Privacy Policy

Effective: March 30, 2026

1. Data Controller

The organisation responsible for personal data processed through this website and the Panthaion platform (“we”, “us”) is:

General contact: support@panthaion.org

We have not appointed a Data Protection Officer (DPO). If you are in the EU/EEA or UK and have questions about processing, use the contact above. You may also contact your local supervisory authority (see section 10).

2. Personal Data We Process

Depending on how you use the Service, we may process:

  • Account data: name, email address, password (stored hashed), role, and verification status.
  • Content you upload: datasets, models, project files, profile information, and associated metadata. Note that datasets you upload may themselves contain personal data — see section 4 regarding your responsibilities in that case.
  • Ecosystem and notebook activity: Content you list, download, or access; notebook sessions you create or run; projects you publish or collaborate on.
  • Technical and usage data: IP address, device and browser type, timestamps, pages visited, API actions, diagnostic logs, and security signals.
  • Support and communications: content of emails or tickets you send us.
  • Payment-related identifiers: if you pay for services, payment data is typically processed by our payment provider; we may hold identifiers they provide (e.g. customer IDs).

3. Purposes and Legal Bases (GDPR Articles 6 & 9)

We process personal data only where we have a valid legal basis:

  • Contract (Art. 6(1)(b)): providing and operating the platform, authentication, delivering Ecosystem and notebook features you request, and account management.
  • Legitimate interests (Art. 6(1)(f)): securing the Service, fraud and abuse prevention, improving reliability and platform quality, and analytics where consent is not required under ePrivacy rules — balanced against your rights.
  • Consent (Art. 6(1)(a)): for non-essential cookies and similar technologies as described in our Cookie Policy, and optional marketing communications if you opt in. You may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Legal obligation (Art. 6(1)(c)): where we must comply with law or a competent authority request.

We do not intend to process special categories of personal data (Art. 9) as part of the core platform. If you upload datasets that contain such data, you are responsible for establishing lawful grounds and providing required notices to data subjects.

4. Uploaded Dataset Content and User Responsibility

Panthaion provides the infrastructure for you to upload, host, and share datasets and models. If Content you upload contains personal data about third parties, you are the data controller (or processor, as applicable) in respect of that data. You are responsible for:

  • ensuring you have a lawful basis to upload and share the data;
  • complying with applicable data protection law and any licences governing the data;
  • providing appropriate notices to data subjects; and
  • setting appropriate access restrictions on your Ecosystem listing.

We process such data only as a processor acting on your instructions, subject to the Terms of Service.

5. Recipients and Processors

We use trusted service providers (“processors”) to host the platform, send email, process payments, provide security services, and similar functions. They may process personal data only on our instructions and under appropriate contractual safeguards (including GDPR Article 28 processing terms where required). We may also disclose data if required by law or to protect the rights, safety, and integrity of users and the Service.

6. International Transfers

If personal data is transferred outside the UK or EEA, we implement appropriate safeguards as required by GDPR Chapter V (such as the UK IDTA, EU Standard Contractual Clauses, or adequacy decisions), unless a specific derogation applies. You may request further information about transfers by contacting us.

7. Retention

We keep personal data only as long as necessary for the purposes described in section 3, including resolving disputes and meeting legal, accounting, or reporting requirements. Criteria include the nature of the data, whether the account is active, and applicable statutory limitation periods. When data is no longer needed, we delete or anonymise it where feasible.

8. Security

We implement appropriate technical and organisational measures proportionate to the risk (Article 32 GDPR). No system is perfectly secure. We encourage strong passwords, careful handling of credentials, and appropriate access controls when publishing Content to the Ecosystem.

9. Your Rights (EU/EEA and UK)

Subject to conditions and exemptions under applicable law, you may have the right to:

  • Access your personal data (Art. 15)
  • Rectification of inaccurate data (Art. 16)
  • Erasure (“right to be forgotten”) in certain cases (Art. 17)
  • Restriction of processing (Art. 18)
  • Data portability where processing is based on consent or contract and is automated (Art. 20)
  • Object to processing based on legitimate interests (Art. 21)
  • Withdraw consent at any time where processing is based on consent (Art. 7(3))
  • Lodge a complaint with a supervisory authority (Art. 77) — see section 10

To exercise these rights, contact support@panthaion.org. We will respond within one month where GDPR applies (extensions may apply for complex requests). You may need to verify your identity.

10. Supervisory Authorities

If you are in the EEA, you may contact your local data protection authority. UK residents may contact the Information Commissioner’s Office (ICO) at ico.org.uk. A list of EU authorities is available from the European Data Protection Board at edpb.europa.eu.

11. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR as part of the core Service. If that changes, we will update this policy and provide the required information.

12. Children

The Service is not directed at children under 16 (or the digital age of consent in your country). We do not knowingly collect personal data from children below that threshold. If you believe we have done so, contact us and we will take appropriate steps.

13. Changes

We may update this policy. We will post the updated version with a new effective date. Where required by law, we will notify you or seek consent for material changes.