Privacy Policy
Effective Date: January 18, 2026 | Last Updated: January 18, 2026
Plain Language Summary: We collect information to provide our services. We don't sell your personal data. We use industry-standard security. You can request access to, correction of, or deletion of your data. Agent transaction data is processed to facilitate commerce and improve our services.
PennyLane, Inc. ("PennyLane," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, services, APIs, and websites (collectively, the "Services").
By using the Services, you consent to the data practices described in this Privacy Policy. If you do not agree with our policies and practices, do not use our Services.
1. Information We Collect
1.1 Information You Provide
We collect information you provide directly, including:
- Account Information: Name, email address, password, phone number, company name, and billing information when you create an account.
- Profile Information: Business details, website URL, product catalog, and other information you add to your profile.
- Communications: Messages, support requests, and feedback you send us.
- Payment Information: Credit card numbers, bank account details, and billing addresses processed through our payment providers.
1.2 Information Collected Automatically
When you use our Services, we automatically collect:
- Device Information: IP address, browser type, operating system, device identifiers, and mobile network information.
- Usage Information: Pages visited, features used, click patterns, search queries, and interaction data.
- API Usage Data: Request logs, endpoints accessed, timestamps, response times, and error logs.
- Cookies and Tracking: Cookies, web beacons, and similar technologies (see Section 6).
1.3 Agent and Transaction Data
When AI agents interact with our Services, we collect:
- Agent Identifiers: Agent name, version, operator information, and API credentials.
- Transaction Records: Products searched, purchases made, order details, and transaction amounts.
- Interaction Logs: Queries submitted, responses received, and approval workflow data.
- Performance Metrics: Request success rates, latency, and error patterns.
1.4 Information from Third Parties
We may receive information about you from:
- Identity verification services;
- Payment processors and financial institutions;
- Business partners and integration providers;
- Publicly available sources.
2. How We Use Your Information
We use the information we collect to:
2.1 Provide and Improve Services
- Operate, maintain, and improve the Services;
- Process transactions and facilitate agent commerce;
- Provide customer support and respond to inquiries;
- Develop new features and functionality;
- Personalize your experience.
2.2 Safety and Security
- Detect, investigate, and prevent fraud and abuse;
- Verify user identities and agent credentials;
- Enforce our Terms of Service and policies;
- Protect the security and integrity of our Services.
2.3 Communications
- Send transactional emails and notifications;
- Provide updates about the Services;
- Send marketing communications (with your consent);
- Respond to your requests and inquiries.
2.4 Analytics and Research
- Analyze usage patterns and trends;
- Conduct research to improve agent commerce;
- Generate aggregated, de-identified insights;
- Measure the effectiveness of our Services.
2.5 Legal Compliance
- Comply with applicable laws and regulations;
- Respond to legal requests and court orders;
- Protect our legal rights and interests.
3. How We Share Your Information
We Do Not Sell Your Personal Data
PennyLane does not sell, rent, or trade your personal information to third parties for their marketing purposes.
We may share your information in the following circumstances:
3.1 With Your Consent
We share information when you direct us to or provide explicit consent.
3.2 Service Providers
We share information with third-party vendors who perform services on our behalf, including:
- Cloud hosting and infrastructure providers;
- Payment processors and financial institutions;
- Analytics and monitoring services;
- Customer support platforms;
- Email and communication services.
These providers are contractually bound to use your information only to provide services to us and protect your information.
3.3 Transaction Parties
When you engage in transactions through the Services, we share necessary information with:
- Merchants to fulfill orders;
- AI agent operators to complete transactions;
- Payment processors to process payments;
- Shipping providers to deliver products.
3.4 Legal Requirements
We may disclose information when we believe in good faith that disclosure is necessary to:
- Comply with applicable laws, regulations, or legal processes;
- Respond to lawful requests from government authorities;
- Protect the rights, property, or safety of PennyLane, our users, or the public;
- Detect, prevent, or address fraud, security, or technical issues.
3.5 Business Transfers
In the event of a merger, acquisition, bankruptcy, or other sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or uses of your information.
3.6 Aggregated and De-identified Data
We may share aggregated or de-identified information that cannot reasonably be used to identify you, and we may do so for any purpose, including research, analytics, and marketing.
4. Data Retention
We retain your information for as long as necessary to:
- Provide the Services and maintain your account;
- Comply with legal obligations;
- Resolve disputes and enforce our agreements;
- Support business operations and improve our Services.
Specific retention periods include:
- Account Data: Retained while your account is active and for up to 5 years after deletion.
- Transaction Records: Retained for at least 7 years for tax and legal compliance.
- API Logs: Retained for 90 days, with aggregated metrics retained longer.
- Marketing Preferences: Retained until you update your preferences.
5. Data Security
We implement industry-standard security measures to protect your information, including:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256);
- Multi-factor authentication for account access;
- Regular security audits and penetration testing;
- Access controls limiting employee access to personal data;
- Incident response procedures for data breaches;
- SOC 2 Type II compliance (in progress).
While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
6. Cookies and Tracking Technologies
6.1 Types of Cookies We Use
- Essential Cookies: Required for basic site functionality, authentication, and security.
- Functional Cookies: Remember your preferences and settings.
- Analytics Cookies: Help us understand how you use our Services.
- Marketing Cookies: Used to deliver relevant advertisements (with consent).
6.2 Your Cookie Choices
You can control cookies through your browser settings. Most browsers allow you to:
- Block all cookies;
- Block third-party cookies;
- Clear cookies when you close your browser;
- Receive alerts before cookies are stored.
Note that blocking certain cookies may affect the functionality of our Services.
7. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal information:
7.1 Access and Portability
You have the right to request a copy of the personal information we hold about you and to receive it in a portable, machine-readable format.
7.2 Correction
You have the right to request correction of inaccurate or incomplete personal information.
7.3 Deletion
You have the right to request deletion of your personal information, subject to certain exceptions (such as legal compliance requirements or ongoing transactions).
7.4 Restriction of Processing
You have the right to request that we limit how we use your personal information in certain circumstances.
7.5 Objection
You have the right to object to processing of your personal information for direct marketing or when we rely on legitimate interests.
7.6 Withdraw Consent
Where we rely on your consent to process personal information, you have the right to withdraw that consent at any time.
7.7 How to Exercise Your Rights
To exercise any of these rights, please contact us at privacy@pennylane.dev. We will respond to your request within 30 days. We may need to verify your identity before processing certain requests.
8. International Data Transfers
PennyLane is based in the United States. If you access the Services from outside the United States, your information may be transferred to, and stored and processed in, the United States or other countries where our service providers operate.
For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on:
- Standard Contractual Clauses approved by the European Commission;
- Your explicit consent where appropriate;
- Other lawful transfer mechanisms as required.
9. Regional Privacy Rights
9.1 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including:
- The right to know what personal information we collect and how we use it;
- The right to delete your personal information;
- The right to opt out of the sale or sharing of personal information (we do not sell personal information);
- The right to non-discrimination for exercising your privacy rights;
- The right to limit use of sensitive personal information.
9.2 European Union Residents (GDPR)
If you are in the European Economic Area, you have rights under the General Data Protection Regulation (GDPR), including those described in Section 7 above. Our legal bases for processing include contract performance, legitimate interests, legal compliance, and consent.
9.3 Other Jurisdictions
We comply with applicable privacy laws in all jurisdictions where we operate. If you have questions about your specific rights, please contact us.
10. Children's Privacy
The Services are not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. If we discover that we have collected personal information from a child under 18, we will delete that information promptly.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last Updated" date. For significant changes, we will provide additional notice via email or through the Services.
Your continued use of the Services after the effective date of the revised Privacy Policy constitutes your acceptance of the updated terms.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
PennyLane, Inc.
Privacy Team
Email: privacy@pennylane.dev
Data Protection Officer
Email: dpo@pennylane.dev
For complaints related to our handling of your personal information, you may also have the right to lodge a complaint with your local data protection authority.