Pallio AI ("we," "our," "us," or "Pallio") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service, including our website (https://pallioai.com), mobile applications, and related services (collectively, the "Service").
2. Information We Collect
2.1 Google Account Information
When you sign in with Google, we collect and store the following information from your Google account:
Email address — Used for authentication and account identification
Full name (display name) — Used for personalization and identification
Profile picture — Used for profile display and visual identification
Unique Google ID — Used internally for authentication
Scope Requested: We request basic Google profile data (email, name, photo) via Firebase Authentication. We do NOT request access to your Google Drive, Calendar, Gmail, or other Google services.
2.2 Profile Information
You may provide additional personal information when you create or update your Pallio profile:
First name, last name, username
Headline, bio, profile picture
Social media links (optional)
Industry, use cases, interests
2.3 Chat & Conversation Data
When you use Pallio to chat with AI personas, we collect:
Messages you send — The text content of your questions and inputs
AI responses — Generated responses from the AI service
Conversation metadata — Including which AI model was used, tokens consumed, timestamp, and engagement (helpful/unhelpful ratings)
Attachments — Files you upload (documents, images) and extracted text content
Search queries — Search terms used within the Service
Document chunks — Portions of documents referenced to generate responses
2.4 Usage & Analytics Data
We collect information about how you use the Service:
Timestamps — When you send messages, create personas, upload documents
Feature usage — Which features you access (chat, quiz, image generation, etc.)
Tokens consumed — For quota tracking and billing
API calls made — For usage monitoring
Error logs — Technical information when errors occur
2.5 Technical Data
IP address — For rate limiting and abuse detection (automatically purged after 48 hours)
Device information — Browser type, operating system, device type (from HTTP headers)
Timestamps — Server-side request logs (retained for 12 months)
2.6 Payment Information
When you subscribe to Pallio, we collect:
Stripe tokens — Encrypted payment method information (handled by Stripe, not stored directly)
Subscription status — Active, canceled, past due, or trial status
Billing records — For invoicing and subscription management
Note: Payment data is processed and stored by Stripe, our PCI-compliant payment processor. We do not directly store credit card information.
3. How We Use Your Information
3.1 To Provide the Service
We use your information to:
Authenticate your account and maintain your session
Store and retrieve your chat histories
Deliver AI-generated responses to your queries
Track your usage for quota and billing purposes
Store and manage your created AI personas
Save documents you upload for knowledge base creation
Generate embeddings for semantic search (via Pinecone)
3.2 To Improve the Service
We use your information to:
Analyze usage patterns to identify features users need
Debug errors and improve system reliability
Monitor system performance and capacity
Improve response quality and model accuracy
Understand which use cases are most valuable to users
3.3 To Communicate With You
We use your email address to:
Send service notifications (new features, status updates)
Notify you of subscription changes (billing, renewal dates)
Respond to support inquiries
Send account security alerts
3.4 To Detect Abuse & Ensure Security
We use technical data to:
Rate-limit requests to prevent abuse (20 messages per hour per user)
Detect and block spam or malicious behavior
Log security events for compliance auditing
Implement prompt injection detection
Monitor for unauthorized access
What We Do NOT Use Your Information For
We explicitly do NOT:
❌ Sell your personal data to third parties or data brokers
❌ Use your conversations to train or fine-tune AI models
❌ Use your data for targeted advertising or personalized ads
❌ Retarget you with ads across other websites
❌ Determine your creditworthiness or eligibility for loans
❌ Share your Google account credentials with any third party
❌ Create marketing databases or contact lists from your data
4. How We Share Your Information
4.1 Sharing With AI Providers (ESSENTIAL FOR SERVICE)
To generate responses, we send your conversations to third-party AI providers. This is necessary to provide the core functionality of Pallio. The data shared includes:
Google (Gemini API) — Your message text, conversation history, and context documents
HuggingFace — Limited API calls for specific inference tasks
Used for: Optional specialized model inference
Data: Specific input data (not full conversation history)
Pinecone — Document embeddings and semantic search queries
Used for: Retrieving relevant documents for context
Data: Document text embeddings (dense and sparse vectors), search queries
4.2 Data NOT Shared With Third Parties
We do NOT share with AI providers:
✓ Your Google account identity (email, name, photo)
✓ Your payment information
✓ Your other chat histories (only the current conversation)
✓ Your IP address or device information
✓ Your profile information (unless explicitly included in your question)
4.3 Legal & Compliance Disclosures
We may disclose your information if required by law:
In response to valid legal processes (subpoena, court order)
To comply with regulations (GDPR, CCPA, etc.)
To enforce our Terms of Service
To protect against fraud, security threats, or legal liability
To protect the rights, property, and safety of Pallio, our users, and the public
4.4 Service Providers
We use service providers to operate the Service:
Firebase/Google Cloud — For hosting, authentication, database services
Stripe — For payment processing
Cloud storage providers — For document and image storage (Google Cloud Storage)
These service providers are contractually obligated to use your information only as necessary to provide services to Pallio.
4.5 Aggregated & De-identified Data
We may use aggregated, de-identified data for analytics, research, and benchmarking. This data cannot identify you individually and is not subject to this privacy policy.
5. Data Retention & Deletion
5.1 How Long We Keep Your Data
Data Type | Retention Period
Chat histories & messages | Indefinite (until you delete)
User account profile | While account is active
Uploaded documents | Until you delete them or your account is deleted
AI personas created | Until you delete them or your account is deleted
Payment records | Per accounting standards (7 years)
Technical/access logs | 12 months
IP addresses (rate limiting) | 48 hours
Email notifications (read) | 30 days
Widget sessions | 24 hours
Messaging bot sessions | 7 days
Backup copies (in case of accidents) | Up to 90 days
5.2 How to Delete Your Data
Delete Specific Chats:
Go to your chat history in the Pallio app
Click the delete button on any conversation
The conversation is immediately deleted from our database
Data Protection Officer: You may contact us regarding data protection concerns
Right to Lodge a Complaint: If you believe your rights are violated, you may file a complaint with your national data protection authority
Data Transfers: Your data may be transferred to the US (where our servers are located). We rely on standard contractual clauses to ensure adequate protection
8.2 California Users (CCPA)
If you are in California:
Right to Know: You can request to know what personal data we collect
Right to Delete: You can request deletion of your data (with limited exceptions)
Right to Opt-Out: You can opt out of data sales (we do not sell data, so this is N/A)
Right to Non-Discrimination: We will not discriminate against you for exercising your rights
Shine the Light Law: You can request information about third-party disclosures
How to Request: Email privacy@pallioai.com with your request. We will verify your identity and respond within 45 days.
8.3 Other Jurisdictions
We comply with applicable privacy laws in all jurisdictions where we operate. If your region has specific privacy protections, we honor those rights.
9. Third-Party Links & Services
The Service may contain links to third-party websites and services (social media, documentation, external tools). This Privacy Policy does not apply to third-party services. We recommend reviewing their privacy policies before providing information.
Third-party services we link to:
Google Workspace & Google Cloud (for OAuth, hosting)
Pallio is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected information from a child under 13:
We will immediately delete the information
We will notify the parent or guardian
If you believe we have collected information from a child under 13, contact us at privacy@pallioai.com.
11. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
Posting the updated policy on our website
Sending an email to your registered address
Prominently displaying a notice in the app
Material changes will be communicated at least 30 days before becoming effective. Your continued use of the Service after changes indicates your acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact:
For data requests (access, deletion, export), please provide:
Your email address associated with Pallio
Description of your request
Proof of identity (for security)
We will respond to your request within 30 days.
Data Protection Officer: If you need to reach our DPO or compliance team, email privacy@pallioai.com with "Data Protection Officer" in the subject line.
13. Appendix: Technical Details
OAuth Flow
You click "Sign in with Google"
Firebase redirects you to Google's authentication page
You authorize Pallio to access your basic profile (email, name, photo)
Google redirects back to Pallio with an authentication token
We store your email, name, and photo in our database
Your Google account credentials are never sent to us—only the token
AI Response Generation Process
You send a message in Pallio
Your message is sent to our secure backend via HTTPS
We may add context from your chat history and uploaded documents
The message is sent to an AI provider (Google, Anthropic, Azure, etc.)
The AI provider generates a response
The response is sent back to you
Both your message and the AI's response are stored in your chat history in Firestore
Document Embedding Process
You upload a PDF or document
We extract text and split it into chunks
We generate embeddings (dense vectors) using text-embedding-3-large (3072 dimensions)
We generate sparse embeddings using SPLADE
Embeddings are stored in Pinecone (vector database)
When you ask a question, we search embeddings to find relevant document chunks
Relevant chunks are included in the context sent to the AI provider
Data Residency
Primary Storage: Google Cloud Platform (US-central region by default)
Backup Storage: Google Cloud multi-region backup (within North America)
Payment Processing: Stripe (US-based servers)
Vector Database: Pinecone (US regions)
If you require EU-specific data residency, please contact privacy@pallioai.com to discuss options.