01 · What we collect
In plain English: we collect what we need to run the service. Account info to log you in. Lead data you upload because that's the input. BYOK keys because the LLM call needs them. Usage data because something has to render the dashboard.
We collect the following categories of personal data:
- Account information. Name, work email, company, role, password hash, and billing address. Provided by you at signup or in account settings.
- Lead and account data you upload. Contact names, email addresses, company URLs, job titles, and any custom fields you import or paste into the Service. This data is your input — we process it on your behalf.
- Generated drafts and approval signals. The drafts the model produces, the edits you make, and your accept/reject decisions. We use these to improve quality on your account; we do not pool them across customers.
- BYOK API keys. When you connect a third-party LLM provider, we store the API key encrypted at rest and use it only to make calls on your behalf.
- Usage data. Pages visited within the app, features used, draft counts, error logs, and timestamps. Tied to your account.
- Communications. Emails you send to support@paitho.ai, in-app chat threads, and survey responses.
- Technical data. IP address (for session security and abuse detection), browser user-agent string (for compatibility), and approximate geolocation derived from IP at the country/region level.
02 · What we don't collect
In plain English: no cross-site tracking. No fingerprints. No precise location. No biometrics. No selling your data. We mean it.
We deliberately do not collect, use, or transmit:
| Category | Status | Why |
|---|---|---|
| Third-party tracking cookies | Never | We do not embed Google Analytics, Meta Pixel, LinkedIn Insight, Hotjar, or any cross-site tracking script on our marketing site or in-app. |
| Browser fingerprinting | Never | We do not collect canvas, font, audio, or device-fingerprint signals to identify visitors. |
| Precise geolocation | Never | We use IP-based country/region only for residency routing and abuse detection. We do not request browser geolocation API access. |
| Biometric data | Never | We do not collect facial, fingerprint, or voiceprint data of any kind. |
| Sale of personal data | Never | We do not sell, rent, or trade personal data to advertisers, data brokers, or any third party. |
03 · How we use data
In plain English: we use your data to run the product, bill you, support you, and keep things secure. That's the entire list.
We use the data described above to:
- Provide the Service: authenticate you, render dashboards, run research and drafting workflows, route drafts for your review.
- Process billing and account administration.
- Provide customer support and respond to your questions.
- Detect, investigate, and prevent fraud, abuse, and security incidents.
- Improve product quality on your account using your accept/reject feedback.
- Comply with legal obligations.
We do not use your account data, lead data, or drafts to train shared, cross-customer models.
04 · Data sharing with sub-processors
In plain English: we use a small set of vetted vendors to host, send, and bill. We name every one of them on the security page. Nobody else.
We share personal data only with the following categories of recipients:
- Sub-processors. Third-party vendors we engage to host infrastructure, process payments, send transactional email, and provide error monitoring. The current list is published at /security#sub-processors and is updated when we add or remove a sub-processor (see DPA Section 7 for notice obligations).
- Upstream LLM providers (BYOK). When you use BYOK, prompts and lead context required to fulfill your draft are transmitted to the provider you selected (e.g. OpenAI, Anthropic) under your API key and the provider's terms.
- Legal and compliance. Where required by law, court order, or to protect the rights, property, or safety of Paitho, our customers, or the public.
- Business transfers. In connection with a merger, acquisition, or sale of substantially all assets, with notice to you and continued protection consistent with this policy.
We do not share personal data with advertising networks, data brokers, or analytics platforms that aggregate cross-site profiles.
05 · Data residency
In plain English: pick US or EU when you sign up. We keep your data in that region.
Customers may choose between two data-residency regions at account creation:
- United States — primary infrastructure in us-east with backups in us-west.
- European Union — primary infrastructure in eu-central (Frankfurt) with backups in eu-west (Dublin).
Your account data, lead data, and drafts will be stored and processed in the region you selected. Some metadata required for global service operation (account email, billing records, audit logs) may be replicated to a single global control plane; this is documented at /security.
06 · Retention
In plain English: we keep your data while your account is active, plus a 90-day window after cancellation so you can export. Then we delete it.
We retain personal data for the periods described in our security page retention table. Summary:
| Data type | Active retention | Post-termination |
|---|---|---|
| Account information | Life of account | 90 days, then deleted |
| Lead & account data | Life of account | 90 days, then deleted |
| Drafts & approval signals | 24 months rolling | 90 days, then deleted |
| BYOK API keys | Until you remove them | Deleted immediately on cancellation |
| Usage / audit logs | 13 months rolling | 13 months from termination |
| Billing records | 7 years (tax law) | 7 years (tax law) |
| Backups | 35-day rolling | Purged via rotation within 35 days |
The full table with technical detail lives at /security.
07 · Your rights
In plain English: you can see your data, fix it, export it, delete it, or tell us to stop processing it. Email privacy@paitho.ai and we'll do it within 30 days.
Subject to applicable law (including GDPR, UK GDPR, CCPA/CPRA, and similar regimes), you have the right to:
- Access — request a copy of the personal data we hold about you.
- Correction — request that we correct inaccurate or incomplete data.
- Deletion — request that we delete your personal data, subject to legal retention requirements.
- Export (data portability) — receive your data in a machine-readable format (CSV/JSON).
- Objection & restriction — object to or restrict certain processing.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
- Lodge a complaint — with your local data protection authority.
To exercise any of these rights, email privacy@paitho.ai. We will verify your identity and respond within thirty (30) days. There is no fee for routine requests.
Where you are exercising rights on behalf of a data subject contained in lead data you uploaded (i.e. you are the Controller and Paitho is your Processor), the Data Processing Addendum governs.
08 · Cookies
In plain English: one cookie keeps you logged in. That's it. No tracking. No third parties. No banner spam.
We use one (1) essential first-party cookie to maintain your authenticated session. We do not use:
- Third-party advertising or social cookies.
- Analytics cookies that profile your behaviour across sites.
- Persistent identifiers other than your authenticated session token.
Because we set only strictly-necessary cookies, no consent banner is required under GDPR or ePrivacy. If you clear your session cookie you will be logged out.
09 · Children's data
In plain English: this product is for adults running B2B outbound. Not for anyone under 18.
The Service is not directed to or intended for use by children under the age of eighteen (18). We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact privacy@paitho.ai and we will delete it.
10 · International transfers
In plain English: when EU data has to cross a border, we use the EU's Standard Contractual Clauses to keep your protections in place.
If your account residency region is the European Union and we transfer personal data to recipients in countries that have not received an adequacy decision from the European Commission, we rely on the European Commission's Standard Contractual Clauses (2021/914) and, where applicable, the UK International Data Transfer Addendum. We perform transfer impact assessments and implement supplementary measures (encryption in transit and at rest, access controls, contractual restrictions) as recommended by the EDPB.
You can request copies of the SCCs in force for your transfers at privacy@paitho.ai.
11 · Changes to this policy
In plain English: if we change this, we'll bump the version, update the date, and email you for material changes.
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of the document and bump the version. For material changes that adversely affect your rights, we will give at least thirty (30) days' notice via email or in-app message. You can review prior versions by request.
For data-subject rights requests: privacy@paitho.ai. For security incidents: security@paitho.ai. We respond within two business days.