Privacy Policy

1. Data Controller and Contact Information

PivotPM.ai is the controller of your personal data collected through this Platform, unless otherwise stated in a specific service agreement. In contexts where we process personal data on behalf of enterprise clients, we may also act as a data processor subject to their instructions.

For all privacy inquiries, rights requests, or concerns regarding this Policy, please get in touch with our Support Officer: contact@pivotpm.ai.

2. Personal Data We Collect

Personal Data means any information relating to an identified or identifiable natural person. We collect personal data through three primary channels.

Data You Provide Directly

When you create an account, subscribe to services, interact with the Platform, or contact us for support, you may provide:

• Name, email address, and phone number

• Professional information such as job title, company, and industry

• Account credentials and authentication details

• Payment and billing information

• Project, task, and workflow content you input into the Platform

• Any other information you choose to submit through forms, chat, or support channels

Data Collected Automatically

When you use the Platform, we automatically collect certain technical and behavioural data, including:

• IP address and approximate location derived from IP

• Browser type, operating system, and device identifiers

• Pages visited, features used, click patterns, and session duration

• Referral URLs and search terms used to reach the Platform

• Error logs and performance data

Data from Third Parties

We may receive data about you from third-party sources such as identity verification providers, payment processors, or integration partners, where you have authorized those providers to share your information with us.

3. Legal Basis for Processing

We process your personal data only where a valid legal basis exists. The applicable basis depends on the nature of the processing:

Contractual Necessity: We process data required to create and manage your account, authenticate users, deliver purchased services, and fulfill our obligations under the terms of service.

Consent: Where processing is based on your consent, such as marketing communications and non-essential cookies, you may withdraw that consent at any time without affecting the lawfulness of prior processing.

Legitimate Interests: We process certain data to improve Platform security, conduct internal research, prevent fraud, and maintain business operations, where these interests are not overridden by your rights and interests.

Legal Obligation: We process data where required by applicable law, regulation, or valid legal process.

Where processing is subject to GDPR, the specific legal basis for each processing activity is documented in our internal Records of Processing Activities, available to supervisory authorities upon request.

4. Use of Personal Data

We use your personal data to operate, secure, and improve the Platform. Specific purposes include:

• Creating and managing user accounts and authentication

• Delivering the project management features and services you have subscribed to

• Processing payments and managing billing

• Providing customer support and responding to inquiries

• Sending transactional communications such as account alerts, receipts, and service updates

• Sending marketing communications where you have opted in

• Conducting internal research and analytics to improve Platform performance

• Detecting, investigating, and preventing security incidents, fraud, and misuse

• Complying with legal obligations and enforcing our agreements

4A. AI-Driven Features and Automated Processing

PivotPM.ai uses artificial intelligence and machine learning to power core platform features. This section explains how AI is used, what data it processes, and what rights you have in relation to AI-driven outputs.

How We Use AI

Our platform uses AI to deliver the following capabilities:

• Task prioritization and workload analysis based on project activity and user behaviour

• Risk identification and early warning alerts within project timelines

• Natural language processing to generate project summaries, status updates, and recommendations

• Predictive scheduling and resource allocation suggestions

• Anomaly detection to surface unusual patterns in project execution data

These features are designed to assist project managers with decision support. They present recommendations, not directives, and do not replace human judgment.

Automated Decision-Making

We do not make decisions about individuals that produce legal or similarly significant effects solely by automated means without human review, except where such processing is necessary for the performance of a contract or is expressly permitted by law. Where any such automated processing is introduced, we will update this section and obtain your explicit consent where required.

AI Data Inputs and Safeguards

• AI models operate on project, task, and usage data within your account

• Personal data is not used to train external third-party AI models without your explicit consent

• AI-generated outputs are clearly labelled within the platform interface

• Users can disable specific AI recommendation features through account settings

Your Rights Regarding AI Processing

You have the right to request human review of any AI-generated output that has meaningfully affected your use of the Platform. You may also request information about the logic involved in AI-driven features by contacting us at contact@pivotpm.ai.

5. Data Sharing and Disclosure

We do not sell your personal data. We do not share your personal data with third parties for their own independent marketing or commercial purposes.

We may share personal data in the following circumstances:

Third-Party Service Providers

We engage trusted third-party providers to help us deliver and operate the Platform. These providers act as data processors under written agreements that require them to safeguard your data and use it only for the purposes we specify. The categories of providers we use are described in the table below:

Legal and Regulatory Disclosure

We may disclose personal data to law enforcement agencies, courts, regulators, or other public authorities where required by applicable law, in response to a valid legal process, or to protect the rights, safety, or property of PivotPM.ai, our users, or the public.

Business Transfers

In connection with a merger, acquisition, reorganization, or sale of assets, personal data may be transferred as part of the transaction. Where this occurs, we will take reasonable steps to ensure that your data continues to be protected in accordance with this Policy.

6. International Data Transfers

Your personal data may be transferred to and processed in jurisdictions outside your country of residence, including India, the European Economic Area (EEA), and the United States. These jurisdictions may have different data protection standards than your home country.

Where personal data is transferred internationally, we implement appropriate safeguards to ensure your data receives a level of protection that is substantially equivalent to the standard in the originating jurisdiction. Safeguards may include:

• Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA

• Contractual data processing agreements for transfers to India and the United States

• Data transfer impact assessments where required under applicable law

You may request information about the safeguards applicable to your data transfer by contacting us at contact@PivotPM.ai.

7. Data Retention

We retain personal data for as long as necessary to fulfill the purposes for which it was collected, comply with our legal obligations, resolve disputes, and enforce our agreements. The table below sets out our standard retention schedules by data category.

Following the expiry of the applicable retention period, personal data is securely deleted or anonymized in accordance with our internal data destruction procedures. Where data cannot be immediately deleted due to backup cycles or technical constraints, it is isolated from active processing until deletion is complete.

Users may request early deletion of their personal data at any time, subject to our legal obligations to retain certain records. See Section 9 for how to exercise this right.

8. Security Measures

We maintain administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, loss, misuse, alteration, or destruction. Our security measures include:

• Encryption of personal data in transit using TLS and at rest where technically feasible

• Role-based access controls limiting access to personal data to personnel with a need to know

• Regular security assessments, vulnerability scanning, and penetration testing

• Confidentiality obligations for all personnel who handle personal data

• Incident response procedures and a documented breach management process

While we maintain robust security practices, no system can be guaranteed to be completely secure. We encourage users to use strong, unique passwords and to report any suspected unauthorized activity to contact@PivotPM.ai.

8A. Data Breach Notification

We maintain a documented incident response process to detect, assess, contain, and remediate data security incidents. In the event of a breach involving personal data, we will take the following actions.

Notification to Supervisory Authorities

Where a personal data breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required under Article 33 of the GDPR. Notification to Indian authorities will be made in accordance with the Digital Personal Data Protection Act, 2023. Where U.S. state law requires notification to a state Attorney General or regulatory body, we will comply within the timeframe mandated by applicable state law.

Notification to Affected Individuals

Where a breach is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay, in plain language, through a durable communication channel such as email or in-platform notification. The notification will include, to the extent known at the time:

• A description of the nature of the breach

• The categories and approximate volume of personal data affected

• The name and contact details of our Grievance Officer

• The likely consequences of the breach

• The measures taken or proposed to address the breach and mitigate its effects

Internal Record-Keeping

We maintain an internal breach register documenting all personal data breaches, including those that do not require external notification. This register is available to supervisory authorities upon request and records are retained for a minimum of three years from the date of each incident.

9. Your Rights

Subject to applicable law, you have the following rights with respect to your personal data:

Right of Access: Request a copy of the personal data we hold about you.

Right to Correction: Request that we correct inaccurate or incomplete personal data.

Right to Deletion: Request the deletion of your personal data, subject to legal obligations requiring retention.

Right to Restriction: Request that we restrict the processing of your data in certain circumstances.

Right to Portability: Request a copy of data you have provided to us in a structured, machine-readable format.

Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent: Where processing is based on consent, withdraw your consent at any time without affecting prior processing.

To exercise any of these rights, contact us at contact@PivotPM.ai. We will verify your identity before processing your request and respond within the timelines prescribed by applicable law.

9A. Additional Rights for U.S. Residents

If you reside in the United States, you may have additional privacy rights under the laws of your state. We extend the rights described below to residents of all U.S. states with active comprehensive privacy legislation, including California, Colorado, Virginia, Texas, Connecticut, Montana, and Oregon.

Rights Available to U.S. Residents

Right to Know: Know what personal data we collect, use, and disclose.

Right to Access: Request a copy of the personal data we hold about you.

Right to Correction: Request that we correct inaccurate personal data.

Right to Deletion: Request deletion of your personal data, subject to legal exceptions.

Right to Opt Out of Sale or Sharing: We do not sell or share personal data for cross-context behavioural advertising. If this changes, you will be notified and provided an opt-out mechanism.

Right to Limit Sensitive Data Use: Request that we limit the use of sensitive personal data to the purposes for which it was collected.

Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.

California-Specific Disclosures (CCPA / CPRA)

California residents have rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act. In addition to the rights listed above, California residents may appeal any decision we make in response to a rights request. We do not engage in profiling for decisions that produce legal or similarly significant effects.

How to Submit a U.S. Privacy Rights Request

Email contact@PivotPM.ai with the subject line "U.S. Privacy Rights Request". We will verify your identity before processing the request and respond within 45 days, with one possible 45-day extension where permitted by law.

10. Children's Privacy

Our services are not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that personal data has been collected from a child under 16 without verifiable parental or guardian consent, we will take appropriate steps to delete that information promptly.

If you are a parent or guardian and believe that your child has provided personal data to us, please contact us at contact@PivotPM.ai.

11. Cookies and Tracking Technologies

We use cookies and similar tracking technologies, including pixels and local storage objects, to operate, secure, and improve the Platform. This section explains what we use, why we use it, and how you can manage your preferences.

What Are Cookies

Cookies are small text files placed on your device by a website or application. They allow us to recognize your device, remember your preferences, and understand how you use the Platform. Some cookies are essential to the Platform's operation; others are optional and used for analytics or personalization.

Cookie Categories

Managing Your Cookie Preferences

Cookie Preference Centre: Access and update your settings at any time via the cookie icon in the Platform footer.

Browser Settings: Most browsers allow you to block or delete cookies through their privacy or security settings. Blocking strictly necessary cookies will affect Platform functionality.

Global Privacy Control (GPC): We honour the GPC signal as a valid opt-out of sale and sharing for California residents and other users where applicable.

Third-Party Opt-Outs: For analytics and marketing cookies set by third-party providers, visit the relevant provider’s opt-out page, linked from our Cookie Preference Centre.

EU and UK Users

For users located in the European Economic Area or United Kingdom, we obtain explicit consent before placing any cookies that are not strictly necessary. Consent is captured through our cookie banner on the first visit and can be withdrawn at any time through the Cookie Preference Centre. We comply with the ePrivacy Directive and applicable national implementing legislation.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in applicable law, business operations, or Platform features. We will indicate the effective date of the current version at the top of this Policy.

For material changes, we will provide prominent notice through the Platform interface, by email to the address associated with your account, or by both means, at least 14 days before the changes take effect, where required by law. For non-material updates such as clarifications or formatting changes, we may update the Policy without prior individual notice.

Continued use of the Platform following the effective date of a revised Policy constitutes your acceptance of the updated terms. If you do not agree to the revised Policy, please discontinue your use of the Platform and contact us at contact@pivotpm.ai to request deletion of your account.