Plain-English risk rating: 2 of 5
Intercom Fin is the most-documented AI customer-service agent in this database from a privacy posture perspective. Intercom has published explicit commitments on its blog and in its Additional Product Terms: third-party LLM providers operate under zero-data-retention arrangements, customer data is not used for model training or fine-tuning, and the Fin AI Engine is designed with retrieval-and-validation architecture rather than training-on-conversations. Intercom holds SOC 2 Type II certification and supports HIPAA via BAA for qualifying customers, with EU Data Residency available.
The risk picture is dominated less by Fin-specific concerns and more by the broader category challenge for any AI customer-service agent: prompt injection through customer-submitted content, hallucinated responses that could create legal exposure for the merchant, and the operational discipline required to keep Fin's knowledge sources accurate.
Recommended for
- Sole proprietor: Fin is overkill for sole proprietors with low support volume. Use Intercom Inbox without Fin if you're below ~30 tickets per month.
- Small team (2-10 people): Fin at $0.99/resolution makes sense if your support team is genuinely overloaded. The privacy posture is strong enough that the decision to adopt it comes down to feature value, not safety.
- Regulated industry: Fin with BAA, EU Data Residency where applicable, and strict configuration of which Custom Data Attributes Fin can access. Healthcare and finance customers should restrict Fin's knowledge sources to non-PHI/non-financial content.
- The honest answer for most 1-10 employee businesses doing customer support at scale: Fin is one of the best-engineered AI customer-service products as of mid-2026 from a privacy-design perspective. The cost model ($0.99 per autonomous resolution) aligns vendor incentive with actual value delivered. Configure carefully, audit responses regularly, and treat Fin as a tier-1 agent rather than a full replacement.
Data retention default
- Customer conversation content: standard Intercom retention applies per workspace configuration
- LLM provider retention: zero — contractually enforced across providers
- Knowledge sources (help articles and other content Fin retrieves answers from): retained while integrated
- Fin generates an audit log of each conversation including which sources were referenced
Training opt-out
NO TRAINING ON CUSTOMER DATA BY DEFAULT across all Fin tiers. Intercom's Additional Product Terms explicitly state: "Intercom contractually restricts Third Party AI Providers from using Customer Data for training or otherwise improving Third Party AI Provider's services."
This is a contractual commitment rather than a user-facing toggle, consistent with the strongest Embedded Productivity AI products in this database (Notion AI, Asana AI).
Zero Data Retention availability
- Default across tiers: Zero-retention API arrangements with LLM providers (OpenAI primarily; Anthropic for some features)
- EU Data Residency for qualifying customers; in-region processing of AU workspace data is on Intercom's roadmap
Plan tiers and pricing (as of early 2026)
| Tier | Price (USD) | Fin pricing | Suitable for |
|---|---|---|---|
| Essential | $39/seat/month | $0.99/resolution add-on | Small teams |
| Advanced | $99/seat/month | $0.99/resolution included | Growing teams |
| Expert | $139/seat/month | $0.99/resolution included | Larger teams needing SLAs |
| Proactive Support Plus | Add-on | N/A | Outbound messaging |
Fin Voice (the voice AI agent) has separate fair-use limits per the Additional Product Terms (7-minute average call length, 100 concurrent calls before overage charges apply).
Jurisdiction
- Primary processor: Intercom Inc., San Francisco, California, USA (with Dublin, Ireland EU entity)
- Cloud infrastructure: AWS
- Third-party AI subprocessors: OpenAI (primary), Anthropic (some features) — all under zero-retention and no-training contractual terms
- SOC 2 Type II, ISO 27001 certified
- HIPAA available with BAA at qualifying tiers
- EU Data Residency available; AU Data Residency on roadmap
Breach history (public incidents)
No major direct breach of Intercom infrastructure publicly disclosed as of May 2026.
Intercom has published a transparency document acknowledging that "over the past year, we've observed very few successful attempts at bypassing the safeguards put in place to protect our AI-powered features. None of these attempts constituted a reputational threat to our customers, and all incidents were mitigated in a timely fashion." This level of public acknowledgement of attempted bypasses is uncommon and reflects a relatively mature security posture.
Category-level risk: As with any AI customer-service agent, prompt injection via customer-submitted content (a customer typing instructions intended to manipulate Fin) is the dominant attack class. Intercom's retrieval-and-validation architecture reduces this risk compared with pure-LLM-response systems, but does not eliminate it.
What this means in plain English for SMB owners
Three honest takeaways:
- Intercom Fin's privacy and security documentation is among the best in this database. The combination of zero-retention contracts with LLM providers, no-training-default, SOC 2 Type II, HIPAA availability, and EU residency is a defensible enterprise-grade posture at SMB pricing.
- The $0.99-per-resolution pricing model genuinely aligns Intercom's incentive with delivered value. Compare this with seat-based AI pricing where the vendor benefits from heavy usage regardless of resolution quality. Audit your monthly Fin resolution rate against escalations to track whether Fin is actually resolving or merely punting to humans.
- Operational discipline matters more than vendor choice for AI customer service. Whatever AI agent you use, the determinants of safety and quality are (a) how accurate your knowledge sources are, (b) which Custom Data Attributes you let the AI access, and (c) how clearly you have configured escalation rules for sensitive topics (refunds, cancellations, regulated data). Fin makes these configurable; the configuration is the work.
Sources
- Intercom Additional Product Terms: https://www.intercom.com/legal/terms-and-policies/additional-product-terms (verified 2026-05-24)
- Intercom blog: How Intercom ensures data privacy and safety in the age of AI (February 2025)
- Intercom Help: The Fin AI Engine documentation
- Intercom Help: Fin AI Agent FAQs
- Fin.ai: HIPAA & GDPR Compliant AI Agents guide (April 2026)
- My AskAI: Intercom Fin AI Agent Complete Guide (March 2026)
