Privacy Policy

Pathbound ("we", "us", "our") operates the Pathbound platform (app.pathbound.ai), the Pathbound website (pathbound.ai), the Pathbound Tracker service, and related services (collectively, the "Services"). This Privacy Policy explains how we collect, use, disclose, and protect information when you use our Services.

We serve as both a data controller (for data we collect about our own users and website visitors) and a data processor (for data our customers process through our platform). This policy covers our controller activities. Our processing activities on behalf of customers are governed by our Data Processing Agreement (DPA).

1. Information We Collect

1.1 Account Information

When you create a Pathbound account, we collect:

• Email address
• First and last name
• Company name
• Role/job title
• Password (stored as a bcrypt hash, never in plaintext)

1.2 Customer Platform Data (Processor Role)

When our customers use the Pathbound platform, they may upload or generate data including contact records, company records, event data, and enrichment data. We process this data on behalf of our customers per their instructions. Our customers are the data controllers for this data and are responsible for ensuring they have a lawful basis for its collection and processing.

1.3 Pathbound Tracker Data

Our customers may deploy the Pathbound Tracker on their websites. When deployed, the tracker collects information about visitors to our customers' websites, including:

• Page URLs visited and referrer URLs
• Browser type and user agent
• Screen resolution and device information
• IP address (anonymized before storage)
• Cookies: a visitor identifier (365-day duration) and session identifier (1-day duration)
• Device fingerprint (a hashed combination of browser and device signals used for visitor recognition)
• Behavioral events (page views, clicks, form submissions)
• UTM parameters and referral source data

Our customers are the data controllers for tracker data collected on their websites. We process this data as a processor on their behalf. Customers are responsible for implementing appropriate consent mechanisms before deploying the tracker and for disclosing the tracker's data collection in their own privacy policies.

1.4 Website Analytics

We use Google Tag Manager and Google Analytics on our own websites (pathbound.ai, docs.pathbound.ai) to understand how visitors interact with our sites. This may collect:

• Pages visited, time on site, and navigation paths
• Browser type, device type, and operating system
• Approximate geographic location (derived from IP address)
• Referral source and campaign parameters

These analytics tools use cookies, which we load only after obtaining your consent where required by applicable law.

1.5 AI Processing

Pathbound uses third-party AI providers (including Anthropic, OpenAI, Google, and Mistral) to power AI agent features. Customers can use Pathbound's built-in AI or bring their own API key (BYOK). When AI features are used:

• Customer data (including contact properties, event summaries, and engagement data) is sent to the selected AI provider for real-time processing
• Data is used for real-time query processing only — it is not stored by AI providers or used for model training
• Customers control which AI provider is used, which model powers their agents, and what data agents can access

1.6 Enrichment Data

We integrate with third-party data providers (such as Apollo.io) to enrich contact and company records. When enrichment is used, we may send identifiers (such as email addresses or company domains) to these providers and receive additional business information in return, such as job titles, company size, industry, and publicly available professional information.

2. How We Use Information

We use the information we collect to:

• Provide, operate, and maintain the Services
• Authenticate users and secure accounts
• Process data on behalf of our customers (as a processor)
• Power AI agent features using third-party AI providers
• Enrich contact and company records with third-party data
• Analyze usage patterns to improve our Services
• Send transactional communications (account verification, password resets, security alerts)
• Comply with legal obligations

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data based on the following legal grounds:

• Contract performance — processing necessary to provide the Services you have signed up for (account management, platform functionality)
• Legitimate interests — processing necessary for our legitimate business interests (security, fraud prevention, service improvement), where those interests are not overridden by your rights
• Consent — where we rely on your consent (e.g., non-essential cookies on our website), you may withdraw consent at any time
• Legal obligation — processing necessary to comply with applicable laws

4. How We Share Information

We share personal data with the following categories of third parties:

4.1 Sub-processors

We use third-party service providers to help operate our Services. These sub-processors process data on our behalf and are contractually bound to protect your data. Our current sub-processors include:

• AI providers — Anthropic, OpenAI, Google (Gemini), Mistral (AI agent processing)
• Data enrichment — Apollo.io (contact and company enrichment)
• Infrastructure — MongoDB Atlas (database), Redis (caching and job queues)
• Email — Resend (transactional email delivery)
• Analytics — Google Analytics (website analytics)

4.2 Customer Integrations

When our customers connect third-party integrations (such as HubSpot, Intercom, Pipedrive, Slack, or Gmail), data flows between Pathbound and those services are governed by the customer's instructions and the respective integration provider's terms.

4.3 Legal Requirements

We may disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Pathbound, our users, or others.

We do not sell personal data. We do not share personal data for cross-context behavioral advertising.

5. Cookies and Tracking Technologies

5.1 Cookies We Set

5.2 Third-Party Cookies

Google Tag Manager and Google Analytics may set their own cookies on our website. These are loaded only with your consent where required by applicable law.

5.3 Device Fingerprinting

The Pathbound Tracker uses device fingerprinting (a hashed combination of browser, screen, and device signals) to recognize returning visitors. This technique does not use cookies but creates a statistical identifier based on device characteristics. Where required by applicable law, our customers must obtain consent before the tracker collects fingerprint data.

5.4 Opt-Out

The Pathbound Tracker honors a pathbound_dnt=1 cookie. When this cookie is present, the tracker will not collect any data. Customers implementing the tracker can use this mechanism to respect visitor opt-out preferences.

6. Data Retention

• Account data — retained for the duration of your account, plus 30 days after deletion
• Customer platform data — retained per the customer's instructions and our DPA terms. Deleted upon account termination or customer request.
• Tracker event data — retained for 90 days, then automatically deleted
• Device fingerprints — retained for 90 days from last activity, then automatically deleted
• Session data — retained for 7 days, then automatically deleted
• Website analytics — governed by Google Analytics' retention settings (currently 14 months)

7. Your Rights

7.1 Rights Under GDPR (EEA/UK Residents)

If you are in the EEA or UK, you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — request correction of inaccurate personal data
• Erasure — request deletion of your personal data ("right to be forgotten")
• Restriction — request that we restrict processing of your data
• Portability — request your data in a structured, machine-readable format
• Object — object to processing based on legitimate interests
• Withdraw consent — where processing is based on consent

7.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the right to:

• Know — request disclosure of the categories and specific pieces of personal information we have collected
• Delete — request deletion of your personal information
• Correct — request correction of inaccurate personal information
• Opt-out of sale/sharing — we do not sell or share personal information for cross-context behavioral advertising
• Non-discrimination — we will not discriminate against you for exercising your rights

We do not sell personal information as defined by the CCPA. We do not use or disclose sensitive personal information for purposes other than those permitted by the CCPA.

7.3 Exercising Your Rights

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (GDPR) or 45 days (CCPA). If you are an end-user of a Pathbound customer's website (i.e., your data was collected via the Pathbound Tracker), please direct your request to that customer, who is the data controller for your information.

8. International Data Transfers

Pathbound is based in the United States. If you are accessing our Services from the EEA, UK, or other regions with data transfer restrictions, your data will be transferred to and processed in the United States.

We rely on the EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs), and other legally approved transfer mechanisms to ensure adequate protection for international data transfers.

9. Security

We implement industry-standard security measures to protect your data, including:

• Encryption at rest and in transit (AES-256-GCM, TLS)
• Secure password hashing (bcrypt)
• Multi-tenant data isolation
• CSRF protection and rate limiting
• Two-factor authentication support
• Security headers (HSTS, CSP, X-Frame-Options)

No method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to [email protected].

10. Children's Privacy

Our Services are not directed to individuals under 16. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 16, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the effective date. For significant changes affecting how we process your data, we will provide additional notice (such as email notification for account holders).

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

• Email: [email protected]
• Security issues: [email protected]