Privacy Policy

Effective Date: May 22, 2026  ·  Version 1.0

This Privacy Policy describes how Pandal Inc. (“Pandal,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information in connection with our services, including our website at pandal.ai (the “Site”), our hosted application (the “Service”), and any related products or features (collectively, the “Services”).

We have written this policy to be readable rather than exhaustive. Where regulatory specificity is necessary, we have included it. Where it isn’t, we have not.

1. Who we are and what this policy covers

Pandal Inc. is a Delaware corporation. We provide an AI platform for restaurant and retail operators. Our customers are businesses (“Merchants”) who use our Services to surface revenue and margin opportunities from their data.

This policy applies to personal information we process in three distinct roles:

  • As a controller, when we collect information directly from prospects, Merchant personnel using our Services, and visitors to our Site.
  • As a processor,when we handle data belonging to our Merchants’ own customers (for example, transaction data containing customer email addresses) on the Merchant’s behalf. Our handling of that data is governed by our Data Processing Addendum, not this policy. The Merchant is the controller of that data and is responsible for the lawful basis on which it is collected from the underlying data subjects.
  • As a controller for our own business operations, when we process information about our subprocessors, partners, vendors, and contractors.

If you are an end customer of a Merchant that uses Pandal and you have questions about how your information is used, please contact the Merchant directly. Your relationship is with them.

2. Information we collect

Information you provide directly

When you sign up for our Services, request a demo, join our waitlist, or contact us, we collect:

  • Name and email address
  • Company name and role
  • Number of locations operated
  • Information you include in messages, support requests, or sales conversations

When you become a Merchant, we additionally collect:

  • Billing contact name, address, and payment method (payment card details are handled by Stripe; we do not store card numbers)
  • Authentication credentials for connecting your data sources (POS systems, delivery platforms, marketing tools, reservation systems)
  • Configuration choices and preferences

Information collected automatically

When you use our Site or Services, we automatically collect:

  • IP address and approximate location derived from it
  • Browser type, operating system, and device characteristics
  • Pages visited, features used, and timestamps of activity
  • Referrer URL and exit URL
  • Error reports and performance telemetry

Information from third parties

When a Merchant authorizes Pandal to connect to a third-party system, we receive data from that system as permitted by the Merchant’s authorization and the third-party provider’s terms. The categories of data depend on the integration and may include transaction records, customer identifiers, menu and pricing configuration, marketing campaign performance, and reservation data.

3. How we use information

We use the information we collect to:

  • Provide, operate, and improve the Services
  • Authenticate users and secure accounts
  • Process transactions and send transaction-related notices
  • Respond to inquiries and provide customer support
  • Send service-related communications (security notices, billing notices, product updates relevant to your use of the Services)
  • Detect, investigate, and prevent fraud, abuse, and security incidents
  • Comply with legal obligations and enforce our agreements
  • Send marketing communications about Pandal, where permitted by law and subject to your right to opt out

What we don't do with your information

Pandal does not:

  • Sell personal information to third parties
  • Use personal information for behavioral advertising
  • Use Merchant data or end-customer data to train generalized AI models that benefit other Merchants
  • Contact your end customers directly on our own behalf, market to them, or enrich their data with third-party sources, except as the Merchant explicitly authorizes
  • Share Merchant data with competitors of the Merchant

Aggregated and anonymized data

We may create aggregated and anonymized datasets derived from data processed through the Services. Aggregated and anonymized data is data that has been processed in a manner that means no individual Merchant, Merchant personnel, or end customer can be identified, directly or indirectly, by Pandal or any third party, and the data cannot be reversed to re-identify any individual.

We may use aggregated and anonymized data to operate, improve, and develop our Services, including to train and improve Pandal-internal models that serve all of our Merchants equally. We retain ownership of such aggregated and anonymized data. This use is consistent with our commitment that we do not train models on identifiable Merchant data.

4. How we share information

We share personal information only as described below:

  • With subprocessors who provide services to us. We engage trusted vendors to host our infrastructure, send transactional emails, monitor errors, process payments, and support our operations. Each subprocessor is contractually bound to confidentiality and to process data only on our instructions. Our current subprocessor list is published at pandal.ai/legal/subprocessors and is updated whenever a subprocessor is added, removed, or replaced.
  • With Merchants.If you are an authorized user under a Merchant account, that Merchant has access to information about your use of the Services. If you are a prospect or a contact at a Merchant, the Merchant’s authorized users may see information about your interactions with the Services.
  • With your direction or consent. When you authorize us to share information with a third party — for example, when you connect a third-party integration — we share the information you authorize.
  • To comply with law. We disclose information when required by valid legal process or to protect our rights, our customers, or the public. We will notify the affected party of any compelled disclosure unless legally prohibited from doing so.
  • In a business transaction. If Pandal is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to confidentiality and to this Privacy Policy continuing to govern the information.

We do not share personal information with advertisers, data brokers, or other third parties for their independent commercial purposes.

5. How long we keep information

  • Account and Service data: retained for the duration of your relationship with Pandal, plus a reasonable period for legal and operational purposes after account closure.
  • Transactional data processed on behalf of a Merchant:governed by our Data Processing Addendum and by the Merchant’s retention instructions. Default behavior is described in the DPA.
  • Marketing communications data: retained until you unsubscribe, after which we retain the minimum necessary to honor your opt-out (typically a hashed record of your email address).
  • Aggregated and anonymized data: retained indefinitely, as it no longer identifies any individual.
  • Backup data: our database provider retains point-in-time backups for up to 14 days; deleted data may persist in backups for that period before being permanently removed.

When information is no longer needed, we delete or anonymize it.

6. How we protect information

We implement and maintain technical and organizational security measures designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These measures include encryption of data in transit and at rest, access controls and least-privilege policies, multi-factor authentication for system access, and monitoring for security events.

No security system is perfect. We cannot guarantee that information will never be accessed or disclosed in a way that is inconsistent with this policy. If you have reason to believe your interaction with us is no longer secure, please contact us immediately at info@pandal.ai.

Additional technical and organizational security details are described in Annex 2 of our Data Processing Addendum.

7. Your rights and choices

Depending on where you are located, you may have rights regarding your personal information, including:

  • Access. You may request a copy of the personal information we hold about you.
  • Correction. You may ask us to correct inaccurate or incomplete information.
  • Deletion. You may ask us to delete your personal information, subject to legal and contractual retention requirements.
  • Restriction. You may ask us to restrict processing of your personal information in certain circumstances.
  • Data portability. Where applicable, you may request a copy of your personal information in a structured, machine-readable format.
  • Objection. You may object to processing based on legitimate interests.
  • Opt out of marketing. You may unsubscribe from marketing communications at any time by following the unsubscribe instructions in any email we send or by contacting us.

If you are a California resident, you may also have rights under the California Consumer Privacy Act (CCPA/CPRA), including the right to know, the right to delete, the right to opt out of sale or sharing, and the right to non-discrimination for exercising these rights. We do not sell personal information.

To exercise any of these rights, contact us at info@pandal.ai. We will respond within the timeframe required by applicable law. We may need to verify your identity before processing your request.

If you are an end customer of a Merchant and wish to exercise rights regarding data processed on the Merchant’s behalf, please contact the Merchant directly. We will cooperate with the Merchant to assist in fulfilling your request.

8. Cookies and tracking technologies

We use cookies and similar technologies as described in our Cookie Notice.

9. International data transfers

Pandal is based in the United States. If you are located in the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with data transfer restrictions, your personal information may be transferred to and processed in the United States, which may not provide the same level of data protection as your home jurisdiction.

Where such transfers occur, we rely on Standard Contractual Clauses approved by the European Commission (or equivalent mechanisms) as the legal basis for the transfer. For business-to-business transfers involving Merchant data, the relevant transfer mechanism is described in our Data Processing Addendum.

10. Children

The Services are intended for business users and are not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such information, please contact us and we will delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify Merchants by email or through the Services and update the “Effective Date” above. Prior versions are archived at pandal.ai/legal/archive.

12. Contact

Pandal Inc.

2261 Market Street, STE 73222
San Francisco, CA 94114

Email: info@pandal.ai

We aim to respond to all inquiries within 5 business days.