Privacy Policy
This Privacy Notice (“Notice”) describes Pipefy’s policies and procedures regarding the collection, use, and disclosure of your Personal Data. This notice does not apply to any information we collect from you through other means (including offline) or through other sources.
1. Definitions
Controller: The natural or legal person, under public or private law, who is responsible for decisions regarding the Processing of Personal Data.
Personal Data: Any information related to the natural person, directly or indirectly, identified or identifiable.
Data Protection Officer: The individual designated by Pipefy to be responsible for ensuring compliance to your rights and for clarifying questions about the Processing of your Personal Data.
Purpose: The reason why the Personal Data will be processed, or the goal intended to be achieved as a consequence of the Processing.
Operator: The natural or legal person, under public or private law, who carries out the Processing of Personal Data on behalf of the controller.
Third Party: Refers, but is not limited to, any and all natural or legal person, with whom Pipefy has a relationship or will have a relationship, for example, a service provider, supplier, consultant, customer, business partner, third party contracted or subcontractor, lessee, assignee of commercial space, regardless the signature of formal contract or not, including one who uses Pipefy’s name for any purpose or who provides services, supplies materials, interacts with Public Officials, the Government ,or other Third Parties on behalf of Pipefy.
Holder: Natural person to whom the Personal Data refers, such as customers, employees, contractors and you.
Processing: Any operation performed with Personal Data within its life cycle, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation, or control of information, modification, communication, transfer, diffusion, or extraction.
Capitalized terms that are not defined in this Privacy Notice have their meaning disclosed in our Terms of Service.
2. What Personal Data do we handle and for what?
Pipefy uses information it collects to operate, maintain, and provide the features and functionality of the Service, to analyze how the Service is used, diagnose services or technical issues, maintain security, customize content, retrieve information to help you access your account efficiently, monitor aggregate metrics such as total number of visitors, traffic, and demographic patterns, and track content and users to provide better service.
Pipefy undertakes to process information legally classified as Personal Data in compliance with applicable legislation, including, but not limited to, Federal Law 13.709/2018 (Brazil’s General Data Protection Law) and, as Personal Data Processing Operator, will carry out the Processing of Personal Data solely to achieve the Purposes delimited by the Terms of Use and/or other documents that regulate the relationship between Pipefy and its customers.
When in the position of Operator, Pipefy has the right to refuse, upon formal and written notification, any operation ordered by a Controller, which implies the Processing of Personal Data in non-compliance with the rules for the protection of Personal Data in force.
Pipefy declares itself as data controller only of the personal data used to create the platform users, for example: the customer's name and email, where the legal basis defined for such control is the contract execution, in order to access the platform to use our product.
For all other data entered, registered, stored, and processed on the platform, Pipefy declares itself as data operator, providing only the platform for our customers to operationalize this data.
Information provided directly by yourself:
• Registration: You provide us with information about yourself, such as your name and email address, when you register for an account to use our Service, including connecting to our Service through a Third Party service, or "following", "becoming a fan," downloading Pipefy app etc. on a Third Party website or network. Your name, email address, and other information, which you choose to provide on the Service, will be visible to and discovered by other users in accordance with your settings on our Service.
We may use your email address to send messages related to the Service (including any notices required by law, instead of postal mail communication). We may also use your contact information to send email marketing. If you don’t want to receive further messages from us, you can choose to unsubscribe to them by following the proper instructions disclosed in each message.
If you communicate with us by email, we may retain the content of your email messages and your email address, as well as our responses. If you choose to use our invitation service to invite a friend to sign up to the Service, we will ask for that person's email address and will automatically send an email invitation. Pipefy stores this information to send this email, to register your friend if your invitation is accepted, and to track the success of our invitation service.
• Content: You also provide us non-personal information in Content you post to the Service. Your Content and metadata about your Content may be viewed by other users in accordance with your settings on the Service. Pipefy can, but has no obligation, to monitor your Content you post on the Service. We may also remove any information you post in accordance with the provisions of the Terms and Conditions. Pipefy or Pipefy’s employees will not review your Content, except for the following: (i) if your settings on the Service allow it; (ii) to maintain, provide or improve the Service; (iii) to help you resolve your support requests; or (iv) to comply with or avoid any violation of applicable law or regulation by cooperating with law enforcement.
Data automatically collected
• Cookies: When you use the Service, we may send one or more “cookies” — a small data file — to your computer to uniquely identify your browser and let Pipefy help you log in faster and enhance your navigation through the site. A cookie may convey anonymous information about how you browse the Service to us. A persistent cookie remains on your hard drive after you close your browser so that it can be used by your browser on subsequent visits to the Service. Persistent cookies can be removed by following your web browser’s directions. A session cookie is temporary and disappears after you close your browser. You can reset your web browser to refuse all cookies or to indicate when a cookie is being sent. However, some features of the Service may not function properly if the ability to accept cookies is disabled.
• Log Files: When you use the Service, our servers automatically record certain information sent by your web browser. These server logs may include information such as your web request, Internet Protocol (“IP”) address, browser type, referring / exit pages and URLs, number of clicks, and how you interact with links on the Service, domain names, landing pages, pages viewed, mobile carrier, and other such information.
• Clear Gifs Information: When you use the Service, we may employ clear gifs (also known as web beacons) which are used to track the online usage patterns. In addition, we may also use clear gifs in HTML-based emails sent to our users to track which emails are opened by recipients. The information is used to enable more accurate reporting and make Pipefy better for our users.
• Geo-Location Information: When you use the Service by or through a mobile device or computer/laptop, we may access, collect, monitor, and/or remotely store “location data,” which may include GPS coordinates (e.g. latitude and/or longitude) or similar information regarding the location of your device. Location data, even though we do not collect or share Personal Data that identifies you immediately, may be used in conjunction with other Personal Data that allows your identification. Some features of the Service, particularly location-based services, may not function properly if usage or availability of location data is impaired or disabled.
• Device Identifiers: When you access the Service by or through a mobile device, we may access, collect, monitor, and/or remotely store one or more “device identifiers.” Device identifiers are small data files or similar data structures stored on or associated with your mobile device, which uniquely identify your mobile device and are used to enhance the Service. A device identifier may remain persistently on your device, to help you log in faster and enhance your navigation through the Service. Some features of the Service may not function properly if use or availability of device identifiers are impaired or disabled. Pipefy may access, collect, and/or store device identifiers upon enabling Pipefy’s Services.
A device identifier may be stored by the following means: in connection with the device hardware, by data stored in connection with the device’s operating system or other software, or data sent to the device by us. A device identifier, while not collecting or sharing any Personal Data that directly identifies you, may be used in conjunction with other Personal Data that allows your identification.
• Third Party Tools: Pipefy uses third party analytics tools, such as Google Analytics, to help understand use of the Service. Many of these tools collect the information sent by your browser as part of a web page request, including cookies and your IP address. These analytics tools also receive this information and their use of it is governed by their privacy policy.
Your Use: We will display your Personal Information in your profile page and elsewhere on the Service according to the preferences you set in your account. Any information you choose to provide should reflect how much you want others to know about you. Please consider carefully what information you disclose in your profile page and your desired level of anonymity. We may also share or disclose your information with your consent, for example, if you use a third party application to access your account (see below). You can review and revise your profile information at any time.
In Brazil, in the event that Personal Data of individuals under 12 years old is processed, we will request specific and detached consent from a parent or legal guardian. In European Union, if the Personal Data of individuals under 16 years of age is processed, we will request the consent of the person who holds parental power over the child. Finally, in the UK, if the Personal Data Processing of individuals under the age of 13 is incomplete, we will ask for the consent of the person who holds parental power over the child.
3. Why and with whom do we share your Personal Data?
We share your Personal Data only for specific and legitimate Purposes, always in accordance with applicable privacy and data protection legislation, as described below:
Service providers and others: Pipefy may share your Personal Data with other Third Parties for the purpose of providing the Service to you. If we do, such business partners and other Third Parties will be required to keep your information confidential and adopt the same procedures and level of protection that Pipefy does. We may also store Personal Data in locations outside Pipefy's premises (for example, on servers or databases co-located with hosting providers).
Business Transfers: As we develop our business, we may buy or sell assets or business offerings. Customers, email, and visitor information is generally one of the transferred business assets in these types of transactions. We may also transfer or assign such information in the course of corporate divestitures, mergers, or dissolution.
Third-Party Services: We may share your information with a third party application with your consent, for example when you choose to access our Services through such an application. So you should make sure you trust the application and that it has a privacy policy acceptable to you.
See here our sub-processors list.
Compliance with Laws and Law Enforcement Requests and Protection of Pipefy’s Rights: Pipefy may disclose your personal information if required to do so by law or subpoena or if we believe that it is reasonably necessary to comply with a law, regulation, or legal request; to protect the safety of any person; to address fraud, security, or technical issues; or to protect Pipefy’s rights or property.
Anonymized Data: We may disclose some information, normally aggregated, with Third Party interested third parties to help them understand the usage patterns for certain Pipefy Services. The information shared for this purpose are not deemed Personal Data by LGDP, since they don’t allow the identification of their owner.
4. Is there International Data Sharing?
We offer the service in several geographic regions. We define a geographical region as the location where a user is located.
4.1. General Data Protection Law
For users located in Brazil, we transfer data to the United States for processing. For these users, we adopt protective physical measures, adopt reasonable physical, technical, and organizational protective measures against accidental, unauthorized or illegal destruction, loss, alteration, disclosure, access, use, or processing of user data in our possession, following the guidelines and principles established by the LGPD (Brazil’s General Data Protection Law).
4.2. GDPR and UK GDPR
For users within the European Union, we may store or transfer your Personal Data to countries outside the European Economic Community and the United Kingdom for the purposes described throughout this notice.
Whenever we carry out these international transfers of Personal Data, we take the necessary precautions to ensure that your Personal Data is properly protected, and we follow the applicable laws. International transfers of Personal Data are made
- to countries recognized by the European Commission (GDPR) or the United Kingdom Secretary of State (UK Data Protection Act 2018), since they provide an adequate level of protection; or
- to a country that does not provide adequate protection, but whose transfer is supported by Standard Contractual Clauses (SCCs) as issued by the data protection authorities in UK’s GDPR and EU’s GDPR jurisdictions.
5. Which rights do you have and how to exercise them?
5.1. Brazil’s General Data Protection Law (LGPD)
Under the scope of LGPD, you, as a Data Owner, have the right to:
- know which Personal Data has been handled by Pipefy and access them;
- find out with whom your Personal Data has been shared;
- correct, update, and complete your Personal Data
- require anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data;
- when Processing requires your consent, to be informed about the possibility of not providing it and about the consequences of such refusal;
- revoke your consent at any time if you have provided it;
- request data portability to another service or product provider, upon express request by the User;
- request the reconsideration of decisions taken solely on the basis of Automated Processing of personal data and that affect your interests; and
- oppose the Processing of data that, perchance, has been undertaken in disagreement with the law.
To exercise the above rights, or any other rights guaranteed by law, please contact us at [email protected].
To comply with Brazil’s General Data Protection law, we offer a support channel from our Data Protection Officer, who will answer within the legal deadlines established by law. The contact of the Data Protection Office is: [email protected]. Our Data Protection Officer is Cainã Gomez.
After we receive notice that you have revoked your consent, we will no longer process your information for the purpose(s) you originally consented to.
In case we handle your Personal Data for direct marketing purposes, you have the right to object to this activity at any time, in which case we will no longer process your Personal Data for such marketing purposes.
Our Service offers publicly accessible community services, including blogs and forums. You should be aware that any information you provide in these areas can be read, collected, and used by others who access them.
5.2. GDPR and UK GDPR
Within the scope of the GDPR and the UK GDPR, you, as a Holder, have the following rights with respect to your Personal Data:
- request information, including confirmation whether Pipefy handles your Personal Data.
- request access to your Personal Data.
- rectify incorrect Personal Data, or complement incomplete data, according to the Purpose of Processing.
- request deletion of your Personal Data, in cases where: (i) they are no longer necessary for the Purpose that justifies their Processing; (ii) the Processing is based on your consent, and you revoke it; (iii) you object to the Processing, as long as Pipefy does not have an overlapping legitimate interest; (iv) the Processing is contrary to law; or (v) the exclusion is necessary to fulfill a legal obligation.
- request restriction on the Processing of your Personal Data, whereas: (i) their correctness or completeness is under analysis; (ii) the Treatment is contrary to law; (iii) they are no longer needed for the Purpose justifying your Processing, but you still need them; or (iv) you oppose the Processing and Pipefy's interests are under review.
- request the portability of your Personal Data;
- object to the Processing of your Personal Data, since Pipefy does not have a legitimate interest that overlaps. If You oppose the Processing of data for direct marketing purposes, your Personal Data will no longer be processed for this Purpose.
- If your Personal Data is subject to solely automated decisions that affect your interests, you may object to this Processing, unless it is necessary to fulfill a contract with you, comply with legal obligations or based on your consent.
- petition to your country's data protection authority (or the Information Commissioner's Office in the UK’s case) if you have concerns about how we handle your Personal Data.
You can exercise these rights by contacting one of our Representatives indicated in item 7.1 below.
6. For how long do we retain your Personal Data?
We will retain copies of your information throughout the period you have an account or for the duration necessary for the purposes set out in this Notice, unless applicable law requires a longer period or retention. In addition, we retain your information for the necessary period to establish, exercise, or defend any legal rights.
From the moment the service provision contract between Pipefy and you terminates, we will keep your Personal Data in our database for 180 days. After this period, your data will be permanently deleted from our systems.
7. Additional information about GDPR and UK GDPR
If you are under the jurisdiction of GDPR or UK GDPR (individuals in the European Union and the United Kingdom, respectively), this topic applies to you in addition to the rest of this Notice. If any information here conflicts with the rest of this Notice, this topic will prevail.
7.1. Controller and Representatives
Pipefy Inc., a Delaware corporation whose registered address is 1209 Orange Street, Wilmington, Delaware, USA, is the Personal Data Operator.
For matters related to the General Data Protection Regulation (“GDPR”), in accordance with Article 27 of the GDPR, Pipefy has appointed the European Data Protection Office (“EDPO”) as its Representative in the European Union. You can contact EDPO about issues related to the GDPR:
- using the EDPO online request form: https://edpo.com/gdpr-data-request/; or
- writing a letter to the following address: Avenue Huart Hamoir 71, 1030 Brussels, Belgium
Concerning UK General Data Protection Regulation (“UK GDPR”), according to Article 27 of the UK GDPR, Pipefy has appointed EDPO UK Ltd as its representative in the UK. You can contact EDPO UK about UK GDPR issues:
- using an online request form from EDPO: https://edpo.com/uk-gdpr-data-request/; ou
- writing a letter to the following address: 8 Northumberland Avenue, London WC2N 5BY, Reino Unido
7.2. Legal Basis for data Processing in GDPR and UK GDPR
Pipefy handles Personal Data only in circumstances authorized by GDPR and UK GDPR, such as:
- when necessary for the execution of a contract, or pre-contractual steps with you.
- when necessary for the fulfillment of our legal obligations.
- when necessary for our legitimate interests, always observing your fundamental rights. In this case, the legitimate interests for which we may handle Personal Data are the following:
I. ensure the security of our platforms and facilities (if you visit our office);
II. run financial and compliance procedures;
III. maintain relationships with our business partners and serve our customers;
IV. improve and promote the provision of our services
V. recruit applicants for job openings.
- when you have provided your consent.
7.3. Data we collect from third parties
We may collect some Personal Data from sources other than the Data Holder, in the following situations:
- registration and behavioral data, when a Pipefy partner provides its customers' Personal Data for prospecting and promoting our products and services;
- registration and financial data, when you enter Pipefy's premises to provide a service on behalf of a third party;
- registration and behavioral data, when you apply for a job vacancy, through the intermediation of a Third Party;
- registration and user interaction data with our products, collected through third-party sales management platforms, subscriptions and feedbacks, as well as marketing and business analytics.
- registration and behavioral data, for customer service when this support involves third-party platforms;
- when you are an employee of a company that uses Pipefy, this company may provide us with registration data about you so that we can execute the contract with it. Furthermore, the company will also be able to share behavioral data of its employees with us, for the purpose of training users who will be administrators of Pipefy’s tool on behalf of the company.
8. Data Privacy Framework (DPF)
8.1 - Compliance with Federal Laws:
Pipefy Inc complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.
Pipefy Inc has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. DPF Principles with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.
Pipefy has also certified its compliance with the Swiss-U.S. Data Privacy Framework Principles with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. In the event of any conflict between the terms in this privacy policy and the DPF Principles, the DPF Principles shall govern.
To learn more about the Data Privacy Framework (DPF) program and view our certification, please visit https://www.dataprivacyframework.gov.
8.2 - Contact Us:
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Pipefy commits to resolving DPF Principles-related complaints regarding our collection and use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints about our handling of personal data received under the DPF should contact Pipefy at: [email protected].
8.3 - Compliance with Authorities:
Pipefy commits to cooperating and complying with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) regarding unresolved complaints concerning personal data received under the DPF frameworks.
8.4 - Third Party:
Pipefy may share information with a limited number of sub-processors necessary to provide its services. In compliance with the DPF Principles, Pipefy ensures that all sub-processors adhere to equivalent standards of data protection and privacy. A list of sub-processors can be found at: https://www.pipefy.com/sub-processors.
8.5 - Data Rights:
Pipefy commits to handling all data in accordance with DPF regulations, granting users full rights to access, rectify, and delete their personal data. Detailed information about your rights can be found in section 5 of this policy.
For any questions regarding your rights, please contact us at: [email protected].
8.6 - Data Usage and Sharing Limitation:
Pipefy provides individuals with options to limit the use and disclosure of their personal data, including customizable privacy settings, consent controls, and the ability to access, correct, or delete their information. We implement strict security measures and comply with privacy standards to safeguard user data, ensuring transparency and control over how personal information is used and shared.
8.7 - Federal Trade Commission's Investigation and Regulation:
Pipefy is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), which ensures that Pipefy complies with privacy and data security regulations. The FTC has the authority to investigate and take action in case of any violations, promoting accountability in Pipefy’s data handling practices.
8.8 - Legal Requests:
Pipefy is committed to informing individuals when personal information must be disclosed in response to legal requests from public authorities, including requests related to national security or law enforcement. Pipefy will ensure transparency while complying with lawful requests, safeguarding individual privacy to the fullest extent possible under the law.
8.9 - Onward Transfers to Third Parties:
Pipefy is liable for onward transfers of personal data to third parties. This means Pipefy ensures that third parties receiving personal data adhere to the same standards of data protection and privacy as Pipefy. In the event of non-compliance by third parties, Pipefy will take appropriate measures to address and resolve any issues that arise.
8.10 - Binding Arbitration:
For residual claims, the EU-U.S. DPF provides for the right to request binding arbitration to resolve a complaint that has not been resolved by other means, as described in Annex I of the DPF Principles. The purpose of this option is to provide a prompt, independent, and fair mechanism, at the option of individuals, for resolution of any claimed violations of the Principles not resolved by any of the other EU-U.S. DPF mechanisms
9.Your Rights - California Residents
If you are a resident of California, under the California Consumer Privacy Act (“CCPA”), we are required to provide additional information to you about how we use and disclose your information, and you may have additional rights regarding how we use your information.
As described in the "What Personal Data Do We Handle and For What?" section, we collect certain categories and specific pieces of information about individuals that are considered "Personal Information" under California law. As detailed above, we may collect this Personal Information from you and other third parties, and we use, share, and disclose it for the business and commercial purposes described in that section.
We do not sell Personal Information, as defined under California law.
Subject to certain exceptions, as a California consumer, you have the right to:
- Access your Personal Information;
- Request the deletion of your Personal Information;
- Receive information about the Personal Information about you that we have "sold" (as defined under California law) to third parties in the past 12 months;
- Opt-out of the "sale" of your Personal Information, as detailed above in the "Cookies and Tracking Technologies" section.
To the extent permitted by applicable law, we may be required to retain some of your Personal Information, and certain Personal Information is strictly necessary for us to fulfill the purposes described in this Privacy Policy.
Should you wish to exercise the rights detailed above regarding your Personal Information, we will not discriminate against you by offering different pricing, products, or services, or by providing a different level or quality of products or services solely based on your request.
Please contact us at [email protected] if you have questions or wish to exercise these rights.
If you are a California consumer and you wish to exercise your rights as outlined in this section, you may need to provide information such as your name and email so that we can verify your identity. We will use the information you provide for no other purpose than verifying your identity. You also have the option of designating an authorized agent to exercise your rights on your behalf. For authorized agents submitting requests on behalf of California residents, please contact us as described above, providing any evidence that you have been authorized by a California consumer to submit a request on their behalf.
Shine the Light: We do not rent, sell, or share your Personal Information with nonaffiliated companies for their direct marketing purposes unless we have your permission. You also have the right to request that we provide you with: (1) a list of certain categories of personal information we have disclosed to third parties for their direct marketing purposes during the immediately preceding calendar year, and (2) the identity of those third parties.
10. Changes to this Notice
If we change our Privacy Notice and you are our customer or registered in our mailing, we will send you an email informing you about the update. In addition, we will post these changes on this page to keep you aware of what information we collect, how we use it, and under what circumstances we may disclose it.
Changes to this Privacy Policy are effective when they are posted on this page.
11. Legal Notice
We are not responsible for the practices employed by websites linked to or from our Service, nor for the information or content contained therein. Please remember that when you use a link to go from the Service to another website, our Privacy Notice will no longer be in effect. Your navigation and interaction on any other website, including those that have a link on our website, is subject to the rules and policies of the website you are visiting.
12. Questions
If you prefer, you can directly contact our Supervisor, Cainã Gomez, through the email address [email protected], or our Representatives in the European Union or in the United Kingdom, through the informed channels in topic 7.1 above.
Last Update: Sep 23, 2024.