Executive summary
Short answer: yes, Pangram stores data in some parts of its product line, but not in all of them. Pangram’s own FAQ and privacy policy say the dashboard and browser extension store submitted text so users can see results and query history, and LMS integrations store extra metadata that can map submissions to students. At the same time, Pangram separately says its API and some enterprise offerings can be transient or zero retention, with content discarded after scoring rather than kept in history. So the honest answer is: Pangram does store data for the dashboard, browser extension, and LMS workflows, while some API and enterprise paths are presented as non-retentive or contract-specific.
- Pangram says it collects submitted text, submission metadata, account data, IP-based location, browser and OS details, usage information, and cookie or tracking data. It also collects billing information through Stripe and support communications when provided.
- Pangram says user-submitted content is not used to train its models, and its FAQ says user content is excluded from the proprietary detection dataset.
- For active dashboard accounts, Pangram says stored content remains in history until you delete it, and after an account is closed the company says it securely deletes personal data within 30 days. Retention for the free unregistered service is not clearly specified in the public materials reviewed.
- Pangram says its services are hosted in the United States, cites Amazon Web Services as an example hosting provider, and says data may also be transferred to other countries or regions in connection with storage and processing. The exact AWS region is unspecified in the public sources reviewed.
- Pangram says it does not sell or share personal information in the CCPA or CPRA sense, but its policy also says it uses infrastructure, analytics, authentication, payment, and support vendors, uses third-party tracking technologies, may disclose information for legal compliance, and may transfer information during a business sale or financing event.
- Pangram publicly claims encryption at rest and in transit, SOC 2 Type 2 certification, FERPA alignment, GDPR compliance for institutional use, and deletion rights. But its public pages do not spell out exact encryption methods, regional pinning, retention for IP and device logs, or detailed human access controls such as role-based access policies. Those points remain unspecified.
Also Read: Is Pangram a Reliable AI Detector?
What Pangram says it collects and stores
If you are wondering whether Pangram keeps the text you paste into it, Pangram’s own answer is mostly yes for the dashboard and extension. Its public FAQ states that “in our dashboard and browser extension, we store submitted text” so users can see results and query history. It also says LMS integrations store extra metadata to match submissions to individual students.
The privacy policy adds more detail. Pangram says it may collect different categories of information depending on how the service is used. For AI detection itself, the most important categories are content submissions, associated metadata for registered customers, and automatically collected technical data.
- Submitted text and files: Pangram says free-service text submitted for AI detection is collected, and registered-customer submissions are collected with metadata such as submission date and user ID. The main product page also says users can paste text or upload PDF, DOCX, and RTF files.
- LMS and institutional metadata: Pangram’s FAQ specifically says LMS integrations store additional metadata to match submissions to students.
- Account information: Pangram says it may collect name, email address, password, and place of employment when an account is registered.
- IP, location, device, and usage data: Pangram says it infers general location from IP address and collects device and software information including IP address, browser type, operating system version, visited pages, and timestamps of visits.
- Cookies and tracking data: Pangram says it and third-party partners use cookies, pixel tags, SDKs, or similar technologies to collect information about activity on its services.
- Billing and support data: Pangram says billing is processed through Stripe and that it does not store complete payment-card details. It also says support contacts may include messages and attachments you choose to send.
The browser extension deserves special attention because it widens the data surface. The Chrome Web Store disclosure says the extension handles “website content,” and the store listing says it can scan highlighted text on the web, analyze social feeds in real time, and in Google Docs show total edits, pasted blocks, and a live replay of writing history. Pangram’s own FAQ then says browser-extension submissions are stored in history. That does not automatically mean Pangram stores every page you visit, but it does mean the extension is designed to access page content as part of its core function.
One more nuance matters. Pangram’s Terms of Service say users retain their copyright and other proprietary rights in submitted user content. That is good. But the same terms also reserve Pangram’s right to monitor information transmitted or received through the service for operational and other purposes. That means “confidential” does not necessarily mean “no human or system access ever.” Public support and monitoring rights still exist in the legal language.
Also Read: [STUDY] Is Pangram AI Detector Similar to Turnitin?
How retention, location, sharing, and training differ by product
The biggest source of confusion is that Pangram’s public materials describe different retention models for different products. If you only read the FAQ for the dashboard, Pangram clearly stores submitted text while the account is active. If you only read enterprise pages, Pangram may sound almost stateless, with transient processing and immediate discard. Both statements appear in Pangram’s public materials, which means readers should not talk about “Pangram” as if every workflow is identical.
For the dashboard and browser extension, Pangram says submitted text is stored so users can review results and history. It says content remains available while the account is active and can be deleted from history to remove it from servers. It also says that if you delete queries from history, Pangram will still keep a record that a query occurred for billing and analytics purposes.
For account closure, Pangram’s privacy policy says content submitted to registered accounts is securely deleted within 30 days after the customer account is closed, unless customer terms define something else. Pangram’s privacy blog post says the company keeps customer history until deletion is requested and then deletes personal data within 30 days after closure. So the public message on closed-account retention is fairly consistent. The retention of active-account history is indefinite until deletion or closure.
For the API and enterprise uses, Pangram’s public pages say something different. The Trust & Safety page says API content is processed transiently and discarded, not retained, indexed, or used for model training. The ML Engineers page says enterprise clients can get zero-retention guarantees where data is processed in memory and discarded immediately after scoring. The Law Firms page likewise says legal documents are processed ephemerally and are not retained, indexed, or reused. This suggests Pangram has a genuine product split between history-based end-user tools and lower-retention enterprise paths. Still, because these are marketing and FAQ statements, organizations with sensitive data should get the exact retention promise in a contract or DPA, not rely only on website copy.
Pangram also says user submissions are not used for model training. The FAQ says submitted content is not part of the proprietary dataset used for detection. The privacy policy says data is not used to train, refine, or improve AI models. The privacy blog says models are trained on commercially licensed external datasets such as Wikipedia, Project Gutenberg, and Pangram-created data. The compliance page repeats that customer data stays yours and is never used for training. This is one of Pangram’s clearest and most repeated privacy commitments.
On storage location, Pangram’s privacy policy says its services are hosted in the United States and gives Amazon Web Services as an example hosting provider. It also says it may transfer data from the United States to other countries or regions for storage and processing. So “U.S.-hosted” is the clearest public statement, while the exact cloud region and any regional isolation commitments are unspecified in the public materials reviewed.
On sharing, Pangram’s simple FAQ says it never shares or sells your data to third parties. But the longer privacy policy gives the more precise version: Pangram says it uses third-party vendors for hosting, analytics, authentication, payments, support, and other services, uses third-party tracking technologies, may share data for legal compliance, and may transfer data in mergers or asset sales. It also mentions Twilio as an example subprocessor for its SMS service. So the careful conclusion is that Pangram says it does not sell user data for marketing, but it does disclose or process data with service providers and in limited legal or corporate scenarios.
On security, Pangram publicly claims encryption at rest and in transit, “reasonable” physical and electronic safeguards, SOC 2 Type 2 certification verified by AssuranceLab, FERPA handling for educational records, and GDPR compliance for institutional use in the EU. Pangram also says customer support may access submission data to diagnose and fix issues. What remains unspecified in the public materials are the exact encryption standards, access-control design, log-retention periods, regional data pinning, or whether customer-managed encryption keys are available.
Also Read: StealthWriter vs Pangram: Can a "Humanized" Rewrite Really Escape Detection?
If your site supports Mermaid, the flowchart below shows the product split in plain English.
flowchart TD A[Reader pastes text, uploads a file, or scans page content] --> B[Pangram processing] B --> C{Which product path?}
C --> D[Dashboard or browser extension]
C --> E[LMS integration]
C --> F[API or enterprise zero-retention path]
D --> G[Submitted text stored for results and history]
E --> H[Submission plus student-linked metadata]
F --> I[Transient scoring and discard after processing]
A --> J[Technical data such as IP, browser, OS, usage, cookies]
G --> K[Hosting and service providers]
H --> K
I --> K
J --> K
K --> L[Possible legal disclosure or business transfer]
G --> M[Deletion by history removal or account closure]
H --> M
M --> N[Publicly stated 30-day deletion after closure]
What independent sources add and what remains uncertain
Here is the central reality: Pangram’s privacy detail is mostly self-reported. The strongest public evidence on storage, retention, training use, and deletion comes from Pangram’s own FAQ, privacy policy, terms, and product pages. Independent sources add useful context, but they mostly evaluate detector accuracy, ethics, and institutional risk, not Pangram’s internal retention architecture. That means readers should distinguish between “Pangram says” and “an outside auditor publicly proved.” Public proof is stronger for security certification claims like SOC 2 than for day-to-day deletion mechanics.
Independent research does show that Pangram is taken seriously as an AI detector, which partly explains why schools, media organizations, and other institutions may trust it with sensitive content. A University of Chicago working paper found commercial detectors outperforming open-source ones and identified Pangram as the standout detector on their main metrics. But that is an accuracy result, not a privacy audit. It tells readers Pangram is influential. It does not independently verify the company’s deletion schedules or storage design.
Other academic work also adds caution. A 2025 arXiv paper on AI-polished writing found that detectors can misclassify minimally polished human writing as AI-generated, and a 2025 MDPI paper argued that heavy reliance on AI detection can raise fairness, transparency, due-process, and surveillance concerns in education. MIT Sloan’s teaching guidance likewise warns that AI detection software is not foolproof and should not be trusted as the sole basis for misconduct accusations. Those points matter here because privacy risk is not only about storage. It is also about what happens after a detector score enters a school or workplace decision process.
Tech and education reporting adds one more useful warning. EdTech Magazine notes that AI tools in universities can gather not only obvious data like assignments and applications but also behavioral metadata that many users do not notice. That echoes Pangram’s own policy, which includes usage information, timestamps, IP-derived location, and cookies or tracking technologies. So even if the submitted essay itself is the headline issue, readers should remember that metadata collection is part of the picture too.
What about user reports, forums, and GitHub? The public forum discussions that surfaced in review were mostly about false positives, reliability, and how institutions use Pangram, not about documented retention misconduct. Pangram’s public GitHub organization mainly exposes research and SDK repositories rather than privacy documentation. In other words, those sources were useful for pressure-testing the broader debate, but they did not materially confirm or rebut Pangram’s published data-handling claims.
On known incidents, Pangram says it has never experienced a data breach in its operational history. In the English-language public sources reviewed for this post, I did not find a clearly documented public breach event tied to Pangram that would justify an incident timeline. That is reassuring, but it is still only partly verifiable from public materials.
Comparison table
| Topic | Pangram’s public position | Independent findings or uncertainty | Bottom line |
|---|---|---|---|
| Does Pangram store submitted text? | Yes for the dashboard and browser extension. The FAQ says submitted text is stored so users can see results and history. | Chrome Web Store disclosures confirm the extension handles website content, which is consistent with page-level access, but they do not independently verify exact storage duration. | Yes, in end-user products. |
| Does Pangram retain API submissions? | Enterprise and API pages say API content is transient, ephemerally processed, discarded after scoring, and not retained or indexed. | This appears to be a product-specific claim rather than a universal rule. Public contract language for all customers is not linked from the reviewed pages. | Usually presented as no retention, but contract detail matters. |
| What metadata is collected? | Pangram says it collects submission metadata, IP-derived location, browser, OS, usage data, cookies, and tracking technologies. | Independent higher-ed privacy reporting warns that AI systems often collect behavioral metadata that users do not notice. | Yes, metadata collection is real and important. |
| Is user content used for model training? | Pangram repeatedly says no. It says submissions are not used to train or improve AI models and are excluded from the proprietary dataset. | I did not find an independent public audit that directly validates this promise. Most outside research focuses on detector performance rather than retention internals. | Clear vendor promise, limited outside verification. |
| How long is data kept? | Active-account history persists until deleted or account closure. Pangram says registered-account content is deleted within 30 days after closure. | Retention for free, unregistered checks and for technical logs such as IP, usage, and cookie data is not clearly broken out in the public materials reviewed. | Some retention is clear, but not all retention windows are public. |
| Where is data stored? | Pangram says services are hosted in the United States and uses AWS as a hosting example. | The exact cloud region is unspecified, and Pangram also says data may be transferred to other countries or regions for storage and processing. | U.S.-hosted, exact regional architecture unspecified. |
| Does Pangram share data? | Pangram says it does not sell or share data in the CCPA sense, but says it uses vendors for hosting, analytics, auth, payments, support, and may disclose for legal requests or business transfers. | The FAQ’s simpler “we never share or sell your data” wording is less precise than the privacy policy. Readers should rely on the full policy, not the short FAQ alone. | No sale for marketing, but yes to service-provider processing and limited legal disclosures. |
| Security measures | Pangram says data is encrypted at rest and in transit, it is SOC 2 Type 2 certified, and it uses reasonable safeguards. | Public pages do not specify encryption algorithms, key management, role-based access, default log retention, or customer-controlled key options. | Security posture looks serious, but many implementation details are unspecified publicly. |
| Compliance claims | Pangram says it is FERPA-compliant, acts as a service provider under CCPA and CPRA, supports deletion and correction, and is GDPR-compliant for institutional use. | Cross-border transfers to the U.S. are still disclosed for international users, and public GDPR implementation details such as SCCs or EU-hosting are not spelled out in the reviewed pages. | Compliance claims are substantial, but international implementation details remain partly unspecified. |
| Known incidents | Pangram says it has never experienced a data breach in its operational history. | I did not find a clearly documented public breach report in the English-language sources reviewed for this post. | No public breach identified in reviewed sources, but visibility is limited. |
Recommendations for writers and organizations
The safest practical takeaway is simple: assume the dashboard, browser extension, and LMS flows retain content and metadata unless your contract explicitly says otherwise. Pangram’s published materials support exactly that reading. If what you are scanning includes unpublished manuscripts, legal documents, sensitive student records, source code, medical narratives, or client confidential information, you should treat Pangram’s consumer or end-user workflows differently from its enterprise API claims.
- For individual writers: avoid pasting highly confidential text into the dashboard or browser extension unless you are comfortable with stored history, account-linked metadata, and IP or usage logging. If you do use it, delete the query from history afterward, and remember that Pangram says billing and analytics records of the query may still remain.
- For schools and employers: do not treat Pangram scores as conclusive proof of misconduct. External research and institutional guidance repeatedly warn that AI detectors can raise fairness, due-process, and trust issues, especially in educational settings. Use detector output as one signal among many, with clear policy notice and human review.
- For organizations with sensitive data: prefer the API or a private enterprise deployment that explicitly promises no retention, transient processing, deletion SLAs, and clear subprocessor terms. Ask for the SOC 2 report, HECVAT if relevant, a subprocessor list, and the exact retention language in writing. Pangram’s public product pages suggest these options exist, but the website alone is not a substitute for contract language.
- For privacy teams: press for clarity on what remains unspecified publicly, including cloud region, log retention, access controls, customer support access boundaries, cookie vendors, and cross-border transfer safeguards. Pangram’s policy is transparent on many points, but not all of them.
- For browser-extension users: remember that the extension is built to handle website content and Google Docs content in context. That means it can touch more than just a pasted paragraph. If that makes you uncomfortable, do not run it on pages containing sensitive material.
Conclusion
So, does Pangram store data? Yes, often. Pangram’s own public materials say the dashboard and browser extension store submitted text, and LMS deployments store extra metadata tied to students. Pangram also says active-account history remains until deleted, with a 30-day deletion window after account closure. On the other hand, Pangram says some API and enterprise paths are transient or zero-retention and do not keep customer content after scoring. Pangram’s strongest privacy commitments are that it does not use submitted content for model training, does not sell data in the CCPA sense, encrypts data at rest and in transit, and supports deletion requests. The biggest caution is that several important details, including exact cloud region, technical log retention, and fine-grained access controls, remain unspecified in the public documents reviewed.
For most readers, the practical rule is easy to remember: if you are using Pangram as a normal end-user, assume the text you submit may be stored in your history. If you need minimal retention, use an enterprise setup that explicitly guarantees it.