App Privacy Policy


Last updated: April 11, 2026  ·  Effective: April 11, 2026

This Privacy Policy describes how Pallacor, Inc. ("Pallacor," "we," "us," or "our") collects, uses, and protects information in connection with the Pallacor loss prevention platform (the "Service"). It applies to Customer organizations and their authorized users who access the Service.

This policy covers the Pallacor application. For information about data collected on our marketing website, see our Website Privacy Policy.


1. Overview

Pallacor provides a cloud-based platform for retail loss prevention teams. In the course of providing the Service, we process two categories of data:

  • Account and platform user data — information about the Customer organization and the individuals (employees, LP associates) who use the platform.
  • Customer Data — loss prevention records, case files, incident reports, BOLO entries, audit results, and other data that Customer users input into the platform. This data is owned and controlled by the Customer. Pallacor processes it as a Processor on the Customer's behalf.

This policy focuses on Account and platform user data. For details on how we handle Customer Data on behalf of Customer organizations, see our Data Processing Agreement.

2. Data We Collect

Account & Registration Data

When a Customer organization subscribes to Pallacor, we collect information necessary to set up and manage the account, including:

  • Organization name, billing address, and contact information;
  • Billing contact name and email address;
  • Payment information (processed by Stripe — Pallacor does not store full card numbers).

Platform User Data

When individuals are added as users to a Customer's Pallacor account, we collect:

  • Name and work email address;
  • Job title and role within the organization;
  • Location assignments within the Customer's org hierarchy;
  • Login credentials (passwords are hashed and never stored in plaintext).

Usage & Activity Data

We automatically collect technical and activity data as users interact with the Service, including:

  • Log data: IP address, browser type and version, device type, operating system;
  • Session data: pages visited, features used, timestamps of actions;
  • Error logs and diagnostic information used to identify and fix issues.

3. How We Use Data

We use the data described above for the following purposes:

  • Providing the Service: Account setup, authentication, feature access, billing, and customer support;
  • Service improvement: Analyzing usage patterns to inform product development and improve the user experience;
  • Security and compliance: Detecting and preventing unauthorized access, fraud, and other harmful activity;
  • Communications: Sending transactional emails (receipts, renewal notices, security alerts) and, with your consent, product updates and announcements;
  • Legal obligations: Complying with applicable laws, regulations, and lawful requests from government authorities.

We do not sell personal data. We do not use personal data for advertising or share it with third parties for their own marketing purposes.

4. Analytics & Cookies

The Pallacor application uses PostHog, a product analytics platform, to help us understand how users interact with the Service. PostHog collects usage events (e.g., feature clicks, page views within the app) associated with a pseudonymous user identifier. We use this data solely to improve the product.

PostHog data is not linked to your name or email address except where you are already logged in to the Service. You can review PostHog's privacy practices at their website.

The Service uses cookies and similar technologies for session management and authentication. These are essential to operating the Service and cannot be disabled without affecting your ability to use the platform.

5. Sharing & Disclosure

We share data only in the following circumstances:

  • Service providers: We work with third-party vendors who help us operate the Service (e.g., cloud hosting, payment processing, email delivery, analytics). These providers process data on our behalf under contractual data protection obligations and may not use the data for their own purposes.
  • Legal requirements: We may disclose data when required by law, subpoena, court order, or other legal process, or when we believe disclosure is necessary to protect the rights, property, or safety of Pallacor, our customers, or the public.
  • Business transfers: If Pallacor is involved in a merger, acquisition, asset sale, or similar transaction, Customer data may be transferred as part of that transaction. We will notify affected Customers by email or in-app notice before any such transfer and the new entity will be bound by this Privacy Policy.
  • With your consent: In any other circumstance, we will only share your data with your explicit consent.

6. Security

We implement industry-standard security measures to protect your data, including encryption in transit and at rest, role-based access controls, multi-factor authentication for internal systems, and regular security reviews.

While we take reasonable steps to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security. If you believe your account has been compromised, contact [email protected] immediately.

For a detailed description of our security practices as they relate to Customer Data processing, see our Data Processing Agreement.

7. Data Retention

We retain account and platform user data for as long as your organization's subscription is active and for a period afterward as necessary to fulfill legal obligations, resolve disputes, and enforce agreements.

When a Customer account is cancelled or terminated, Pallacor retains Customer Data for 90 days. During this period, the Customer may request a data export. After 90 days, all Customer Data — including personal data associated with platform users — is permanently deleted or anonymized.

Aggregate, anonymized usage data that cannot be linked to any individual or organization may be retained indefinitely for product analytics and research purposes.

8. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you certain rights with respect to your personal information:

  • Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected about you, the purposes for which we use it, and the categories of third parties with whom we share it.
  • Right to Delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to Correct: You have the right to request correction of inaccurate personal information we maintain about you.
  • Right to Opt-Out of Sale: Pallacor does not sell personal information. No opt-out is required, but you may contact us to confirm.
  • Right to Limit Use of Sensitive Personal Information: You have the right to limit our use of sensitive personal information to purposes necessary to provide the Service.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise your rights, submit a verifiable request to [email protected]. We will respond within 45 days of receiving a verifiable request. If you are an authorized user of a Customer organization, note that your employer (the Customer) is the Controller of your data and we may need to coordinate with them to fulfill your request.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify the Customer's billing contact by email and post a notice in the Service at least 30 days before changes take effect.

Your continued use of the Service after the effective date of the updated policy constitutes acceptance of the changes. If you do not agree with the updated policy, you must stop using the Service and notify us of your intent to terminate.