § 12.1; ColoPA & CTDPA profiling rights): Where automated decisions produce legal or similarly significant effects, you have the right to request human review. Email info@intelloro.com to exercise this right.
Data Retention
We retain your personal information for as long as your account is active or as needed to provide you services. Specifically:
- Active account data: retained until you request deletion
- Inactive accounts: we plan to implement an automatic inactivity-based deletion process (target threshold: 24 months of no login). Until that automation is in place, you may request deletion at any time via info@intelloro.com or our account deletion endpoint.
- Usage analytics: retained for up to 24 months, then anonymised
- Cookie preferences: retained for up to 12 months
- Support correspondence: retained for up to 36 months
- Payment records: retained by Paddle (Merchant of Record) for the period required by applicable tax law (typically 7 years)
- DSAR records: we retain records of rights requests for the period required by applicable law to evidence compliance
You may request deletion of your data at any time by contacting info@intelloro.com.
International Data Transfers
Intelloro is hosted on Vercel (United States) and uses MongoDB Atlas for data storage. If you access our Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.
For EU/EEA and UK users (Schrems II compliance): Transfers to the United States rely on a combination of (a) the EU–US Data Privacy Framework (DPF) where the recipient subprocessor is self-certified, (b) the European Commission's Standard Contractual Clauses (SCCs) published by our subprocessors, and (c) the UK International Data Transfer Addendum (IDTA) where applicable. We will conduct a formal Transfer Impact Assessment (TIA) documenting US surveillance laws (FISA 702, Executive Order 12333) and the supplementary technical measures applied. The completed TIA will be made available to supervisory authorities and EU/UK data subjects on request via info@intelloro.com.
Your Rights
Depending on your location, you may have the right to:
- Access your personal information
- Correct inaccurate data
- Request deletion of your data
- Opt out of marketing communications
- Opt out of targeted advertising and profiling (US state laws + GDPR)
- Data portability
- Withdraw consent at any time
- Lodge a complaint with a supervisory authority
- Object to or limit automated decision-making
Response Timeline: We respond to all Data Subject Access Requests (DSARs) within 30 days of receipt (GDPR Art. 12(3); UK GDPR; LGPD; PDPO). For California (CCPA): 45 days. For Texas (TDPSA): 45 days. For complex requests, this may be extended by up to 60 additional days, in which case we will inform you within the original window. To exercise your rights, email info@intelloro.com or use our data export and account deletion tools (login required).
California Privacy Rights (CCPA / CPRA / Delete Act)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) and the California Delete Act (SB 362), grants you specific rights regarding your personal information:
- Right to Know — what personal information we collect, use, disclose, and sell about you
- Right to Delete — request deletion of your personal information
- Right to Correct — correct inaccurate personal information
- Right to Opt-Out of Sale or Sharing — opt out of the sale or sharing of your personal information for cross-context behavioral advertising
- Right to Limit Use of Sensitive Personal Information
- Right to Non-Discrimination — we will not discriminate against you for exercising any of these rights
Categories of personal information collected: identifiers (email, IP address), internet/network activity (browsing data, cookies), commercial information (tools saved/compared), and inferences drawn from this data.
Do Not Sell or Share My Personal Information: Intelloro does not sell personal information for monetary value. However, the use of third-party analytics and advertising cookies may constitute “sharing” under CPRA. To opt out, disable Marketing cookies in our cookie preferences or visit our dedicated Do Not Sell My Personal Information page.
California Delete Act (SB 362): Intelloro is not currently registered with the California Privacy Protection Agency (CPPA) as a Data Broker, as our processing of personal information is incidental to our directory service and we do not collect personal information from sources other than directly from consumers. We monitor this status and will register with the CPPA if our processing scope changes. California residents may still exercise full CCPA / CPRA rights via the methods above.
To exercise any CCPA right, email info@intelloro.com with the subject line “CCPA Request”. We will verify your identity and respond within 45 days as required by law.
Other US State Privacy Rights
Beyond California, the following US state laws grant you specific privacy rights. To exercise any of these, email info@intelloro.com with the subject line “State Privacy Request — [Your State]”.
| State | Law | Your Rights |
|---|---|---|
| Texas | TDPSA (effective Jul 2024) | Access, delete, correct, portability, opt-out of sale + targeted advertising + profiling |
| Virginia | VCDPA (effective 2023) | Access, delete, correct, portability, opt-out of sale + targeted advertising + profiling |
| Colorado | ColoPA (effective Jul 2023) | Access, delete, correct, portability, opt-out of sale + targeted advertising + profiling; honors GPC signal |
| Connecticut | CTDPA (effective Jul 2023) | Access, delete, correct, portability, opt-out of sale + targeted advertising + profiling |
| Utah | UCPA (effective Dec 2023) | Access, delete, portability, opt-out of sale + targeted advertising |
| Oregon | OCPA (effective Jul 2024) | Access, delete, correct, portability, opt-out of sale + targeted advertising + profiling |
| Montana, Tennessee, Iowa, Indiana, Delaware, Florida, New Jersey, New Hampshire, Kentucky, Maryland, Minnesota, Rhode Island | State-specific (2024–2026 phased) | Rights equivalent to those above; state-specific timelines apply |
All states above: response within 45 days (single 45-day extension for complex requests). We honor the Global Privacy Control (GPC) browser signal as a valid universal opt-out under all applicable state laws.
United Kingdom (UK GDPR & Data Protection Act 2018)
For users in the United Kingdom, we process personal data in accordance with the UK GDPR and Data Protection Act 2018. Your rights mirror those granted under EU GDPR, including access, rectification, erasure, restriction, portability, and objection.
UK Age Appropriate Design Code (Children's Code): The ICO's Age Appropriate Design Code applies to UK users under 18. Where we have reason to believe a user is a minor, we will apply the Code's standards (data minimisation, reduced profiling, high-privacy defaults). As a beta-stage platform we do not currently deploy age-detection technology and rely on the COPPA-aligned 13+ self-declaration at signup. We do not knowingly allow accounts for users under 13 (see Children's Privacy section below).
To exercise your rights, contact info@intelloro.com. You also have the right to lodge a complaint with the UK's Information Commissioner's Office (ICO) at ico.org.uk.
UK Representative (UK GDPR Art. 27): Intelloro is currently in the process of evaluating and appointing a formal UK Representative. Pending appointment, all UK data subjects may exercise their rights by contacting info@intelloro.com directly. The UK Representative's details will be published on this page once the appointment is finalized. UK users may also lodge complaints directly with the ICO regardless of Representative status.
European Union (GDPR + EU AI Act)
For users in the European Union, we process personal data in accordance with the General Data Protection Regulation (GDPR, Regulation 2016/679) and the EU AI Act (Regulation 2024/1689 where applicable). Your rights are detailed throughout this Policy and in the “Your Rights” section above.
EU Representative (GDPR Article 27): Intelloro operates outside the European Union (Bangladesh) and is currently in the process of evaluating and appointing a formal EU Representative as required under GDPR Article 27. Pending appointment, all EU data subjects may exercise their rights by contacting info@intelloro.com directly. The EU Representative's details will be published on this page once the appointment is finalized. EU users also have the right to lodge a complaint with their local supervisory authority regardless of Representative status.
EU AI Act compliance: Intelloro's AI systems (data extraction, scoring, recommendation) are classified as limited-risk under the AI Act and are subject to the transparency obligations of Article 50. We are not currently a provider or deployer of high-risk AI systems as defined in Annex III. AI-generated content is labelled at the point of consumption on tool pages. For full AI Act risk-tier classification, governance, and incident-reporting procedures, see our AI Disclosure page.
Brazil (LGPD + ECA Digital Law)
For users in Brazil, we comply with the Lei Geral de Proteção de Dados (LGPD, Law 13.709/2018) and the ECA Digital (Law 15.211/2025, effective March 2026 — Digital Statute for Children and Adolescents). You have the right to:
- Confirmation of the existence of processing
- Access to your data
- Correction of incomplete or outdated data
- Anonymization, blocking, or deletion of unnecessary data
- Data portability
- Information about public and private entities with which we share your data
- Revocation of consent
Data Protection Officer (DPO / Encarregado): Sultan Mahamud, Head of Operations, serves as the contact for Brazilian data subjects. Email info@intelloro.com with the subject “LGPD Request”. We will register the DPO with the Brazilian National Data Protection Authority (ANPD) when our processing of Brazilian personal data reaches the threshold defined by ANPD's implementing regulations.
ECA Digital (Law 15.211/2025): For Brazilian users we have reason to believe are under 18, we will apply “Privacy by Design” defaults consistent with the ECA Digital (disabled profiling, no behavioural advertising). We do not knowingly allow accounts for users under 13. We do not currently use age-verification technology and rely on the COPPA-aligned 13+ self-declaration at signup. Parents/guardians may request deletion of a minor's data via info@intelloro.com.
You may also lodge a complaint with the Brazilian National Data Protection Authority (ANPD) at gov.br/anpd.
Canada (PIPEDA + Quebec Law 25)
For users in Canada, we comply with the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws (e.g., Quebec Law 25 / Bill 64, Alberta PIPA, BC PIPA). Your rights include accessing and correcting your personal information and withdrawing consent for its use.
Privacy Officer (Quebec Law 25 § 3.1 / § 119): Sultan Mahamud, Head of Operations, serves as the Privacy Officer for Quebec data subjects. Contact info@intelloro.com with the subject “Quebec Law 25 Request”.
Privacy Impact Assessment (PIA): Where Quebec Law 25 § 3.3 requires, we will conduct Privacy Impact Assessments before launching new processing activities that involve sensitive personal information, large-scale data, or automated decision-making affecting Quebec residents. PIA documentation will be made available to the Commission d'accès à l'information (CAI) on request.
Automated decision-making (Quebec Law 25 § 12.1): Intelloro's tool recommendations and rankings are advisory only and do not produce legal or similarly significant effects on individuals. If we ever introduce a feature that relies on automated decisions producing such effects, we will disclose that fact, the principal factors leading to the decision, and your right to request a human review. To exercise this right or ask a question about our automated processing, email info@intelloro.com.
You may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca or with the Commission d'accès à l'information du Québec at cai.gouv.qc.ca.
Bangladesh (Personal Data Protection Ordinance 2025)
Intelloro is operated by Sultan Consulting Firm, registered in Bangladesh. As a Bangladesh-based controller, we comply with the Personal Data Protection Ordinance 2025 (PDPO) and any subsequent amendments. The PDPO grants Bangladesh residents the following rights:
- Right to be informed of processing
- Right of access to personal data
- Right to rectification
- Right to erasure (where permitted by law)
- Right to withdraw consent
- Right to lodge a complaint with the Bangladesh Data Protection Authority (when established)
Lawful basis (PDPO Sections 12–13): We collect and process personal data only with explicit, freely given, specific, informed, and unambiguous consent, except where another lawful basis under PDPO applies (contract, legal obligation, vital interests, public task, legitimate interests).
Data Protection Officer (PDPO): Sultan Mahamud, Head of Operations, serves as our Data Protection Officer for PDPO compliance. Contact info@intelloro.com with the subject “PDPO Request”.
Cross-border transfers: Where personal data of Bangladesh residents is transferred outside Bangladesh (to our subprocessors in the USA and elsewhere), we rely on the safeguards published by those subprocessors (Standard Contractual Clauses, encryption in transit, encryption at rest) — the same safeguard stack we apply for GDPR Schrems II purposes.
Risk-based security measures (PDPO): Our current technical measures include TLS encryption in transit and encryption at rest (provided by Vercel and MongoDB Atlas respectively) and limited administrative access. We are progressively building out additional formal controls (audit logging, vulnerability management programme, documented breach-response procedure) as the platform scales.
Children's Privacy (COPPA + GDPR Art. 8 + UK Children's Code)
Intelloro is not directed to children under 13. We do not knowingly collect personal information from children under 13 in compliance with the U.S. Children's Online Privacy Protection Act (COPPA). If we become aware that we have collected such information, we will delete it promptly. Parents or guardians who believe their child has provided personal information should contact info@intelloro.com.
EU GDPR Article 8 (Information Society Services): For users in the EU/EEA between the ages of 13 and the national-law age threshold (typically 16), GDPR Art. 8 requires parental consent. We do not currently use age-verification technology and rely on the COPPA-aligned 13+ self-declaration at signup. Where we have reason to believe a user falls in this age range, we will require parental confirmation before continuing to process the account.
UK Age Appropriate Design Code: For UK users we have reason to believe are minors, we will apply the ICO's Children's Code standards, including data minimisation, reduced profiling, and high-privacy defaults. As a beta-stage platform we do not currently deploy age-detection technology.
California Age-Appropriate Design Code (CA AADC): For California users we have reason to believe are under 18, we will apply the CA AADC's privacy-by-default standards. As a beta-stage platform we do not currently deploy age-detection technology.
Brazil ECA Digital (Law 15.211/2025): See the “Brazil” section above for parental supervision and Privacy by Design defaults applied to Brazilian minors.
Contact Us
If you have questions about this Privacy Policy or wish to exercise any of your rights, please contact us at:
Data Protection Contact: info@intelloro.com
Operations Lead / DPO / Privacy Officer: Sultan Mahamud, Head of Operations
Postal Address: Sultan Consulting Firm, Bangladesh (full address available on request).
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the “Last updated” date. For significant changes that affect your rights, we will notify registered users by email at least 30 days before the change takes effect.