Privacy Policy
Pantoh for Good · Effective date: March 28, 2026 · Last updated: March 28, 2026
The short version: Pantoh for Good is designed to protect the privacy of vulnerable people. You can use the app without creating an account. We never sell your data. We never show ads. Sensitive resource interactions are architecturally separated from your identity — they cannot be linked to you, even by us.
1. Who We Are
Pantoh for Good is operated by CookingSocial LLC, a Public Benefit Corporation. Our mission is to connect people to life-saving community resources and cultural community events. The app is permanently free for users. We are funded by partner organisation subscriptions and donation platform fees — never by selling user data or showing advertisements.
Contact: privacy@pantoh.app
2. Open Door Mode — Using the App Without an Account
You can browse community resources, discover cultural events, and use Compass AI chat without creating an account. We call this Open Door mode.
What is prohibited in Open Door mode:
- No Firebase Analytics or any analytics that tie events to a device identity
- No device fingerprinting or persistent identifiers of any kind
- No cross-session stitching — two separate sessions from the same device cannot be linked
- No individual session journeys stored — your path through the app is not reconstructable
- No personally identifiable information collected or inferred
What we do collect in Open Door mode:
We collect anonymous aggregate signals to help community organisations understand where help is needed. These are not individual records — they are counters grouped by category, ZIP code, and hour.
- Resource category views — e.g., “food pantry lookups in ZIP 94110 peaked Tuesday 11am–1pm”
- Failed searches — e.g., “12 searches for shelter in ZIP 10001 with zero results” (this tells organisations where unmet demand exists)
- Navigation events — category and ZIP only, never a specific resource for sensitive categories
These signals are aggregated in-memory during your session and flushed to aggregate counters when you close the app. The raw events are purged — they never reach disk as individual records. Your approximate location is coarsened to ZIP code level before any aggregation. No individual session or user contributes a traceable record.
“Pantoh doesn’t collect your name, email, or account information in Open Door mode. We use your approximate location to show you nearby resources. We count anonymous visits to improve the app and help community organisations understand where help is needed. Nothing we collect can identify you.”
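How the session-local aggregation described in this section could be implemented, as an added illustration rather than Pantoh's own code. The event shape, the assumption that the client has already resolved its approximate location to a ZIP code, and the sample events are all constructed here; the only thing that survives a session is a set of counters keyed by (category, ZIP, hour) with no session, device or user identifier.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events for one session (not real traffic). The client is
# assumed to have already resolved approximate location to a ZIP code.
SAMPLE_EVENTS = [
    {"kind": "view", "category": "food_pantry", "zip": "94110", "ts": "2026-03-31T11:20:00"},
    {"kind": "view", "category": "food_pantry", "zip": "94110", "ts": "2026-03-31T11:45:00"},
    {"kind": "search", "category": "shelter", "zip": "10001-4321", "ts": "2026-03-31T22:05:00", "results": 0},
    {"kind": "search", "category": "shelter", "zip": "10001", "ts": "2026-03-31T22:30:00", "results": 3},
]


def coarsen_zip(zip_code):
    """Keep only the 5-digit ZIP; a ZIP+4 or anything finer is truncated."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    return digits[:5]


class OpenDoorAggregator:
    """Holds counters in memory for one session; raw events are never kept."""

    def __init__(self):
        self.views = Counter()            # (category, zip, hour) -> count
        self.failed_searches = Counter()  # (category, zip, hour) -> count

    def record(self, event):
        key = (event["category"], coarsen_zip(event["zip"]),
               datetime.fromisoformat(event["ts"]).hour)
        if event["kind"] == "view":
            self.views[key] += 1
        elif event["kind"] == "search" and event.get("results", 0) == 0:
            self.failed_searches[key] += 1
        # The event dict goes out of scope here; no per-event record remains.

    def flush(self):
        """Return counters for merging into global aggregates, then reset."""
        out = {"views": dict(self.views),
               "failed_searches": dict(self.failed_searches)}
        self.views.clear()
        self.failed_searches.clear()
        return out


def run_session(events=SAMPLE_EVENTS):
    """Simulate one Open Door session: record every event, flush at close."""
    agg = OpenDoorAggregator()
    for ev in events:
        agg.record(ev)
    return agg.flush()
```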
3. Authenticated Accounts
If you choose to create an account (via Google or Apple Sign-In), we store:
- Account identifier — your Firebase UID (a random string, not your name or email)
- Email hash — a one-way hash of your email, used only for support lookup. We do not store your plaintext email in our database.
- Cause subscriptions — the resource categories you selected during onboarding (e.g., food access, shelter, legal aid)
- Preferred radius — your search distance preference
- Notification preferences — what types of updates you want to receive and how
What we do NOT store for authenticated users:
- We do not store your resource browsing history
- We do not store which specific resources you viewed or navigated to
- We do not store AI chat conversations — chat history is client-side only and never sent to our servers for storage
4. Sensitivity Tier System
Some resources in our directory serve people in vulnerable situations — domestic violence survivors, undocumented individuals, people seeking reproductive healthcare. We classify every resource into a sensitivity tier that governs how data about it is handled:
| Tier | Examples | Privacy protection |
|---|---|---|
| 0 — Public | Food pantries, community fridges, cultural events | Standard protections |
| 1 — Discreet | General legal aid, emergency shelters | Not shown in notification previews |
| 2 — Protected | Immigration legal aid, reproductive health | Address withheld. Phone only. No analytics. Interactions stored in physically separate database with no link to user identity. |
| 3 — Referral-only | DV shelters, crisis resources | All Tier 2 protections plus consent gate required to view. No public listing. |
For Tier 2 and 3 resources: Your interactions are stored in a physically separate database with separate encryption keys. No user ID, session ID, or device ID is ever stored alongside these interactions. A government subpoena of the Pantoh user database returns zero rows about your interactions with sensitive resources — because those rows do not exist in that database.
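An added illustration (not Pantoh's code) of the tier rules in the table above: address withheld from Tier 2 upwards, a consent gate for Tier 3, no name in notification previews from Tier 1 upwards, and Tier 2/3 interactions written to a separate store that has no identity columns at all. The resource dict shape, the two lists standing in for two physically separate databases, and the sample resources are assumptions made for this example.

```python
PUBLIC, DISCREET, PROTECTED, REFERRAL_ONLY = 0, 1, 2, 3


class ConsentRequired(Exception):
    """Tier 3 resources may only be viewed after an explicit consent gate."""


class Stores:
    """user_db may carry identity columns; sensitive_db has no slot for them."""

    def __init__(self):
        self.user_db = []       # stands in for the Pantoh user database
        self.sensitive_db = []  # stands in for the separate sensitive database

    def record_view(self, resource, user_id=None, session_id=None, consented=False):
        tier = resource["tier"]
        if tier == REFERRAL_ONLY and not consented:
            raise ConsentRequired(resource["id"])
        if tier >= PROTECTED:
            # No user, session or device identifier is ever written here.
            self.sensitive_db.append({"resource_id": resource["id"], "tier": tier})
        else:
            self.user_db.append({"resource_id": resource["id"], "tier": tier,
                                 "user_id": user_id, "session_id": session_id})


def render(resource):
    """Fields a client may show: the address is withheld from Tier 2 upwards."""
    shown = {"name": resource["name"], "phone": resource["phone"]}
    if resource["tier"] < PROTECTED:
        shown["address"] = resource["address"]
    return shown


def notification_preview(resource):
    """Tier 1 and above never appear by name in a notification preview."""
    return resource["name"] if resource["tier"] == PUBLIC else "New resource update"


def subpoena_user_db(stores, user_id):
    """All rows in the user database linked to one user; sensitive rows are absent."""
    return [r for r in stores.user_db if r["user_id"] == user_id]


# Constructed sample resources (not real listings).
PANTRY = {"id": "r1", "tier": PUBLIC, "name": "Example Fridge",
          "address": "1 Example St", "phone": "555-0100"}
CLINIC = {"id": "r2", "tier": PROTECTED, "name": "Example Clinic",
          "address": "2 Example St", "phone": "555-0101"}
SHELTER = {"id": "r3", "tier": REFERRAL_ONLY, "name": "Example Safe House",
           "address": "3 Example St", "phone": "555-0102"}
```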
5. AI Chat (Compass AI)
Compass AI is powered by Claude (Anthropic). When you use the chat:
- No server-side conversation storage. Your chat history is stored on your device only. When you close the app, it’s gone.
- We send your messages to Anthropic’s API to generate responses. Anthropic’s API does not train on your conversations.
- We inject nearby resource data into the AI’s context so it can give you specific, location-relevant answers. This data is the same data visible in Compass — no additional personal data is used.
- If the AI detects a crisis signal, it will surface crisis resources (988, National DV Hotline, 211, SAMHSA) immediately. This is a safety feature, not data collection.
6. Partner Organisations
Partner organisations that manage resource listings in our directory provide:
- Organisation name, address, contact information, operating hours
- Account credentials (via Google or Apple Sign-In)
- Subscription and payment information (processed by Stripe — we do not store card numbers)
Instagram Integration
Partners on Starter tier or above can connect their Instagram account to automatically import event announcements. When a partner connects Instagram:
- We request read-only access to their feed media (images, captions, timestamps) via the Meta Graph API
- We do not publish, comment, or modify anything on their Instagram account
- We extract event details (date, time, location, description) from their posts using AI
- All extracted content goes through a human review queue before appearing in the resource directory
- We download and store images on our own servers — we do not hotlink to Instagram
- Partners can disconnect their Instagram at any time in the partner portal. On disconnection, we delete all stored Instagram content within 24 hours.
7. Third-Party Services
| Service | What they receive | Their privacy policy |
|---|---|---|
| Firebase (Google) | Authentication tokens. Analytics disabled in Open Door mode. | firebase.google.com/support/privacy |
| Anthropic (Claude AI) | Chat messages for response generation. Not used for training. | anthropic.com/privacy |
| Stripe | Payment processing for donations and partner subscriptions. | stripe.com/privacy |
| Google Maps | Map tile requests. No user identity shared. | policies.google.com/privacy |
| Meta (Instagram) | Partner-authorised read-only access to feed content. | facebook.com/privacy/policy |
| Postmark | Email addresses for transactional emails (partner confirmations, receipts). | postmarkapp.com/privacy-policy |
8. Data Retention
- Open Door aggregate signals: retained indefinitely as anonymous counters. No individual data to delete.
- Account data: retained while your account is active. Deleted within 30 days of account deletion request.
- AI chat history: not retained by us. Stored on your device only.
- Instagram content: deleted within 24 hours of partner disconnection.
- Feedback responses: retained indefinitely as fully anonymous aggregate data. No user ID is ever attached.
9. Your Rights
You can:
- Use the app without an account — Open Door mode provides full resource discovery with zero data collection
- Delete your account — contact privacy@pantoh.app or use the in-app deletion option in Profile → Settings
- Request your data — we will provide all data associated with your account within 30 days of request
- Opt out of notifications — per-type, per-channel controls in Settings
- Disconnect third-party integrations — Instagram, Google, Apple connections can be revoked at any time
For California residents: we do not sell personal information. We do not share personal information for cross-context behavioural advertising. These are not opt-out rights because we simply do not engage in these practices.
10. Data Deletion for Meta Platform
In compliance with Meta Platform Terms, if you connected your Instagram account to Pantoh for Good and wish to delete all data obtained through this connection:
- Disconnect Instagram in the partner portal (Settings → Integrations → Disconnect Instagram)
- Or email privacy@pantoh.app with the subject “Instagram Data Deletion Request”
- All Instagram-sourced content (images, captions, extracted events) will be deleted within 24 hours
- A deletion confirmation will be sent to your registered email
11. Children’s Privacy
Pantoh for Good is not directed at children under 13. We do not knowingly collect information from children under 13. If you believe a child has provided us with personal information, please contact us at privacy@pantoh.app.
12. Changes to This Policy
We will notify you of material changes via in-app notification and update the “Last updated” date at the top of this page. Continued use of the app after changes constitutes acceptance.
13. Contact
CookingSocial LLC
Email: privacy@pantoh.app