Skip to main content
Legal

Privacy Policy

Last updated: 2026-05-31

This Privacy Policy explains how PPN World, a product of Bollé Communications inc. (Montreal, Quebec, Canada) ("PPN World", "we", "us", "our"), collects, uses, discloses and protects the personal information of people who use its real-time press-release intelligence service (the "Service"). PPN World is offered in three languages and serves users in Quebec, the rest of Canada, the European Union and the United Kingdom, and California; depending on where you live, different laws may apply. This policy is meant to be clear and concrete. For any question, write to info@ppnsource.com.

1. Controller and scope

The controller of your personal information is Bollé Communications inc., a company incorporated in Quebec and based in Montreal, Quebec, Canada, which operates the Service under the PPN World brand. Unless stated otherwise, any reference to "PPN World" in this policy means Bollé Communications inc. acting as the controller.

This policy covers the personal information we process when you create an account, use the Service (real-time feed, interactive globe, entity dossiers, AI briefs and summaries, journalist and press-contact directory, saved searches, email digests, and team workspaces), subscribe, or contact us. It does not cover the publicly distributed press-release content that the Service aggregates: that separate topic is addressed in our "Press Wire Content & Fair Use" page, which our Terms of Service may reference.

2. Personal information we collect

Account data. When you create an account we collect your name, email address, a profile image (avatar) if you provide one, and your interface language. Authentication is by email and password, or by OAuth sign-in with Google or GitHub, through our authentication provider Supabase. We never receive or store the password of your Google or GitHub account.

User content. We store the content you create in the Service: bookmarks, watchlists, saved searches, and team data (workspace name, members, invitations, roles). This content also indirectly tells us which topics, entities or countries interest you.

Usage data and IP address. We collect technical metadata about your use of the Service (pages and features viewed, timestamps, approximate browser and device type) and your IP address. The IP address is used in particular for rate limiting to prevent abuse, via our provider Upstash (Redis). We also use Vercel Web Analytics for aggregate audience measurement.

Payment metadata. If you subscribe, payment processing is handled by Stripe. Stripe collects and processes your payment-card data directly; we never receive or store your full card number. We retain billing metadata that Stripe returns to us (Stripe customer ID, card type and last digits, subscription plan, status, payment history, billing country).

AI prompt inputs. When you use the AI features (summaries, briefs, entity extraction, country classification, draft generation, the "Ask the World" agent), the text you submit — your prompt and the relevant press-feed content — is sent to our AI model providers to produce a response. Please avoid including sensitive or confidential personal information in these prompts. See the AI processing section below.

Communications and error logs. When you write to our support or privacy addresses, we keep your message and our exchanges. For reliability, our error-monitoring tool (Sentry) may capture limited diagnostic data during technical incidents, which can occasionally include technical identifiers or an IP address.

3. Purposes of processing

We process your personal information for the following purposes: - to create and manage your account and authenticate you; - to provide and operate the Service, including saving your bookmarks, watchlists, searches and team data; - to produce AI outputs (summaries, briefs, entity extraction, classification, drafts, agent answers) from your prompts; - to send you transactional emails and, if you subscribe to them, digest newsletters; - to process subscriptions and manage trials, billing and cancellations; - to ensure security, prevent fraud and abuse, and apply rate limiting; - to diagnose and fix errors and improve the Service; - to comply with our legal obligations and assert our rights.

4. Legal bases for processing

Where the GDPR (EU/UK) applies, we rely on the following legal bases: - Performance of a contract: to provide the Service you request, manage your account and subscription, and run your AI operations. - Legitimate interest: to secure the Service, prevent abuse (IP-based rate limiting), measure audience in aggregate, diagnose errors and improve the product, without disproportionately overriding your rights. - Consent: for optional marketing communications and for non-essential cookies, where consent is required. You may withdraw consent at any time. - Legal obligation: where the law requires us to retain or disclose certain data (for example, accounting and tax obligations).

Under Quebec's Law 25 and Canada's PIPEDA, we process your personal information with your consent (express or implied depending on sensitivity and context) and for the purposes described above, which are necessary to provide the Service. You may withdraw consent, subject to legal or contractual limits; withdrawal may prevent the delivery of certain features.

5. Data sharing and sub-processors

We do not sell your personal information. We share it only with service providers (sub-processors) that process it on our behalf and under our instructions, to operate the Service. Our current sub-processors and their roles are: - Vercel (Inc., USA) — application hosting, serverless functions, CDN, edge, and Web Analytics; - Supabase (USA; data hosted per project region) — authentication, Postgres database (profiles, bookmarks, watchlists, saved searches, teams), file and data storage; - OpenAI (USA) — AI summaries, entity extraction, country classification, draft generation; - Anthropic (USA) — Claude models powering the "Ask the World" agent and AI briefs; - Resend (USA) — transactional and digest email delivery; - Upstash (USA) — IP-based Redis rate limiting; - Stripe (USA/Ireland) — payment processing and subscription billing; - MapTiler / MapLibre — map tiles for the globe and map views; - Sentry (USA) — error monitoring (may capture limited diagnostic data).

An up-to-date list of our sub-processors, with their function and location, is maintained in a sub-processor table that we make available and update when that list changes. We may also disclose personal information where required by law (in response to a valid order), to protect our rights or safety, or in connection with a corporate transaction (merger, acquisition, asset sale), in which case the acquirer will be bound to honor this policy.

6. International data transfers

PPN World is operated from Canada, and most of our sub-processors process data in the United States (Stripe also processes in Ireland). This means your personal information may be transferred to, stored and processed outside your country of residence, including in the United States, where data-protection laws differ from those of Quebec, Canada, the EU/UK or California.

For transfers from the EU/UK to countries without an adequacy decision, we rely on appropriate mechanisms, in particular the European Commission's Standard Contractual Clauses (SCCs) and the UK Addendum, incorporated into our sub-processors' data-processing agreements, together with supplementary measures where necessary. Under Law 25 and PIPEDA, before any transfer outside Quebec we assess the adequacy of the protection provided and frame the transfer by contract. You may ask us about these safeguards at info@ppnsource.com.

7. Retention periods

We retain personal information only as long as necessary for the purposes described, unless a longer period is required by law. As guidance: - Account data and user content (bookmarks, watchlists, searches, team data): kept while your account is active. After account deletion, we erase or anonymize this data within roughly 30 days, unless a retention obligation applies. - Billing metadata: kept for as long as required by applicable accounting and tax obligations, generally up to 6 to 7 years depending on the applicable law. - Usage data and logs (including the IP address used for rate limiting): kept for short periods; rate-limiting counters in Redis expire automatically after brief windows; error logs are retained on a limited basis (typically a few months). - AI prompt inputs: see the AI processing section for provider-side retention.

8. Security measures

We implement reasonable technical and organizational measures to protect your personal information, including: encryption of data in transit (HTTPS/TLS); Row-Level Security (RLS) in our Supabase Postgres database, which restricts data access so that users and team members can only see data they are entitled to; access controls and authentication for staff accounts; and the use of reputable infrastructure providers. Card payments are processed by Stripe, which applies payment-card industry standards; we do not store full card numbers.

No method of transmission or storage is completely secure, so we cannot guarantee absolute security. In the event of a confidentiality incident that presents a risk of serious injury, we will notify affected individuals and the competent authorities (including Quebec's Commission d'accès à l'information) as required by law.

9. Your rights

Depending on where you live and the applicable law (Quebec Law 25, Canada's PIPEDA, the GDPR in the EU/UK, the CCPA/CPRA in California), you may have all or some of the following rights: - to access your personal information and obtain a copy; - to have inaccurate, incomplete or ambiguous information rectified; - to request the deletion (erasure) of your information; - to receive your information in a structured, commonly used technological format (portability); - to withdraw your consent, where processing relies on it; - to request de-indexing or that dissemination cease, where the law permits; - to object to or restrict certain processing; - not to be discriminated against for exercising your rights.

To exercise your rights, write to info@ppnsource.com. You can also update your account data directly in the Service, and manage or cancel your subscription through the Stripe customer portal. We may verify your identity before responding, and we will respond within the time limits set by the applicable law (for example, 30 days under Law 25 and one month under the GDPR, extendable). In California, you may use an authorized agent. Our processing does not involve a "sale" or "sharing" of personal information for behavioral advertising within the meaning of the CCPA/CPRA.

If you believe we have not handled your information properly, you may lodge a complaint with the competent supervisory authority: Quebec's Commission d'accès à l'information (CAI), the Office of the Privacy Commissioner of Canada, your EU/UK data-protection authority, or the California Attorney General. We do, however, encourage you to contact us first so we can try to resolve the matter.

10. Cookies

The Service uses Supabase authentication session cookies, which are essential to keep you signed in, and browser localStorage to remember your interface preferences and language. A cookie banner (CookieBanner) informs you on your first visit. For the details of the cookies used, their purposes, and how to manage your preferences, see our Cookie Policy.

11. AI processing disclosure

The Service's AI features rely on third-party providers. When you use these features, your prompts and the relevant press-feed content are sent to OpenAI (summaries, entity extraction, country classification, draft generation, gpt-4o-mini-class models) and to Anthropic (Claude models powering the "Ask the World" agent and AI briefs), in the United States, to generate a response.

Under these providers' application programming interface (API) terms, the data we send them via the API is not used to train their public models. These providers may temporarily retain the data sent for limited purposes (for example, abuse monitoring) in accordance with their own policies. We recommend that you not enter sensitive or confidential personal information into AI prompts. AI-generated outputs may contain inaccuracies and should be verified before use.

12. Children

The Service is a professional tool intended for adults; it is not directed at people under 16, and we do not knowingly collect their personal information. If you believe a minor under 16 has provided us with personal information, write to info@ppnsource.com and we will take appropriate steps to delete it.

13. Changes to this policy

We may update this Privacy Policy to reflect changes to the Service, our sub-processors, or the law. If we make a material change, we will notify you by a reasonable means (for example, a notice in the Service or an email). The "Last updated" date shows the current version; we encourage you to review this page from time to time.

14. Contact and privacy officer

In accordance with Law 25, Bollé Communications inc. has designated a privacy officer (person in charge of access to information and the protection of privacy), whom you may contact for any question, rights request or complaint regarding your personal information: - Privacy and rights: info@ppnsource.com - Legal questions and terms: info@ppnsource.com - General support: info@ppnsource.com Mailing address: Bollé Communications inc., Montreal, Quebec, Canada. This policy is governed by the laws of the Province of Quebec and the federal laws of Canada applicable therein.

Sub-processor list

Sub-processorPurposeLocationData processed
Vercel Inc.Application hosting, serverless functions, content delivery network (CDN), edge processing and Web Analytics. Vercel runs and serves the Service and routes all user traffic.United StatesAll data passing through the Service in transit: IP addresses, request headers, user agent, access logs, requested URLs and aggregated audience metrics (Web Analytics). Vercel acts as the transport and hosting layer and may incidentally process all data sent by the user's browser.
Supabase Inc.Authentication (email/password and Google and GitHub OAuth sign-in), Postgres database and file storage. Supabase hosts accounts and all user-created content within the Service.United States (data hosted in the region selected for the project)Account data (name, email, avatar, interface language), authentication credentials and session tokens, and user-created content: bookmarks, watchlists, saved searches, team and workspace data, and uploaded files.
OpenAIArtificial-intelligence generation of summaries, entity extraction, country classification and draft writing (gpt-4o-mini class models). OpenAI processes requests only when a user triggers an AI feature.United StatesThe content of prompts submitted to the AI: press-release excerpts to summarize or classify, user-supplied text and the instructions entered to generate a draft. No account or payment data is sent to OpenAI as part of these requests.
AnthropicClaude models powering the "Ask the World" agent and AI-generated briefs. Anthropic processes requests only when a user triggers one of these features.United StatesThe content of prompts submitted to the AI: questions asked to the "Ask the World" agent, press-release excerpts and any text supplied by the user to generate a brief. No account or payment data is sent to Anthropic as part of these requests.
ResendDelivery of transactional emails (account verification, password reset, subscription-related notices) and digest emails (saved-search digests). Resend sends email on behalf of PPN World.United StatesRecipient email address and name, the content of the messages sent (including saved-search results contained in digests) and delivery metadata (sent, opened and failure statuses).
UpstashRequest rate limiting based on IP address, using a Redis store, to protect the Service against abuse and overload.United StatesIP addresses and the associated request counters, held temporarily to enforce rate-limit thresholds. No user name, email or content is stored at Upstash.
StripePayment processing and subscription billing, including the 14-day card-required trial, automatic conversion to a paid subscription and customer cancellation through the Stripe portal. Card data is handled by Stripe and is never stored by PPN World.United States and IrelandPayment card data (handled directly by Stripe, never stored by PPN World), billing name, email address, billing country, customer and subscription identifiers, transaction history and subscription status. PPN World only receives and retains payment metadata (for example the last four digits, status and Stripe identifiers), not raw card numbers.
MapTilerSupply of the map tiles displayed in the Service's globe and map views, rendered in the browser using the open-source MapLibre library. The user's browser requests tiles directly from MapTiler.SwitzerlandTechnical data inherent to loading tiles from the user's browser: IP address, user agent and the coordinates of the requested map area (bounding box and zoom level). MapLibre is a software library running in the browser and does not receive any data as a sub-processor.
SentryError monitoring and incident tracking to diagnose and fix Service failures.United StatesLimited diagnostic data captured at the moment of an error: stack traces, error messages, the current URL and action, browser and system type, IP address and, where applicable, a user identifier linking the incident to a session. This data may incidentally contain personal information present in the error context.

Contact

info@ppnsource.com