Privacy Policy

2.1 Platforms and Services Covered

This Privacy Policy applies to all personal information collected through:

• The plutonal.ai website and all associated subdomains
• The Plutonal web application and any mobile applications
• The @askplutonal social media accounts and any interactive features associated with those accounts
• Email communications sent to or from Plutonal
• Any beta testing, waitlists, or pre-launch programmes

It does not apply to any third-party websites or services that Plutonal may link to. We are not responsible for the privacy practices of third parties.

2.2 Global Application and Jurisdictional Compliance

Plutonal Inc is incorporated in Delaware and operates globally, serving users across every major market. This Policy is designed to meet or exceed the requirements of the following frameworks simultaneously:

• United States (Federal): Children’s Online Privacy Protection Act (COPPA); CAN-SPAM Act; Electronic Communications Privacy Act
• United States (Delaware): Delaware Personal Data Privacy Act (DPDPA), effective 1 January 2025
• United States (California): California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
• United States (other states): Virginia CDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA, and all other enacted state privacy statutes
• European Union: General Data Protection Regulation (GDPR)
• United Kingdom: UK GDPR and the Data Protection Act 2018
• India: Digital Personal Data Protection Act 2023 (DPDP Act) and Digital Personal Data Protection Rules 2025
• Australia: Privacy Act 1988 (Cth) as amended by the Privacy and Other Legislation Amendment Act 2024, and the Australian Privacy Principles (APPs)
• Singapore: Personal Data Protection Act 2012 (PDPA)
• Canada: Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation
• Brazil: Lei Geral de Protecao de Dados (LGPD)
• South Africa: Protection of Personal Information Act 2013 (POPIA)
• Japan: Act on the Protection of Personal Information (APPI) as amended
• South Korea: Personal Information Protection Act (PIPA)
• Middle East / UAE: Federal Decree-Law No. 45 of 2021 on Personal Data Protection

Where a user’s local mandatory law provides greater protections than this Policy, we will comply with those additional requirements. If there is any conflict between the terms of this Policy and the requirements of a local mandatory law that cannot be contractually displaced, the mandatory local law shall prevail to the minimum extent necessary.

3.1 Information You Provide Directly

When you register, subscribe, or interact with us, we may collect:

• Full name and email address
• Username or display name
• Billing information (processed by our payment processor; we do not store full card details)
• Country and timezone
• Communications you send to us, including support requests and feedback
• Any queries or prompts you submit through the Platform

3.2 Information Collected Automatically

When you use the Platform, we automatically collect certain technical information, including:

• IP address and approximate geolocation derived from it
• Browser type, operating system, and device identifiers
• Pages visited, time spent, clickstream data, and referral source
• Platform usage patterns, including which features are used and when
• Session identifiers and access timestamps
• Credit usage and subscription tier activity

3.3 Cookies and Tracking Technologies

We use cookies and similar tracking technologies for the following purposes:

• Strictly necessary cookies: Required for the Platform to function (session management, authentication). These cannot be disabled.
• Performance cookies: Help us understand how users interact with the Platform. Used in aggregate, anonymised form only.
• Preference cookies: Remember your settings and display preferences.
• Analytics cookies: Used to understand traffic sources and user behaviour in aggregate.

We do not use cookies for advertising or retargeting purposes. You may manage non-essential cookies through our cookie preference centre. Disabling performance or preference cookies may affect your experience of the Platform.

3.4 Information We Do Not Collect

We do not collect, and you must not submit:

• Government-issued identification numbers (e.g., passport numbers, tax file numbers, social security numbers) unless required for mandatory regulatory identification, in which case this will be stated separately at the point of collection
• Biometric data
• Health or medical information
• Information about minors under the age of 18

4.1 Primary Purposes

We use your personal information to:

• Create and manage your account
• Provide access to the Platform and its features in accordance with your subscription tier
• Process payments and manage credit balances
• Respond to your support requests and enquiries
• Send you transactional communications including receipts, account notices, and platform updates
• Detect, investigate, and prevent fraudulent or unauthorised use
• Comply with legal and regulatory obligations

4.2 Secondary Purposes (With Your Consent or Legitimate Interest)

• Send you marketing communications about new features, products, or research content (you may opt out at any time)
• Conduct aggregate, anonymised analysis of Platform usage to improve our services
• Develop and test new features and analytical models
• Fulfil any legal obligation arising from a court order or regulatory requirement

4.3 What We Do Not Do With Your Information

We expressly confirm that:

• We do not sell your personal information to any third party under any circumstances
• We do not use your personal information to provide you with personalised investment advice or recommendations
• We do not share your personal information with advertisers for targeted advertising
• We do not use your queries to construct a financial profile of you that is shared with any third party

4.4 Automated Decision-Making

Our Platform uses automated processes to generate quantitative research outputs in response to your queries. These outputs are general statistical and analytical outputs and do not constitute decisions about you as an individual. They are not used to determine your eligibility for financial products, credit, insurance, or any similar purpose.

In accordance with the Privacy and Other Legislation Amendment Act 2024 (Cth) and in preparation for the transparency obligations taking effect on 10 December 2026, we disclose that automated processes are used to generate research outputs. These do not significantly affect your legal rights or interests as a data subject.

5.1 United States (Delaware DPDPA, CCPA/CPRA, and Other State Laws)

Plutonal Inc is incorporated in Delaware. Under the Delaware Personal Data Privacy Act (DPDPA), effective 1 January 2025, we process your personal data on the following bases: contract performance (to provide the services you have subscribed to); legal obligation (to comply with applicable law); legitimate interest (for fraud prevention, platform security, and service improvement); and consent (for marketing communications and non-essential cookies). Delaware residents may exercise their rights under the DPDPA by contacting hello@plutonal.ai. Complaints regarding DPDPA compliance may be submitted to privacy@delaware.gov.

For California residents under the CCPA and CPRA: you have the right to know what personal information we collect and how it is used, to request deletion of your personal information, to correct inaccurate personal information, to opt out of the sale or sharing of personal information (we do not sell or share personal information for cross-context behavioural advertising), and to non-discrimination for exercising these rights. To exercise any California privacy right, contact hello@plutonal.ai.

For residents of other US states with enacted privacy laws (Virginia, Colorado, Connecticut, Texas, and others): we process personal data on equivalent bases and will honour your rights as required by the applicable state law. Contact hello@plutonal.ai to exercise any such right.

5.2 European Union and United Kingdom (GDPR / UK GDPR)

We rely on the following lawful bases for processing under Article 6 GDPR:

• Contract performance: Processing necessary to provide the services you have subscribed to
• Legal obligation: Processing required to comply with applicable law
• Legitimate interests: Processing for fraud prevention, platform security, and service improvement, where our interests are not overridden by your fundamental rights
• Consent: Marketing communications, non-essential cookies, and any processing not covered by the above bases

5.3 India (DPDP Act 2023 / DPDP Rules 2025)

We process your personal data on the basis of your consent and, where applicable, on the basis of legitimate use as defined under the DPDP Act. We will provide a clear, plain-language privacy notice at the point of collection for any data collected in connection with our services to users in India. You may withdraw your consent at any time by contacting hello@plutonal.ai, subject to the terms governing your account.

5.4 Australia (Privacy Act 1988 as amended)

We collect, hold, use, and disclose personal information in accordance with the Australian Privacy Principles. We take reasonable steps to ensure information is collected for a legitimate purpose and not used or disclosed for secondary purposes without consent, except where permitted or required by law.

5.5 Brazil (LGPD)

We process personal data in accordance with the Lei Geral de Protecao de Dados. Processing is based on contract performance, legitimate interest, legal obligation, or consent as applicable. Brazilian users may exercise their rights under the LGPD by contacting hello@plutonal.ai.

5.6 South Africa (POPIA)

We process personal information in accordance with the Protection of Personal Information Act 2013. Processing is based on a lawful ground including contract performance, consent, or legitimate interest. South African users may contact hello@plutonal.ai to exercise their rights or lodge a complaint with the Information Regulator of South Africa.

5.7 All Other Jurisdictions

Where we collect your personal data in connection with services offered to you in your country of residence, we process that data in accordance with the local data protection law of your jurisdiction to the extent it applies. We will respond to any request to exercise your privacy rights under local law by contacting hello@plutonal.ai.

6.1 Service Providers

We share personal information with carefully selected third-party service providers who assist in delivering our Platform. These providers are engaged under contractual terms that require them to process your data only on our instructions and to implement appropriate security measures. Categories of service providers include:

• Cloud hosting and infrastructure providers
• Payment processing providers (who handle billing data under their own PCI-DSS compliant environments)
• Analytics and product monitoring services
• Email delivery and customer communications platforms
• Security and fraud detection services

6.2 Legal and Regulatory Disclosures

We may disclose your personal information where we are required to do so by:

• A valid court order, subpoena, or legal process
• A request from a regulatory or law enforcement authority with lawful jurisdiction
• Applicable law in any jurisdiction where we operate

Where legally permitted, we will notify you of any such disclosure request before complying. We will challenge any request we consider to be overly broad, disproportionate, or not legally valid.

6.3 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of all or substantially all of our assets, your personal information may be transferred to the acquiring entity. We will notify you by email or through a prominent notice on the Platform before your information becomes subject to a materially different privacy policy.

6.4 Aggregate and Anonymised Data

We may share aggregate, de-identified, or anonymised data that cannot reasonably be used to identify you. This includes statistical data about Platform usage, which may be shared with investors, partners, or published for research purposes.

10.1 Data Breach Notification

In the event of a data breach that is likely to result in harm to affected individuals, we will notify relevant regulators and affected users in accordance with the applicable law of each jurisdiction, including:

• United States: We will notify affected individuals and, where required, state attorneys general or other relevant authorities in accordance with applicable state breach notification laws
• European Union / UK: Notification to the relevant supervisory authority within 72 hours of becoming aware of the breach, and notification to affected individuals where the breach is likely to result in a high risk to their rights and freedoms
• India: Notification to affected Data Principals and the Data Protection Board of India within 72 hours of becoming aware of the breach, in accordance with the DPDP Act 2023
• Australia: Notification to the Office of the Australian Information Commissioner (OAIC) and affected individuals in accordance with the Notifiable Data Breaches scheme
• All other jurisdictions: In accordance with applicable local breach notification law