This Privacy Notice (“Notice”) describes Pipefy’s policies and procedures regarding the collection, use, and disclosure of your Personal Data. This notice does not apply to any information we collect from you through other means (including offline) or through other sources.
Controller: The natural or legal person, under public or private law, who is responsible for decisions regarding the Processing of Personal Data.
Personal Data: Any information related to the natural person, directly or indirectly, identified or identifiable.
Data Protection Officer: The individual designated by Pipefy to be responsible for ensuring compliance to your rights and for clarifying questions about the Processing of your Personal Data.
Purpose: The reason why the Personal Data will be processed, or the goal intended to be achieved as a consequence of the Processing.
Operator: The natural or legal person, under public or private law, who carries out the Processing of Personal Data on behalf of the controller.
Third Party: Refers, but is not limited to, any and all natural or legal person, with whom Pipefy has a relationship or will have a relationship, for example, a service provider, supplier, consultant, customer, business partner, third party contracted or subcontractor, lessee, assignee of commercial space, regardless the signature of formal contract or not, including one who uses Pipefy’s name for any purpose or who provides services, supplies materials, interacts with Public Officials, the Government ,or other Third Parties on behalf of Pipefy.
Holder: Natural person to whom the Personal Data refers, such as customers, employees, contractors and you.
Processing: Any operation performed with Personal Data within its life cycle, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation, or control of information, modification, communication, transfer, diffusion, or extraction.
Capitalized terms that are not defined in this Privacy Notice have their meaning disclosed in our Terms of Service.
2. What Personal Data do we handle and for what?
Pipefy uses information it collects to operate, maintain, and provide the features and functionality of the Service, to analyze how the Service is used, diagnose services or technical issues, maintain security, customize content, retrieve information to help you access your account efficiently, monitor aggregate metrics such as total number of visitors, traffic, and demographic patterns, and track content and users to provide better service.
When in the position of Operator, Pipefy has the right to refuse, upon formal and written notification, any operation ordered by a Controller, which implies the Processing of Personal Data in non-compliance with the rules for the protection of Personal Data in force.
Information provided directly by yourself:
• Registration: You provide us with information about yourself, such as your name and email address, when you register for an account to use our Service, including connecting to our Service through a Third Party service, or "following", "becoming a fan," downloading Pipefy app etc. on a Third Party website or network. Your name, email address, and other information, which you choose to provide on the Service, will be visible to and discovered by other users in accordance with your settings on our Service.
We may use your email address to send messages related to the Service (including any notices required by law, instead of postal mail communication). We may also use your contact information to send email marketing. If you don’t want to receive further messages from us, you can choose to unsubscribe to them by following the proper instructions disclosed in each message.
If you communicate with us by email, we may retain the content of your email messages and your email address, as well as our responses. If you choose to use our invitation service to invite a friend to sign up to the Service, we will ask for that person's email address and will automatically send an email invitation. Pipefy stores this information to send this email, to register your friend if your invitation is accepted, and to track the success of our invitation service.
• Content: You also provide us non-personal information in Content you post to the Service. Your Content and metadata about your Content may be viewed by other users in accordance with your settings on the Service. Pipefy can, but has no obligation, to monitor your Content you post on the Service. We may also remove any information you post in accordance with the provisions of the Terms and Conditions. Pipefy or Pipefy’s employees will not review your Content, except for the following: (i) if your settings on the Service allow it; (ii) to maintain, provide or improve the Service; (iii) to help you resolve your support requests; or (iv) to comply with or avoid any violation of applicable law or regulation by cooperating with law enforcement.
Data automatically collected
• Cookies: When you use the Service, we may send one or more “cookies” — a small data file — to your computer to uniquely identify your browser and let Pipefy help you log in faster and enhance your navigation through the site. A cookie may convey anonymous information about how you browse the Service to us. A persistent cookie remains on your hard drive after you close your browser so that it can be used by your browser on subsequent visits to the Service. Persistent cookies can be removed by following your web browser’s directions. A session cookie is temporary and disappears after you close your browser. You can reset your web browser to refuse all cookies or to indicate when a cookie is being sent. However, some features of the Service may not function properly if the ability to accept cookies is disabled.
• Log Files: When you use the Service, our servers automatically record certain information sent by your web browser. These server logs may include information such as your web request, Internet Protocol (“IP”) address, browser type, referring / exit pages and URLs, number of clicks, and how you interact with links on the Service, domain names, landing pages, pages viewed, mobile carrier, and other such information.
• Clear Gifs Information: When you use the Service, we may employ clear gifs (also known as web beacons) which are used to track the online usage patterns. In addition, we may also use clear gifs in HTML-based emails sent to our users to track which emails are opened by recipients. The information is used to enable more accurate reporting and make Pipefy better for our users.
• Geo-Location Information: When you use the Service by or through a mobile device or computer/laptop, we may access, collect, monitor, and/or remotely store “location data,” which may include GPS coordinates (e.g. latitude and/or longitude) or similar information regarding the location of your device. Location data, even though we do not collect or share Personal Data that identifies you immediately, may be used in conjunction with other Personal Data that allows your identification. Some features of the Service, particularly location-based services, may not function properly if usage or availability of location data is impaired or disabled.
• Device Identifiers: When you access the Service by or through a mobile device, we may access, collect, monitor, and/or remotely store one or more “device identifiers.” Device identifiers are small data files or similar data structures stored on or associated with your mobile device, which uniquely identify your mobile device and are used to enhance the Service. A device identifier may remain persistently on your device, to help you log in faster and enhance your navigation through the Service. Some features of the Service may not function properly if use or availability of device identifiers are impaired or disabled. Pipefy may access, collect, and/or store device identifiers upon enabling Pipefy’s Services.
A device identifier may be stored by the following means: in connection with the device hardware, by data stored in connection with the device’s operating system or other software, or data sent to the device by us. A device identifier, while not collecting or sharing any Personal Data that directly identifies you, may be used in conjunction with other Personal Data that allows your identification.
Your Use: We will display your Personal Information in your profile page and elsewhere on the Service according to the preferences you set in your account. Any information you choose to provide should reflect how much you want others to know about you. Please consider carefully what information you disclose in your profile page and your desired level of anonymity. We may also share or disclose your information with your consent, for example, if you use a third party application to access your account (see below). You can review and revise your profile information at any time.
In Brazil, in the event that Personal Data of individuals under 12 years old is processed, we will request specific and detached consent from a parent or legal guardian. In European Union, if the Personal Data of individuals under 16 years of age is processed, we will request the consent of the person who holds parental power over the child. Finally, in the UK, if the Personal Data Processing of individuals under the age of 13 is incomplete, we will ask for the consent of the person who holds parental power over the child.
3. Why and with whom do we share your Personal Data?
We share your Personal Data only for specific and legitimate Purposes, always in accordance with applicable privacy and data protection legislation, as described below:
Service providers and others: Pipefy may share your Personal Data with other Third Parties for the purpose of providing the Service to you. If we do, such business partners and other Third Parties will be required to keep your information confidential and adopt the same procedures and level of protection that Pipefy does. We may also store Personal Data in locations outside Pipefy's premises (for example, on servers or databases co-located with hosting providers).
Business Transfers: As we develop our business, we may buy or sell assets or business offerings. Customers, email, and visitor information is generally one of the transferred business assets in these types of transactions. We may also transfer or assign such information in the course of corporate divestitures, mergers, or dissolution.
See here our sub-processors list.
Compliance with Laws and Law Enforcement Requests and Protection of Pipefy’s Rights: Pipefy may disclose your personal information if required to do so by law or subpoena or if we believe that it is reasonably necessary to comply with a law, regulation, or legal request; to protect the safety of any person; to address fraud, security, or technical issues; or to protect Pipefy’s rights or property.
Anonymized Data: We may disclose some information, normally aggregated, with Third Party interested third parties to help them understand the usage patterns for certain Pipefy Services. The information shared for this purpose are not deemed Personal Data by LGDP, since they don’t allow the identification of their owner.
4. Is there International Data Sharing?
We offer the service in several geographic regions. We define a geographical region as the location where a user is located.
4.1. General Data Protection Law
For users located in Brazil, we transfer data to the United States for processing. For these users, we adopt protective physical measures, adopt reasonable physical, technical, and organizational protective measures against accidental, unauthorized or illegal destruction, loss, alteration, disclosure, access, use, or processing of user data in our possession, following the guidelines and principles established by the LGPD (Brazil’s General Data Protection Law).
4.2. GDPR and UK GDPR
For users within the European Union, we may store or transfer your Personal Data to countries outside the European Economic Community and the United Kingdom for the purposes described throughout this notice.
Whenever we carry out these international transfers of Personal Data, we take the necessary precautions to ensure that your Personal Data is properly protected, and we follow the applicable laws. International transfers of Personal Data are made
- to countries recognized by the European Commission (GDPR) or the United Kingdom Secretary of State (UK Data Protection Act 2018), since they provide an adequate level of protection; or
- to a country that does not provide adequate protection, but whose transfer is supported by Standard Contractual Clauses (SCCs) as issued by the data protection authorities in UK’s GDPR and EU’s GDPR jurisdictions.
5. Which rights do you have and how to exercise them?
5.1. Brazil’s General Data Protection Law (LGPD)
Under the scope of LGPD, you, as a Data Owner, have the right to:
- know which Personal Data has been handled by Pipefy and access them;
- find out with whom your Personal Data has been shared;
- correct, update, and complete your Personal Data
- require anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data;
- when Processing requires your consent, to be informed about the possibility of not providing it and about the consequences of such refusal;
- revoke your consent at any time if you have provided it;
- request data portability to another service or product provider, upon express request by the User;
- request the reconsideration of decisions taken solely on the basis of Automated Processing of personal data and that affect your interests; and
- oppose the Processing of data that, perchance, has been undertaken in disagreement with the law.
To exercise the above rights, or any other rights guaranteed by law, please contact us at [email protected].
To comply with Brazil’s General Data Protection law, we offer a support channel from our Data Protection Officer, who will answer within the legal deadlines established by law. The contact of the Data Protection Office is: [email protected]. Our Data Protection Officer is Cainã Gomez.
After we receive notice that you have revoked your consent, we will no longer process your information for the purpose(s) you originally consented to.
In case we handle your Personal Data for direct marketing purposes, you have the right to object to this activity at any time, in which case we will no longer process your Personal Data for such marketing purposes.
Our Service offers publicly accessible community services, including blogs and forums. You should be aware that any information you provide in these areas can be read, collected, and used by others who access them.
5.2. GDPR and UK GDPR
Within the scope of the GDPR and the UK GDPR, you, as a Holder, have the following rights with respect to your Personal Data:
- request information, including confirmation whether Pipefy handles your Personal Data.
- request access to your Personal Data.
- rectify incorrect Personal Data, or complement incomplete data, according to the Purpose of Processing.
- request deletion of your Personal Data, in cases where: (i) they are no longer necessary for the Purpose that justifies their Processing; (ii) the Processing is based on your consent, and you revoke it; (iii) you object to the Processing, as long as Pipefy does not have an overlapping legitimate interest; (iv) the Processing is contrary to law; or (v) the exclusion is necessary to fulfill a legal obligation.
- request restriction on the Processing of your Personal Data, whereas: (i) their correctness or completeness is under analysis; (ii) the Treatment is contrary to law; (iii) they are no longer needed for the Purpose justifying your Processing, but you still need them; or (iv) you oppose the Processing and Pipefy's interests are under review.
- request the portability of your Personal Data;
- object to the Processing of your Personal Data, since Pipefy does not have a legitimate interest that overlaps. If You oppose the Processing of data for direct marketing purposes, your Personal Data will no longer be processed for this Purpose.
- If your Personal Data is subject to solely automated decisions that affect your interests, you may object to this Processing, unless it is necessary to fulfill a contract with you, comply with legal obligations or based on your consent.
- petition to your country's data protection authority (or the Information Commissioner's Office in the UK’s case) if you have concerns about how we handle your Personal Data.
You can exercise these rights by contacting one of our Representatives indicated in item 7.1 below.
6. For how long do we retain your Personal Data?
We will retain copies of your information throughout the period you have an account or for the duration necessary for the purposes set out in this Notice, unless applicable law requires a longer period or retention. In addition, we retain your information for the necessary period to establish, exercise, or defend any legal rights.
From the moment the service provision contract between Pipefy and you terminates, we will keep your Personal Data in our database for 180 days. After this period, your data will be permanently deleted from our systems.
7. Additional information about GDPR and UK GDPR
If you are under the jurisdiction of GDPR or UK GDPR (individuals in the European Union and the United Kingdom, respectively), this topic applies to you in addition to the rest of this Notice. If any information here conflicts with the rest of this Notice, this topic will prevail.
7.1. Controller and Representatives
Pipefy Inc., a Delaware corporation whose registered address is 1209 Orange Street, Wilmington, Delaware, USA, is the Personal Data Operator.
For matters related to the General Data Protection Regulation (“GDPR”), in accordance with Article 27 of the GDPR, Pipefy has appointed the European Data Protection Office (“EDPO”) as its Representative in the European Union. You can contact EDPO about issues related to the GDPR:
- using the EDPO online request form: https://edpo.com/gdpr-data-request/; or
- writing a letter to the following address: Avenue Huart Hamoir 71, 1030 Brussels, Belgium
Concerning UK General Data Protection Regulation (“UK GDPR”), according to Article 27 of the UK GDPR, Pipefy has appointed EDPO UK Ltd as its representative in the UK. You can contact EDPO UK about UK GDPR issues:
- using an online request form from EDPO: https://edpo.com/uk-gdpr-data-request/; ou
- writing a letter to the following address: 8 Northumberland Avenue, London WC2N 5BY, Reino Unido
7.2. Legal Basis for data Processing in GDPR and UK GDPR
Pipefy handles Personal Data only in circumstances authorized by GDPR and UK GDPR, such as:
- when necessary for the execution of a contract, or pre-contractual steps with you.
- when necessary for the fulfillment of our legal obligations.
- when necessary for our legitimate interests, always observing your fundamental rights. In this case, the legitimate interests for which we may handle Personal Data are the following:
I. ensure the security of our platforms and facilities (if you visit our office);
II. run financial and compliance procedures;
III. maintain relationships with our business partners and serve our customers;
IV. improve and promote the provision of our services
V. recruit applicants for job openings.
- when you have provided your consent.
7.3. Data we collect from third parties
We may collect some Personal Data from sources other than the Data Holder, in the following situations:
- registration and behavioral data, when a Pipefy partner provides its customers' Personal Data for prospecting and promoting our products and services;
- registration and financial data, when you enter Pipefy's premises to provide a service on behalf of a third party;
- registration and behavioral data, when you apply for a job vacancy, through the intermediation of a Third Party;
- registration and user interaction data with our products, collected through third-party sales management platforms, subscriptions and feedbacks, as well as marketing and business analytics.
- registration and behavioral data, for customer service when this support involves third-party platforms;
- when you are an employee of a company that uses Pipefy, this company may provide us with registration data about you so that we can execute the contract with it. Furthermore, the company will also be able to share behavioral data of its employees with us, for the purpose of training users who will be administrators of Pipefy’s tool on behalf of the company.
8. Changes to this Notice
If we change our Privacy Notice and you are our customer or registered in our mailing, we will send you an email informing you about the update. In addition, we will post these changes on this page to keep you aware of what information we collect, how we use it, and under what circumstances we may disclose it.
9. Legal Notice
We are not responsible for the practices employed by websites linked to or from our Service, nor for the information or content contained therein. Please remember that when you use a link to go from the Service to another website, our Privacy Notice will no longer be in effect. Your navigation and interaction on any other website, including those that have a link on our website, is subject to the rules and policies of the website you are visiting.
If you have any questions about this Privacy Notice, please contact us at [email protected]
If you prefer, you can directly contact our Supervisor, Cainã Gomez, through the email address [email protected], or our Representatives in the European Union or in the United Kingdom, through the informed channels in topic 7.1 above.
Last Update: March 7, 2023.