Privacy Policy
Effective Date: April 14, 2026 · Version 2.0
1. Introduction
Panxo Stacks, Inc. ("Panxo", "we", "us", or "our") operates an AI traffic monetization platform that detects visits originating from AI assistants (ChatGPT, Perplexity, Claude, Gemini) on publisher websites and serves programmatic advertising. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data in connection with our services. It is issued in accordance with Articles 13 and 14 GDPR, the UK GDPR, CCPA/CPRA, and other applicable data-protection laws.
2. Data Controller Status
Panxo acts as an independent data controller for all personal data collected through its JavaScript SDK, APIs, dashboards, and related services. Publishers deploying the SDK act as separate and independent controllers. Panxo and publishers are not joint controllers within the meaning of Article 26 GDPR.
Controller contact: Panxo Stacks, Inc., 447 Broadway, 2nd Floor, New York, NY 10013. Email: support@panxo.ai · Data Protection Officer: dpo@panxo.ai. Panxo is registered with the IAB Europe Transparency & Consent Framework (TCF 2.2) under Global Vendor List ID 1527.
3. Categories of Personal Data
3.1 Pseudonymous Identifiers. panxo_uid (UUID v4 in localStorage), _psid (first-party cookie on .panxo-sys.com), panxo_optout (opt-out preference, 1 year — 365 days, as declared under IAB TCF 2.2 GVL ID 1527).
3.2 Technical & Device Data. IP address (via Cloudflare cf-connecting-ip, truncated where feasible), user-agent, referrer URL, page URL, viewport dimensions, language, approximate geolocation (country/region).
3.3 Content Signals. Page title, meta description, h1/h2 headings, initial paragraphs. The SDK does not collect content from paths such as /login, /account, /checkout.
3.4 Consent & Privacy Signals. IAB TCF 2.2 consent strings, CCPA us_privacy strings, Global Privacy Control (GPC) signals.
3.5 AI Attribution Signals. AI source detected (ChatGPT, Perplexity, Claude, Gemini), confidence score, matched segment.
3.6 Publisher & Advertiser Account Data. Name, business email, company name, role, authentication data, billing.
Panxo does not intentionally collect special categories of data under Article 9 GDPR, nor data of children under 16. Publishers warrant they do not direct the SDK at such audiences.
4. Purposes and Legal Bases
AI traffic detection and classification — Legitimate Interests (Art. 6(1)(f) GDPR).
Security, anti-fraud, invalid traffic detection — Legitimate Interests.
Ad personalization, storage of and access to device information — Consent (Art. 6(1)(a)) signalled via IAB TCF 2.2.
Aggregated analytics and performance reporting — Legitimate Interests.
Contracting, billing and payouts — Contract (Art. 6(1)(b)) and Legal obligation (Art. 6(1)(c)).
Responding to data-subject requests and legal claims — Legal obligation and Legitimate Interests.
A Legitimate Interests Assessment (LIA) has been performed for each activity relying on Article 6(1)(f).
5. Infrastructure and Processing Locations
Panxo's entire platform runs on Cloudflare Workers, a globally distributed edge network. Requests are processed at the Cloudflare data centre geographically closest to the end user; data from EU visitors is therefore typically processed within the EU. Panxo operates no primary data centre outside the Cloudflare network. The registered place of business of the controller is New York, United States. IP addresses are truncated or hashed where feasible; full IPs are retained only transiently for anti-fraud scoring.
6. Recipients and Sub-processors
Cloudflare, Inc. — edge compute, storage, CDN (processor, global).
OpenAI, L.L.C. — embeddings, AI insights (processor, US).
Anthropic, PBC — visibility scoring via Claude API (processor, US).
Perplexity AI, Inc. — AI query context (processor, US).
Resend, Inc. — transactional email (processor, US).
BoldSign / Syncfusion, Inc. — electronic signatures (processor, US).
Stripe, Inc. — payments and payouts (independent controller, US / Ireland).
Adserver.online — user synchronisation for programmatic delivery (independent controller, EU).
SSPs, DSPs and advertising partners — programmatic ad auctions (independent controllers, TCF vendors).
Prighter Group (iuro Rechtsanwälte GmbH, Prighter Ltd, IPTECH Legal) — EU/UK/Turkey representatives under Art. 27 GDPR and KVKK (controller for advisory, processor for DSR tool).
An up-to-date list of sub-processors is provided on request to dpo@panxo.ai.
7. International Data Transfers
Where personal data is transferred outside the EEA, UK, or Switzerland to a country without an adequacy decision, Panxo relies on the European Commission's Standard Contractual Clauses (SCCs) (Module 1 or Module 2 as applicable), supplemented by the UK International Data Transfer Addendum. Where a recipient (e.g., Cloudflare, OpenAI, Anthropic) self-certifies under the EU-US Data Privacy Framework, the DPF forms the primary transfer mechanism with SCCs as a fallback. Transfer Impact Assessments (TIAs) have been performed for each non-adequate recipient.
8. Retention
KV signal cache: 60–300 seconds (TTL).
KV user profiles: 24–48 hours (TTL).
_psid cookie: 1 year.
panxo_uid (localStorage): Persistent until cleared by the end user.
Analytics Engine events: 90 days.
D1 aggregated / statistical data: Indefinite (non-identifying).
panxo_optout cookie: 1 year (365 days), as declared under IAB TCF 2.2 GVL ID 1527.
Publisher and advertiser account records: Duration of the contract plus 7 years.
Billing records: 7 years (US/EU accounting obligations).
9. Your Rights
Subject to applicable law, data subjects have the rights of: Access (Art. 15 / CCPA right to know), Rectification (Art. 16), Erasure / Deletion (Art. 17 / CCPA right to delete), Restriction (Art. 18), Data portability (Art. 20), Objection (Art. 21), Withdrawal of consent (Art. 7(3)), Opt-out of "sale" or "sharing" under CCPA/CPRA, Non-discrimination, and the right to lodge a complaint with a supervisory authority.
Because Panxo processes pseudonymous data (Art. 11 GDPR), you may be asked to provide your panxo_uid to enable us to locate your record. Requests to dpo@panxo.ai. Response within 1 month (GDPR) or 45 days (CCPA), extensible per law.
To opt out directly, visit panxo.com/ad-choices or transmit a GPC signal from your browser.
10. California-Specific Disclosures (CCPA/CPRA)
In the preceding 12 months, Panxo has "shared" the following categories of personal information for cross-context behavioural advertising: identifiers, internet/network activity information, and inferences. Panxo does not "sell" personal information for monetary consideration. Panxo does not knowingly share or sell the personal information of consumers under 16. California residents may exercise their rights as set out in Section 9 or via panxo.com/ad-choices.
11. Security
Panxo implements technical and organisational measures appropriate to the risk, including TLS 1.2+ in transit, encryption at rest across Cloudflare storage services, least-privilege access controls, audit logging, secrets management, pseudonymisation of identifiers, and regular security reviews. Vanta continuous-controls monitoring is in progress.
12. Children
The Panxo SDK is not directed to children under 16. Panxo does not knowingly process data of children. Publishers contractually warrant that they will not deploy the SDK on properties directed at children under the GDPR, COPPA, or equivalent regimes.
13. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified by updating the "Last Updated" date and, where appropriate, by direct notice to publishers and advertisers. Continued use of the Services after a change constitutes acceptance of the updated Policy.
14. Contact
Panxo Stacks, Inc. — Data Controller
447 Broadway, 2nd Floor
New York, NY 10013, United States
General: support@panxo.ai
Data Protection: dpo@panxo.ai
Representative
We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact for the following regions: European Union (EU) and United Kingdom (UK).
Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative, Prighter, or make use of your data subject rights, please visit: https://app.prighter.com/portal/panxo
