Privacy Policy

For personal data collected about visitors, prospects, and customers of the Panthena service (the “Service”), the controller is Panthena, Copenhagen, Denmark.

For personal data that our customers submit to the Service or that we collect when end users tap links operated through the Service, Panthena acts as a processor on behalf of the customer. The customer is the controller of that data and is responsible for the lawful basis, notices, and end-user rights relating to it. See section 4 below.

All privacy-related inquiries can be sent to matias.v.drejer@gmail.com. We have not appointed a Data Protection Officer because we are not required to under GDPR Article 37.

This policy covers personal data processed in connection with: (a) our marketing website; (b) customer account creation, authentication, administration, billing, and support; (c) the routing and analytics functionality of the Service itself; and (d) any communications you send us.

This policy does not govern the privacy practices of any third-party website, app, or service you may reach through a link routed by our customers using the Service. Those destinations are operated by our customers or by other third parties and have their own privacy policies. We have no control over, and accept no responsibility for, the content, policies, or practices of any third-party destination.

We collect and process only the personal data necessary to operate the Service. Depending on how you interact with Panthena, we may collect the following:

Account and contact data. Name, business email address, organization name, role, billing address, and authentication metadata. Authentication is provided by Clerk on our behalf.

Billing data. Tax identifier, invoice address, and payment status. Payment instrument details (e.g., card numbers) are collected and stored directly by our payment processor and never touch our servers.

Service configuration data. Deep link definitions, route metadata, branding assets, domain records, and integration credentials you provide (e.g., GitHub App installation tokens, Azure DevOps PATs).

Usage and diagnostic data. Dashboard interactions, feature usage, error logs, timestamps, approximate IP-derived location (country/region), browser, device type, and referrer. This data is used to operate, secure, and improve the Service.

Click and routing data (end users). When an end user taps a link operated through the Service, our edge routes the request and records: timestamp, coarse device classification (iOS, Android, desktop, bot), a truncated/anonymized IP address for country resolution, the tracking tag (the “ol” query parameter), and the outcome of the routing decision. For deferred deep linking, we temporarily generate and store a short-lived probabilistic fingerprint (derived from IP range, device characteristics, and user agent) so that we can reunite an end user with the intended destination after app installation.

Communications. Content of emails and messages you send us, including support requests and feedback.

What we do NOT collect. We do not collect precise GPS location, contacts, camera, microphone, biometric data, government identifiers, health data, or payment card numbers. We do not buy personal data from data brokers and we do not build behavioral profiles for advertising.

We act as a controller for account, contact, billing, usage, diagnostic, and communications data relating to our direct customers, prospects, and website visitors.

We act as a processor for Customer Data our customers submit to the Service, and for end-user click and routing data generated when their links are tapped. For that data, our customer is the controller and is solely responsible for: (a) having a valid lawful basis to collect and transmit the data to us; (b) providing any notices and obtaining any consents required from end users; (c) responding to data-subject requests directed to the controller; and (d) complying with all applicable privacy and electronic-communications laws. Our customer's written instructions are the Terms of Service and our Data Processing Addendum (available on request).

Under the GDPR, we rely on the following legal bases (Article 6(1)) for processing personal data in our capacity as controller:

(a) Performance of a contract. To create and manage your account, provide the Service, process payments, invoice you, and provide support. Legal basis: Art. 6(1)(b).

(b) Legitimate interests. To secure the Service, detect and prevent abuse and fraud, monitor service quality, analyze usage trends to improve Panthena, prevent and respond to security incidents, enforce our Terms, establish and defend legal claims, and communicate about product changes. We balance these interests against your rights and freedoms and have concluded the processing is proportionate. Legal basis: Art. 6(1)(f).

(c) Legal obligation. To comply with tax, accounting, anti-money laundering, export-control, and other legal obligations applicable to us. Legal basis: Art. 6(1)(c).

(d) Consent. Where we ask for it (for example, for optional marketing emails). You may withdraw consent at any time without affecting the lawfulness of processing done before withdrawal. Legal basis: Art. 6(1)(a).

We do not process special categories of personal data (Art. 9 GDPR) and we do not engage in any processing that has a legal or similarly significant effect on you based solely on automated decision-making (Art. 22 GDPR).

We collect personal data (a) directly from you when you sign up, use the Service, or contact us; (b) automatically through the Service (for example, usage and diagnostic logs); (c) from integrations you connect to your account (for example, your source-code repository); and (d) from trusted third parties such as our payment processor, our authentication provider, and public business-information sources used for anti-fraud checks.

We do not sell personal data, and we do not share it with any third party for cross-context behavioral advertising. We share personal data only with the following categories of recipients, and only to the extent necessary:

Subprocessors. We rely on the following subprocessors to operate the Service. Each is bound by a data processing agreement requiring confidentiality, security, and compliance with applicable data protection law:

• Clerk — authentication, user and session management. United States.
• Vercel — application hosting, edge compute for link routing, static asset delivery, blob storage for branding files. United States and European Union.
• Neon — managed Postgres database for account, configuration, and analytics data. European Union.
• Upstash — Redis edge cache for link routing, with a 24-hour TTL. Global edge locations.
• Cloudflare — DNS and DDoS protection for default subdomains. Global edge locations.
• Email delivery provider — transactional emails (account verification, magic links, billing notices, support replies).
• Payment processor — card handling, invoicing, tax calculation, and anti-fraud checks.

We maintain a current list of subprocessors on request. We will give reasonable prior notice before adding a new subprocessor that materially changes how personal data is handled.

Professional advisors. Auditors, accountants, insurers, and lawyers, bound by confidentiality obligations.

Authorities and legal successors. We may disclose personal data (i) to comply with applicable law, a valid court order, subpoena, or other legal process; (ii) to protect the safety, rights, or property of Panthena, our users, or the public; (iii) to investigate fraud, abuse, or security incidents; or (iv) in connection with a merger, acquisition, reorganization, financing, or sale of assets. We will make reasonable efforts to notify affected individuals of material disclosures unless prohibited by law.

Panthena is operated from Denmark. Some of our subprocessors are located outside the European Economic Area (EEA), including in the United States. When we transfer personal data outside the EEA to a country without an adequacy decision from the European Commission, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (2021/914), supplementary technical and organizational measures where required, and, where applicable, the EU-US Data Privacy Framework. A copy of the relevant safeguards is available on request.

We retain personal data only for as long as necessary for the purposes described in section 5. Our default retention periods are:

• Account and contact data — for the lifetime of your account, then deleted or anonymized within 30 days of account closure.
• Service configuration — for the lifetime of your account, then deleted within 30 days.
• Click and routing analytics — up to 24 months at event-level granularity, then aggregated or deleted.
• Deferred deep-link fingerprints — deleted after 7 days or immediately upon successful match, whichever is sooner.
• Billing and tax records — retained for the period required by applicable accounting and tax law (typically up to 5 years in Denmark, longer where specifically required).
• Support and communications — up to 24 months after the last contact.
• Backups and audit logs — up to 90 days after the underlying data is deleted from active systems.

We may retain personal data for longer periods where required by law, to establish, exercise, or defend legal claims, or to enforce our Terms.

We implement technical and organizational measures designed to protect personal data against unauthorized access, loss, alteration, or disclosure. These include: TLS encryption for all data in transit; encryption at rest for database and backup storage; role-based access controls and least-privilege principles; multi-factor authentication for administrative access; logging and monitoring; secure development practices; regular security reviews of critical code paths; and selection of subprocessors with appropriate security certifications.

No security program can guarantee absolute security. You are responsible for keeping your own credentials, devices, and integrations secure, for promptly revoking access for departed Users, and for notifying us immediately of any actual or suspected security incident affecting your account at matias.v.drejer@gmail.com.

If we become aware of a personal data breach that affects personal data we process as a controller and that is likely to result in a risk to the rights and freedoms of affected individuals, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours, and we will notify affected individuals where required by applicable law.

Where we process personal data as a processor, we will notify the affected customer without undue delay so the customer can meet its own notification obligations under applicable law.

Under the GDPR and similar laws, you have the rights listed below. These rights apply to personal data we process as a controller. For personal data we process as a processor (for example, data about end users who tap links operated by our customers), please direct requests to the relevant customer, who is the controller of that data. We will cooperate with the controller as required.

• Access — request confirmation of whether we process your personal data and a copy of that data (Art. 15 GDPR).
• Rectification — request that inaccurate data be corrected or completed (Art. 16 GDPR).
• Erasure — request deletion of your data where one of the grounds in Art. 17 GDPR applies.
• Restriction — request that we restrict processing in certain circumstances (Art. 18 GDPR).
• Portability — receive certain personal data in a structured, commonly used, machine-readable format and transmit it to another controller (Art. 20 GDPR).
• Object — object to processing based on our legitimate interests, including profiling (Art. 21 GDPR).
• Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of earlier processing.
• Lodge a complaint — with your local supervisory authority. In Denmark, the authority is Datatilsynet (datatilsynet.dk).

To exercise any of these rights, email matias.v.drejer@gmail.com. We may need to verify your identity before acting on your request. We will respond within one month (extendable to three months for complex requests) as permitted by law. If we decline to act on a request, we will explain why. There is no fee unless requests are manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or refuse to act, as permitted by law.

Our marketing website and dashboard use a small number of strictly necessary cookies for session authentication, security (including CSRF protection), and preference storage. We do not use third-party advertising cookies, cross-site tracking pixels, or behavioral analytics cookies on the marketing site or on branded fallback pages served to end users.

Most browsers let you control cookies through their settings. Blocking strictly necessary cookies will prevent the Service from functioning.

We do not respond to browser “Do Not Track” signals because no common industry standard has been finalized. We honor the preferences described above regardless of any such signal.

We do not use your personal data for solely automated decision-making that produces legal or similarly significant effects concerning you within the meaning of GDPR Article 22. Routing decisions within the Service (for example, whether to show the branded fallback page) are based on static rules configured by our customers and do not produce legal effects on end users.

The Service is a B2B tool. It is not directed to children, and we do not knowingly collect personal data from children under the age of 16. If you believe a child has provided us with personal data, please email us and we will delete it promptly. Our customers are responsible for ensuring that their own apps and the end users of their links comply with applicable child-protection laws, including COPPA and the EU's age-of-consent rules.

We receive and respond to requests from governmental authorities only when they are validly issued under applicable law. Where permitted, we will notify the affected customer before disclosing personal data. We may challenge requests that we believe are unlawful, overbroad, or improperly issued. We do not voluntarily provide personal data to law enforcement.

We may generate aggregated, statistical, or de-identified information from personal data (for example, total number of links routed per day, aggregate device distribution, regional usage statistics). This information is not personal data and we may use and share it for any lawful purpose, including product research, marketing, and benchmarking, provided we do not re-identify individuals.

The Service routes end users to destinations specified by our customers. Those destinations may be operated by our customers or by unrelated third parties. This Privacy Policy does not apply to those destinations, and we have no control over their privacy practices. You should review the privacy policy of any destination before providing personal data.

This Privacy Policy describes Panthena's own privacy practices. It is not legal advice, and customers should not rely on it as a substitute for their own compliance review. Customers are solely responsible for their own compliance with applicable privacy law, including providing notices, obtaining consents, responding to data subject requests, and implementing appropriate technical and organizational measures for their own processing.

Customers who require a Data Processing Addendum (DPA) under GDPR Article 28 may request one by emailing matias.v.drejer@gmail.com. The DPA will incorporate the European Commission's Standard Contractual Clauses where applicable and forms part of the agreement between us.

We may update this Privacy Policy from time to time to reflect changes to the Service, our practices, or applicable law. When we make material changes, we will update the effective date above and notify you by email or through the dashboard at least 15 days before the changes take effect. Non-material changes (clarifications, typographical fixes, or updates to subprocessor addresses) may be made without notice. You are responsible for reviewing this Privacy Policy periodically.

Questions, corrections, requests to exercise your rights, or complaints about our privacy practices should be sent to:

matias.v.drejer@gmail.com

Panthena, Copenhagen, Denmark. You may also contact the Danish data protection authority (Datatilsynet) at datatilsynet.dk if you believe your rights have been violated.