PPipeValue
Legal

Privacy Policy

Last updated: 16 June 2026

This policy describes how PipeValue (“we”) processes personal data in connection with the service, in compliance with Regulation (EU) 2016/679 (GDPR) and applicable data-protection law.

1. Two distinct roles

Data controller — for the data of our own customers (user accounts, billing, service usage), we determine the purposes and means of processing.

Data processor — for data coming from our customers' CRMs (our customers' leads and contacts), we act on their behalf and on their instructions. The customer remains the controller of that data and must have a legal basis to process it and transmit it to advertising platforms. A data processing agreement (DPA) is available on request.

2. Data collected

  • Account data: name, email address, organization, password (hashed).
  • Billing data: plan, payment method (handled by Stripe — we never store the card number).
  • Lead CRM data (on behalf of the customer): contact, deal and company attributes (e.g. email, industry, amount), processed to compute a value.
  • Technical identifiers: advertising click identifiers (gclid, fbclid, etc.) and email/phone hashed (SHA-256) for matching.
  • Access tokens to CRMs and advertising platforms: encrypted in a vault (Supabase Vault) and never exposed to the browser.
  • Usage data: technical logs, scoring and dispatch events.

3. Purposes & legal bases

  • Providing the service (lead scoring, sending value to ad platforms) — performance of the contract.
  • Improving model performance and calibration — legitimate interest.
  • Billing and subscription management — performance of the contract and legal obligation (accounting).
  • Website audience measurement (analytics) — consent (banner, can be withdrawn at any time).
  • Security and fraud prevention — legitimate interest.

4. Retention periods

  • Account data: for the duration of the subscription, then deleted within 30 days of termination.
  • Lead CRM data: kept only for as long as strictly necessary for the service, then deleted per the customer's instructions.
  • Billing data: 10 years (legal accounting obligation).
  • Technical logs: 12 months maximum.

5. Recipients & sub-processors

We rely on technical sub-processors, each bound by contractual safeguards:

  • Supabase — hosting of the application and database (EU region).
  • Netlify — hosting of the marketing site (United States).
  • Stripe — payment processing.

In addition, on the customer's instruction, the computed value and matching identifiers are sent to the destination advertising platforms chosen by the customer (Meta, Google, LinkedIn, X, TikTok), which act as independent controllers for that data.

6. Transfers outside the European Union

Some sub-processors and destination platforms are located outside the EU (notably in the United States). These transfers are covered by appropriate safeguards: the European Commission's standard contractual clauses (SCCs) and/or membership of the EU-US Data Privacy Framework.

7. Security

Access tokens are encrypted at rest in a dedicated vault and are never returned to the browser. Each workspace is strictly isolated (row-level security / RLS). Transmissions are encrypted in transit (TLS), and direct identifiers are hashed before any sending.

8. Your rights

Under the GDPR, you have the following rights:

  • Right of access to your data;
  • Right to rectification;
  • Right to erasure (“right to be forgotten”);
  • Right to restriction of processing;
  • Right to data portability;
  • Right to object, in particular to processing based on legitimate interest;
  • Right to withdraw your consent at any time, without retroactive effect.

To exercise these rights, write to hello@pipevalue.io. If the request concerns lead data for which one of our customers is the controller, we will forward it to that customer. You may also lodge a complaint with your data-protection authority (in France, the CNIL — www.cnil.fr).

9. Cookies

Strictly necessary cookies

Used for authentication and to maintain your session. Essential, they do not require consent.

Audience measurement cookies

The site uses Google Analytics to measure audience. These cookies are subject to your consent, which you can withdraw at any time via the consent banner on the site.

10. Contact

Data controller / point of contact: PipeValue — hello@pipevalue.io.