Privacy Policy

1. About this Privacy Policy

Indago Solutions, LLC (“Indago,” “we,” “our,” or “us”) is a technology platform operated by Indago that provides forensic genetic genealogy (“FGG”) investigation tools and related analytical capabilities to authorized law enforcement agencies and government entities (collectively, “Agency Clients”). This Privacy Policy describes how we collect, use, disclose, and safeguard information in connection with our website at indago.ai (the “Website”) and our proprietary software-as-a-service platform (the “Platform”).

We are committed to protecting the privacy and security of all information entrusted to us, and we recognize the heightened sensitivity of data involved in law enforcement investigations. This Privacy Policy is designed to be transparent about our practices and to comply with applicable federal, state, and local privacy and data protection laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), Cal. Civ. Code § 1798.100 et seq.

Important Distinction: Indago operates as a technology service provider and data processor. We provide tools that enable Agency Clients to conduct investigations using data sources for which the Agency Client maintains independent access, subscriptions, and legal authority. Indago does not independently collect, own, or control the underlying investigative data accessed through the Platform. The Agency Client retains sole responsibility for the lawful use of such data in accordance with applicable legal process requirements, agency policies, and governing law.

2. Scope of This Policy

This Privacy Policy applies to:

Visitors to the Indago.ai Website (“Website Visitors”)
Prospective clients and individuals who request information or demonstrations (“Prospects”)
Authorized users of the Indago Platform (“Authorized Users”)
Agency Clients that contract with Indago for Platform access and services

This Privacy Policy does not govern:

Data processed by Agency Clients through the Platform where Indago acts solely as a processor or service provider on the Agency Client’s behalf. Such processing is governed by the applicable service agreement, data processing addendum, or other contractual terms between Indago and the Agency Client.
Third-party websites, services, or data providers that may be accessed through or integrated with the Platform. Each third-party service is governed by its own terms of service and privacy policy.

3. Information We Collect

3.1 Information Collected Through the Website

Information You Provide Directly. When you contact us, request a demonstration, or submit an inquiry through the Website, we may collect your name, professional email address, telephone number, agency or organization name, job title, and the content of your communications with us.

Information Collected Automatically. When you visit the Website, we automatically collect certain technical information, including your IP address, browser type and version, operating system, referring URL, pages visited, date and time of access, and general geographic location (at the city or regional level). We collect this information through cookies, web beacons, server logs, and similar technologies.

3.2 Information Collected Through the Platform

Account and Access Information. To provision Authorized User accounts, we collect the user’s name, professional email address, agency affiliation, role or rank (as applicable), and authentication credentials. Where Agency Clients utilize or elect to implement single sign-on (SSO) integration, we may receive authentication tokens and associated user identifiers from the Agency Client’s identity provider.

Platform Usage Data. We collect information about how Authorized Users interact with the Platform, including features accessed, search queries submitted, timestamps of activity, session duration, and system performance metrics. This data is used for service improvement, security monitoring, and audit-trail purposes.

Investigative Data Processed Through the Platform. In the course of providing the Platform, Indago may process data that Agency Clients access through integrated third-party data sources, including genealogical data, public records, and licensed investigative databases. Indago processes, caches, and stores this data on behalf of and at the direction of the Agency Client to enable ongoing investigative workflows and case continuity. The Agency Client is the data controller and is responsible for ensuring it has the appropriate legal authority, subscription, and consent (where applicable) to access and use such data.

4. How We Use Information

4.1 Website Information

We use information collected through the Website to:

Respond to inquiries and requests for information or demonstrations
Communicate with Prospects regarding our products and services
Operate, maintain, and improve the Website
Analyze Website traffic and usage patterns to enhance user experience
Detect, prevent, and address security incidents or fraudulent activity
Comply with applicable legal obligations

4.2 Platform Information

We use information collected through or in connection with the Platform to:

Provision, operate, maintain, and secure the Platform
Authenticate Authorized Users and manage access controls
Process data on behalf of Agency Clients in accordance with applicable service agreements
Generate and maintain audit logs and access records as required by law, regulation, or contract
Monitor Platform performance, diagnose technical issues, and improve service quality
Comply with applicable legal obligations, including responses to valid legal process

4.3 Prohibited Uses

Indago does not and will not:

Sell, rent, or lease personal information or investigative data to any third party
Use investigative data processed through the Platform for any purpose other than providing the Platform services to the Agency Client
Use genetic or genealogical data accessed through Platform integrations for any purpose other than facilitating the Agency Client’s authorized investigative activities
Attempt to re-identify de-identified or anonymized data

5. Genealogical and Genetic Data

The Platform integrates with third-party genealogical databases and data sources to facilitate forensic genetic genealogy investigations conducted by Agency Clients. Given the sensitive nature of genealogical and genetic data, Indago implements the following safeguards:

Processor Role. Indago accesses and stores genealogical data as a technology intermediary acting at the direction of the Agency Client, including caching query results and retaining genealogical match data to support ongoing investigative workflows. Indago does not independently query or collect genetic profiles for its own purposes.
Agency Client Responsibility. The Agency Client is responsible for ensuring that its use of genealogical data through the Platform complies with applicable federal and state genetic privacy laws, the terms of service of the applicable genealogical database, and the Agency Client’s own policies governing the use of FGG in criminal investigations.
Data Minimization and Retention. Indago collects and processes the genealogical data necessary to perform the requested Platform functions. The Platform caches genealogical query results and retains genealogical match data to support case continuity, historical analysis, and ongoing investigative workflows. Cached and retained genealogical data is held in accordance with the data retention terms specified in the applicable service agreement and the retention schedule set forth in Section 9 of this Privacy Policy. Upon termination of the applicable service agreement or upon the Agency Client’s written request, genealogical data will be securely deleted or returned in accordance with Section 9.
No Secondary Use. Genealogical data accessed through the Platform is never used for marketing, profiling, employment decisions, insurance underwriting, or any purpose unrelated to the Agency Client’s authorized law enforcement investigation.
Compliance with Applicable Genetic Privacy Laws. Indago’s processing of genealogical data is designed to comply with applicable genetic privacy laws, including but not limited to the Genetic Information Nondiscrimination Act (“GINA”), Cal. Civ. Code § 56.18 (Genetic Information Privacy Act), and comparable state statutes. Where there is a conflict between this Privacy Policy and the requirements of applicable genetic privacy law, the requirements of applicable law shall control.

6. Law Enforcement Data and Regulatory Compliance

Indago recognizes that data processed through the Platform may include sensitive law enforcement and investigative information subject to heightened security and handling requirements. Indago is committed to supporting Agency Clients’ compliance with applicable regulations, including:

Applicable Security Frameworks. Where an Agency Client’s use of the Platform involves data subject to specific regulatory security requirements, Indago will work with the Agency Client to implement administrative, technical, and physical safeguards appropriate to the sensitivity of the data and the applicable regulatory framework, as further detailed in the applicable service agreement or security addendum.
Regulatory Cooperation. To the extent that the Platform is used to store or manage data subject to federal or state regulatory requirements governing criminal intelligence or investigative information, Indago will cooperate with Agency Clients to support compliance with applicable data handling, access restriction, review, and purge requirements.
Audit Trail Integrity. The Platform maintains comprehensive, tamper-evident audit logs of all user activity, including search queries, data access events, and administrative actions. These logs are available to Agency Clients for compliance, oversight, and internal affairs purposes in accordance with the applicable service agreement.
Personnel Security. Indago’s founding personnel maintain active security clearances. As the organization grows, personnel who may have access to sensitive law enforcement data in the course of providing Platform support will be subject to background screening requirements appropriate to the sensitivity of the data accessed and as further specified in the applicable service agreement.

7. Information Sharing and Disclosure

Indago does not sell personal information. We may share or disclose information in the following limited circumstances:

Service Providers and Subprocessors. We may engage trusted third-party service providers to assist in operating the Website or Platform (e.g., cloud infrastructure hosting). Platform data is processed within secured cloud environments and is not shared with third-party SaaS providers for analytics, customer support, or other secondary purposes. To the extent any service provider is engaged that may process or access Agency Client data, such providers are contractually obligated to process data only on our behalf and in accordance with our instructions, and they are subject to confidentiality obligations and security requirements no less protective than those described in this Privacy Policy.
Third-Party Data Integrations. The Platform integrates with third-party data providers at the direction and on behalf of Agency Clients. Data transmitted to or received from these providers is governed by the applicable provider’s terms of service and the Agency Client’s subscription agreement with that provider. Indago acts as a technical conduit and does not independently control the terms under which such data is provided.
Legal Obligations. We may disclose information if required to do so by law, regulation, subpoena, court order, or other valid legal process. Where legally permissible, we will provide notice to the affected Agency Client before disclosing information related to the Platform.
Protection of Rights. We may disclose information where we believe disclosure is necessary to protect our rights, your safety, the safety of others, to investigate fraud, or to respond to a government request.
Business Transfers. In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, information may be transferred as part of that transaction. We will notify affected Agency Clients of any such transfer and any resulting change in applicable privacy practices.

8. Data Security

Indago implements and maintains a comprehensive information security program designed to protect information against unauthorized access, disclosure, alteration, and destruction. Our security measures include, but are not limited to:

Encryption of data in transit using TLS 1.2 or higher and encryption of data at rest using AES-256 or equivalent industry-standard encryption
Multi-factor authentication (MFA) for all Platform access and all administrative access to Indago systems
Role-based access controls (RBAC) limiting data access to authorized personnel on a need-to-know basis
Regular vulnerability assessments, with independent penetration testing to be conducted on a recurring basis following initial assessment
Continuous security monitoring, intrusion detection, and logging of security-relevant events
Documented incident response procedures, maintained and updated as appropriate to reflect changes in the threat landscape and organizational operations
Security awareness practices appropriate to the size and nature of the organization, with formal training programs implemented as the organization scales

Where Agency Clients require compliance with specific regulatory security frameworks, additional technical and administrative controls will be implemented as specified in the applicable service agreement or security addendum.

No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially reasonable and industry-appropriate means to protect information, we cannot guarantee absolute security.

9. Data Retention

Indago retains personal information and other data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by applicable law.

Website Data. Information collected through our Website, such as contact submissions and analytics data, is retained for as long as reasonably necessary for the purposes described herein. Website analytics data is generally retained for no more than twenty-four (24) months.

Platform Account Data. Authorized User account information is retained for the duration of the applicable Agency Client’s service agreement, plus a wind-down period not to exceed ninety (90) days, unless otherwise specified in the service agreement or required by law.

Investigative Data and Customer Data. Customer Data means data submitted to, ingested by, or processed through the Platform by or on behalf of an Agency Client, including investigative records, genealogical match data, and query results to the extent such data is identifiable or reasonably linkable to an individual, investigation, or Agency Client.

Customer Data is retained as follows:

Transient Data: Cached query results and transient processing data are deleted within thirty (30) days unless affirmatively saved to an active case file.
Case Data: Case-associated Customer Data is retained for the duration of the service agreement plus a wind-down period not to exceed ninety (90) days.
Post-Termination: Upon termination or expiration of the service agreement, Customer Data will be returned or securely deleted, at the Agency Client’s election, within thirty (30) days, including deletion from backups except where retention is required by law.

Platform-Generated Analytical Outputs. In the course of processing Customer Data, the Platform may independently generate predictive outputs, including inferred relationships, probabilistic associations, and analytical models derived from the application of Indago’s proprietary algorithms to genetic, genealogical, and public records data (collectively, “Analytical Outputs”). To the extent such Analytical Outputs (a) are generated by Indago’s own technology rather than directly extracted or copied from Customer Data, (b) have been de-identified such that they cannot reasonably be linked to a specific individual who is the subject of an investigation, a specific Agency Client, or a specific investigation, and (c) meet the de-identification standards of applicable law, including Cal. Civ. Code § 1798.140(m), such Analytical Outputs are not considered Customer Data and may be retained by Indago for lawful business purposes, including improving the accuracy and capabilities of the Platform. Indago will not attempt to re-identify de-identified Analytical Outputs or use them to reconstruct the investigative context from which they were derived.

CJIS and Law Enforcement Data. Where Customer Data includes Criminal Justice Information (“CJI”), Indago will work with the Agency Client to meet applicable requirements per the customer service agreement. Such data is processed solely for authorized law enforcement purposes and in accordance with Agency Client instructions. CJI is not retained in identifiable form beyond the periods described above except as required by law.

AI-Generated and Derived Data. The Platform may generate outputs, analytics, models, embeddings, logs, and related data (“Derived Data”) through operation of our artificial intelligence and machine learning systems.

De-Identified Derived Data. Derived Data that has been de-identified such that it cannot reasonably be linked to an individual, investigation, or Agency Client is not considered Customer Data and may be retained, used, disclosed, and commercially exploited for lawful business purposes, including improving, training, and operating the Platform, provided it complies with applicable law and is not re-identified.

Data Protection Roles (GDPR/CCPA). For purposes of applicable data protection laws:

The Agency Client acts as the “controller” (or “business”), and we act as the “processor” (or “service provider”/“contractor”) with respect to Customer Data.
We process Customer Data solely on documented instructions from the Agency Client and do not sell or share Customer Data as defined under applicable law.
We do not retain, use, or disclose Customer Data outside our direct business relationship with the Agency Client except as permitted by law or contract.
We provide reasonable assistance to support the Agency Client’s compliance with data subject or consumer rights requests.

De-identified Derived Data is not subject to these restrictions where it meets applicable legal standards.

Audit Logs. Platform audit logs are retained in accordance with industry standards and applicable regulatory requirements, with infrastructure-level logs archived for a minimum of one (1) year in active storage and up to seven (7) years in archival storage. Application-level audit logs are retained for the duration specified in the applicable service agreement or, in the absence of specific contractual terms, for a minimum of one (1) year.

Deletion and Return. Upon termination or expiration of an Agency Client’s service agreement, Indago will, at the Agency Client’s election: (a) return all Agency Client data in a commercially standard, machine-readable format; or (b) securely delete or destroy all Agency Client data, including all copies and backups (except as required to be retained by applicable law or regulation), and certify such deletion in writing within thirty (30) days.

10. Your California Privacy Rights (CCPA/CPRA)

If you are a California resident, you may have certain rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (Cal. Civ. Code § 1798.100 et seq.). The following disclosures apply to personal information that Indago collects in its capacity as a “business” (as defined under the CCPA/CPRA), such as information collected through the Website or in connection with Indago’s direct business relationships.

Note Regarding Agency Client Data: When Indago processes data on behalf of an Agency Client through the Platform, Indago acts as a “service provider” (as defined under the CCPA/CPRA). In such cases, requests from individuals regarding their personal information should be directed to the applicable Agency Client or government entity.

Subject to applicable exceptions and verification requirements, California residents may exercise the following rights:

Right to Know. You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which that information was collected, the business or commercial purpose for collecting the information, and the categories of third parties with whom we share the information.
Right to Delete. You may request that we delete personal information we have collected from you, subject to certain exceptions provided by law.
Right to Correct. You may request that we correct inaccurate personal information that we maintain about you.
Right to Opt Out of Sale or Sharing. Indago does not sell personal information and does not share personal information for cross-context behavioral advertising purposes.
Right to Limit Use of Sensitive Personal Information. To the extent Indago collects sensitive personal information (as defined under the CCPA/CPRA), we use such information only for purposes authorized under Cal. Civ. Code § 1798.121.
Right to Non-Discrimination. We will not discriminate against you for exercising any of your privacy rights.

To submit a request, please contact us using the information provided in Section 15 below. We will verify your identity before processing your request. We will respond to verifiable requests within forty-five (45) calendar days, or notify you if an extension is required (not to exceed an additional forty-five (45) days).

11. Cookies and Tracking Technologies

The Website uses the following categories of cookies and similar technologies:

Strictly Necessary Cookies. Required for the Website to function (e.g., session management, security). These cannot be disabled.
Analytics Cookies. Used to understand how visitors interact with the Website, including pages visited and traffic sources. We may use third-party analytics providers such as Google Analytics for this purpose.
Functional Cookies. Enable enhanced functionality and personalization, such as remembering your preferences.

You can manage your cookie preferences through your browser settings. Disabling certain cookies may affect Website functionality. The Platform does not use advertising or tracking cookies.

We honor “Do Not Track” (DNT) signals transmitted by your browser. When we detect a DNT signal, we will not load non-essential tracking technologies on the Website.

12. Third-Party Services and Integrations

The Platform integrates with third-party data providers and services to deliver its functionality. These integrations may include genealogical databases, licensed investigative data providers, and cloud infrastructure providers.

Each third-party service is governed by its own terms of service and privacy policy. Indago is not responsible for the privacy practices of third-party providers. Agency Clients are responsible for reviewing and agreeing to the terms of service of any third-party provider whose data or services they access through the Platform.

Indago selects third-party subprocessors and infrastructure providers with due regard for their security posture, compliance certifications, and contractual commitments to data protection.

13. Children’s Privacy

The Website and Platform are not directed to individuals under the age of thirteen (13), and Indago does not knowingly collect personal information from children under thirteen (13). If we become aware that we have collected personal information from a child under thirteen (13), we will promptly delete such information. If you believe a child under thirteen (13) has provided personal information to us, please contact us using the information in Section 15.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the “Effective Date” at the top of this Privacy Policy and, where required by applicable law, provide notice through the Website or by other appropriate means. For Agency Clients, material changes to data processing practices will be communicated in accordance with the applicable service agreement.

We encourage you to review this Privacy Policy periodically to stay informed about our information practices.

15. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, you may contact us at:

Indago

Attn: Privacy Inquiries

Email: privacy@indago.ai

Website: https://indago.ai

For CCPA/CPRA requests, please include “Privacy Rights Request” in the subject line of your communication and provide sufficient information for us to verify your identity.

16. Governing Law

This Privacy Policy shall be governed by and construed in accordance with the laws of the State of California, without regard to its conflict of laws principles. To the extent any dispute arises relating to this Privacy Policy, the parties consent to the exclusive jurisdiction of the state and federal courts located in Orange County, California.

Home