Privacy Policy

What we collect and why

Account identifiers

Email address, GitHub user ID, display name, and avatar URL — provided by GitHub when you sign in. Used to identify your account and authorise requests.

Pipe contents

The records you push through pipes. Encrypted at rest per workspace. We do not read pipe contents and use them only to deliver them as you instructed.

Operational metadata

IP address, user agent, request timestamps, and queue-level metrics. Used to operate the service, detect abuse, and bill usage.

Billing data

If you add a payment method, billing details are handled by Polar.sh; we do not store card numbers. We receive invoice metadata (country, VAT status, line items).

Legal basis

We process the data above to perform the contract with you (Art. 6(1)(b) GDPR), to comply with legal obligations such as invoicing and tax (Art. 6(1)(c)), and to pursue our legitimate interest in operating and securing the service (Art. 6(1)(f)).

Sub-processors

We use the following sub-processors. Each is bound by GDPR-compliant data processing terms or operates under their own controller relationship.

• GitHub, Inc. — OAuth sign-in (we receive your GitHub profile when you log in).
• Polar.sh — billing, invoicing, and payment processing.
• Mintlify — hosts our documentation at docs.pipedata.io.
• Hetzner Online GmbH (Germany) — Pipedata services run on virtual machines in Hetzner's Nuremberg / Falkenstein EU regions.

Data residency and international transfers

All pipe contents and operational data are stored and processed on EU-based infrastructure. Where a sub-processor (e.g. GitHub) processes data outside the EU, the transfer relies on the European Commission's Standard Contractual Clauses or an equivalent transfer safeguard recognised under Art. 46 GDPR.

Retention

Pipe contents are retained as long as the pipe exists. Deleting a pipe removes its records; deleting your workspace removes every pipe in it. Accounts inactive for 90 days receive a warning email; data is permanently deleted after 120 days of inactivity. Invoice records are retained for the period required by Spanish tax law.

Your rights

Under GDPR you may request access to your data, rectification, deletion, restriction, portability, and object to processing. You may also lodge a complaint with the Spanish supervisory authority (AEPD, aepd.es). To exercise any of these rights, email beta@pipedata.io.

Cookies

We use a single functional cookie to keep you signed in. We do not use analytics, advertising, or third-party tracking cookies, so no consent banner is required.

Children

Pipedata is a developer tool and is not directed at children. We do not knowingly collect data from anyone under 16. If you believe a minor has created an account, write to beta@pipedata.io and we will remove the account and its data.

Sale or reorganisation

If Pipedata is sold, merged, or otherwise reorganised, your data may transfer to the acquirer. The acquirer will be bound by this Privacy Policy, or we will notify you by email before any incompatible change so you can delete your account first.

Governing law

This policy is governed by Spanish data-protection law, in particular the GDPR (Regulation (EU) 2016/679) and the Spanish Organic Law on Data Protection (LOPDGDD 3/2018). The competent supervisory authority is the Spanish Data Protection Agency (AEPD).

Changes

We will update this page when our practices change and indicate the last-updated date above. Substantive changes affecting your data will be communicated by email.