Privacy Policy
Last updated: 4 May 2026
This policy explains what data Panda collects, why we collect it, who we share it with, and how you control your data. Panda is operated under Saudi Arabia's Personal Data Protection Law (PDPL).
1. What we collect
We only collect what's needed to run the product:
- Account info — email, mobile number (when you provide it for WhatsApp ads), preferred language.
- Brand inputs — your store URL, scraped brand data (logo, colors, fonts, copy), product details and uploaded images.
- Generated content — the ads we create for you, edits you make, prompts and reference images you submit.
- Billing — payment metadata via Stripe (we never see card numbers), plan, credit history.
- Usage — basic logs (IP, timestamps, errors) for debugging and abuse prevention.
2. Why we collect it
To generate your ads, run your campaigns, charge for the service, debug failures, and prevent abuse. We do not sell your data, run third-party advertising on your data, or train external AI models on your private content.
3. Who we share it with (sub-processors)
Panda is a small product built on top of trusted services. The following process your data on our behalf:
- Stripe — payment processing. Your billing email, address, and card data live with Stripe — we never store card numbers.
- Supabase — user authentication and the application database. Your account and brand data is stored in Supabase Postgres in the AWS ap-south-1 region (Mumbai).
- Kie.ai — AI generation provider (Nano Banana / Gemini). Your prompts and reference images are sent to Kie.ai when you generate or edit an ad. Kie.ai's terms govern their handling.
- Meta (Facebook / Instagram / WhatsApp) — ad campaign creation and delivery, plus optional WhatsApp lead destinations. When you connect a Meta ad account, Meta receives your campaign details, creatives, and targeting.
- Zernio — Meta connection broker. Tokens for your connected Meta accounts are managed by Zernio on our behalf.
- Vercel — application hosting and edge runtime. Vercel sees standard request metadata (IP, user agent).
4. Where we store it
Application database in AWS ap-south-1 (Mumbai). Cookies and session data on your device. Stripe stores billing data per Stripe's regional infrastructure. Generated images are stored in Supabase Storage with signed URLs.
5. Your rights
Under PDPL and similar laws (GDPR for visitors from the EU), you have the right to:
- Access — see what we have about you. Use the Export button on /dashboard/settings.
- Correct — fix inaccurate data. Most fields are editable directly on the dashboard.
- Delete — irrevocably erase your account and all data tied to it. Use the Delete button on /dashboard/settings.
- Object / withdraw consent — disconnect Meta accounts, cancel your subscription, or delete your account at any time.
All rights are exercisable from /dashboard/settings without contacting us — no waiting on a support ticket. If you can't reach the dashboard, message us on WhatsApp.
6. Retention
Account data is kept while your account is active. When you delete your account, data is removed immediately from our database (cascade delete) and Supabase auth. Stripe retains billing records per its own legally required retention rules. Backups age out within 30 days.
7. Security
All traffic is served over HTTPS. Auth tokens are stored in HttpOnly cookies. Supabase Row Level Security (RLS) and our application code enforce per-user data isolation. Service role keys live in environment variables, never in client code. We do not have a SOC 2 certification yet — Panda is early-stage.
8. Children
Panda is not for users under 18. We don't knowingly collect data from children.
9. Contact us
Privacy questions, deletion help, or PDPL data subject requests — reach us on WhatsApp Business at +966 56 083 3541.