Privacy Policy
  Effective Date: October 13, 2025  •  Last Updated: October 13, 2025
  1. Introduction
  Ponyrun (“we,” “our,” or “us”) respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Ponyrun Assistant mobile application (“App”). By using the App, you agree to this Privacy Policy.
  2. Data Controller
  The data controller responsible for your personal information is Nimbus Technology Inc..
  
  3. Information We Collect
  3.1 Information You Provide
  
    - Account Information: Email address, phone number, and profile details you provide during signup or within the App.
- Contact List (with permission): Names and phone numbers used to match and label incoming calls.
- Call Preferences: Screening rules, allow/block lists, and custom responses.
- Support Communications: Information you provide when you contact support.
3.2 Information Collected Automatically
  
    - Call Metadata: Incoming caller number, timestamps, duration, screening result (e.g., passed/blocked), and high-level intent labels.
- Usage Information: Feature usage, app interactions, in-app settings.
- Device Information: Device model, OS version, language, and identifiers (e.g., app-instance identifiers).
- Diagnostics/Logs: Crash logs, performance data, and error reports.
3.3 Information from Third Parties
  
    - Subscription & Billing: Purchase status and entitlements from Apple App Store (Apple processes payment details; we do not receive your full payment card information).
- Caller Information: Public or partner-provided data to improve spam detection and caller labeling.
4. How We Use Your Information
  
    Primary Purpose: To provide and improve AI-powered call screening and call management features while giving you control over which calls to accept.
   
  
    - Screen incoming calls, detect spam/scams, and summarize caller intent.
- Match calls to your contacts (if permission granted) and apply your screening rules.
- Provide notifications about caller identity and purpose so you can decide to answer or ignore.
- Operate, maintain, and improve App functionality and performance.
- Provide customer support and respond to inquiries.
- Process subscriptions and manage account access based on entitlements.
- Perform analytics (in aggregate or de-identified form) to improve quality and reliability.
- Product Feedback: We may contact you directly to request feedback about your experience with Ponyrun Assistant. You may opt out at any time.
- Comply with legal obligations and enforce our terms.
5. Legal Bases for Processing (EEA/UK Users)
  
    - Performance of a Contract: To provide the App and its features.
- Legitimate Interests: App security, fraud/spam prevention, product improvement, and user support.
- Consent: Access to contacts, certain notifications, and specific analytics where required.
- Legal Obligations: Compliance with applicable laws and regulations.
6. AI and Automated Decision-Making
  The App uses automated systems, including AI models, to analyze caller messages and metadata to detect spam, infer call purpose, and generate concise summaries. These systems are designed to enhance your control over calls. Final decisions (e.g., whether to answer) remain with you. We do not use AI to make decisions that produce legal or similarly significant effects without your input.
  7. Information Sharing and Disclosure
  We do not sell your personal information. We may share information in the limited circumstances below:
  
    
      
        | Recipient | Purpose | Example Data | 
    
    
      
        | Service Providers (e.g., Supabase, Twilio, Vapi) | Provide infrastructure, telephony, and AI-enabled features | Call metadata, technical logs, de-identified/aggregated analytics | 
      
        | Payment Platforms (Apple) | Subscription management and entitlement verification | Transaction/entitlement status; no full card details shared with us | 
      
        | Security & Anti-Abuse Tools | Spam detection, fraud prevention, abuse handling | Technical signals, risk indicators | 
      
        | Legal & Compliance | Respond to lawful requests; protect rights, safety, and property | Information required by law or necessary to protect users | 
      
        | Business Transfers | Mergers, acquisitions, financing, or asset sales | Relevant data transferred under appropriate safeguards | 
    
  
  Where appropriate, we enter into data processing agreements and require recipients to handle data securely and lawfully.
  8. Data Security
  
    - Encryption: Data encrypted in transit and at rest where applicable.
- Access Controls: Role-based access on a need-to-know basis.
- Monitoring: Logging and periodic security reviews.
- Secure Infrastructure: Industry-standard cloud security practices.
9. Data Retention
  
    - Account Data: Kept until you delete your account or as required by law.
- Call Logs/Metadata: Typically retained for up to 30 days to power features and support investigations, then deleted or de-identified.
- Diagnostics & Analytics: Retained up to 24 months in aggregate or de-identified form.
- Support Records: Retained up to 12 months after resolution unless a longer period is legally required.
10. International Data Transfers
  Your information may be transferred to and processed in countries other than your own. Where required, we use appropriate safeguards (e.g., Standard Contractual Clauses) to protect your data during such transfers.
  11. Your Privacy Rights
  Depending on your location, you may have the following rights:
  
    - Access/Portability: Request a copy of your personal data.
- Correction: Update or correct inaccurate data.
- Deletion: Request deletion of your data (subject to legal obligations).
- Restriction/Objection: Restrict or object to certain processing.
- Withdraw Consent: Where processing is based on consent.
To exercise rights, contact [email protected]. We may verify your identity before fulfilling requests. EU/UK residents also have the right to lodge a complaint with a supervisory authority (see Section 15).
  12. Children’s Privacy
  The App is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided personal information, please contact us and we will take appropriate steps to delete it.
  13. California Privacy Rights (CCPA/CPRA)
  
    - Right to Know, Delete, Correct: California residents may request access to, deletion of, or correction of personal information.
- No Sale/Sharing: We do not “sell” or “share” personal information as defined by CCPA/CPRA.
- Non-Discrimination: We will not discriminate against you for exercising your rights.
To submit a CCPA/CPRA request, email [email protected].
  14. Account & Data Deletion
  You can delete your Ponyrun account from the App’s settings. Once requested, we will permanently delete associated personal data (including call logs and preferences) within 30 days, except where retention is required by law or for security, fraud prevention, or record-keeping obligations.
  15. Third-Party Links and Services
  The App may contain links to third-party websites or integrate with third-party services. Their privacy practices are governed by their own policies. We encourage you to review those policies.
  16. Changes to This Privacy Policy
  We may update this Privacy Policy from time to time. If we make material changes, we will notify you via in-app notice and/or email and update the “Last Updated” date above. Continued use of the App after changes indicates acceptance of the updated policy.