Privacy Policy

Last updated: March 11, 2026

This Privacy Policy ("Policy") describes how POM ("POM," "we," "us," or "our") collects, uses, discloses, and protects information in connection with the POM platform and related products and services (collectively, the "Service"). Capitalized terms not defined herein have the meanings ascribed to them in the POM Terms of Service ("ToS"), available at https://askpom.com/legal/terms.

By accessing or using the Service, you ("Customer," "you," or "your") acknowledge that you have read and understood this Policy. If you do not agree with this Policy, you must not access or use the Service.


1. Information We Collect

1.1 Account Information

When you create an account or register for the Service, we collect information necessary to establish and maintain your account, including:

  • Full name
  • Email address
  • Organization name and billing address
  • Account credentials (hashed; we do not store plaintext passwords)
  • Subscription tier and billing plan selection

1.2 Customer Data

As defined in the ToS, "Customer Data" means all data, content, and materials that you submit to or through the Service, including:

  • Prompts and Instructions: Text inputs, task descriptions, and instructions you provide to AI agents through the Service
  • Files and Documents: Emails, documents, spreadsheets, images, code files, and any other files you share with or make accessible to agents
  • Agent Outputs: Text, files, actions, and other outputs generated by AI agents during sessions (referred to as "Outputs" in the ToS)

Customer Data is owned by you at all times, subject to the limited license granted in the ToS to provide the Service. Ownership of Agent Outputs is subject to the terms and conditions set forth in Section 8.3 of the ToS.

1.3 Usage Data

We automatically collect information about your use of the Service, including:

  • Session metadata (session identifiers, start and end timestamps, duration)
  • Token counts and associated costs per session
  • AI model provider selected for each session
  • Features and tools accessed during sessions
  • Budget utilization and approval events
  • Error logs and performance metrics

1.4 Device Information

We collect information about the devices you use to access the Service, including:

  • Operating system type and version
  • Application version
  • For mobile devices: device identifiers, device type, and mobile operating system version
  • For desktop: platform architecture (for daemon compatibility purposes only)

1.5 Pairing Data

If you use POM Mobile to pair with a POM Desktop daemon instance, we collect:

  • Mobile device pairing credentials (encrypted)
  • Pairing session state and connection metadata
  • Push notification tokens (for session event notifications)

1.6 Payment Information

If you subscribe to a paid tier of the Service, payment card information is collected and processed by Stripe, Inc. ("Stripe"), as listed on our Sub-processor List at https://askpom.com/legal/sub-processors. Stripe is PCI DSS Level 1 certified. Usage-based metering and invoice generation are handled by POM's self-hosted billing infrastructure. We do not directly collect, store, or process payment card numbers, bank account details, or other financial account information. We receive from Stripe only:

  • Confirmation of payment status
  • Subscription plan and billing cycle information
  • Transaction identifiers for support and reconciliation purposes

2. How We Use Information

2.1 Provide and Maintain the Service

We use the information we collect to:

  • Operate, maintain, and improve the Service
  • Route Customer Data to AI Sub-processors as necessary to fulfill agent session requests
  • Enforce budget controls, permission boundaries, and governance policies
  • Provide session history, usage analytics, and fleet management dashboards
  • Authenticate users and secure access to daemon and relay services

2.2 Process Payments and Manage Subscriptions

We use account and payment information to:

  • Process subscription fees and usage-based charges
  • Manage billing cycles, renewals, and cancellations
  • Send invoices and payment confirmations
  • Address billing disputes and process refunds

2.3 Communicate with Customers

We use your contact information to:

  • Send service-related notices (maintenance windows, security alerts, policy changes)
  • Respond to support requests and inquiries
  • Provide onboarding and product guidance
  • Notify you of material changes to these terms or the Service

2.4 Improve and Develop the Service

We use aggregate and anonymized data to:

  • Analyze usage patterns and feature adoption to improve the Service
  • Identify and resolve bugs, performance issues, and service disruptions
  • Develop new features and product capabilities
  • Conduct internal research and statistical analysis

We only use aggregate or anonymized data for Service improvement. Individual Customer Data is never used for this purpose in an identifiable form.

2.5 Comply with Legal Obligations

We use information as necessary to:

  • Comply with applicable laws, regulations, and legal processes
  • Respond to lawful requests from governmental authorities
  • Enforce our ToS, AUP, and other agreements
  • Protect the rights, safety, and property of POM, our Customers, and the public

2.6 What We Do NOT Do

We do NOT use Customer Data to train AI models. POM is an orchestration platform that routes Customer Data through third-party AI model providers and, in some cases, POM's own internal models to deliver the Service. No Customer Data is used — by POM or at POM's direction — for AI model training, fine-tuning, or improvement. POM may operate internal machine learning models for operational purposes such as model routing optimization, query classification, and cybersecurity (e.g., threat detection and content filtering). These internal models process Customer Data only as necessary to route, classify, or secure requests within the Service and do not retain Customer Data beyond the duration of the request.

We do NOT sell Customer Data. We do not sell, rent, lease, or otherwise make Customer Data available to third parties for monetary or other valuable consideration. For purposes of the California Consumer Privacy Act ("CCPA"), POM does not "sell" or "share" Personal Information.


3. How We Share Information

3.1 AI Sub-processors

To provide the Service, Customer Data (including prompts, documents, files, and related session inputs) is transmitted to third-party AI model providers ("AI Sub-processors") and may be processed by POM's internal models for routing, classification, and security purposes. This transmission is necessary for the core functionality of the Service — AI agent orchestration requires routing data to AI models for inference. Our current AI Sub-processors are listed in Section 4 below and at https://askpom.com/legal/sub-processors.

3.2 Infrastructure Providers

We use third-party infrastructure providers for hosting, content delivery, monitoring, and related operational services. Customer Data processed in cloud environments may be stored on infrastructure provider systems, subject to appropriate data processing agreements.

3.3 Payment Processors

We share necessary billing information with Stripe for payment card processing and subscription management. Stripe is contractually obligated to use your information solely for the purpose of processing payments on our behalf. Usage metering and invoicing are processed on POM's self-hosted infrastructure and are not shared with third parties. See our Sub-processor List at https://askpom.com/legal/sub-processors for details.

3.4 Legal Compliance

We may disclose information if we believe in good faith that disclosure is necessary to:

  • Comply with applicable law, regulation, or legal process (including court orders and subpoenas)
  • Protect the rights, property, or safety of POM, our Customers, or the public
  • Detect, prevent, or address fraud, security issues, or technical problems
  • Enforce our ToS, AUP, or other agreements

3.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred to the acquiring entity. We will provide notice of any such transfer and any changes to applicable terms or privacy practices via the email address associated with your account and through the Service.

3.6 With Your Consent

We may share information with third parties when you have provided explicit consent to do so.

3.7 What We Do NOT Share

We do not share Customer Data for advertising or marketing purposes. We do not provide Customer Data to advertising networks, data brokers, analytics companies (other than our own internal analytics), or any other third party for the purpose of advertising, marketing, or behavioral targeting.


4. Third-Party AI Providers

4.1 Data Flow to AI Providers

POM operates as an orchestration layer between you and third-party AI model providers. When you initiate an AI agent session, the following data may be transmitted to the selected AI provider:

  • Your prompts and task instructions
  • Files, documents, and other content provided as context
  • Session context necessary for the AI model to generate responses
  • POM-added orchestration metadata (tool call definitions, permission parameters)

AI model responses are returned to POM, where they are subject to permission checks, budget enforcement, and output filtering before being delivered to you.

4.2 POM-Managed Providers

POM contracts with third-party AI model providers ("POM-Managed Providers") and maintains data processing agreements with each. POM-Managed Providers are listed on the Sub-processor List at https://askpom.com/legal/sub-processors, which includes each provider's data retention periods, no-training commitments, and key terms. POM selects only providers that offer commercial or API tiers where Customer Data is not used for model training.

POM-Managed Providers may retain Customer Data for limited periods as required by their respective data retention policies (for example, for safety monitoring, abuse detection, or regulatory compliance), even after Customer deletes such data from the Service. Specific retention periods and commitments for each provider are detailed on the Sub-processor List.

4.3 No-Training Commitments

POM contractually requires that all POM-Managed Providers commit to not using Customer Data submitted through paid API tiers for AI model training. POM exclusively uses commercial or paid API tiers that include such commitments. Specific no-training commitments and any applicable caveats (such as de-identification or aggregation provisions) for each POM-Managed Provider are detailed on the Sub-processor List at https://askpom.com/legal/sub-processors.

4.4 Customer-Configured Providers

The Service may allow you to configure connections to third-party AI model providers or model routing services not managed by POM ("Customer-Configured Providers"), including by supplying your own API keys, configuring third-party routing services, or connecting self-hosted models.

Important: When you configure a Customer-Configured Provider:

  • POM does not act as a data processor with respect to Customer Data transmitted to that provider. Your data is routed to the provider you selected, under the terms you accepted with that provider.
  • POM has no data processing agreement with Customer-Configured Providers and makes no representations regarding their data handling, training practices, retention policies, or security measures.
  • You are solely responsible for evaluating whether a Customer-Configured Provider meets your data protection, security, and compliance requirements, and for reviewing and accepting that provider's terms of service and privacy policy.
  • POM's no-training commitment (Section 2.6) does not extend to Customer-Configured Providers. You should independently verify each provider's training and data use policies.

POM acts solely as a technical pass-through when routing Customer Data to a Customer-Configured Provider.

4.5 Sub-processor List

A current list of all POM-Managed Providers and infrastructure sub-processors is maintained at https://askpom.com/legal/sub-processors. We will update this list and provide notice in accordance with Section 10 of this Policy and the applicable provisions of our Data Processing Agreement ("DPA"), available at https://askpom.com/legal/dpa, before adding new POM-Managed Providers. For information about how we process personal data on behalf of business Customers as a data processor, please see the DPA.


5. Data Security

5.1 Local Daemon Communication

In local deployments, POM restricts internal communication to the local machine and does not expose data over network interfaces. All requests require valid authentication to prevent unauthorized access.

5.2 Mobile Relay Encryption

Communication between POM Desktop and POM Mobile is facilitated through the POM Relay, which employs end-to-end ("E2E") encryption. POM's relay infrastructure cannot read, access, or decrypt the content of messages in transit between your devices. Only connection metadata and device pairing state are accessible to the relay service.

5.3 AI Provider Communication

All communication between the POM daemon and AI Sub-processors is transmitted over HTTPS using Transport Layer Security ("TLS") encryption. No Customer Data is transmitted to AI Sub-processors in unencrypted form.

5.4 Credential Storage

Sensitive credentials, including AI provider API keys and authentication tokens, are stored in your operating system's native secure credential store (e.g., macOS Keychain, Windows Credential Manager). API keys and authentication tokens are not stored in plaintext configuration files.

5.5 Authentication

An authentication token is required on every message sent to the POM daemon. No anonymous or unauthenticated access to daemon functionality is permitted. Mobile device pairing uses encrypted key exchange protocols.

5.6 Additional Measures

We implement reasonable administrative, technical, and physical safeguards designed to protect the information we collect and process. These measures include, but are not limited to:

  • Tool-level permission systems for agent actions with risk-level classification
  • Budget governance controls with per-agent spending limits
  • Session-level audit trails for agent actions
  • Regular security assessments and code review

No method of electronic transmission or storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security.

5.7 Cookies and Tracking Technologies

POM's desktop and CLI applications do not use cookies or web-based tracking technologies. POM Mobile does not use third-party advertising cookies or cross-app tracking identifiers.

Our website at askpom.com may use strictly necessary cookies required for site functionality (e.g., session management, authentication state). We do not use third-party advertising or behavioral tracking cookies on any POM property.

When web-based services are available (POM Cloud, POM Management Console), we may use essential first-party cookies to maintain session state and authentication. We will update this section to describe any additional cookies or similar technologies prior to their deployment. We will not deploy third-party advertising or behavioral tracking cookies.


6. Data Retention

6.1 Session Data

Session data (including prompts, agent outputs, file context, and related inputs) is retained for the duration of your use of the Service. In local deployments, session data is stored on your device and persists until you delete it. In POM Cloud deployments, session data is stored within POM's managed cloud infrastructure, encrypted at rest, and is retained until you delete it or your account is terminated.

6.2 Session Metadata

Session metadata (including timestamps, token counts, model identifiers, and cost information) is retained until you affirmatively delete it through the Service. In local deployments, this data is stored on your device. In POM Cloud deployments, this data is stored within POM's managed infrastructure.

6.3 Account Data

Account information is retained for the duration of your active account plus thirty (30) days following account deletion. After this retention period, account data is permanently deleted from our systems, subject to any legal obligation to retain specific records.

6.4 AI Sub-processor Retention

Customer Data transmitted to AI Sub-processors is retained by those providers in accordance with their respective terms, as described in Section 4.2 of this Policy. POM does not control or extend these retention periods.

6.5 Relay Traffic

Data transmitted through the POM Relay is in transit only and is not stored by POM's relay infrastructure. The POM Relay does not retain message payloads. E2E encryption ensures that POM cannot access the content of relay traffic.

6.6 Aggregate and Anonymized Data

We may retain aggregate or anonymized data (which cannot be used to identify you) indefinitely for analytical, research, and Service improvement purposes.


7. Your Rights

7.1 General Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

  • Access: Request confirmation of whether we process your personal information, and request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal information.
  • Deletion: Request deletion of your personal information, subject to certain exceptions (e.g., legal retention obligations).
  • Portability: Request a copy of your personal information in a structured, commonly used, machine-readable format.
  • Objection: Object to our processing of your personal information in certain circumstances.
  • Restriction: Request restriction of processing of your personal information in certain circumstances.
  • Withdrawal of Consent: Where processing is based on consent, withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing conducted prior to withdrawal.

7.2 Rights of EU/EEA Residents (GDPR)

If you are located in the European Union or European Economic Area, you have the rights set forth in the General Data Protection Regulation ("GDPR"), including:

  • The rights described in Section 7.1 above, as guaranteed under Articles 15 through 22 of the GDPR
  • The right to lodge a complaint with your local supervisory authority
  • The right not to be subject to automated decision-making, including profiling, which produces legal effects or similarly significantly affects you (GDPR Article 22)

Under GDPR Article 6, our lawful bases for processing are mapped to each processing purpose as follows:

Processing Purpose | Lawful Basis | GDPR Article
Provide and maintain the Service | Performance of contract | Art. 6(1)(b)
Process payments and manage subscriptions | Performance of contract | Art. 6(1)(b)
Route Customer Data through AI Sub-processors | Performance of contract | Art. 6(1)(b)
Service communications (notices, support) | Legitimate interest | Art. 6(1)(f)
Security, fraud prevention, abuse detection | Legitimate interest | Art. 6(1)(f)
Improve and develop the Service (aggregate/anonymized data) | Legitimate interest | Art. 6(1)(f)
Comply with legal obligations | Legal obligation | Art. 6(1)(c)
Marketing communications | Consent | Art. 6(1)(a)

Where we rely on legitimate interest, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interest at any time by contacting privacy@pom.dev.

7.3 Rights of California Residents (CCPA/CPRA)

If you are a California resident, you have the rights set forth in the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"), including:

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, our business purpose for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: POM does not sell or share personal information for cross-context behavioral advertising. No opt-out is necessary, but you may submit a request for confirmation.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA rights.

For purposes of the CCPA, we are a "service provider" with respect to personal information we process on behalf of our business Customers.

7.4 Exercising Your Rights

To exercise any of the rights described in this Section 7, please contact us at:

Email: privacy@pom.dev

We will respond to verifiable requests within the timeframes required by applicable law (generally thirty (30) days for GDPR and forty-five (45) days for CCPA, subject to permitted extensions). We may request additional information to verify your identity before fulfilling your request.


8. International Data Transfers

8.1 Cross-Border Transfers

POM and its AI Sub-processors are located in the United States. If you access the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States and other countries that may have data protection laws different from those in your country of residence.

8.2 EU-US Data Privacy Framework

Where applicable, we rely on the EU-US Data Privacy Framework ("DPF"), the UK Extension to the DPF, and the Swiss-US Data Privacy Framework as mechanisms for the lawful transfer of personal data from the European Union, United Kingdom, and Switzerland to the United States.

8.3 Standard Contractual Clauses

In addition to or in the absence of DPF certification, we enter into the European Commission's Standard Contractual Clauses ("SCCs") with Customers and sub-processors as appropriate to ensure adequate safeguards for the transfer of personal data outside the EU/EEA.

8.4 Transfer Impact Assessments

We conduct transfer impact assessments as required under applicable data protection law to evaluate the legal framework and practices in the recipient country and to implement supplementary measures where necessary to ensure an adequate level of protection for transferred personal data.


9. Children's Privacy

The Service is not directed at, marketed to, or intended for use by children under the age of sixteen (16). We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information promptly.

If you are a parent or guardian and believe your child has provided personal information to us, please contact us at privacy@pom.dev, and we will take appropriate steps to investigate and address the matter.

This Policy is intended to comply with the Children's Online Privacy Protection Act ("COPPA") and similar laws in other jurisdictions that restrict the collection of personal information from minors.


10. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, the Service, or applicable law.

10.1 Notice of Material Changes

For material changes to this Policy — including changes to the categories of information collected, the purposes of processing, or third-party sharing practices — we will provide at least thirty (30) days' prior notice before the changes take effect. Notice will be provided through:

  • Email notification to the address associated with your account
  • In-app notification within the Service
  • Posting the revised Policy at https://askpom.com/legal/privacy with a revised "Last Updated" date

10.2 Non-Material Changes

For non-material changes (e.g., formatting, clarifications that do not alter the substance of the Policy), we may update this Policy by posting the revised version at https://askpom.com/legal/privacy with a revised "Last Updated" date.

10.3 Continued Use

Your continued use of the Service after the effective date of any updated Policy constitutes your acknowledgment of and agreement to the updated Policy. If you do not agree with a material change, you may terminate your account before the change takes effect.


11. Contact Information

If you have questions or concerns about this Policy, our data practices, or your rights, please contact us at:

Email: privacy@pom.dev

Postal Address:

Pom Labs, Inc.
16192 Coastal Highway
Lewes, DE 19958
United States

For data protection inquiries from EU/EEA residents, you may also contact our designated representative at privacy@pom.dev.


POM Privacy Policy — Version 1.0

Effective Date: March 11, 2026

Questions about these terms? Contact us at legal@pom.dev