Privacy Policy
PAL Privacy Notice
Effective: August 16, 2025
TL;DR We collect in‑app interaction data to operate, secure, and improve PAL and to personalize learning. We do not run ads in PAL. We do not sell or license your data to third‑party advertisers. We do not track you across third‑party sites/apps. The data we collect is used only to deliver and continually improve your learning experience. You control your data through in‑product settings and by contacting us.
1) Who we are
Controller/Provider: PAL Technologies, Inc. ("PAL," "we," "us").
Services covered: PAL web app, mobile apps, and related APIs (the "Services").
Contact (all users): privacy@palt.co
EEA/UK: PAL Technologies, Inc. is the controller. You can contact us at privacy@palt.co; if we appoint an EU/UK representative or DPO, we will update this Notice.
2) Scope
This Notice explains how we handle personal information when you use PAL. It does not cover third‑party sites/services you access outside our apps.
3) What we collect
We collect only what we need to run and improve PAL. Categories and examples:
- Account & identity: name, email, organization/tenant, role, authentication IDs.
- In‑app interaction events: screens/pages viewed, clicks/taps, scroll/hover, time on task, feature use, completion status, search queries, quiz responses, and feedback you provide.
- Device & technical: app version, OS/browser, device type, language, IP‑derived coarse location, crash/diagnostic logs.
- Derived learning signals: progress, proficiency estimates, recommended next steps, and learning‑graph edges.
- Support & communications: issue reports, chat with support, and content of emails.
We do not collect your phone contacts, SMS contents, microphone/camera data (unless you use a feature that clearly requires it), precise GPS, or background location.
If you connect third‑party accounts (e.g., SSO), we receive limited identifiers to authenticate you. If you use enterprise features, we may receive data from your organization necessary to provision your account.
4) How we use your data (purposes)
PAL uses your data solely to provide, secure, and improve the Service and your learning experience. We do not use your data to build advertising profiles or to target advertising. - Operate the Service (create accounts, deliver content, process results, remember settings). - Personalize learning (recommendations, pacing, difficulty adjustment, content ordering). - Analytics (usage patterns, feature adoption, funnel analysis, product decisions). - Security & abuse prevention (fraud detection, incident response, auditing, rate limiting). - Reliability & quality (debugging, crash analytics, performance monitoring, A/B tests). - Compliance (legal obligations, record‑keeping, enforcing terms). - Research & development (improve algorithms and the learning graph; see §8 on model training).
5) Legal bases (EU/UK)
Where GDPR/UK GDPR applies, our legal bases are: Contract (to provide the Service), Legitimate Interests (analytics, security, improvement), Consent (where required for optional cookies/SDKs or marketing), and Legal Obligation (compliance).
6) Cookies, SDKs, and similar tech
We use first‑party cookies/local storage and in‑app SDKs strictly for auth, preferences, analytics, performance, and security. A current list of analytics/telemetry providers and SDKs is maintained at palt.co/legal/vendors. Material provider changes will be reflected there and here.
No advertising on PAL. No sale to advertisers. We do not run third‑party ads in PAL, we do not embed third‑party ad pixels/SDKs for advertising, and we do not sell or license personal information to third‑party advertisers.
We do not use third‑party ad networks for cross‑context behavioral advertising, and we do not advertise on our platform. If that changes, we will provide required disclosures and opt‑out/consent controls.
7) Sharing
We share personal information only with: - Service providers/Processors who help us operate the Service (hosting, analytics, customer support). They must follow our instructions and cannot use data for their own purposes. - Enterprise/School customers (if you access PAL through an organization): we may provide usage and learning progress information to your organization per our contract. - Legal & safety: to comply with law, enforce terms, or protect rights/safety. - Business transfers: as part of a merger, acquisition, or asset sale with appropriate safeguards.
We do not sell personal information, we do not sell or license personal information to third‑party advertisers, and we do not share it for cross‑context behavioral advertising (as those terms are defined by applicable law, including California law).
8) Model training & de‑identification
We may use de‑identified and/or aggregated interaction data to improve our recommendation systems, content quality, and learning graph. We maintain technical and organizational measures to prevent re‑identification and prohibit it contractually. Where required by law, you can opt out of this use; see Your rights below.
9) Your choices & rights
9.1 Self‑serve controls
Use in‑product Privacy & Data settings to manage certain collection, personalization, and communication preferences.
9.2 U.S. state privacy rights (e.g., CA, CO, CT, VA, UT)
Depending on your state, you may have rights to access, correct, delete, port, and opt out of targeted advertising, sale, share, or certain profiling. We do not sell or share your personal information for cross‑context behavioral advertising. To make a request or exercise an opt‑out, use in‑product settings or email privacy@palt.co. We will verify your request and respond within the statutory timeframes. Authorized agents may act on your behalf where permitted.
Global Privacy Control (GPC): Our web app honors GPC signals in supported browsers to apply relevant opt‑out preferences automatically.
California “Notice at Collection”: This Notice serves as our notice at collection. See §§3–4 for categories and purposes and §11 for retention.
9.3 EEA/UK rights
Where GDPR/UK GDPR applies, you have rights to access, rectify, erase, port, object, and restrict processing, and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with your supervisory authority.
10) Automated decision‑making & profiling
PAL uses automated processing to recommend content and adjust difficulty. You can limit certain personalization in settings. Limiting personalization may reduce functionality or learning efficacy.
11) Data retention
We keep data only as long as needed for the purposes above, then delete or de‑identify it. Default periods (unless a longer period is required by law or for security/defense):
| Category | Examples | Default retention |
|---|---|---|
| Account | name, email, org, auth IDs | Life of account + 24 months |
| Interaction events | views, clicks, time on task, searches | 18 months |
| Device/diagnostics | crash logs, performance metrics | 12 months |
| Derived learning signals | proficiency estimates, graph edges | Life of account or until you delete |
| Support & communications | emails, chat transcripts | 24 months |
We publish material changes to these periods in this Notice or in‑app.
12) Security
We use reasonable administrative, technical, and physical measures to protect data, including encryption in transit, network segregation, access controls, and logging. No system is perfectly secure; if we learn of a breach affecting you, we will notify you as required by law.
13) Children & education
PAL is not directed to children under 13, and we do not knowingly collect their personal information without appropriate consent. If your access is provided by a school or district, we act as a school service provider under the contract (and, where applicable, comply with COPPA/FERPA requirements). Parents/guardians seeking to exercise rights should contact the school or us.
14) International transfers
If we transfer personal information internationally, we use appropriate safeguards (e.g., Standard Contractual Clauses, UK addendum, or other approved mechanisms). Details are available upon request.
15) Changes to this Notice
When we make material changes, we will notify you via the app or email and update the "Effective" date.
16) Contact
Questions or requests: privacy@palt.co.
Additional contact options: palt.co/legal/contact.
Appendix A — Data Inventory (for transparency)
Maintain internally and keep in sync with the vendor list at palt.co/legal/vendors.
| Category | Specific fields | Source | Purpose(s) | Lawful basis | Retention | Processor(s) |
|---|---|---|---|---|---|---|
| Interaction events | screen_view, click, quiz_submit | In‑app | Analytics, improvement | Legitimate interests/Consent | 18 months | See vendor list |
| Derived learning | proficiency score, mastery estimate | In‑app | Personalization | Contract/Legitimate interests | Life of account | In‑house |
| Device/diagnostics | OS, app version, crash traces | In‑app | Reliability, security | Legitimate interests | 12 months | See vendor list |
Notes for enterprise deployments - Offer a Data Processing Addendum (DPA), SCCs/UK Addendum, and security schedule upon request. - Provide organization‑level controls for retention, export, and deletion. - Provide audit logs of admin actions.