Introduction
Palnu, Inc. ("we," "us," "our," or "Palnu") is committed to protecting the privacy of financial advisors, compliance officers, and other users who access our platform (collectively, "users"). We understand that you are entrusting us with sensitive data about your firm, your advisors, and your clients. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have regarding your data.
This policy applies to all users of the Palnu platform and website. If you do not agree with our practices, please do not use our platform.
1. Information We Collect
1.1 Information from Your Firm (Organizational Data)
When your firm registers for Palnu, we collect:
- Firm legal name, business address, and business phone number
- SEC CRD number or FINRA Firm ID
- Subscription tier, billing address, and payment method (processed by Stripe)
- Designated contacts (firm administrator, compliance officer)
- Account settings, preferences, and configuration data
1.2 Information from Your Advisors (User Accounts)
When advisors register on Palnu, we collect:
- Name, email address, and phone number
- Job title and role within the firm (advisor, principal, compliance officer, admin, read-only)
- Password hash (we never store plain-text passwords)
- Multi-factor authentication credentials (TOTP seed, WebAuthn public key)
- Login history, last login time, and session information
- Account creation date and modification history
1.3 Client Testimonial and Referral Data
When advisors collect client feedback, testimonials, and referral records through Palnu, we collect:
- Client testimonial text, audio, or video (if applicable)
- Client name and basic identifying information (as provided by the advisor)
- Referral lead information (name, email, phone)
- Advisor-to-client relationship context and tenure
- Account values, assets under management, or other financial context (if optional fields are completed)
- Approval status, approval timestamps, and approver identity (per FINRA 2210)
- Publication date and any revisions made to the testimonial
1.4 Usage and Analytics Data
We automatically collect information about how users interact with Palnu:
- Pages visited, features used, and actions performed
- Time spent in the application and frequency of use
- Device type, operating system, and browser information
- IP address and approximate geolocation (city-level)
- Referral source (how you discovered Palnu)
- Error messages and crash reports
- API calls and webhook events (timestamps, endpoints, status codes)
1.5 Communication Data
When you contact us, we collect:
- Email messages sent to Palnu support or sales
- Chat transcripts via our in-app support widget
- Attachments and files shared during support interactions
- Phone call recordings (only with consent)
- Feedback survey responses
2. How We Use Your Information
2.1 Core Service Delivery
We use your data to:
- Provide, maintain, and improve the Palnu platform
- Authenticate users and enforce access controls
- Store and retrieve testimonials, referrals, and approval records
- Generate compliance audit logs and produce records for SEC/FINRA examinations
- Manage firm subscriptions, user accounts, and billing
2.2 Compliance and Legal Obligations
Palnu operates under SEC Marketing Rule 206(4)-1 and FINRA Rule 2210. We use your data to:
- Enforce principal review workflows for testimonials (FINRA 2210(b)(1))
- Generate and archive tamper-evident audit logs (SEC 204-2, FINRA 4511)
- Retain records for five years from creation (SEC 204-2(e)(1))
- Comply with legal process (subpoenas, warrants, court orders)
- Enforce our Terms of Service and prevent fraud or abuse
2.3 Communication
We use your contact information to:
- Send transactional emails (account confirmations, password resets, billing invoices)
- Provide customer support and respond to inquiries
- Send product announcements and feature updates (opt-out available in account settings)
- Conduct satisfaction surveys and gather feedback
- Notify you of security incidents or data breaches (within 72 hours if applicable)
2.4 Analytics, Research, and Improvement
We use aggregated and de-identified usage data to:
- Understand platform usage patterns and user behavior
- Identify product features that need improvement
- Debug technical issues and improve platform performance
- Conduct A/B testing and optimize the user experience
- Generate anonymized usage reports for our team and (if contracted) for auditors
2.5 Security and Fraud Prevention
We use your data to:
- Detect and prevent unauthorized access, hacking, and account takeover
- Identify suspicious behavior and block malicious traffic
- Monitor for data exfiltration or policy violations
- Investigate potential fraud or Terms of Service violations
3. Data Sharing and Subprocessors
3.1 What We Do NOT Share
Palnu does not sell, rent, or license your data to third parties for marketing purposes. We do not share client testimonials, referral records, or advisor personal information with any third party without explicit authorization from your firm.
3.2 Who We Do Share With
We share data with carefully selected service providers (subprocessors) who process data on our behalf:
Infrastructure & Cloud Services
- Amazon Web Services (AWS): Cloud hosting, compute, storage, databases, and backup services. Data is stored in us-east-1 (primary) and us-west-2 (failover).
- Cloudflare: Content delivery, Web Application Firewall (WAF), and DDoS mitigation.
Communications & Integration
- SendGrid (Twilio): Transactional email delivery (account confirmations, password resets, billing).
- Slack: (Optional) If your firm connects Slack, we send approval notifications and alerts to your workspace.
Payments & Billing
- Stripe: Payment processing and billing. Stripe complies with PCI DSS. We never store full credit card numbers.
Monitoring & Diagnostics
- Datadog: Infrastructure monitoring, application performance monitoring (APM), and alerting.
- Sentry: Error tracking and crash reporting (de-identified).
3.3 How Subprocessors Are Managed
All subprocessors are bound by data processing agreements (DPAs) that require them to:
- Process data only as instructed by Palnu
- Implement equivalent security controls
- Not share data with other third parties without our approval
- Delete or return data upon request
- Notify us of data breaches within 24 hours
We notify customers 30 days in advance before adding a new subprocessor. See the Trust Center for the complete subprocessor list and regular updates.
3.4 Legal Requirements & Disclosure
We may disclose your data when required by law:
- In response to a subpoena, court order, or law enforcement request
- To comply with SEC, FINRA, state attorney general, or other regulatory investigations
- If required to prevent imminent harm or illegal activity
- In connection with bankruptcy or insolvency proceedings
When legally permitted, we will notify customers before disclosing data to law enforcement.
3.5 Mergers & Acquisitions
If Palnu is acquired, merged, or sold, your data may be transferred to the acquirer as part of the transaction. We will notify affected customers before any such transfer and provide the opportunity to opt out (if applicable).
4. Data Retention and Deletion
4.1 Retention Periods
Palnu retains different categories of data for different periods:
Testimonials & Referrals (Required by Law)
- Default retention: Five years from the date created (SEC Rule 204-2(e)(1))
- Extended retention: Seven years available upon request for firms that prefer stricter retention
- Permanent records: Audit logs and approval chains are retained permanently to satisfy SEC/FINRA examination requirements
User Account Data
- Active accounts: Retained for the duration of the subscription
- Deleted accounts: De-identified after 30 days; personal information (name, email) is deleted
- Inactive accounts: Retained for 12 months after last login, then archived
Usage & Analytics Data
- Detailed logs: Retained for 90 days
- Aggregated analytics: Retained indefinitely (in de-identified form)
Support Communications
- Email & chat transcripts: Retained for three years for customer support and dispute resolution
- Phone call recordings: Retained for one year
4.2 Your Right to Deletion
Subject to legal retention obligations, you may request deletion of your account and associated personal data. We will delete:
- Your name, email, phone number, and password hash
- Your login history and session data
- Support communications (subject to three-year retention for disputes)
We cannot delete testimonials and referrals within the five-year retention window, as these are required records under SEC Rule 204-2. After the retention period expires, they will be deleted or de-identified at your request.
5. Security Measures
Palnu implements the following technical, administrative, and physical controls to protect your data:
- AES-256-GCM encryption at rest; TLS 1.3 encryption in transit
- AWS Key Management Service (KMS) for key management
- Tenant isolation at the database, storage, and network layers
- Multi-factor authentication (TOTP, WebAuthn) required for all users
- Role-based access control (RBAC) and principle of least privilege
- 24/7 monitoring, alerting, and incident response
- Annual third-party penetration testing
- SOC 2 Type II audit targeted for Q4 2026
For detailed information on our security practices, see the Trust Center.
6. Your Privacy Rights
6.1 Access & Portability
You have the right to:
- Access a copy of the personal data we hold about you
- Request your data in a portable, machine-readable format (JSON or CSV)
- Export your testimonials, referrals, and audit logs at any time
To request data access or portability, contact us through our website with proof of account ownership.
6.2 Correction & Updates
You can update your name, email, phone number, and account preferences directly in the Palnu dashboard. For data you cannot modify, contact us through our website.
6.3 Deletion & Account Closure
You may request account deletion at any time. Personal information will be deleted within 30 days, subject to legal retention obligations. Testimonials and referrals cannot be deleted during the five-year retention period required by SEC Rule 204-2.
6.4 Opt-Out of Marketing Communications
You can opt out of promotional emails by clicking the "Unsubscribe" link in any email or by updating your preferences in account settings. You will continue to receive transactional emails (billing, security alerts, support responses).
6.5 Do Not Track
Palnu respects Do Not Track (DNT) signals. If your browser sends a DNT signal, we will limit tracking to essential operational data only (authentication, session management, fraud prevention).
7. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
7.1 Right to Know
You can request what personal information Palnu has collected, the sources of that information, and the purpose for collection.
7.2 Right to Delete
Subject to legal retention obligations (SEC Rule 204-2), you can request deletion of your personal data. Palnu will comply within 45 days.
7.3 Right to Correct
You can request correction of inaccurate personal information.
7.4 Right to Opt-Out
You can opt out of the "sale" of personal information. Palnu does not sell personal information for monetary consideration, but we do share data with service providers. This sharing may constitute a "sale" under the CPRA's broad definition.
7.5 Right to Limit Use
You can request that Palnu limit use of your personal information to the purposes necessary to provide the service you requested.
7.6 Right to Non-Discrimination
Palnu will not discriminate against you for exercising your CCPA/CPRA rights. We will not deny service, charge higher prices, or provide lower quality service based on your privacy requests.
7.7 Exercising California Rights
To exercise any of these rights, contact us through our website with proof of residency and account ownership. You may also appoint an authorized agent to submit requests on your behalf.
8. Other State Privacy Laws
Palnu complies with other state privacy laws that mirror CCPA/CPRA, including:
- Colorado: Colorado Privacy Act (CPA)
- Connecticut: Connecticut Data Privacy Act (CTDPA)
- Delaware: Delaware Personal Data Privacy Act (DPDPA)
- Utah: Utah Consumer Privacy Act (UCPA)
- Virginia: Virginia Consumer Data Protection Act (VCDPA)
If you reside in any of these states, you have similar rights to those described above. To exercise these rights, contact us through our website.
9. EU & GDPR Compliance
If you are located in the European Union, United Kingdom, or other GDPR-applicable jurisdictions, Palnu is the Data Controller, and your firm may be a Data Processor or Co-Controller (depending on your role). Data processing is permitted under the following legal bases:
- Contract: Processing is necessary to provide the Palnu service
- Legal obligation: Processing is required by SEC and FINRA regulations
- Legitimate interests: Processing is necessary for security, fraud prevention, and platform improvement
- Consent: For marketing communications, we obtain explicit opt-in consent
Under GDPR, you have additional rights including the right to data portability, erasure ("right to be forgotten"), and objection. Data transfers to the US are protected under Standard Contractual Clauses (SCCs) and adequacy decisions. Contact us through our website for a copy of our Data Processing Agreement (DPA).
10. Children's Privacy
Palnu is not intended for users under 18 years old. We do not knowingly collect personal information from children. If you believe we have collected information from a minor, please contact us through our website immediately, and we will delete such data.
11. Third-Party Links & Services
Palnu may contain links to third-party websites, integrations, and services (e.g., Slack, Zapier, API partners). This Privacy Policy does not apply to those third parties. We encourage you to review their privacy policies before sharing your data.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify affected customers via email at least 30 days before the change takes effect. Your continued use of Palnu after changes become effective constitutes your acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy, our data practices, or your privacy rights, please contact us through our website.
- Data Protection Officer: Available upon request
We will respond to privacy inquiries within 30 days. If you are not satisfied with our response, you may file a complaint with your state's Attorney General or (if applicable) your country's data protection authority.