Privacy Policy

This policy covers four groups of people who interact with Pawlo:

• Website visitors — anyone who browses www.pawlo.ai
• API users — developers and companies who access the Pawlo MCP API to build AI-powered applications
• Listed businesses — local businesses, event organizers, and wholesale suppliers who submit data to the Pawlo platform
• BIA/BRZ partners — organizations that contract for district-level AI readiness services and submit member directories on behalf of their businesses

We use collected information for the following purposes:

• To operate the platform — processing API queries, routing buyer intent to matched businesses, and maintaining the intelligence layer
• To manage accounts — issuing and managing API keys, communicating about access, billing, and support
• To build and improve business profiles — structuring submitted business data into queryable intelligence
• To communicate — sending transactional messages (account approvals, billing receipts) and, with consent, product updates
• To analyze platform performance — understanding usage patterns to improve the product
• To comply with legal obligations — responding to lawful requests, preventing fraud, and enforcing our Terms of Service
• To comply with anti-spam legislation — maintaining consent records and honouring unsubscribe requests as required by Canada's Anti-Spam Legislation (CASL)

If you are located in the European Economic Area (EEA) or United Kingdom, we rely on the following lawful bases under the GDPR:

• Contract — processing necessary to deliver the services you've signed up for (API access, business listing)
• Legitimate interests — analytics, fraud prevention, platform improvement, and direct outreach to businesses where we have a reasonable basis to believe the service is relevant
• Consent — marketing communications and analytics cookies (where consent is required)
• Legal obligation — compliance with applicable laws

We share data with the following trusted third parties who process it on our behalf:

• Cloudflare — CDN, security, DNS, and edge infrastructure (cloudflare.com)
• Google Analytics 4 — website analytics (analytics.google.com). Data is stored on Google servers, primarily in the United States
• Anthropic — AI model processing for conversational onboarding flows (anthropic.com). Queries are processed transiently; we do not authorize Anthropic to train on your data
• Twilio — SMS messaging for business deal-signal interactions (twilio.com)
• Postmark — transactional email delivery and inbound email processing (postmarkapp.com)
• Google Places API — business enrichment: ratings, reviews, address, phone verification (google.com)

We do not sell your personal information to third parties. We do not share personal data with advertisers.

Data contributed by listed businesses — including specializations, availability, deal signals, and contact details — is used to power the Pawlo intelligence layer. This data is made available to API users (AI builders and agents) in structured form to answer buyer queries.

Contact information (phone, email) is not exposed directly through API responses. It is used internally for Pawlo to communicate with you about your listing.

By submitting data to Pawlo, you grant us a non-exclusive licence to index, structure, and serve that data via the Pawlo API for the duration of your listing.

Menu data you submit (dishes, prices, descriptions, dietary tags, allergens) is structured and made available to AI agents via the Pawlo MCP API. This data is designed to help AI agents answer consumer queries accurately.

Pawlo may also collect and structure business data from publicly available sources (websites, directories, review platforms). This data is normalized, classified, and tagged to create structured profiles. If your business data has been collected from public sources and you wish to correct or remove it, contact [email protected].

Information served through the Pawlo API, including allergen tags, dietary labels, pricing, and hours, should be confirmed directly with the business before being relied upon for health, safety, or purchasing decisions.

We use the following cookies and similar technologies:

• Google Analytics cookies (_ga, ga*) — session tracking and analytics. Retained for 2 years
• Cloudflare cookies (cf_clearance, __cf_bm) — bot protection and performance. Session-scoped or short-lived

You can opt out of Google Analytics tracking at any time via Google's opt-out browser add-on or by adjusting your browser settings.

Where required by applicable law, Pawlo will request consent before placing non-essential cookies or similar technologies on your device.

• API user data — retained for the duration of the account plus 12 months after termination
• Business profile data — retained for the duration of the listing. You may request deletion at any time by emailing [email protected]. Business profile data is removed from active systems within 14 days. Related data such as cached derivatives, logs, and backups may take up to 30 days to be fully removed. Data already returned in prior API responses may persist in downstream systems outside our control
• API usage logs — retained for 90 days for debugging and billing, then deleted
• Analytics data — retained by Google Analytics per their standard retention period (2 years)
• BIA partner data — retained for the duration of the district agreement plus 12 months
• Restaurant menu data — retained while the restaurant listing is active. Deleted within 30 days of a removal request

Depending on your location, you may have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you
• Correction — request correction of inaccurate data
• Deletion — request deletion of your data (subject to legal retention requirements)
• Portability — request your data in a structured, machine-readable format (GDPR)
• Objection — object to processing based on legitimate interests (GDPR)
• Withdrawal of consent — withdraw consent at any time where processing is consent-based
• Lodge a complaint — you may lodge a complaint with your local data protection authority (for EEA users) or the Office of the Privacy Commissioner of Canada

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

Pawlo is operated from Alberta, Canada. If you are located in the EEA, UK, or another jurisdiction with data transfer restrictions, be aware that your data may be transferred to and processed in Canada and the United States (by our service providers listed above).

Canada is recognized by the European Commission as providing an adequate level of data protection for most commercial transfers. For transfers to the United States (Google, Anthropic, Cloudflare), we rely on standard contractual clauses and the data processing agreements with those providers.

Pawlo is not intended for children, and we do not knowingly collect personal information from children without appropriate authorization where required by law. If you believe we have inadvertently collected information from a child, please contact us and we will delete it promptly.

Pawlo uses commercially reasonable technical and organizational measures to protect the information we collect and store. These measures include encryption in transit (TLS), access controls, regular security reviews, and secure credential management.

No method of transmission over the internet or electronic storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security.

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. Continued use of Pawlo after changes constitutes acceptance of the revised policy.

For privacy-related questions, data requests, or concerns: