Pistachio AI

Privacy Policy

Last updated: April 24, 2026

This Privacy Policy explains how Pistachio AI (“Pistachio”, “we”) collects, uses, and protects information when you use our website and subscription Service (the “Service”). It also explains how we handle information about professionals whose public roles are surfaced by the Service.

1. Who This Policy Applies To

This policy applies to two groups:

  • Customers and visitors — people who create accounts, subscribe, or visit our website.
  • Professional contacts — individuals whose public roles (such as directors of research operations at life-sciences institutions) are surfaced by the Service based on information from public registries, scholarly publications, regulatory filings, and licensed data providers.

2. Information We Collect

From customers and visitors

  • Account information — name, work email, company, role, and password (hashed).
  • Billing information — handled by our payment processor (Stripe). We do not store full card numbers.
  • Usage data — queries, saved accounts, exports, logs, device/browser metadata, and analytics events used to operate and improve the Service.
  • Support communications — messages you send us via email or in-product chat.

About professional contacts

The Service aggregates publicly available information about professionals in the life-sciences ecosystem — for example, names, job titles, employer, publications, conference participation, trial roles, and public contact information. Sources include:

  • public clinical-trial registries such as ClinicalTrials.gov;
  • scholarly databases and preprint servers such as PubMed, bioRxiv, and medRxiv;
  • regulatory and financial disclosures such as OpenFDA and the CMS Open Payments database;
  • public professional directories such as the NPI Registry;
  • professional networking platforms (e.g., LinkedIn) via their supported APIs or licensed data;
  • licensed data providers that supply business-contact enrichment.

We do not collect protected health information (PHI), patient-identifiable data, or data subject to HIPAA, and we instruct our customers not to submit such data to the Service.

3. How We Use Information

  • to provide, operate, and secure the Service;
  • to process payments and manage subscriptions;
  • to answer support questions and communicate service updates;
  • to improve the Service through de-identified usage analytics;
  • to detect, prevent, and respond to fraud, abuse, or unlawful activity;
  • to comply with applicable law and respond to lawful requests.

We do not use Customer Content (your queries, saved accounts, or exports) to train foundation models that are offered to other customers or the public.

4. Legal Bases for Processing (EEA / UK)

If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases:

  • Contract — to provide the Service you have subscribed to.
  • Legitimate interests — to operate, secure, and improve the Service; to make public professional information useful in a B2B commercial-intelligence context; and to protect against fraud and abuse. We have considered data-subject rights against these interests.
  • Consent — where required, such as for non-essential cookies.
  • Legal obligation — to comply with applicable laws.

5. Subprocessors and Service Providers

We share information with third-party service providers who help us operate the Service. We contract with these providers to protect the information we share and to use it only to perform services for us. Current subprocessors include:

ProviderPurposeLocation
StripePayment processing, billingUnited States
VercelWebsite and application hostingUnited States
SupabaseDatabase, authenticationUnited States
AnthropicAI model inference for research queriesUnited States
People Data LabsBusiness-contact enrichmentUnited States
ExaWeb search infrastructureUnited States
Vercel AnalyticsUsage analyticsUnited States

We may update our subprocessor list as our stack evolves. Material additions will be communicated to customers at least 15 days in advance where practicable.

6. How We Share Information

We share information only as described in this policy, including:

  • with the subprocessors listed above, as needed to operate the Service;
  • with your organization’s account owner and other members of your workspace;
  • in connection with a corporate transaction (e.g., merger, acquisition), subject to appropriate safeguards;
  • when required by law, court order, or regulatory request, or to protect our rights, customers, or the safety of others.

We do not sell personal information, and we do not share it with third parties for their own marketing purposes.

7. Data Retention

  • Account and billing records — retained for the duration of your subscription and for up to seven years afterward to meet legal, tax, and audit obligations.
  • Customer Content — retained while your subscription is active. On termination, we delete or anonymize Customer Content within 90 days, except as required by law.
  • Logs and usage telemetry — typically retained for up to 13 months.
  • Information about professional contacts — retained while needed to provide the Service. You and the data subject may request deletion as described below.

8. Security

We use administrative, technical, and physical safeguards designed to protect information, including encryption in transit, encrypted data-at-rest for databases, access controls, and auditing. No security measure is perfect — we cannot guarantee absolute security, but we work continuously to reduce risk.

9. Your Rights

Depending on where you live, you may have the following rights:

  • Access — to ask what information we hold about you.
  • Correction — to ask us to correct inaccurate information.
  • Deletion — to ask us to delete your information (subject to legal exceptions).
  • Portability — to receive your information in a structured, machine-readable format.
  • Objection — to object to processing based on legitimate interests.
  • Withdrawal of consent — where we rely on consent.
  • Complaint — to lodge a complaint with your supervisory authority.

To exercise any of these rights, email pranay@trypistachio.ai. We typically respond within 30 days.

If you are a professional contact surfaced by the Service

You may request review or removal of information about you that appears in the Service. Send your request to pranay@trypistachio.ai with enough detail for us to identify the relevant record (for example, your name, employer, and a link or context). We will remove or restrict the information unless we have a legitimate and overriding basis to retain it, in which case we will explain that basis.

10. International Transfers

Pistachio is based in the United States. When personal information is transferred outside your country, we rely on appropriate safeguards, including Standard Contractual Clauses where required.

11. Children

The Service is not directed at children under 18 and we do not knowingly collect personal information from children. If you believe we have, contact us and we will delete the information.

12. Cookies and Tracking

We use a small number of cookies and similar technologies. For details, see our Cookie Policy.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will change the “Last updated” date at the top and, for material changes, notify customers by email to the address on their account or post a notice in the Service.

14. Contact

Privacy questions, rights requests, and data-subject inquiries: pranay@trypistachio.ai.