Panda — AI App Generator

This policy explains how Panda collects, uses, stores, and shares personal data when you use our website and Service at panda.new.

We never sell your data.
Paid plan projects are private by default. Free plan projects are public.
Your prompts go to third-party AI providers to generate your app. They are not used to train AI models.
Delete your account any time. Projects are gone within 30 days.
We send product updates by email. Unsubscribe any time via the link in any email.

1. Information We Collect

Account data: name, email, hashed password, and profile preferences.
Sign-in data: if you sign up via Google or GitHub, we receive your name, email, and profile picture from that provider.
Billing data: subscription plan, billing name and address, and tokenised payment identifiers (stored by Stripe — we never hold full card numbers).
Usage data: pages visited, features used, credit consumption, error logs, IP address, browser type, and session duration.
AI generation data: prompts you submit and the app outputs generated from them.
Communications: support messages and feedback you send us.
Marketing identifiers: Meta Pixel identifiers (_fbp, _fbc) if you accept marketing cookies.

2. How We Use Your Data

Provide and operate the Service, including account management, app generation, and billing.
Send transactional emails (receipts, password resets, security alerts) and product updates. You can unsubscribe from product updates at any time via the link in any email or from your account settings.
Improve the Service through aggregated usage analysis and bug fixing.
Detect and prevent fraud, abuse, and violations of our Terms of Service.
Comply with our legal obligations.

We do not sell your data and we do not use your content to train AI models.

3. Lawful Bases (UK GDPR)

We process your personal data on the following grounds:

Contract: to deliver the Service you signed up for.
Legitimate interests: to improve the Service, ensure security, and send product communications. A Legitimate Interests Assessment is available on request at privacy@panda.new.
Legal obligation: to meet UK tax and financial record-keeping requirements.
Consent: for non-essential cookies. You can withdraw consent at any time.

4. Who We Share Your Data With

We share data only with service providers who process it on our behalf under binding agreements. We do not sell it.

Provider	Data shared	Purpose
OpenAI, Inc.	Prompts and content you submit	AI app generation
Anthropic, PBC	Prompts and content you submit	AI app generation
Google LLC (Gemini)	Prompts and content you submit	AI app generation
Stripe, Inc.	Billing name, address, tokenised payment method	Payment processing
Twilio SendGrid	Email address and email content	Email delivery
Cloud infrastructure provider	Account and project data	Hosting and storage
Analytics provider	Anonymised usage events	Product analytics
Meta (Facebook)	Pixel identifiers (marketing cookies only)	Ad campaign measurement

International transfers: several providers are US-based. Transfers are protected by UK International Data Transfer Agreements (IDTAs) or the ICO-approved Addendum to EU Standard Contractual Clauses. Copies available at privacy@panda.new.

Legal disclosures: we may share data if required by law or court order. Where permitted, we will notify you first.

Business transfers:if Panda is acquired or merges, data may transfer as part of that transaction. We will give at least 30 days' notice before your data becomes subject to a different privacy policy.

5. Cookies

We use cookies under the Privacy and Electronic Communications Regulations 2003 (PECR). Strictly necessary cookies keep the Service running and cannot be disabled. Analytics and marketing cookies require your consent and can be managed via the cookie banner or your browser settings. Full details at panda.new/cookies.

6. Data Retention

Account and project data: retained while your account is open, then deleted within 30 days of account deletion.
Billing records: 7 years, as required by HMRC and the Companies Act 2006.
Analytics data: up to 24 months, in anonymised form.
Support communications: 2 years.

We may retain anonymised or aggregated data that cannot identify you for longer periods.

7. Security

We use encryption in transit (TLS 1.2+), encryption at rest (AES-256), hashed and salted passwords, and role-based access controls. No transmission over the internet is perfectly secure. If a breach is likely to affect your rights, we will notify the ICO within 72 hours and inform you promptly. Report vulnerabilities to security@panda.new.

8. Your Rights

Under the UK GDPR and Data Protection Act 2018 you have the right to access, correct, erase, restrict, or port your personal data, and to object to processing based on legitimate interests. All rights are free to exercise and we will respond within one calendar month.

To exercise any right, or to delete your account, email privacy@panda.new. You can also delete your account directly from your account settings.

Complaints:you can lodge a complaint with the Information Commissioner's Office at ico.org.uk or on 0303 123 1113. We'd welcome the chance to resolve things directly first.

California residents:you have additional rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of sale or sharing. We do not sell personal information. Contact privacy@panda.new with the subject line "CCPA Request".

9. Children

Panda is not for children under 13. We do not knowingly collect data from anyone under 13. If you believe a child under 13 has signed up, email privacy@panda.new and we will delete the account promptly.

10. Changes to This Policy

We will email you at least 30 days before any material change takes effect and display a notice in the app. The effective date at the top of this page reflects the current version.

11. Contact

Privacy enquiries: privacy@panda.new

Security disclosures: security@panda.new

We aim to acknowledge all enquiries within 5 business days.

Privacy Policy