Privacy Policy
Effective date: June 2, 2026 · Last updated: June 16, 2026
Pantheon and its subsidiaries respect your privacy and are committed to protecting your personal data. This Policy will inform you as to how we look after your personal data, including when you use our mobile application and related services, or when you purchase or use our services, and tells you about your privacy rights and how the law protects you.
1. Who We Are and How to Contact Us
Pantheon Co. ("Pantheon," "we," "us," or "our") is a software studio that, among other things, currently builds tools to help businesses understand and manage their visibility on Google. We operate under the domain pantheonco.dev.
For the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable data protection law, Pantheon Co. is the data controller of personal data processed through our services.
Supervisory authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, "AKI"), Tatari 39, 10134 Tallinn; info@aki.ee.
EU representative: Not applicable. As a controller established in the EU (Estonia), we are not required to appoint an Article 27 representative.
Data Protection Officer: We have not appointed a DPO. Based on the nature and scale of our processing, we are not required to appoint a DPO under GDPR Article 37.
Contact: support@pantheonco.dev
2. Scope of This Policy
This Privacy Policy applies to all services offered by Pantheon Co., including our web applications, APIs, and any software products operated under the Pantheon brand. It describes what personal data we collect and why, how we use, store, and protect your data, your rights as a data subject under GDPR, how we handle data obtained through Google APIs, and how to contact us or request deletion of your data.
By using our services, you acknowledge that you have read and understood this Privacy Policy.
2.1 Scope and the two data paths of Pantheon myBusiness ("myBusiness")
myBusiness operates in two modes; our processing and your rights differ between them:
Path (i) — Public data only (MVP). We read publicly available business information (e.g., a business's public Google Business Profile/Places data) via the Google Maps Platform Places API to compute a "Verification Readiness Score." No private Google account is connected.
Path (ii) — Connected Google Business Profile. If you choose to connect your own Google Business Profile via Google OAuth, we access your private GBP data (e.g., insights, reviews, verification status) on your behalf and with your consent, via the Google Business Profile API.
2.2 Third-party links
The Platform may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
3. Data We Collect
3.1 Account and Identity Data
When you register for or connect to our services, we may collect your name and email address, business name, address, and contact details, and your role or relationship to the business.
3.2 Google Business Data (via OAuth 2.0)
When you authorize our application through Google OAuth 2.0, we access and store data from your Google Business Profile, which may include: business profile information (name, address, phone number, website, categories, attributes, hours of operation, photos); customer reviews and your responses to reviews; performance metrics (search impressions, clicks, direction requests, call clicks); location data associated with your business listing; questions and answers posted on your profile; posts published to your Business Profile; and verification status, all accessed under the "https://www.googleapis.com/auth/business.manage" scope (see Google's OAuth 2.0 Scopes reference).
This access is granted explicitly by you through Google's OAuth consent screen. You may revoke this authorization at any time (see Section 8).
We use this data solely to provide and improve the user-facing features visible in the App (your score, your insights, your suggestions). We store the minimum necessary, encrypted in transit and at rest, and we do not retain Google user data longer than necessary or beyond any applicable Google cache limits.
3.3 Limited Use disclosure (Google API Services User Data Policy)
myBusiness's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, our use of data obtained from Google API scopes is limited to providing or improving user-facing features prominent in the App; we do not transfer or sell this data to third parties (including advertising platforms, data brokers, or information resellers); we do not use it for serving advertisements; and we do not allow humans to read it except (a) with your consent, (b) for security, (c) to comply with law, or (d) where data is aggregated and anonymized for internal operations.
3.4 Competitor and Public Business Data
To provide competitive intelligence features, we process publicly available information about businesses other than your own ("Competitor Data"). This data is drawn from publicly visible Google Business Profiles, public search results and Google Places API responses, and other publicly accessible business information sources.
Competitor Data may include business names, addresses, public ratings, review counts, photo counts, business categories, and other information made publicly available by Google or the businesses themselves. We process this data solely to generate comparative analytics for your business, identify gaps and opportunities in your Google presence relative to similar businesses, and suggest best-practice improvements.
We do not contact, profile, or target competitor businesses on behalf of any user. Where Competitor Data incidentally contains personal data, we process it under our legitimate interest (GDPR Art. 6(1)(f)) and apply data minimization principles.
If you are a business owner who has identified your publicly listed business in our Competitor Data set and wish to object to this processing, please contact us at support@pantheonco.dev.
3.5 Usage Data
We collect standard technical data when you interact with our platform: IP address (anonymized after processing), browser type and version, device type and operating system, pages visited and features used within our application, and session timestamps and duration.
3.6 Mobile Application Data
If you access the Service through our mobile application, we additionally process device identifiers (device model, operating system version, app version) for crash reporting and compatibility diagnostics, push notification tokens — only if you have granted notification permissions — and approximate device locale and timezone to localize content correctly. We do not use the Apple App Tracking Transparency framework to track you across apps or websites owned by other companies.
3.7 Communications
If you contact us by email or through a contact form, we retain the contents of that communication and your contact information in order to respond to you.
3.8 Table of collected data
Categories, purposes and legal bases (GDPR Art. 6)
| Data | Purpose | Legal basis |
|---|---|---|
| Account data (email, user ID, auth identifiers) | Create/operate your account; authenticate you | Contract — Art. 6(1)(b) |
| Connected Google Business Profile data (insights, reviews, verification status) — Path (ii) | Compute and display your Verification Readiness Score; generate visibility suggestions | Consent — Art. 6(1)(a) (granted via Google OAuth; revocable) |
| Public place/competitor data (Places API) | Compute your score; rank/compare competitors to inform suggestions | Legitimate interests — Art. 6(1)(f): providing the analytics service you requested |
| Computed Verification Readiness Score & suggestions | Deliver the core feature | Contract — Art. 6(1)(b) |
| Support communications | Respond to your requests | Legitimate interests — Art. 6(1)(f) |
3.9 If you fail to provide personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with services). In this case, we may have to cancel an order or service you have with us but we will notify you if this is the case at the time.
4. Legal Basis for Processing (GDPR)
We process your personal data on the following legal bases under GDPR Article 6:
Core service delivery: Performance of a contract — Art. 6(1)(b)
Google Business Profile data (OAuth): Your explicit consent — Art. 6(1)(a), revocable at any time
Service reliability and security: Legitimate interests — Art. 6(1)(f)
Legal requests and compliance: Legal obligation — Art. 6(1)(c)
Support communications: Legitimate interests — Art. 6(1)(f)
Where processing is based on your consent, you have the right to withdraw it at any time without affecting the lawfulness of prior processing.
5. How We Use Your Data
We use the data we collect for the following purposes: to provide, operate, and maintain the features of our platform; to display, analyze, and act on your Google Business Profile data on your behalf; to generate analytics and reports about your business visibility; to understand how users interact with our platform and improve its functionality; to respond to your inquiries and resolve issues; to detect, prevent, and investigate unauthorized access or misuse; and to meet our obligations under applicable law.
We do not use your data to serve advertising. We do not analyze your data to build advertising profiles. We do not sell, rent, or trade your personal data or your Google API data to any third party for any commercial purpose.
6. Google API Services — Limited Use Disclosure
Pantheon Co.'s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements.
Specifically, data obtained through Google APIs is used exclusively to provide and improve the features of our platform that are directly visible to and usable by you, to perform actions on your Google Business Profile that you have explicitly authorized, and for internal operations strictly necessary to provide the service, using aggregated or anonymized data where possible.
Data received from Google APIs will not be used for serving advertisements or building advertising profiles, selling or transferring to third parties for their independent use, determining creditworthiness or for lending purposes, or any purpose not directly related to delivering the authorized service.
Human access to Google API data is restricted. Our team will not read your Google Business data except: (a) with your explicit permission; (b) where necessary to investigate a security incident at your request; (c) as required by law; or (d) in aggregate, anonymized form for internal infrastructure purposes.
7. Data Storage and Security
7.1 Where We Store Data
All personal data and Google Business Profile data is stored in Supabase infrastructure hosted in the European Union / European Economic Area (EU/EEA). We do not transfer personal data outside the EU/EEA except where required by law and subject to appropriate safeguards.
7.2 Security Measures
We implement technical and organizational measures appropriate to the risk of processing, including encryption of data in transit (TLS 1.2+) and at rest (AES-256), access controls and least-privilege principles for internal systems, regular security reviews and dependency auditing, and no storage of Google OAuth tokens beyond what is operationally necessary. We notify AKI of qualifying personal-data breaches within 72 hours as required by GDPR Art. 33.
7.3 Retention
We retain your personal data for as long as your account is active or as needed to provide the service. Upon account deletion or a deletion request, we will delete or anonymize your personal data within 30 days, except where retention is required by law. Google API data is retained only as long as you maintain your authorization and purged within 30 days of revocation. Usage and analytics data is retained for 6 months and then anonymized or deleted.
8. Revoking Google Authorization
You may revoke Pantheon's access to your Google account at any time by visiting myaccount.google.com/permissions, locating the Pantheon application, and selecting Remove Access.
Upon revocation, we will stop fetching new data from your Google account. Your previously stored data will be deleted within 30 days unless you request earlier deletion.
9. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights. To exercise any of these rights, contact us at support@pantheonco.dev with the subject line "Data Subject Request." We will respond within 30 days.
Right of Access (Art. 15): You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data.
Right to Rectification (Art. 16): You have the right to have inaccurate personal data corrected and incomplete data completed.
Right to Erasure (Art. 17): You have the right to request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent, or where we have no other lawful basis for processing.
Right to Restriction of Processing (Art. 18): You have the right to restrict our processing of your data in certain circumstances.
Right to Data Portability (Art. 20): Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format.
Right to Object (Art. 21): You have the right to object to processing based on our legitimate interests.
Right to Request Deletion: You may request the deletion of your account and all associated data at any time through the in-app account settings ("Delete Account") or by emailing support@pantheonco.dev with the subject line "Delete My Account." We will confirm deletion within 30 days.
Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority; in our case, this is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, "AKI"), Tatari 39, 10134 Tallinn; info@aki.ee.
Note on automated processing: the Verification Readiness Score is generated algorithmically but is advisory only and does not produce a legal or similarly significant effect; it is not Art. 22 "solely automated decision-making."
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within one calendar month. Occasionally it may take us longer than one calendar month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
10. Cookies and Tracking Technologies
We use minimal, functional cookies necessary to operate our service (e.g., authentication session tokens). We do not use third-party advertising cookies or behavioral tracking scripts. Where applicable law requires consent for non-essential cookies, we will present a consent mechanism before setting them.
11. Third-Party Services
We use a limited number of trusted sub-processors to operate our platform. Each is bound by a data processing agreement and by GDPR-compliant data handling standards. Key sub-processors include Supabase, Inc. (database and authentication infrastructure, EU/EEA hosting) and Google LLC (OAuth 2.0 identity and Google Business Profile API). We do not sell access to our user base to any third-party service provider.
11.1 Recipients, sub-processors and international transfers
We share data with service providers acting as processors under Art. 28 DPAs:
Supabase (database/auth/hosting) — EU region.
Google LLC / Google Ireland — Google Maps Platform & Google Business Profile API. Through normal functioning of Google services, end users may provide data directly to Google subject to the Google Privacy Policy. This Policy incorporates by reference the Google Privacy Policy and the Google Maps / Google Maps Platform end-user terms.
International transfers. Where a recipient processes data in the United States (e.g., Google LLC), we rely on the EU-US Data Privacy Framework adequacy decision (Google LLC is DPF-certified) and, as a fallback, the European Commission's Standard Contractual Clauses (Decision 2021/914) together with a transfer impact assessment. The EU-US DPF adequacy decision was upheld by the EU General Court on 3 September 2025 (Case T-553/23, Latombe v Commission); the applicant filed an appeal to the Court of Justice on 31 October 2025 (Case C-703/25 P), which remains pending — accordingly we maintain SCCs as a contingency.
Whenever we transfer your personal data out of the EEA, we seek to ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
We will only transfer your personal data to third parties that have signed our own Data Processing Agreement to safeguard and secure your personal data, or which are located in countries deemed to provide an adequate level of protection by the European Commission. Where this is the case, we will ensure that we have an International Data Transfer Agreement (IDTA) in place.
Where we use international service providers, we are invariably bound by their own Data Processing Agreements, usually in a form approved by the European Commission, and which give personal data the same protection it has in Europe.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
12. Children's Privacy
Our services are designed for use by businesses and are not directed at individuals under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a minor has provided us with personal data, please contact us immediately at support@pantheonco.dev and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, legal requirements, or for other operational reasons. Where changes are material, we will provide at least 14 days' notice by email or by posting a prominent notice within the Service before the changes take effect.
14. Contact Us
For questions about this Privacy Policy or to exercise your data rights:
Pantheon Co.
Email: support@pantheonco.dev
Website: pantheonco.dev