Privacy Policy

Pathbound ("we", "us", "our") runs the Pathbound platform (app.pathbound.ai), this website (pathbound.ai), the Pathbound Tracker service, the Pathbound MCP server (mcp.pathbound.ai), and related services (collectively, the "Services"). This Privacy Policy explains how we collect, use, disclose, and protect information when you use our Services.

We act in two capacities: as a data controller for data we collect about our own account holders, website visitors, and contacts who reach us directly; and as a data processor for data our customers route through the Services (contact records, company records, event streams, conversations imported from third-party systems). This policy primarily covers our controller activities. A separate Data Processing Agreement will govern processor activities; until that DPA is published, the processor commitments summarized in Section 4.4 apply.

1. Information We Collect

1.1 Account Information

When you create a Pathbound account, we collect:

Email address
First and last name
Company name
Role/job title
Password (stored as a salted hash; we never store passwords in plaintext)
Optional two-factor authentication secret (TOTP) and registered passkey credentials (WebAuthn)

1.2 Customer Platform Data (Processor Role)

When our customers use the Pathbound platform, they connect data sources (CRMs, email accounts, support tools, databases, the Pathbound Tracker on their websites) and Pathbound ingests contact records, company records, event data, and conversation data from those sources into a unified customer profile. We process this data on behalf of our customers per their instructions. Our customers are the data controllers for this data and are responsible for ensuring they have a lawful basis for its collection and processing.

1.3 Pathbound Tracker Data

Our customers may deploy the Pathbound Tracker on their own websites. When deployed, the tracker collects information about visitors to those websites, including:

Page URLs visited and referrer URLs
Browser type and user agent
Screen resolution and device information
IP address
Cookies: a visitor identifier (365-day duration) and session identifier (1-day duration)
A device fingerprint — a hashed combination of browser, screen, and device signals used to recognize returning visitors when cookies are unavailable
Behavioral events (page views, clicks, form submissions, custom events)
UTM parameters and referral source data
External contact identifiers passed by the customer's own cookies, where present, used to link an anonymous visitor to a known contact

IP addresses are stored to support fraud prevention, troubleshooting, and rate limiting. We are evaluating IP truncation/hashing for a future release; until then, full IPs are retained for the durations described in Section 6.

Our customers are the data controllers for tracker data collected on their websites. We process this data as a processor on their behalf. Customers are responsible for obtaining any consent required by law (including under GDPR, the ePrivacy Directive, UK PECR, and CCPA/CPRA) before deploying the tracker, and for disclosing the tracker's data collection — including device fingerprinting — in their own privacy policies.

1.4 Website Analytics

We use Google Tag Manager and Google Analytics on this website (pathbound.ai) to understand how visitors interact with our site. This may collect:

Pages visited, time on site, and navigation paths
Browser type, device type, and operating system
Approximate geographic location (derived from IP address)
Referral source and campaign parameters

These analytics tools use cookies. We do not load Google Tag Manager or Google Analytics until you click "Accept" on our cookie banner; if you click "Reject" (or do not interact with the banner), no analytics scripts run.

1.5 MCP and API Access by Your AI Clients

Pathbound exposes your data through the Pathbound REST API and the Pathbound MCP server (mcp.pathbound.ai). You may authorize clients of your choice — typically AI applications such as Claude.ai, Claude Desktop, ChatGPT, or Cursor, or your own backend code — via OAuth or API key to read and (with appropriate scopes) write data through these surfaces.

Pathbound does not embed or call any AI provider on its own. We do not send Customer Data to Anthropic, OpenAI, Google, Mistral, or any other model provider. When you connect an AI client to Pathbound, the AI client reads data from our API and may then forward that data to an AI provider for inference. That data flow is governed by your relationship with the AI client and the AI provider it uses, under their respective terms — Pathbound is not a party to it.

You can revoke any AI client's access to Pathbound at any time from your account settings.

1.6 Enrichment Data

We integrate with third-party data providers (such as Apollo.io) to enrich contact and company records. When enrichment is used, we may send identifiers (such as email addresses or company domains) to these providers and receive additional business information in return — for example, job titles, company size, industry, and publicly available professional information. For this processing we may act as an independent controller alongside the customer; the enrichment provider's own privacy policy governs their handling of the data they return.

2. How We Use Information

We use the information we collect to:

Provide, operate, and maintain the Services
Authenticate users and secure accounts
Process data on behalf of our customers (as a processor)
Enrich contact and company records with third-party data
Analyze usage patterns to improve our Services
Send transactional communications (account verification, password resets, security alerts)
Comply with legal obligations

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

Contract performance — processing necessary to provide the Services you have signed up for (account management, platform functionality)
Legitimate interests — processing necessary for our legitimate business interests (security, fraud prevention, service improvement), where those interests are not overridden by your rights
Consent — where we rely on your consent (e.g., non-essential cookies on our website), you may withdraw consent at any time
Legal obligation — processing necessary to comply with applicable laws

We share personal data with the following categories of third parties:

4.1 Sub-processors (controller-side)

The following third-party service providers process data on our behalf to deliver the Services. This list is the controller-side disclosure required by GDPR Article 13. A formal processor-side sub-processor list, with notification commitments for material changes, will be published alongside our Data Processing Agreement.

Database & cache — MongoDB Atlas (primary database), Redis (caching and job queues)
Hosting & infrastructure — our application servers run on Coolify-managed virtual machines hosted by an underlying cloud infrastructure provider; the current provider can be disclosed on request to [email protected]
Data enrichment — Apollo.io (contact and company enrichment when enrichment is requested)
Transactional email — Resend (account verification, password reset, and security notifications sent from Pathbound to account holders)
OAuth sign-in providers — Google and GitHub (used only when you choose to sign up or log in with one of these providers; the provider returns your profile information so we can create or look up your account)
Website analytics — Google Tag Manager and Google Analytics (loaded on pathbound.ai only after you click "Accept" on our cookie banner)

4.2 Customer-Initiated Integrations

Customers can connect third-party services through the Pathbound platform via OAuth or API key. The current list of supported integrations is: Apollo, Calendly, Gmail, HubSpot, Intercom, Pipedrive, Resend, and tl;dv. Customers can also configure their own external Postgres databases and external MCP servers as data sources.

When a customer connects an integration, Pathbound stores the OAuth tokens (encrypted at the application layer) and pulls data from that service into the customer's tenant on their instructions. The data flows between Pathbound and the integration provider are governed by the customer's instructions and the respective provider's terms. Those integration providers are sub-processors of the customer (not of Pathbound), and their own privacy policies apply to data they hold.

4.3 Legal Requirements

We may disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Pathbound, our users, or others.

4.4 Processor Commitments (interim, pending DPA)

Until a Data Processing Agreement is published and signed, the following processor commitments apply to all Customer Data we process on behalf of customers:

We process Customer Data only on documented instructions from the customer (configured through the platform or expressed in writing)
Personnel with access to Customer Data are subject to confidentiality obligations
We will notify the customer without undue delay (and in any case within 72 hours of becoming aware) of any personal data breach affecting Customer Data
We will assist the customer with data subject requests received via the platform or referred to us
On termination, we will delete or return Customer Data within the periods described in Section 6
Sub-processor changes will be communicated to active customers in advance once a formal sub-processor list is in place

We do not sell personal data. We do not share personal data for cross-context behavioral advertising.

5. Cookies and Tracking Technologies

5.1 Cookies We Set

Cookie	Purpose	Duration	Type
`access_token`	Authentication (JWT session)	Session	Essential
`__Host-csrf`	CSRF protection	Session	Essential
`pb_consent`	Records your cookie-consent preference	365 days	Essential
`pathbound_visitor_id`	Visitor identification (Tracker, on customer sites)	365 days	Functional
`pathbound_session_id`	Session tracking (Tracker, on customer sites)	1 day	Functional

5.2 Third-Party Cookies

Google Tag Manager and Google Analytics may set their own cookies on this website. We do not load these scripts (and they do not set any cookies) until you click "Accept" on our cookie banner. Clicking "Reject" stores your preference and prevents analytics from loading.

5.3 Device Fingerprinting

The Pathbound Tracker uses device fingerprinting (a hashed combination of browser, screen, and device signals) to recognize returning visitors when cookies are unavailable or have been cleared. This technique does not itself use cookies but creates a statistical identifier based on device characteristics. Where required by applicable law, the Pathbound customer operating the website is responsible for obtaining the visitor's consent before the tracker collects fingerprint data.

5.4 Opt-Out

The Pathbound Tracker honors a pathbound_dnt=1 cookie. When this cookie is present, the tracker will not collect any data. Customers implementing the tracker can use this mechanism to respect visitor opt-out preferences.

6. Data Retention

We target the retention periods listed below. Automated enforcement of these windows is in active development; until it is fully in place, data may be retained slightly longer than the target period for operational reasons. You may request immediate deletion at any time by contacting [email protected].

Category	Target retention
Account data	Duration of your account, plus 30 days after deletion
Customer platform data (processor role)	Per the customer's instructions; deleted within 30 days of account termination or written deletion request, except where retention is required by law
Tracker event data	90 days from event date
Device fingerprints	90 days from last activity
Session data	7 days
Website analytics (Google Analytics)	Per Google Analytics' configured retention setting (currently 14 months)

7. Your Rights

7.1 Rights Under GDPR (EEA / UK / Switzerland)

If you are in the EEA, UK, or Switzerland, you have the right to:

Access — request a copy of the personal data we hold about you
Rectification — request correction of inaccurate personal data
Erasure — request deletion of your personal data ("right to be forgotten")
Restriction — request that we restrict processing of your data
Portability — request your data in a structured, machine-readable format
Object — object to processing based on legitimate interests
Withdraw consent — where processing is based on consent
Lodge a complaint — with the data protection supervisory authority in your country of residence, place of work, or place of the alleged infringement (for the EU, the list is maintained by the European Data Protection Board; for the UK, the Information Commissioner's Office)

7.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the right to:

Know — request disclosure of the categories and specific pieces of personal information we have collected
Delete — request deletion of your personal information
Correct — request correction of inaccurate personal information
Opt-out of sale/sharing — we do not sell or share personal information for cross-context behavioral advertising
Non-discrimination — we will not discriminate against you for exercising your rights

We do not sell personal information as defined by the CCPA. We do not use or disclose sensitive personal information for purposes other than those permitted by the CCPA.

7.3 Exercising Your Rights

To exercise any of these rights, contact us at [email protected]. We currently fulfill these requests manually and will respond within 30 days (GDPR) or 45 days (CCPA). Self-service export and deletion are on our product roadmap. If you are an end-user of a Pathbound customer's website (i.e., your data was collected via the Pathbound Tracker), please direct your request to that customer, who is the data controller for your information; we will assist them in fulfilling your request.

8. International Data Transfers

Our application infrastructure operates in the United States. All data submitted to or collected through the Services — including account data, Customer Data ingested from connected sources, and tracker event data — is stored on US-based infrastructure (currently MongoDB Atlas and Redis, hosted on a US cloud region). If you are accessing our Services from the EEA, UK, Switzerland, or other regions with data transfer restrictions, your data is transferred to and processed in the United States.

We are not currently certified under the EU-US Data Privacy Framework. EEA, UK, or Swiss data subjects may contact [email protected] to request information about the transfer mechanism applied to their data.

9. Security

We implement security measures appropriate to the nature of the data we handle, including:

Encryption in transit (TLS) for all data exchanged with our Services
Encryption at rest provided by our database and cache providers per their default configuration; specific sensitive fields (such as third-party connection credentials) are additionally encrypted at the application layer
Salted password hashing, with optional two-factor authentication (TOTP and WebAuthn/passkeys)
CSRF protection on authenticated endpoints and rate limiting on public endpoints
Security headers (HSTS, Content Security Policy) on customer-facing properties
Tenant-scoped access control: each customer's data is logically isolated by tenant identifier in every query

We have not undergone a SOC 2, ISO 27001, or equivalent third-party audit. SOC 2 Type I readiness is on our roadmap. No method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to [email protected].

10. Children's Privacy

Our Services are not directed to individuals under 16. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 16, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes affecting how we process your data, we will provide additional notice (such as email notification for account holders).

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Privacy: [email protected]
Security: [email protected]