Pontor Privacy Policy
Last updated: June 12, 2026
This Privacy Policy explains how Pontor handles your personal data. Pontor is a vendor search and procurement service operated by Recordo, LLC (“Recordo”, “we”, “us”, or “our”), a company based in the Republic of Armenia.
We’ve tried to write this in plain language. If anything is unclear, email us at contact@pontor.io and we’ll explain.
For people in the EU, EEA, and UK: Recordo, LLC is the data controller for the personal data described here. For people in California and other US states with privacy laws, we are the business that decides how your data is used.
1. The short version
- We collect what we need to run a vendor search service: your account details, the searches you make, basic technical information about your visit, and limited product analytics.
- We use trusted service providers (for hosting, sign-in, search, analytics, and security) to operate Pontor. They process data on our behalf.
- We do not sell your personal data, and we don’t use it for third-party advertising.
- You can see, correct, export, or delete your data, and you can delete your account yourself at any time.
- We’re a global service, so your data may be processed in countries other than where you live.
The rest of this policy is the detail behind those points.
2. Who this applies to
This policy applies to everyone who uses Pontor — whether you browse without an account, run a search, or create a free account. It covers our website and the Pontor web application.
Pontor is built for business users. It is not intended for children, and we don’t knowingly collect data from anyone under 18. See section 11.
3. What data we collect
Data you give us
- Account data. When you create a free account, you provide an email address and a password, or you sign in with Google. Sign-in and passwords are handled by our authentication provider (Supabase) — we never see or store your raw password. If you sign in with Google, we receive your email address and basic profile information that Google shares.
- Search data. When you run a search, you tell us what you’re looking for: the service or vendor you need, the location or service area, and optional buyer context (for example, “for a dental clinic” or “for a gym”). If you have an account, your searches are saved to your account so you can return to them.
- Messages you send us. If you contact us at contact@pontor.io, we keep your message and our reply.
Data we collect automatically
- Usage, device, and analytics data. When you use Pontor, we and our infrastructure and analytics providers automatically process technical information such as your IP address, browser type, device and operating system, pages viewed, referring pages, timestamps, and broad product events such as searches submitted, sign-up steps, outreach steps, errors, quota blocks, and similar service activity. We use this to operate the service, understand how people find and use Pontor, debug problems, improve the product, and protect against abuse.
- Cookies and similar technologies. See section 7 for the full list.
- Anti-abuse signals. To protect the service from bots and automated scraping, we use Cloudflare Turnstile and rate-limiting, which process technical signals including your IP address and request patterns.
Data we receive from others
- Google (if you use Google sign-in): your email and basic profile data.
- Vendor and business information that we retrieve from search and data providers (see section 6). This is mostly information about businesses, not about you, but search results are linked to the search you ran.
We do not ask for or want sensitive personal data (such as health, racial or ethnic origin, political opinions, or biometric data). Please don’t put sensitive personal data into your search descriptions.
4. Why we use your data, and our legal bases
If you are in the EU, EEA, or UK, the law requires us to have a “legal basis” for each use. Here’s how it maps:
| What we do | Why | Legal basis (GDPR / UK GDPR) |
|---|---|---|
| Create and manage your account; sign you in | To give you the service you asked for | Performance of a contract |
| Run your searches and save your results | Core function of the service | Performance of a contract |
| Operate, maintain, and secure the service | Keep Pontor working and safe | Legitimate interests; legal obligation (security) |
| Prevent abuse, fraud, and bot traffic | Protect Pontor, our providers, and users | Legitimate interests |
| Analyze website and product usage | Understand how people find and use Pontor and improve what we offer | Legitimate interests; consent where required by law |
| Respond to your messages | To help you | Legitimate interests |
| Send service or legal notices | To keep you informed about your account | Performance of a contract; legal obligation |
| Comply with the law and respond to lawful requests | Legal compliance | Legal obligation |
Where we rely on legitimate interests, we’ve considered your rights and only proceed where our interest isn’t overridden by them. You can object to this processing — see section 9.
If we ever rely on consent for a specific use (for example, an optional marketing email), we’ll ask first, and you can withdraw it at any time.
5. How long we keep your data
- Account data is kept while your account is active. When you delete your account, we delete your account record and your saved searches (see section 10).
- Search data tied to your account is deleted when you delete your account or the individual search.
- Anonymous searches (run without an account) are retained for a limited period to operate and improve the service, and may be disassociated from any identifier over time.
- Technical logs are kept for a limited period for security and debugging, then deleted or anonymized.
- We keep some records longer where we need to in order to comply with legal obligations, resolve disputes, or enforce our agreements.
6. Service providers and who else processes your data
We rely on a small set of providers to run Pontor. They process personal data on our behalf and under contract, and are not permitted to use it for their own purposes. The main ones:
| Provider | What it does for us | Data involved |
|---|---|---|
| Supabase | Authentication and database hosting (your account and saved searches) | Account data, search data |
| Vercel | Application and website hosting | Technical/usage data, IP address |
| Google sign-in (OAuth) and Google Places business data | Email and profile (if you use Google sign-in); search queries sent to retrieve business listings | |
| Google Analytics | Website analytics and high-level conversion reporting | Page views, referring pages, device/browser data, approximate location, and high-level events such as search or sign-up completion |
| Brave Search | Web search and business discovery for your queries | The search terms you submit (service, location, context) |
| PostHog | Product analytics and operational diagnostics | Product events, account state, internal IDs for searches/outreach, device/browser data, and coarse event properties |
| Cloudflare | Bot protection (Turnstile) and security | IP address, request and technical signals |
| AI/LLM provider | Helps interpret your search request and extract structured vendor information from web results | The search terms you submit |
When you run a search, the search terms you enter (service, location, and buyer context) are sent to search and AI providers to find and structure results. Please avoid including anything you wouldn’t want shared with those providers — there’s no need to put personal or sensitive details into a vendor search.
Our analytics setup is intended to be limited. We do not use analytics for third-party advertising, ad retargeting, or cross-context behavioral advertising. We do not send analytics providers raw outreach message bodies, vendor reply bodies, raw prompts, authentication secrets, payment details, or full provider payloads. PostHog session recording, heatmaps, and vendor email open/click tracking are disabled unless we make a separate product and privacy decision.
This list may change as the product evolves. We’ll keep it current here.
We may also share data: with professional advisors (lawyers, accountants); with authorities where the law requires; and with a buyer or successor if Recordo is involved in a merger, acquisition, or sale of assets (we’ll notify you if that changes who controls your data).
We do not sell your personal data, and we do not share it for cross-context behavioral advertising.
7. Cookies and similar technologies
We use essential, security, functional, and analytics cookies and similar technologies. We do not use advertising, retargeting, or cross-context behavioral advertising cookies.
| Cookie / technology | Purpose | Type |
|---|---|---|
| Supabase auth/session cookies | Keep you signed in and secure your session | Essential |
neg_anon_search_used |
Remembers that a browser has used its one free anonymous search, so we can prompt for sign-up | Functional |
| Cloudflare Turnstile | Distinguishes humans from bots to protect the service | Essential / security |
| Google Analytics | Helps us understand website traffic, referrals, and high-level conversion events | Analytics |
| PostHog | Helps us understand product usage, product funnels, and operational events after meaningful interaction | Analytics |
Essential and security cookies are needed for the service to work, so they’re set when you use Pontor. Analytics cookies help us improve the service. Where the law requires consent before setting non-essential analytics cookies, we will ask for it. You can control cookies through your browser settings, but blocking essential cookies may stop parts of Pontor from working.
8. International data transfers
Pontor is operated from Armenia and uses providers located in various countries, including the United States and the European Union. This means your personal data may be transferred to and processed in countries outside the one where you live, which may have different data protection laws.
Where we transfer personal data out of the EEA or UK, we rely on appropriate safeguards — such as the European Commission’s Standard Contractual Clauses (and the UK Addendum where relevant) or transfers to countries recognized as providing adequate protection. You can ask us for more detail at contact@pontor.io.
9. Your rights
Depending on where you live, you have some or all of the following rights over your personal data.
If you’re in the EU, EEA, or UK (GDPR / UK GDPR)
- Access — get a copy of the data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — ask us to delete your data (“right to be forgotten”).
- Restriction — ask us to limit how we use your data.
- Portability — get certain data in a portable format, or have it sent to another provider.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where we rely on consent, withdraw it at any time.
- Complain — lodge a complaint with your local data protection authority. (In the UK, that’s the ICO; in the EU, your national supervisory authority.)
If you’re in California (CCPA/CPRA) or a similar US state
- Know what personal information we collect and how we use it (this policy).
- Access a copy of your personal information.
- Delete your personal information.
- Correct inaccurate personal information.
- Opt out of sale or sharing — we don’t sell or share your personal information for advertising, so there’s nothing to opt out of, but you have the right regardless.
- No discrimination for exercising your rights.
How to exercise your rights
Email contact@pontor.io, or use the in-app tools (you can view, edit, and delete your searches and delete your account from your account settings). We’ll respond within the timeframes the law requires. We may need to verify your identity first. You can use an authorized agent where the law allows.
10. Deleting your account
You can delete your account yourself at any time from your account settings. You’ll be asked to confirm. When you delete your account, we delete your account record and your saved searches. Some shared, non-personal data — such as cached business listings that aren’t tied to your account — and limited records we’re legally required to keep may remain.
11. Children
Pontor is intended for business users aged 18 and over. We do not knowingly collect personal data from children. If you believe a child has given us personal data, email contact@pontor.io and we’ll delete it.
12. Security
We use technical and organizational measures to protect your data, including encryption in transit, access controls, and reputable infrastructure providers. Passwords are managed by our authentication provider and are never stored by us in readable form. No system is perfectly secure, but we work to protect your data and to respond quickly if something goes wrong.
13. Changes to this policy
We may update this policy as the product and the law change. When we make material changes, we’ll update the “Last updated” date and, where appropriate, give you additional notice. Your continued use of Pontor after an update means you accept the revised policy.
14. Contact us
Questions, requests, or complaints about privacy:
Recordo, LLC Email: contact@pontor.io Registered address: Artsruni Yeghbayrneri St. 14, Gavar 1201, Gegharkunik Province, Armenia
If you are in the EU/EEA or UK and we are required to appoint a representative or data protection officer, their details will be added here.
15. Vendor outreach and negotiation
When you use Pontor to contact vendors on your behalf, collect and compare quotes, and negotiate, we process personal data about vendor contacts — such as business names, business contact details, and the content of communications and quotes — so that we can reach out to vendors for you, gather and compare offers, and support negotiation.
For that processing, our legal basis (GDPR/UK GDPR) is performance of our contract with you and our legitimate interests in operating the Service. We keep and use aggregated, de-identified information about quotes and outcomes to improve the Service and build pricing and reliability benchmarks.