This Privacy Policy applies to all users of the Service worldwide. If you are located in the European Economic Area (“EEA”), United Kingdom (“UK”), or Switzerland, please see Section 11 for additional information about your rights under the General Data Protection Regulation (“GDPR”). If you are a California resident, please see Section 12 for additional information about your rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”). If you are a Texas resident, please see Section 13 for additional information about your rights under the Texas Data Privacy and Security Act (“TDPSA”).
We collect information in the following categories:
When you create an account, we collect your name, email address, password (stored in hashed form), profile information, organizational affiliation, and role or title. If you create an organizational account, we also collect information about your organization’s name and structure.
The core function of the Service is to help you organize and manage your professional and personal life. Depending on your use of the Service, you may submit the following types of data:
Strategic and goal-related data: Areas of responsibility, objectives, key results, outcomes, projects, tasks, and their associated metadata (status, priority, deadlines, notes, dependencies).
Decision and commitment data: Decisions you track (including alternatives, stakeholders, rationale, and outcomes), commitments detected or manually entered, and their lifecycle information.
Relationship and contact data: Names, email addresses, phone numbers, job titles, company affiliations, relationship types, interaction history, and notes about people and organizations you track in the Service.
Meeting and calendar data: Meeting notes, agendas, action items, attendees, and calendar event details imported through authorized integrations or entered manually.
Communication data: Email content, threads, and metadata imported through authorized integrations (such as Google Gmail or Microsoft Outlook) that you explicitly connect.
Portfolio and business data: Company strategies, annual plans, financial metrics and targets (revenue, costs, KPIs), OKRs, risk registers, talent assessments, and market intelligence for portfolio companies you manage.
Travel and lifestyle data: Trip plans, hotel and restaurant preferences and reviews, and place information.
Dietary and health data: If you opt into the dietary tracking feature, food intake logs, nutritional analysis data, dietary preferences, and related health information.
Transcription data: Meeting and conversation transcripts you import into the Service, including speaker-attributed text, timestamps, and participant names. Pomegranate AI does not process raw audio or video files for transcription; it receives only pre-processed text transcripts.
Biometric data (video avatars): If you opt into the video avatar feature, we collect facial geometry and likeness data to generate a personalized AI video representation. This data constitutes biometric information and is collected only with your explicit consent. See Section 8.5 for additional details.
When you connect Third-Party Integrations to the Service, we receive data from those services based on the permissions you grant:
Google Workspace: Calendar events (titles, times, attendees, descriptions, recurrence), email messages (sender, recipient, subject, body, metadata), and contact information.
Microsoft 365: Calendar and email data similar to that described above for Google Workspace.
Financial data providers (Finnhub, Marketaux): Market data, stock prices, news, and company financial information related to companies you track.
Nutrition databases (USDA FoodData Central, Edamam, Open Food Facts): Nutritional composition data matched against your food intake entries.
Usage and telemetry data: We collect information about how you interact with the Service, including features accessed, actions taken, pages visited, session duration, clicks, and interaction patterns.
Feature adoption data: We track which features you have used, adoption rates, deferral patterns, and friction points to improve the Service experience.
Device and browser information: Device type, operating system, browser type and version, screen resolution, and language preferences.
Log data: Server logs, IP addresses, access times, referring URLs, and error reports.
AI interaction data: Records of your interactions with AI Agents, including prompts, responses, tool usage, agent memory items created, and skill execution records.
AI-generated insights: The Service’s AI Agents analyze your data to generate insights, recommendations, behavioral patterns, commitment health scores, credibility assessments, and other analytical outputs.
Aggregated analytics: We compute behavioral summaries, adoption patterns, and engagement metrics.
Agent memory: AI Agents create and maintain memory items, observations, and knowledge items derived from your interactions and data to provide personalized assistance over time.
Processing and storing Customer-submitted content; synchronizing data with authorized Third-Party Integrations; powering AI Agents to generate insights, recommendations, and automated assistance; providing review cadences, decision support, commitment tracking, and portfolio management features; enabling relationship management and contact intelligence; and delivering travel, dietary, and lifestyle features.
We process your data through AI Agents using third-party large language model providers (currently Anthropic and OpenAI) to provide personalized analysis and recommendations, detect commitments and decisions from your communications, generate meeting preparation materials and briefings, provide strategic and operational coaching, create agent memories to improve the relevance and personalization of AI assistance over time, and generate content such as email drafts, battle cards, and reports.
Analyzing usage patterns and feature adoption to improve the Service; identifying and fixing bugs and performance issues; developing new features and capabilities; and conducting internal analytics and benchmarking using aggregated and de-identified data.
Sending transactional messages (account verification, password resets, subscription confirmations); providing Service notifications (review reminders, commitment alerts, decision deadlines); and communicating product updates, new features, and relevant information about the Service.
Protecting against fraud, unauthorized access, and other security threats; enforcing our Terms of Service; complying with applicable legal obligations; and responding to legal requests and preventing harm.
Depending on your location and the applicable data protection law, we process your personal information on the following legal bases:
Performance of a contract: Processing necessary to provide the Service under our Terms of Service (account management, data processing, AI features, integrations).
Consent: Where you have provided explicit consent, such as connecting Third-Party Integrations, enabling optional features (dietary tracking, health data processing), or opting into specific AI Agent capabilities. You may withdraw consent at any time.
Legitimate interests: Processing for our legitimate business interests, including Service improvement, security, fraud prevention, and analytics, where those interests are not overridden by your rights. Our legitimate interest assessment considers the nature of the processing, the reasonable expectations of users, and the safeguards we apply.
Legal obligation: Processing required to comply with applicable laws, regulations, or legal processes.
We share your information only in the following circumstances:
We use the following categories of third-party service providers to operate the Service:
Cloud infrastructure: Our Service is hosted on cloud infrastructure that provides computing, storage, and database services.
AI model providers: We transmit portions of your data to Anthropic (Claude) and OpenAI for processing by AI Agents. These providers process data according to their enterprise terms and do not use your data to train their general models.
Authentication providers: We use Supabase for user authentication and database management.
Data enrichment providers: We use financial data providers (Finnhub, Marketaux) and nutrition data providers (USDA, Edamam) to enrich your data.
Analytics infrastructure: We use analytics services for usage monitoring and Service improvement.
A current list of sub-processors is available upon request by contacting privacy@pomegranate.ai.
We may share your data when you explicitly direct us to, such as when you share content with other users through the Service’s sharing features or when you connect Third-Party Integrations.
We may disclose your information when required by law, regulation, or legal process; when necessary to protect the rights, property, or safety of Pomegranate AI, our users, or the public; and to enforce our Terms of Service.
In connection with a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred to the acquiring entity. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
We do not sell your personal information to third parties. We do not share your personal information for cross-context behavioral advertising. We do not use your Customer Data to train general-purpose AI models made available to other customers without your explicit written consent.
We retain your information for the following periods:
Account and profile data: Retained for the duration of your account and for thirty (30) days after account termination to allow for data export, after which it is deleted unless retention is required by law.
Customer-submitted content: Retained for the duration of your subscription plus thirty (30) days post-termination for data export purposes.
AI Agent memories and knowledge items: Retained for the duration of your subscription and deleted upon account termination.
Communication data (imported emails and calendar events): Retained for the duration of your subscription. Deleted or de-linked within thirty (30) days of disconnecting the relevant integration or terminating your account.
Usage and telemetry data: Retained in identifiable form for up to twenty-four (24) months, then aggregated and de-identified.
Server logs and security data: Retained for up to twelve (12) months for security and debugging purposes.
Imported transcription data: Meeting and conversation transcripts you upload are retained for the duration of your subscription. AI-generated analyses, extracted commitments, decisions, and inferences derived from transcripts are retained as part of your Customer Data for the duration of your subscription and deleted within thirty (30) days of account termination.
Biometric identifiers (video avatars): Facial geometry and likeness data captured for the purpose of generating video avatars are retained only for the duration of the video avatar feature’s activation on your account. Biometric identifiers are permanently destroyed within thirty (30) days of the user deactivating the video avatar feature or terminating their account. Pomegranate AI does not sell, lease, or otherwise profit from biometric identifiers. Biometric data is not shared with third parties except as strictly necessary to provide the avatar generation service, and any such third-party processor is contractually bound to the same retention and destruction obligations.
Aggregated and de-identified data: May be retained indefinitely as it cannot be used to identify you.
When deletion is required, we use commercially reasonable methods to render personal data unrecoverable. Backup copies may persist for a limited period in accordance with our backup retention schedules but will not be actively processed.
We implement and maintain administrative, technical, and organizational measures designed to protect your information, including:
Encryption: Data is encrypted at rest and in transit using industry-standard encryption protocols (TLS 1.2+ for data in transit; AES-256 for data at rest).
Multi-tenant isolation: Customer data is logically isolated using tenant-scoped access controls and row-level security policies enforced at the database layer.
Access controls: Role-based access controls limit access to personal data to authorized personnel who need it to perform their job functions.
Audit logging: All data mutations are logged with actor identification, timestamps, and correlation identifiers for security monitoring and incident investigation.
Vendor security: We require our sub-processors to implement appropriate security measures and to process data only according to our instructions.
While we strive to protect your information, no method of transmission or storage is completely secure. We cannot guarantee absolute security.
Depending on your location, you may have the following rights regarding your personal information:
Right to access: Request a copy of the personal information we hold about you.
Right to correction: Request correction of inaccurate or incomplete personal information.
Right to deletion: Request deletion of your personal information, subject to legal retention obligations.
Right to data portability: Request a copy of your data in a structured, commonly used, machine-readable format.
Right to restrict processing: Request that we restrict the processing of your personal information in certain circumstances.
Right to object: Object to the processing of your personal information based on legitimate interests.
Right to withdraw consent: Where processing is based on consent, withdraw that consent at any time.
Right to opt out: Opt out of the sale or sharing of personal information, targeted advertising, and certain profiling activities.
Right regarding automated decision-making: Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects, and to request human review of such decisions.
To exercise any of these rights, contact us at privacy@pomegranate.ai. We will respond within the timeframe required by applicable law (generally thirty (30) days, extendable to forty-five (45) days for complex requests). We will not discriminate against you for exercising your rights.
Given the central role of AI in the Service, we provide the following additional disclosures:
AI Agents analyze your Customer Data (including goals, tasks, communications, meetings, contacts, and strategic plans) using large language models to generate recommendations, detect patterns, and provide assistance. Your data is transmitted to third-party AI model providers (Anthropic and OpenAI) through their enterprise APIs for processing. These transmissions are encrypted and governed by data processing agreements with these providers.
Pomegranate AI does not use your Customer Data to train general-purpose AI models. The third-party AI model providers we use (Anthropic and OpenAI) process your data under enterprise terms that prohibit the use of your data for model training.
The Service does create personalized agent memories and knowledge items based on your interactions, which are used solely to improve the Service’s relevance and helpfulness for your account. These personalization artifacts are part of your Customer Data and are deleted when your account is terminated.
The Service uses AI to generate insights, scores, and assessments, including commitment health scores, relationship credibility assessments, behavioral pattern analysis, and strategic recommendations. These AI-generated outputs are advisory in nature and are intended to assist you in making your own decisions. The Service does not make fully automated decisions that produce legal or similarly significant effects on individuals without human involvement.
You may configure the level of AI autonomy (Manual, Semi-Autonomous, or Full Autonomous) for each AI Agent. Regardless of autonomy level, you retain the ability to review, override, and disregard any AI-generated output.
AI Outputs may contain errors, inaccuracies, or biases inherent in the underlying AI models. Pomegranate AI does not guarantee the accuracy of AI Outputs and recommends that you independently verify any AI-generated information before relying on it for important decisions.
The video avatar feature uses AI to generate a digital video representation based on your facial geometry and likeness. This involves the collection and processing of biometric identifiers as defined under applicable law, including the Illinois Biometric Information Privacy Act (BIPA) and the Texas Capture or Use of Biometric Identifier Act (CUBI).
Before activating the video avatar feature, you will be asked to provide explicit consent to the collection and processing of your facial biometric data. You may withdraw consent and deactivate the feature at any time through your account settings, at which point your biometric data will be permanently destroyed within thirty (30) days.
Video avatars and any other AI-generated content that depicts or resembles a real person are labeled as AI-generated in compliance with the EU AI Act (Article 50). Pomegranate AI does not use biometric data collected for avatar generation for any other purpose, and does not sell, lease, trade, or otherwise profit from biometric identifiers.
The Service allows you to import pre-processed text transcripts of meetings and conversations for AI analysis. Pomegranate AI does not process raw audio or video recordings and does not perform speaker identification, voice analysis, or diarization. The transcription analysis feature processes only text content. By importing a transcript, you represent that you had proper authorization to record and transcribe the original conversation and that you may share its contents with a third-party service for AI analysis.
The Service is not directed to individuals under the age of eighteen (18). We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have collected information from a child under 18, please contact us at privacy@pomegranate.ai.
Pomegranate AI is based in the United States and processes data in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States, which may have data protection laws that differ from those of your jurisdiction.
For transfers of personal data from the EEA, UK, or Switzerland, we rely on the following transfer mechanisms:
Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses as the primary mechanism for lawful data transfers.
Adequacy decisions: Where applicable, we rely on adequacy decisions issued by the European Commission.
Supplementary measures: We implement additional technical and organizational safeguards, including encryption, access controls, and contractual commitments, to ensure that transferred data receives an adequate level of protection.
You may obtain a copy of the transfer safeguards we use by contacting privacy@pomegranate.ai.
Pomegranate AI, Inc. is the data controller for account data, usage data, and any data processed for our own purposes. When we process Customer-submitted content on your behalf (including data imported through integrations), we act as a data processor under your instructions.
We process your personal data under the legal bases described in Section 3 above.
In addition to the rights described in Section 7, you have the right to lodge a complaint with your local supervisory authority if you believe your rights have been violated. A list of supervisory authorities is available at edpb.europa.eu.
We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to your rights and freedoms, including AI-based profiling and the processing of sensitive data categories.
For GDPR inquiries, you may contact our data protection point of contact at dpo@pomegranate.ai.
Pursuant to Article 27 of the GDPR, Pomegranate AI has appointed a representative in the European Union. Contact details are available upon request at dpo@pomegranate.ai.
In the preceding twelve (12) months, we have collected the following categories of personal information as defined by the CCPA/CPRA:
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email, IP address, account ID | Yes |
| Personal information under Cal. Civ. Code § 1798.80 | Name, address, telephone number, employment information | Yes |
| Protected classifications | May be present in Customer-submitted content (e.g., contacts) | Yes |
| Commercial information | Subscription records, purchasing history | Yes |
| Internet or electronic network activity | Browsing/feature usage, interaction with Service | Yes |
| Geolocation data | Approximate location from IP address; place data if entered | Yes |
| Professional or employment information | Job titles, company affiliations, professional contacts | Yes |
| Inferences | AI-generated insights, behavioral patterns, scores | Yes |
| Biometric information | Facial geometry for video avatars (if opted in) | Yes (with consent) |
| Sensitive personal information | Email content, calendar data, health/dietary data (if opted in), precise geolocation (if entered), biometric data (if opted in) | Yes |
We collect each category for the business purposes described in Section 2 above.
We disclose the above categories of personal information to our service providers and contractors (as described in Section 4.1) for the business purpose of providing, maintaining, and improving the Service.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.
We retain personal information for the periods described in Section 5. The retention period for each category is determined based on the business or commercial purpose for which it was collected, as described in Section 2, and applicable legal requirements.
As a California resident, you have the right to know what personal information we collect, disclose, and sell; the right to request deletion of your personal information; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of your personal information (note: we do not sell or share your information); the right to limit the use of sensitive personal information to purposes necessary to provide the Service; and the right to non-discrimination for exercising your rights.
To exercise your California privacy rights, contact us at privacy@pomegranate.ai. We will verify your identity using information associated with your account. You may designate an authorized agent to make a request on your behalf by providing a signed written authorization.
In compliance with CCPA/CPRA regulations effective 2026, we conduct privacy risk assessments for processing activities that present significant risks to consumer privacy, including AI-based profiling and automated decision-making.
We honor Global Privacy Control (GPC) signals as a valid opt-out request. We will provide visible confirmation that opt-out requests, including GPC signals, have been processed.
As a Texas resident, you have the right to confirm whether we are processing your personal data; access your personal data; correct inaccuracies in your personal data; delete your personal data; obtain a copy of your data in a portable format; and opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
We process the following categories of sensitive data as defined under TDPSA: precise geolocation data (if you enter place data), health-related data (if you opt into dietary tracking), and communication content (emails, if you connect email integrations). We process sensitive data only with your consent, which you provide by affirmatively enabling the relevant features or integrations.
We recognize universal opt-out mechanisms, including Global Privacy Control (GPC), for requests to opt out of the sale of personal data and targeted advertising.
To exercise your TDPSA rights, contact us at privacy@pomegranate.ai. We will respond within forty-five (45) days. If we decline your request, you may appeal by contacting us at appeals@pomegranate.ai, and we will respond to the appeal within sixty (60) days.
We comply with applicable state privacy laws in jurisdictions where we operate or have users, including but not limited to the Colorado Privacy Act, Connecticut Data Privacy Act, Virginia Consumer Data Protection Act, and other state comprehensive privacy laws as they take effect.
For users in jurisdictions with specific data protection requirements not addressed above, please contact us at privacy@pomegranate.ai to learn about your rights and our compliance measures.
The Service uses the following types of tracking technologies:
Essential cookies: Required for authentication, security, and core Service functionality. These cannot be disabled.
Analytics cookies: Used to understand how users interact with the Service, track feature adoption, and identify areas for improvement. You may opt out of non-essential analytics through your account settings.
Integration tokens: OAuth tokens and API keys stored securely to maintain connections with Third-Party Integrations you have authorized. These persist until you disconnect the integration.
We do not use third-party advertising cookies or trackers. We do not engage in cross-site tracking or retargeting.
We may update this Privacy Policy from time to time. Material changes will be communicated at least thirty (30) days in advance via email to the address associated with your account or through a prominent notice within the Service. The “Last Updated” date at the top of this Policy indicates when it was most recently revised.
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you should discontinue use of the Service before the updated Policy takes effect.
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Pomegranate AI, Inc.
Austin, Texas
General privacy inquiries: privacy@pomegranate.ai
Data protection officer / point of contact: dpo@pomegranate.ai
TDPSA appeal requests: appeals@pomegranate.ai
Sub-processor list requests: privacy@pomegranate.ai