Privacy Policy

Panery operates the Service described at https://www.panery.org. For privacy-related requests, contact us at contact@panery.org.

Where we process personal data on behalf of an organization (for example, data about that organization's members or vendors), we act as a processor for the organization's business purposes, and the organization remains responsible for its own compliance obligations toward those individuals.

This Policy applies to visitors, registered users, organization members, and billing contacts. It does not cover third-party websites, apps, or services linked from the Service (including OAuth providers, payment pages, or Discord)—those are governed by their own policies.

The Service is intended for business users, not children. We do not knowingly collect personal information from anyone under 18.

We collect information in the following categories:

We use personal information to:

• Provide, authenticate, and secure the Service (including MFA and CAPTCHA).
• Operate organizations, orders, settlements, and marketplace features you enable.
• Process subscriptions and payments through Razorpay.
• Send transactional communications via our email provider (e.g., Resend).
• Respond to support requests and improve documentation.
• Monitor, prevent, and investigate fraud, abuse, and security incidents.
• Comply with law, enforce our Terms, and protect rights and safety.
• Analyze aggregated usage to improve reliability and product design.

If you are in a jurisdiction that requires a legal basis (such as the EU/UK GDPR or India's Digital Personal Data Protection Act, 2023), we rely on one or more of the following as appropriate:

performance of a contract (providing the Service you requested); legitimate interests (security, fraud prevention, product improvement balanced against your rights); consent (where we ask for it explicitly, such as optional marketing if offered); and legal obligation (tax, accounting, or lawful requests).

We do not sell your personal information. We share information only as described below:

• Within your organization: members with appropriate roles can see operational data according to permissions.
• With other organizations: when you use marketplace or cross-organization features, you choose what business information to expose (e.g., catalog or contact details).
• Service providers ("subprocessors") who help us run the Service under contractual safeguards, including: Supabase (authentication and database hosting), Razorpay (payments), Uploadthing (file uploads), Resend (email delivery), hCaptcha (bot protection), Vercel (hosting and analytics), and OAuth providers you select (GitHub, Google).
• Professional advisers, auditors, or acquirers under confidentiality obligations.
• Authorities when required by law or to protect rights, safety, and integrity of the Service.
• With your direction or consent.

We and our subprocessors may process data in India and other countries where they operate. When transferring personal data internationally, we rely on appropriate safeguards permitted by law (such as standard contractual clauses or equivalent mechanisms offered by our providers).

We retain personal information for as long as your account or organization is active and as needed to provide the Service, then for periods required by law or legitimate business needs (billing records, dispute resolution, security logs).

Account deletion scheduled in settings typically executes after a 30-day grace period; organization termination may use a 14-day grace period before deletion of organization-scoped data.

After deletion, we may retain anonymized or aggregated data and minimal logs that no longer identify you, where permitted.

We implement technical and organizational measures appropriate to the nature of the data, including encryption in transit, access controls, row-level security in our database where applicable, and MFA support. No method of transmission or storage is completely secure; you are responsible for protecting your credentials and devices.

If you believe your account has been compromised, contact contact@panery.org promptly.

Depending on your location, you may have rights to access, correct, delete, restrict, or object to certain processing, and to data portability or withdrawal of consent where processing is consent-based.

You can update profile fields in account settings, manage MFA, cancel scheduled account deletion during the grace period, and control organization membership through authorized admin flows.

To exercise privacy rights, email contact@panery.org with sufficient detail to verify your identity. We will respond within timelines required by applicable law (including reasonable periods under India's DPDP Act where it applies).

You may lodge a complaint with a supervisory authority in your jurisdiction if you believe processing violates applicable law.

We use essential cookies and local storage for authentication sessions, security, and preferences (such as theme). Analytics cookies or scripts may be used in aggregate form to understand usage.

You can control non-essential cookies through browser settings; disabling essential cookies may prevent sign-in.

If you sign in with GitHub or Google, those providers receive information according to their policies and share profile identifiers with us as permitted by your authorization.

Payment flows may redirect to Razorpay-hosted experiences. Uploaded files are stored via Uploadthing. Review those providers' privacy policies for details beyond our control.

We may update this Privacy Policy. The "Last updated" date at the top will change, and material updates may be communicated by email or in-product notice. Continued use after the effective date indicates acceptance of the updated Policy.

Privacy questions or requests: contact@panery.org.

For organization-specific data about you held on behalf of an employer or partner organization, you may also contact that organization directly.