Pomelo Labs
Sign inGet started
Privacy Policy

Your data, your control.

This Privacy Policy explains how Pomelo Labs, Inc. ("Pomelo Labs", "we", "us") collects, uses, and protects information about users of the AI Marketing Team platform at pomeolabs.ai.

Effective date: June 1, 2026  ·  Last updated: June 1, 2026

Section 1

Who we are and how to reach us

  • Data Controller: Pomelo Labs, Inc., a Delaware corporation, San Francisco, California, USA.
  • Privacy contact: privacy@pomelolabs.ai
  • EU/UK Representative: [To be appointed — required under GDPR Art. 27 once EU/UK users onboard. Services like Prighter or DataRep cost ~$30–150/mo.]
Section 2

Data We Collect

Account and identity data

  • Email address, full name, and profile photo (collected at signup or via Google OAuth).
  • Company name, company website URL, industry, and team size (collected during onboarding).
  • Billing name, billing address, and last-four card digits. Full card numbers are processed exclusively by Stripe and never touch our servers.

Content and project data

  • Brand voice settings, ICP (ideal customer profile) descriptions, competitor URLs, and content strategy documents you create inside the platform.
  • AI-generated content drafts, article outlines, image prompts, social captions, and other outputs produced by Pomelo agents on your behalf.
  • Website pages crawled by Firecrawl during onboarding to analyse your existing content and brand voice. Crawling is limited strictly to your own domain(s).
  • Images generated via OpenAI gpt-image-1 per your instructions.

Third-party integration data

  • Google Search Console (read-only): search queries, impressions, clicks, and average position data. We do not modify your GSC account.
  • Google Analytics 4 (read-only): traffic metrics, session data, and conversion events. We do not modify your GA4 property.
  • Webflow CMS (write, limited scope): article and page content you explicitly approve for publishing via Pomelo. Write access is scoped only to CMS collections you authorise.
  • OAuth tokens for each integration, stored server-side in Supabase (encrypted at rest) and never exposed to the frontend.

Usage and technical data

  • Log data: IP address, browser type, pages visited, agent interactions, and timestamps.
  • Usage analytics: feature clicks, workflow completions, content approvals, and error events — used solely for product improvement.
  • Cookies: a session cookie required for authentication and optional analytics cookies (see Section 12).
Section 3

How We Use Your Data

PurposeLegal basis (GDPR)
Provide and operate the ServicePerformance of contract
Process payments and manage subscriptionsPerformance of contract
Run AI agents to generate drafts and recommendationsPerformance of contract
Send service announcements, security alerts, billing noticesPerformance of contract / legitimate interest
Send marketing emails (opt out anytime)Consent (EU/UK) / legitimate interest (US)
Monitor and improve the Service, debug issuesLegitimate interest
Detect fraud, abuse, and security threatsLegitimate interest / legal obligation
Comply with legal obligationsLegal obligation
Section 4

AI Processing — What You Need to Know

What we do

  • We process your content, brand voice samples, and connected analytics data through third-party large language models (LLMs) provided by OpenAI and Anthropic to generate drafts, recommendations, and reports.
  • We pass only the data necessary for the specific task — for example, generating an article uses your brand voice and topic, not your billing data.
  • Both OpenAI and Anthropic are bound by data processing agreements that prohibit them from using your API data to train their general-purpose models. We use only their API offerings, which provide this contractual protection by default.

What we do NOT do

  • We do not use your content to train our own AI models or any third-party models.
  • We do not sell your data to any third party.
  • We do not share your content with other Pomelo customers.

AI accuracy and your responsibility

AI-generated outputs may contain errors, hallucinations, or outdated information. You are responsible for reviewing and verifying all content before publishing. Pomelo's approval-queue design exists for this reason. See our Terms of Service for the full disclaimer.

Automated decision-making

Pomelo uses automated processing to generate content recommendations and prioritise tasks. These outputs are suggestions for human approval, not decisions that produce legal or similarly significant effects on you. Under GDPR Art. 22, you have the right to object to automated processing — email privacy@pomelolabs.ai.

Section 5

Sub-processors and Third Parties

We share data with the sub-processors below to deliver the service. Each is bound by a Data Processing Agreement (DPA) or equivalent contractual clauses restricting use of your data to providing services on our behalf. We keep this list current and notify customers of material additions with at least 14 days notice.

Sub-processorPurposeCountry
VercelApplication hosting, edge delivery, serverless computeUS / Global
SupabaseAuthentication, relational database, file storageUS
StripePayment processing, subscription billing, invoicingUS
OpenAILLM inference — content generation, image generation (gpt-image-1), recommendationsUS
AnthropicLLM inference — content analysis and long-form generation (Claude models)US
Google LLC (GA4)Website and product analytics (IP anonymised, Consent Mode v2)US / Global
DataForSEOSEO keyword data, SERP analysis, backlink metricsUS
FirecrawlWebsite crawling during onboarding — limited to your domain onlyUS
ResendTransactional email delivery — content-ready notifications, competitor alerts, team invitationsUS
Section 6

How We Share Your Information

We share information only in these limited circumstances:

  • With sub-processors listed in Section 5, under data processing agreements.
  • With third-party services you connect (e.g., publishing a draft article to your Webflow site sends that content to Webflow).
  • For legal reasons: to comply with valid legal process, protect rights and safety, or respond to lawful government requests.
  • In a business transfer: if Pomelo is involved in a merger, acquisition, or asset sale, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy.

We do not sell or share your personal information

We do not sell or share your personal information for cross-context behavioural advertising as defined under CCPA/CPRA.

Section 7

Data Retention

  • Active account data (profile, projects, content): retained for the duration of your subscription plus 30 days after cancellation.
  • Content drafts and agent outputs: retained while your account is active; deleted within 30 days of an account deletion request.
  • Billing records: retained for 7 years to comply with US tax and accounting regulations.
  • Server and access logs: retained for 90 days, then automatically purged.
  • OAuth tokens: deleted immediately upon integration disconnection or account deletion.
  • Website crawl data from Firecrawl: used only for the duration of the onboarding session and not retained long-term.

You may request early deletion of any category of your data at any time. We will action deletion requests within 30 days, subject to mandatory legal retention obligations.

Section 8

International Data Transfers

Pomelo Labs is incorporated in Delaware, USA. If you access our services from the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States.

We rely on the EU Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Decision 2021/914) and UK International Data Transfer Agreements (IDTAs) where applicable to lawfully transfer personal data outside the EEA and UK. All sub-processors are subject to these same transfer mechanisms or equivalent safeguards.

Where a sub-processor operates global edge infrastructure (e.g., Vercel's CDN), data may transit international edge nodes for performance purposes, but primary processing and storage remain in the United States under the contractual protections described above.

Section 9

GDPR Lawful Basis (EEA and UK Users)

For users in the EEA and United Kingdom, we process personal data under the following lawful bases under the General Data Protection Regulation (GDPR) and UK GDPR:

  • Contract (Art. 6(1)(b)): Processing necessary to deliver the AI Marketing Team service — including running agents, storing your projects, processing payments, and syncing integrations.
  • Legitimate interest (Art. 6(1)(f)): Product analytics, fraud detection, and security monitoring. We balance these interests against your privacy rights and you may object to this processing at any time.
  • Legal obligation (Art. 6(1)(c)): Retaining billing records and complying with verified governmental or regulatory requests.
  • Consent (Art. 6(1)(a)): For optional analytics cookies, where we request your explicit consent via our cookie banner before placing them.

You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. To object to processing on legitimate interest grounds, email privacy@pomeolabs.ai.

Section 10

Your Rights

Depending on your location and applicable law, you have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete personal data.
  • Erasure: Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
  • Data portability: Export your content, project data, and account information in JSON format directly from Settings → Data Export.
  • Restriction of processing: Request that we limit processing while a dispute is under review.
  • Objection: Object to processing based on legitimate interest, including any profiling.
  • Withdraw consent: Withdraw consent for analytics or marketing communications at any time.

To exercise any right, email privacy@pomeolabs.ai or use Settings → Privacy within the platform. We will respond within 30 days (EEA/UK: within one month per GDPR Art. 12). EEA and UK users may lodge a complaint with their local supervisory authority if they believe their rights have not been upheld.

Section 11

California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you additional rights:

  • Right to know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, our business purpose, and the categories of third parties we share it with.
  • Right to delete: Request deletion of your personal information, subject to certain exceptions.
  • Right to correct: Request correction of inaccurate personal information we hold.
  • Right to opt out of sale or sharing: Exercise your right to prevent sale or sharing of your personal information for cross-context behavioural advertising.
  • Right to limit use of sensitive personal information: Request we limit use of sensitive personal information to what is necessary to provide the service.
  • Non-discrimination: We will never discriminate against you for exercising any CCPA/CPRA right.

Do Not Sell or Share My Personal Information

Pomelo Labs does not sell personal information to third parties and does not share personal information for cross-context behavioural advertising. The sub-processors in Section 3 receive data only as service providers performing processing on our behalf under written contracts.

To submit a California Privacy Request, email privacy@pomeolabs.aiwith subject line "California Privacy Request". We will verify your identity before actioning the request and respond within 45 days.

Section 12

Cookies

  • Strictly necessary cookies: Session tokens and CSRF protection required for authentication and security. These cannot be disabled as the service cannot function without them.
  • Analytics cookies (optional, consent required): Anonymous usage tracking to understand feature adoption and fix usability issues. You can opt out via our cookie banner or by emailing us. We do not use these cookies to identify you personally.
  • We do not use advertising cookies, retargeting pixels, or third-party ad-network cookies. No advertising network places cookies on our platform.
Section 13

Security Measures

  • All data in transit is encrypted using TLS 1.3.
  • All data at rest is encrypted using AES-256 (managed by Supabase).
  • Authentication is handled by Supabase Auth with support for multi-factor authentication (MFA).
  • OAuth tokens are stored encrypted and are never logged or exposed in API responses.
  • Production database access is restricted to authorised Pomelo Labs engineering staff on a need-to-know basis, with audit logging enabled.
  • Row-level security (RLS) policies in Supabase ensure each organisation can access only its own data.

For details on our security practices, visit our Trust & Security page.

Section 14

Children's Privacy

The Pomelo Labs platform is a B2B service intended for business use and is not directed at individuals under 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, contact privacy@pomeolabs.ai and we will delete it promptly.

Section 15

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes (such as adding a new sub-processor or changing how we use your data), we will notify you by email at least 14 days before the changes take effect. Continued use of the service after that date constitutes acceptance of the updated policy. The most current version of this policy is always available at pomeolabs.ai/privacy.

Questions or requests?

Contact our privacy team at privacy@pomeolabs.ai. Pomelo Labs, Inc., 2261 Market Street #4487, San Francisco, CA 94114, USA.

© 2026Pomelo Labs, Inc. All rights reserved.  · Terms · Privacy · Trust & Security