Privacy Policy
Last updated: March 16, 2026
Imprint (information pursuant to § 5 TMG)
Pandata GmbH
Köpenicker Str. 126, 10179 Berlin, Germany
Managing Directors: Marco Szeidenleder, Wolfgang Bernecker, Krisztina Kodó
Tel.: +49 030 555723270
Email: info@pandata.de
Amtsgericht Charlottenburg, HRB 176198
1. Introduction
In the following, we provide information about the processing of personal data when using our website pandaos.ai. Personal data is any data that can be related to a specific natural person, such as their name or IP address.
1.1. Contact details
The controller within the meaning of Art. 4 para. 7 EU General Data Protection Regulation (GDPR) is Pandata GmbH, Köpenicker Str. 126, 10179 Berlin, Germany, email: info@pandata.de. We are legally represented by Wolfgang Bernecker, Marco Szeidenleder and Krisztina Kodó.
Our data protection officer is heyData GmbH, Gormannstr. 14, 10119 Berlin, www.heydata.eu, email: info@heydata.de.
1.2. Scope of data processing, processing purposes and legal bases
We detail the scope of data processing, processing purposes and legal bases below. In principle, the following come into consideration as the legal basis for data processing:
- Art. 6 para. 1 s. 1 lit. a GDPR — serves as our legal basis for processing operations for which we obtain consent.
- Art. 6 para. 1 s. 1 lit. b GDPR — is the legal basis insofar as the processing of personal data is necessary for the performance of a contract or pre-contractual measures.
- Art. 6 para. 1 s. 1 lit. c GDPR — applies if we fulfill a legal obligation by processing personal data.
- Art. 6 para. 1 s. 1 lit. f GDPR — serves as the legal basis when we can rely on legitimate interests to process personal data.
1.3. Data processing outside the EEA
Insofar as we transfer data to service providers or other third parties outside the EEA, the security of the data during the transfer is guaranteed by adequacy decisions of the EU Commission (Art. 45 para. 3 GDPR), where they exist.
If no adequacy decision exists (e.g. for the USA), the legal basis for the data transfer is usually standard contractual clauses. These are a set of rules adopted by the EU Commission and are part of the contract with the respective third party. According to Art. 46 para. 2 lit. b GDPR, they ensure the security of the data transfer.
1.4. Storage duration
Unless expressly stated in this privacy policy, the data stored by us will be deleted as soon as they are no longer required for their intended purpose and no legal obligations to retain data conflict with the deletion. If the data are not deleted because they are required for other legally permissible purposes, their processing is restricted, i.e. the data are blocked and not processed for other purposes.
1.5. Rights of data subjects
Data subjects have the following rights with regard to their personal data:
- Right of access
- Right to correction or deletion
- Right to limit processing
- Right to object to the processing
- Right to data portability
- Right to revoke a given consent at any time
Data subjects also have the right to lodge a complaint with a data protection supervisory authority.
California residents (CCPA/CPRA) additionally have the right to:
- Know what personal information we collect and how it is used.
- Request deletion of your personal information.
- Opt out of the sale or sharing of personal information. We do not sell your personal data.
- Not be discriminated against for exercising your rights.
1.6. Obligation to provide data
You only need to provide the personal data that is necessary for the establishment of a relationship with us (e.g. signing up for the waitlist) or that we are legally obliged to collect. Mandatory data are marked as such.
1.7. No automatic decision-making
We do not use fully automated decision-making in accordance with Article 22 GDPR.
2. Data processing on our website
2.1. Informative use of the website
During informative use of the website, i.e. when you do not separately transmit information to us, we collect the personal data that the browser transmits to our server in order to ensure the stability and security of our website. This is our legitimate interest, so the legal basis is Art. 6 para. 1 s. 1 lit. f GDPR.
These data are:
- IP address
- Date and time of the request
- Content of the request (specific page)
- Access status / HTTP status code
- Amount of data transferred
- Website from which the request comes (referrer)
- Browser type and version
- Operating system
This data is also stored in log files and deleted when no longer necessary, at the latest after 14 days.
2.2. Web hosting and provision of the website
Our website pandaos.ai is hosted by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA (Privacy Policy). The provider processes personal data transmitted via the website, such as content, usage, and meta/communication data. The legal basis is our legitimate interest in providing a website (Art. 6 para. 1 s. 1 lit. f GDPR). Data transfer to the USA is secured by standard contractual clauses.
2.3. Waitlist signup
When you sign up for the PandaOS waitlist, we collect and store:
- Email address — to contact you about early access and product updates.
- UTM parameters (source, medium, campaign, term, content) — to understand which channels bring visitors to our site.
- Referrer URL and landing page URL — to understand how you found us.
- Browser user agent — to understand device and browser usage.
- Timestamp — when the signup occurred.
This data is stored in Supabase (database hosted in the EU by Supabase Inc., 970 Toa Payoh North #07-04, Singapore; Privacy Policy). The legal basis is Art. 6 para. 1 s. 1 lit. b GDPR (performance of pre-contractual measures) and our legitimate interest in managing the waitlist (Art. 6 para. 1 s. 1 lit. f GDPR).
We do not sell your email address or share it with third parties for their own marketing purposes. We retain waitlist data for as long as necessary to manage access to PandaOS, or until you request deletion.
2.4. Cookies, analytics and advertising
Google Tag Manager
We use Google Tag Manager (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) to manage tracking tags on our website. Google Tag Manager itself does not collect personal data or set cookies, but it triggers other tags that may do so. The legal basis is our legitimate interest in efficient tag management (Art. 6 para. 1 s. 1 lit. f GDPR).
Google Analytics 4
We use Google Analytics 4 (Measurement ID: G-4DEED3KHHF) provided by Google Ireland Limited to analyze website traffic and user behavior. Google Analytics uses cookies and collects data such as pages visited, time spent on pages, device and browser information, and approximate location (based on IP address). IP addresses are anonymized.
Google Consent Mode v2
We implement Google Consent Mode v2 to respect your cookie preferences:
- For visitors in the EU/EEA: All analytics and advertising cookies are blocked by default until you give explicit consent via our cookie banner. Only essential cookies are set. The legal basis for analytics after consent is Art. 6 para. 1 s. 1 lit. a GDPR.
- For visitors in the US: Analytics and advertising cookies are enabled by default in accordance with US privacy law (opt-out model). You can manage your preferences through our cookie banner at any time. The legal basis is our legitimate interest (Art. 6 para. 1 s. 1 lit. f GDPR).
Cookie consent banner
We use an open-source cookie consent manager (Silktide Consent Manager) loaded via Google Tag Manager to give you control over your cookie preferences. The banner allows you to accept or reject the following cookie categories:
- Necessary — Required for the site to function. Cannot be disabled.
- Analytics — Help us understand how visitors use the site (Google Analytics 4).
- Advertising — Used to measure advertising campaign effectiveness.
Conversion tracking
When you successfully sign up for the waitlist, we send a conversion event (“generate_lead”) to Google Analytics 4 to measure the effectiveness of our marketing campaigns. This event contains no personal data beyond what Google Analytics already collects. The legal basis is consent (EU) or legitimate interest (US) as described above.
For more information about Google's data processing, see: Google Privacy Policy. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
2.5. Making contact
When contacting us, e.g. by email, the data provided to us (e.g. names and email addresses) will be stored by us in order to answer questions. The legal basis is our legitimate interest (Art. 6 para. 1 s. 1 lit. f GDPR) to answer inquiries directed to us. We delete the data when storage is no longer necessary, or restrict processing if there are legal retention obligations.
3. Third-party services
We use the following third-party services to operate pandaos.ai:
- Vercel (USA) — website hosting. Secured by standard contractual clauses.
- Google Tag Manager / Google Analytics 4 (Ireland/USA) — tag management and website analytics. Secured by standard contractual clauses.
- Supabase (EU region) — database for waitlist signups.
- SMTP email service — for sending waitlist notification emails to our team.
4. Social media
We maintain profiles on social media networks to present PandaOS and our services. The operators of these networks regularly process their users' data for advertising purposes, including creating user profiles from online behavior. If you contact us via our social media profiles, we process the data provided to us to respond to your inquiries. The legal basis is Art. 6 para. 1 s. 1 lit. f GDPR.
LinkedIn: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. Privacy Policy.
7. Data processing in the PandaOS desktop application
7.1. Overview
PandaOS is a native desktop application that runs locally on the user's device. Content, files, code and knowledge base entries created or stored by the user within PandaOS remain on the user's local device and are not collected, transmitted or processed by Pandata.
The data processing described below relates exclusively to data required for the operation of the application, authentication and product improvement.
7.2. Authentication
Use of PandaOS requires the creation of a user account. Authentication is handled via Supabase Auth using the following sign-in methods:
- Google (OAuth 2.0)
- GitHub (OAuth 2.0)
- Microsoft Azure AD (OAuth 2.0)
- Email (magic link / one-time password)
The following data is processed and stored: user ID, email address, authentication provider and last sign-in timestamp.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
7.3. Usage analytics
During the Beta Program, PandaOS collects anonymised usage events for the purpose of product improvement. Only metadata is collected — message content, source code, file contents or user-generated text is never collected.
The following events are recorded:
| Event | Metadata |
|---|---|
| Application opened | App version |
| Message sent | Model name (count only) |
| Chat started | Model name |
| Project created | Framework type |
| Project deleted | — |
| Integration enabled/disabled | Integration name |
| Setting changed | Setting key |
Data is stored in a Supabase database and linked to the authenticated user ID.
Opt-out: Users can disable usage analytics entirely via a toggle in Settings.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in product improvement). Where consent is obtained, Art. 6(1)(a) GDPR applies.
7.4. LLM request logging
AI requests are routed through a self-hosted LiteLLM proxy. The following data is logged:
Collected: Model name, token count (input/output), latency and status codes, timestamp and user ID.
Not collected: Prompt content, response content, any message text.
Purpose: Cost accounting, rate limiting and model usage analytics.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in operation and cost management).
7.5. Third-party AI providers
PandaOS routes AI requests to third-party providers selected by the user (e.g. Anthropic, OpenAI, Google). When using these integrations, prompts and related data are transmitted to the respective provider. Data processing by these providers is governed by their own privacy policies and terms of service and is outside the control of Pandata.
The user is solely responsible for the selection and configuration of AI providers.
7.6. No third-party analytics services
PandaOS does not use any third-party analytics services (e.g. Google Analytics, Mixpanel, Segment). No advertising trackers, fingerprinting or cross-site tracking are employed. All first-party data is stored on Pandata's own infrastructure (Supabase, LiteLLM proxy).
7.7. Data explicitly not collected
The following data is not collected by PandaOS:
- Message or prompt content
- Source code or file contents
- Project names or file paths
- Browsing history
- Device fingerprinting
- Precise location data
Data is not sold or shared with third parties.
7.8. Storage and infrastructure
All data collected by PandaOS (authentication, usage events, LLM logs) is stored on infrastructure operated by Pandata (Supabase). Processing takes place within the EEA unless otherwise specified in Section 1.3 of this privacy policy.
8. Changes to this privacy policy
We reserve the right to change this privacy policy with effect for the future. A current version is always available on this page.
9. Contact
For any privacy-related requests or questions, contact us at: info@pandata.de
Data protection officer: heyData GmbH, Gormannstr. 14, 10119 Berlin, email: info@heydata.de