Privacy Policy

Last updated: January 30, 2026

This Privacy Policy describes how PANOT (hereinafter, "we", "the application" or "the service") collects, uses and protects your personal information. By using PANOT, you accept the practices described in this policy. If you do not agree, please do not use the service.

1. Information we collect

We collect information solely to provide "Relational Intelligence" functionality and improve the service.

A. Information you provide

  • Account information: When you register, we collect your email address and authentication credentials (managed securely through Supabase).
  • Voice notes: Audio captured through the microphone, which is transcribed locally on your device without being sent to external servers.
  • Text and notes: Descriptions of contacts, interactions and personal details you write manually.
  • Contacts: Information from your address book (names and summaries) that you import or create is stored on our servers (Supabase). This data is kept encrypted. We do not process it for other purposes or share it with third parties; it is used solely to provide you with the service.

B. Automatically collected information

  • Usage and device data: We collect technical information about how you interact with the app (features used, errors, session time) and device data (model, iOS version, language) through PostHog to detect bugs and improve usability.
  • Server logs: Supabase generates technical API access logs for security purposes.
  • Push notifications: If you enable notifications, we store your device token to send you reminders and service updates.

2. How we use your information

  • Provide the service: Allow you to create an account, save your contacts and sync them across devices.
  • AI services: Audio transcription is performed locally on your device. The transcribed text is sent to OpenAI (GPT) to extract entities, summarize interactions and update your relationship graph.
  • Billing: Process payments and subscriptions through Stripe. We do not store your card number; Stripe handles that directly.
  • Communication: Send you transactional emails (account confirmation, policy changes) and push notifications if you have enabled them.

Important: We do not use your data to train public AI models.

3. Legal basis for processing

We process your personal data based on:

  • Contract performance: Processing is necessary to provide you with the service you have requested.
  • Consent: For audio processing and sending push notifications, which you can revoke at any time.
  • Legitimate interest: For product analytics, security and service improvement.

4. Data sharing

We do not sell your personal information. We only share data with providers necessary for the app to function:

  • Supabase: Database and authentication infrastructure. We store your email and contact data (encrypted) on it. Contact data is not processed or shared with third parties.
  • OpenAI: AI processing (interaction text for semantic analysis).
  • Stripe: Payment gateway (email, payment data).
  • PostHog: Product analytics (anonymous usage events, device type).

We may disclose information if required by law (for example, a court order).

5. Security

We implement the following security measures:

  • Encryption: Data is transmitted via TLS and stored encrypted at rest (AES-256) in Supabase.
  • Local-First architecture: A complete copy of your data resides locally on your device, giving you sovereignty over your information and enabling offline use.
  • Access control: We use row-level security policies (RLS) in the database, ensuring that only your authenticated user can access your data.

6. Data retention

  • Account data: Retained while your account remains active.
  • Audio: Processed and transcribed locally on your device. Audio files are never sent to external servers.
  • Technical logs: Retained for 90 days for security and diagnostic purposes.
  • Analytics data: Retained anonymously for 2 years.
  • Account deletion: If you delete your account from the app settings, your data will be permanently deleted from our servers within 30 days.

7. Your rights (GDPR)

If you are in the European Economic Area (EEA), you have the following rights:

  • Access: Request a copy of the data we hold about you.
  • Rectification: Correct inaccurate data.
  • Erasure: Request deletion of your data ("right to be forgotten").
  • Portability: Receive your data in a structured format (JSON/CSV).
  • Restriction: Request that we limit the use of your data.
  • Objection: Object to processing based on legitimate interest.

You can exercise these rights by sending an email to: [email protected]
You also have the right to lodge a complaint with the competent supervisory authority (in Spain, the Spanish Data Protection Agency - www.aepd.es).

8. International transfers

Our providers (OpenAI, Stripe, Supabase) may process data in the United States. By using the application, you accept this transfer. We use providers that adhere to the EU-US Data Privacy Framework (DPF) or use Standard Contractual Clauses (SCC) approved by the European Commission.

9. Minors

PANOT is not intended for children under 13 years of age. We do not knowingly collect personal information from minors under that age. If we detect that we have collected data from a minor without the required parental consent, we will delete it immediately.

10. Changes to this policy

We may update this policy occasionally. We will notify you of any significant changes through the application or by email before they take effect.

11. Consent

By using our website and mobile applications, you hereby consent to our Privacy Policy and agree to its Terms of Service.

PANOT