Privacy Policy

1. Introduction

Pranan ('we', 'us', 'our') operates the pranan.ai platform. This policy describes how we collect, use, and protect your information when you use our service.

---

2. Information We Collect

We collect the following types of information to provide and improve our service:

• Account information: name, email address, and payment details
• Content you provide: voice recordings, writing samples, documents, and links you upload
• Communication data: emails, messages, and calendar events you connect through integrations
• Usage data: how you interact with the platform, features used, and engagement patterns

---

3. How We Use Your Information

We use your information for the following purposes:

• To create and maintain your personal AI identity
• To process communications on your behalf across connected channels
• To improve and personalize your experience
• To send you service updates, security alerts, and communications

Important: We do NOT use your personal data to train general AI models. Your data is used exclusively for your personal AI identity and is never used to improve our general models.

---

4. Data Storage and Security

We take your privacy and security seriously:

• All data is encrypted at rest using AES-256 encryption
• Data in transit is protected using TLS 1.3
• Infrastructure is hosted on SOC 2 compliant providers
• We conduct regular security audits and penetration testing
• Access to your data is restricted to authorized personnel only

---

5. Your Rights

You have the following rights regarding your data:

• Access: Request a copy of your data at any time
• Correction: Update or correct your information
• Deletion: Delete your account and all associated data
• Portability: Export your data in standard formats
• Opt-out: Disable any channel connection at any time

---

6. Third-Party Services

We integrate with Gmail, Google Calendar, and Slack to provide our service. We only access data you explicitly authorize through OAuth or similar authentication methods. You can revoke access to any third-party service at any time through your account settings.

---

7. Data Retention

We retain your data as long as your account is active. Upon account deletion, all data is permanently removed within 30 days, except where retention is required by law.

---

8. Changes to This Policy

We may update this policy from time to time to reflect changes in our practices or applicable laws. We will notify you of any material changes via email or in-app notification at least 30 days before the changes take effect.

---

9. Google API Services User Data Policy

Pranan's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

What Google data we access

When you connect your Google account, Pranan requests these scopes:

• gmail.readonly — to read your sent mail (so we can learn your writing voice) and your incoming mail (so we know which threads need a draft).
• gmail.modify — to create draft replies as Gmail Drafts inside your account, and to apply Smart Labels (To Respond, FYI, Awaiting Reply, etc.) for inbox triage. We never send mail on your behalf; you review and send every draft yourself.
• gmail.labels — to create the Pranan label set in your Gmail and apply those labels to threads.
• calendar.readonly — to read your upcoming events so meeting context can inform drafts and your daily briefing. We do not write to, modify, or delete calendar events.
• userinfo.email, userinfo.profile, openid — to identify which Google account is connected and display your name in the app.

How we use Google data — Limited Use commitment

Pranan's use of Google user data is strictly limited to providing and improving the user-facing features described above. Specifically:

• We do not use Google user data to serve ads, retarget users, or build advertising profiles.
• We do not sell, rent, or share Google user data with third parties for marketing, advertising, data brokerage, or any other purpose.
• We do not use Google user data to train, fine-tune, or improve generalized or shared AI/ML models. Your voice fingerprint is built solely from your own data, used only to draft replies for your own account, and is never combined with other users' data.
• We do not allow humans to read your Google user data, except (a) with your explicit consent, (b) to comply with a valid legal request, (c) for security investigations into abuse or violations of our terms, or (d) where the data has been aggregated and de-identified for internal operations metrics.

How we store and protect Google data

• All Google OAuth tokens are encrypted at rest with AES-256-GCM before being stored.
• Email and calendar data fetched from Google APIs is stored in encrypted Postgres tables with row-level security enforced per user.
• Data in transit between Pranan and Google is protected with TLS 1.3.
• Access to production data is restricted to a small number of authorized engineers, logged, and reviewed regularly.

How to disconnect and delete

You can disconnect your Google account at any time from Pranan settings. When you disconnect, we delete your stored Google OAuth tokens immediately and purge cached email and calendar data within minutes. You can also revoke Pranan's access from your Google Account at myaccount.google.com/permissions.

---

10. Team Memory

If you use Pranan's Pro, Max, Team Pro, or Team Max plans, our system extracts structured information from emails you receive ("memory entries") to help you respond more effectively. These entries may include:

• Facts about your contacts (their role, company, project context)
• Commitments they've made to you, or you've made to them
• The trajectory of your relationship (deal stage, escalations, milestones)
• Personal context they've shared with you
• Sentiment signals captured from email tone

Lawful basis (GDPR Article 6(1)(f)): We rely on legitimate interests for this processing. The data subject (you, the user) has a legitimate interest in reading your own inbox more efficiently and maintaining accurate context about your professional relationships. Processing is necessary because manual note-taking does not scale. We balance this against the contact's reasonable expectations through visibility gating, confidence thresholds, and post-extraction filtering for special categories.

Visibility: Memory entries are visible only to you (solo plans) or your team (team plans). They are never shared outside your organization, sold to third parties, or used for advertising. Sentiment entries are private to the user who captured them. Personal-context entries are visible only to inner-circle and team relationships.

Your contacts' rights: Anyone whose information appears in our system can request access, correction, or deletion by emailing privacy@pranan.ai. We respond within 30 days as required by GDPR Article 12(3). We honor:

• Access (Article 15): full copy of all entries about the contact
• Rectification (Article 16): corrections to inaccurate entries
• Erasure (Article 17): removal of entries plus suppression to prevent re-extraction
• Restriction (Article 18): equivalent to erasure for our use case
• Portability (Article 20): structured JSON export
• Objection (Article 21): permanent suppression list

Retention: Memory entries have type-specific retention. Commitments expire when their date passes. Sentiment entries decay after 90 days. Facts and personal context persist until you delete them or the contact requests deletion. You can delete any entry at any time from the Team tab on the Memory page.

Special categories: We do not intentionally process special-category data (health, religion, political views, sexual orientation). The extraction prompt explicitly instructs the model to skip such content, and a post-extraction filter screens entries before they are written. Any special-category entry created despite mitigations is deleted upon discovery.

Cross-border transfers: Pranan data is hosted in Tokyo (ap-northeast-1). For EU and UK contacts, we rely on Standard Contractual Clauses and apply equivalent protections to all transfers.

---

11. Contact

Questions about privacy or how we handle your data? Email us at privacy@pranan.ai and we'll respond within 48 hours.

---

12. Thai Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of Thailand, without regard to its conflict of law provisions. You irrevocably submit to the exclusive jurisdiction of the courts located in Bangkok, Thailand for the resolution of any disputes arising from or relating to this Privacy Policy.