Privacy Policy

Panterai Inc. ("Panterai," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information when you visit our website (panterai.com), use our platform, or interact with our services (collectively, the "Services"). This policy applies to all users, including visitors, registered users, and independent contractors.

By accessing or using our Services, you consent to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree, please discontinue use of our Services immediately.

1. Information We Collect

We collect information in several ways depending on how you interact with our Services.

1.1 Information You Provide Directly

When you create an account, apply to our platform, or communicate with us, we may collect: your full legal name, email address, phone number, mailing address, date of birth, government-issued identification (where required for tax or compliance purposes), professional background information (education, work history, skills, certifications), tax identification numbers (SSN, EIN, or equivalent for your jurisdiction), payment information (bank account details, PayPal, or other payment method information), profile photographs, portfolio materials and work samples, responses to assessments, quizzes, and evaluations, and any other information you voluntarily provide. We collect government identification and tax numbers under the legal basis of legal obligation (tax reporting requirements under the Internal Revenue Code) and contract performance.

1.2 Information Collected Automatically

When you access our Services, we automatically collect: IP address and geolocation data, browser type and version, operating system, device identifiers, pages visited and time spent on each page, referring and exit URLs, clickstream data and interaction patterns, cookies and similar tracking technologies, and log data including access times and error reports.

1.3 Sensitive Personal Data

We generally do not collect sensitive personal data (such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data) unless it is strictly necessary for compliance with applicable law or you voluntarily provide it. Where we process sensitive personal data, we do so only with your explicit consent or as required by law, and we apply additional safeguards to protect such data.

1.4 Information from Third Parties

We may receive information about you from third-party sources, including: identity verification services, background check providers (with your consent), public databases and professional networks, authentication partners (e.g., Google, GitHub single sign-on), and analytics providers.

2. How We Use Your Information

We use your personal information for the following purposes: to create and manage your account; to evaluate your qualifications and match you with appropriate projects; to facilitate communication between you and project stakeholders; to process payments and comply with tax reporting obligations; to improve, personalize, and optimize our Services; to detect, prevent, and address fraud, security issues, and technical problems; to enforce our Terms and Conditions and Community Conduct Policy; to comply with legal obligations and respond to lawful requests from authorities; to send you service-related communications, updates, and notifications; and to conduct research and analytics to improve our platform (using aggregated or de-identified data where possible).

3. Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and other jurisdictions that require a legal basis for processing personal data, we rely on the following: (a) Contract Performance, where processing is necessary to perform our agreement with you, including account management and payment processing; (b) Legitimate Interests, where processing is necessary for our legitimate business interests, such as fraud prevention, platform security, and service improvement, provided these interests are not overridden by your rights; (c) Consent, where you have given explicit consent for specific processing activities, such as marketing communications or processing of sensitive data; and (d) Legal Obligation, where processing is necessary to comply with applicable laws, regulations, or legal processes, including tax reporting and anti-money laundering requirements.

3A. UK GDPR and UK-Specific Rights

If you are located in the United Kingdom, your personal data is protected under the UK General Data Protection Regulation (UK GDPR) as retained in UK domestic law by the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (DPA 2018). The UK GDPR provides substantially the same protections as the EU GDPR, with the following UK-specific provisions:

Data Controller: For the purposes of the UK GDPR, Panterai Inc. is the data controller responsible for your personal data. Our contact details for UK data protection purposes are: [email protected].

UK Supervisory Authority: You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection. The ICO can be contacted at: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom; telephone: +44 (0)303 123 1113; website: ico.org.uk.

International Transfers from the UK: Where we transfer your personal data outside the United Kingdom, we rely on: (a) the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as approved by the ICO under Section 119A of the Data Protection Act 2018; (b) the UK Extension to the EU-U.S. Data Privacy Framework, where applicable; (c) adequacy regulations made by the UK Secretary of State under Section 17A of the DPA 2018; or (d) other appropriate safeguards recognized under UK data protection law. We conduct transfer risk assessments in accordance with ICO guidance to ensure that your personal data receives an essentially equivalent level of protection after transfer.

UK Age of Digital Consent: Under the DPA 2018, the age of digital consent in the UK is 13. We do not knowingly collect personal data from individuals under 13 in the UK. Our Platform is intended for users aged 18 and over.

UK Cookie Compliance: We comply with the Privacy and Electronic Communications Regulations 2003 (PECR) as amended, which implement the ePrivacy Directive in the UK. We obtain your consent before placing non-essential cookies on your device, and we provide clear information about the cookies we use and their purposes.

3B. Additional International Privacy Laws

Brazil — Lei Geral de Proteção de Dados (LGPD)

If you are located in Brazil, your personal data is also protected under the Lei Geral de Proteção de Dados (LGPD, Lei 13.709/2018). Under the LGPD, you have the right to: confirmation of the existence of processing; access to your data; correction of incomplete, inaccurate, or outdated data; anonymization, blocking, or deletion of unnecessary or excessive data; data portability; deletion of data processed with your consent; information about public and private entities with which your data has been shared; information about the possibility of not providing consent and the consequences thereof; and revocation of consent. To exercise these rights, contact us at [email protected]. We process your data under the legal bases recognized by the LGPD, including consent, contract performance, legitimate interests, and legal obligation. You may lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).

Canada — Personal Information Protection and Electronic Documents Act (PIPEDA)

If you are located in Canada, your personal information is also protected under the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, substantially similar provincial legislation including Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25), Alberta's Personal Information Protection Act (PIPA), and British Columbia's Personal Information Protection Act (PIPA). Under PIPEDA, we collect, use, and disclose your personal information only for purposes that a reasonable person would consider appropriate in the circumstances. You have the right to access your personal information held by us, to challenge its accuracy, and to withdraw consent (subject to legal or contractual restrictions). You may lodge a complaint with the Office of the Privacy Commissioner of Canada.

Australia — Privacy Act 1988

If you are located in Australia, your personal information is also protected under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). We comply with the APPs in relation to the collection, use, disclosure, storage, and security of your personal information. You have the right to access and correct your personal information, and to make a complaint about a breach of the APPs. Complaints may be directed to us at [email protected], and if not resolved to your satisfaction, to the Office of the Australian Information Commissioner (OAIC). We will not transfer your personal data outside Australia unless we take reasonable steps to ensure the overseas recipient handles your information in accordance with the APPs, or you consent to the transfer, or the transfer is required or authorized by Australian law.

Additional U.S. State Privacy Laws

In addition to the CCPA/CPRA (Section 7), Panterai complies with applicable state privacy laws including the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), the Texas Data Privacy and Security Act (TDPSA), the Oregon Consumer Privacy Act, and other state privacy laws as they come into effect. Residents of these states have rights similar to those described in Section 6, including the right to access, correct, delete, and port their personal data, and the right to opt out of targeted advertising and the sale of personal data. To exercise these rights, contact us at [email protected].

4. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances: with clients and project partners, to the extent necessary for project execution (limited to professional profile information and work product); with service providers who perform services on our behalf, including payment processors, cloud hosting providers, analytics services, and communication tools, all bound by contractual obligations to protect your data; with legal and regulatory authorities when required by law, subpoena, court order, or governmental regulation; in connection with a merger, acquisition, or sale of assets, where your information may be transferred as part of the transaction (you will be notified of any such change); and to protect rights and safety, where disclosure is necessary to protect the rights, property, or safety of Panterai, our users, or the public.

A current list of our key sub-processors and service providers is available upon request by emailing [email protected]. We require all sub-processors to enter into data processing agreements that provide at least the same level of protection as this Privacy Policy.

5. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with our Services. Specific retention periods vary by data category:

When personal information is no longer needed, we will securely delete or anonymize it using industry-standard methods.

6. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal information:

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request. If we are unable to fulfill your request due to a legal exception, we will explain the reason.

7. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). You have the right to know what personal information we collect, use, disclose, and sell. You have the right to request deletion of your personal information. You have the right to opt out of the sale or sharing of your personal information. We do not sell personal information. You have the right to limit the use and disclosure of sensitive personal information. You have the right to non-discrimination for exercising your privacy rights. You may designate an authorized agent to make requests on your behalf.

To submit a verifiable consumer request or to exercise your right to opt out, please contact us at [email protected] or write to us at the address provided in Section 16. We will verify your identity by matching information you provide with information we have on file.

8. International Data Transfers

Panterai is based in the United States. If you are accessing our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction. By using our Services, you consent to the transfer of your information to the United States and other countries as described in this Privacy Policy.

For transfers from the EEA, UK, or Switzerland, we rely on: (a) Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914); (b) the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs, as approved by the ICO; (c) the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework, where applicable; and (d) other lawful transfer mechanisms as recognized by applicable data protection authorities. We conduct Transfer Impact Assessments (TIAs) in accordance with the Schrems II judgment (Case C-311/18) and ICO guidance, evaluating the laws and practices of the destination country to ensure that your personal data receives an essentially equivalent level of protection. We also conduct Data Protection Impact Assessments (DPIAs) as required under GDPR Article 35 and UK GDPR Article 35 for processing activities that are likely to result in a high risk to the rights and freedoms of individuals.

9. Data Security

We implement reasonable administrative, technical, and physical safeguards to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS 1.2+) and at rest (AES-256), access controls and multi-factor authentication requirements, regular security assessments, penetration testing, and monitoring, employee training on data protection practices, and incident response procedures. However, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will: (a) notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33 and UK GDPR Article 33; (b) for UK users, notify the Information Commissioner's Office (ICO) within 72 hours in accordance with the DPA 2018; (c) notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34 and UK GDPR Article 34; (d) provide notification to affected California residents as required by the California Civil Code Section 1798.82; (e) for Australian users, comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988, notifying the OAIC and affected individuals of eligible data breaches; (f) for Canadian users, comply with breach notification requirements under PIPEDA and applicable provincial legislation; (g) for Brazilian users, comply with LGPD breach notification requirements, including notification to the ANPD; and (h) comply with all other applicable breach notification laws in every jurisdiction where affected individuals reside. Our notification will include a description of the nature of the breach, the categories and approximate number of individuals affected, the likely consequences of the breach, the measures taken or proposed to address the breach, and contact details for obtaining further information.

11. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect information about your browsing activity and to improve your experience on our Services. Essential cookies are required for the Platform to function and cannot be disabled. Analytics cookies help us understand how users interact with our Services so we can improve them. Functional cookies enable personalized features and preferences.

You can manage your cookie preferences through your browser settings or through our cookie consent banner when you first visit our website. Please note that disabling certain cookies may affect the functionality of our Services. For users in the EEA and UK, we obtain your consent before placing non-essential cookies, in compliance with the ePrivacy Directive (Directive 2002/58/EC).

12. Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals to websites. Because there is no universally accepted standard for how to respond to DNT signals, our Platform does not currently respond to DNT browser signals. However, you can manage your tracking preferences through the cookie controls described in Section 11, and you may exercise your opt-out rights as described in Section 7 (for California residents) and Section 6 (for all users).

13. Use of AI and Algorithmic Processing

Panterai may use artificial intelligence, machine learning, and algorithmic tools to assist with skill assessment scoring, project matching and recommendation, quality assurance of work product, and fraud detection and platform security. These tools process your data to improve the accuracy and efficiency of our Services.

Where automated decision-making significantly affects you, you have the right to: (a) receive meaningful information about the logic involved in the automated decision; (b) express your point of view and contest the decision; (c) request human review of the automated decision; and (d) request that the decision be made by a human instead. To exercise these rights, contact us at [email protected]. We will respond within 30 days.

14. Marketing Communications

We may send you marketing communications about our Services, new features, and opportunities. You may opt out of marketing communications at any time by: (a) clicking the "unsubscribe" link in any marketing email; (b) contacting us at [email protected]; or (c) updating your communication preferences in your account settings. Please note that even if you opt out of marketing communications, we may still send you service-related communications (such as account notifications, security alerts, and payment confirmations) that are necessary for the operation of your account. We comply with the CAN-SPAM Act (15 U.S.C. 7701 et seq.) and Canada's Anti-Spam Legislation (CASL) for all commercial electronic messages.

15. Third-Party Links and Services

Our Services may contain links to third-party websites, applications, or services that are not operated or controlled by Panterai. This Privacy Policy does not apply to third-party services. We are not responsible for the privacy practices of any third party. We encourage you to review the privacy policies of any third-party services before providing your personal information. The inclusion of a link to a third-party service does not imply endorsement by Panterai.

16. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe that a child under 18 has provided us with personal information, please contact us at [email protected].

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated Privacy Policy on this page with a revised "Last Updated" date. For material changes, we will provide additional notice, such as an email notification or a prominent notice on our Platform, at least fifteen (15) days before the changes take effect. Your continued use of our Services after any changes constitutes your acceptance of the updated Privacy Policy.

18. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Supervisory Authorities: If you believe that our processing of your personal data violates applicable data protection law, you have the right to lodge a complaint with your local supervisory authority. Key contacts include: UK — Information Commissioner's Office (ICO), ico.org.uk; EU — your local Data Protection Authority (a list is available at the European Data Protection Board website, edpb.europa.eu); Brazil — Autoridade Nacional de Proteção de Dados (ANPD), gov.br/anpd; Canada — Office of the Privacy Commissioner of Canada, priv.gc.ca; Australia — Office of the Australian Information Commissioner (OAIC), oaic.gov.au. For California residents, you may also contact the California Attorney General's Office at oag.ca.gov.