Skip to main content
PactPact
Sign inTalk to us

Legal · Privacy

Privacy notice

Pact is built consent-first: every personal record carries an explicit basis for processing, and every export honours the active consent state at the moment the data leaves the platform.

This page is a placeholder while the full privacy notice is finalised with counsel. The substance of how Pact handles personal data has not changed — only the long-form prose that lives at this URL.

In the interim, the operative practices are:

  • Processor, not controller. Pact processes contact, account, and engagement data on behalf of its tenants. Tenants are the controllers; we sign DPAs with each one.
  • Tenant isolation. Records are scoped to a tenant ID at the row level and never cross tenants in queries, exports, ML features, or backups.
  • Consent enforcement. Any outbound message, segment, or export honours the contact's active consent record. Revocations propagate within minutes.
  • Data subject requests. Access, correction, and deletion requests run through the Consent module's DSAR flow; turnaround SLA is 30 days.
  • Encryption. TLS 1.2+ in transit; AES-256 at rest in Postgres and backups. Secrets live in Azure Key Vault / Fly secrets, never in source.

Questions, complaints, or data-subject requests: privacy@pact.place.