Privacy Notice
Training data: what we collect, who sees it, how long we keep it
This page explains how Pondral handles the optional consent you can give to let us use your audit data to improve our scoring. If you have not opted in, none of this applies. Your audit data is used only to deliver the audit you paid for.
1. Who is the controller
Pondral LLC (Florida LLC, registration number L26000173535, registered office: 11120 Bennett Dr #107, Bradenton, FL 34211, United States) is the data controller for your workspace data.
Contact: privacy@pondral.com.
If you are based in the European Economic Area or the United Kingdom, our designated representative under GDPR Article 27 / UK GDPR Article 27 is to be appointed. Until that representative is appointed, EU and UK data-subject rights requests should be sent to privacy@pondral.com and we will route them appropriately.
2. What we collect when you opt in
If you tick “Improve our scoring rubric” or “Train a future Pondral scoring model,” we use a pseudonymised copy of your audit data. Pseudonymised means:
- Your brand name is replaced with a generic sector tag like [FINTECH_BRAND].
- Your domain name is removed.
- Your competitor names are removed.
- Query text and scores are retained.
Pseudonymised data is not anonymous data under GDPR. It remains your personal data and you keep all your rights over it.
3. Why we use it (purpose and lawful basis)
| Consent | Purpose | Lawful basis |
|---|---|---|
| “Improve our scoring rubric” | Refine how Pondral grades AI engine responses; generate test queries that check our scoring stays consistent across re-runs. | Your consent (UK GDPR / GDPR Article 6(1)(a)). |
| “Train a future Pondral scoring model” | Use your data as input to train a new Pondral-built scoring model. | Your consent (UK GDPR / GDPR Article 6(1)(a)). |
We do not use your data for any other purpose. Specifically, we do not share it with third parties, do not use it to train any third-party AI model (including ChatGPT, Claude, or Gemini), and do not use it for marketing.
4. Recipients
Internal Pondral engineering and AI team only. We do not sell, share, or transfer your training data to anyone outside Pondral.
5. International transfers
Pondral is based in the United States. Your training data is stored in our Supabase database in the United States (AWS us-east-1). To run audits we send pseudonymised query text to AI providers (Anthropic, OpenAI, Google, Perplexity, xAI). For data subjects in the EU or UK, transfers to the United States rely on Standard Contractual Clauses (and the UK International Data Transfer Agreement or the EU-US Data Privacy Framework where the recipient is certified). Full transfer details are in our privacy policy.
6. How long we keep it
| Data | Retention |
|---|---|
| Raw AI-engine response text (with redactions) | 30 days, then summarised to scored fields only |
| Scored fields (factor buckets, methodology score) | While your consent is active, plus 90 days for re-training stability |
| Aggregate model-training inputs after a model is trained | Indefinite within the trained model itself; individual records cannot be unlearned (UK GDPR / GDPR Article 17(3)) |
| Consent audit log (your IP and browser at consent time) | 24 months, then anonymised |
7. Your rights
You can:
- Withdraw either consent at any time from the workspace settings page at Data and Privacy. Withdrawal takes effect within 24 hours. Data already incorporated into a trained model cannot be unlearned (Article 17(3)) but no future use occurs.
- Access your personal data: email privacy@pondral.com.
- Correct or delete your personal data: same email.
- Restrict or object to processing.
- Port your data to another service.
- Lodge a complaint with the UK Information Commissioner's Office at ico.org.uk, or with your local EU supervisory authority if you are in the EEA.
8. Identifiability safeguard (k-anonymity threshold)
Even after pseudonymisation, query text combined with sector and score may be identifying for niche brands in small markets. To protect against this, we only include a record in our training data if at least 5 distinct workspaces in the same sector have opted in. Below that threshold, the record is held back from the training pipeline.
9. Changes to this notice
If we update this notice in a way that materially changes how we use your training data, we will ask you to re-consent. Smaller wording updates are tracked in a public changelog. The version of this notice you saw when you opted in is recorded in our consent audit log so we can prove what we told you.
Last updated: 2026-05-10. Version: v2-2026-05-10. Author of legal copy: EU/UK Counsel.