EU-U.S. Privacy Shield

Privacy Shield Policy

EU-U.S. Privacy Shield

This Privacy Shield Policy (this “Policy”) applies to personal information transferred to Pipefy Inc. (Pipefy) in the United States from persons/organizations subject to data protection law in the European Economic Area (EEA) (which includes the member states of the European Union (EU) plus Iceland, Liechtenstein and Norway). This Policy sets out our practices for collecting, using, maintaining, protecting and disclosing that personal information. Please see our Privacy Policy ( for further information.


For purposes of this Policy, the following definitions shall apply:

Agent” means any third party that collects or uses personal information under the instructions of Pipefy or to which Pipefy discloses personal information for use on Pipefy’s behalf. The current third parties Pipefy work with are: AWS, CloudFlare, OneSignal, Pusher, Gravatar, Intercom, NewRelic, Hotjar, Mixpanel, Google Analytics, Google Tag Manager, Doubleclick, Wootric, MailChimp, SalesForce and Recurly.

Pipefy” means Pipefy Inc. and any of its subsidiaries, predecessors and successors in the United States.

Personal information” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal information does not include information that is anonymized or aggregated.

Sensitive information” means any personal information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information that concerns health or sex life, and information about criminal or administrative proceedings and sanctions.

EU-U.S. Privacy Shield Principles

Pipefy participates in and complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from organizations subject to data protection law in the EEA to the United States, respectively. Pipefy has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms of this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view Pipefy’s certification, visit

1. Notice

Pipefy receives data (name, e-mail address and organization name) from customers through its platform on the register phase. After the register phase, the customer may input any type of information on the platform and some of this data may include personal information about individuals in the EEA. Pipefy uses this information for the provision of the services to its customers and customer support for such services.

Pipefy also collects personal information about users of the platform (contact information and information on how users use Pipefy’s services) for the purposes of providing and improving its services. Pipefy may share such information to third parties.

Pipefy will subject all personal information received via the Privacy Shield to the EU-U.S. Privacy Shield Principles. Pipefy is subject to the investigative and enforcement authority of the Federal Trade Commission (FTC). Pipefy may be required to disclose personal information in response to lawful requests by public authorities.

2. Choice

If you are not a resident of the EEA, please see our Privacy Policy ( for information about your choices.

Pipefy will offer EEA individuals whose personal information has been transferred to us the opportunity to choose whether the personal information it has received may be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. An individual may opt-out of such uses of their personal information by contacting us at [email protected].

Pipefy will not use sensitive personal information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual unless Pipefy has received the individual’s affirmative and explicit consent (opt-in).

3. Accountability for Onward Transfer

Pipefy uses Agents analytics tools to help understand the use of the Service. Many of these tools collect the information sent by your browser as part of a web page request, including cookies and your IP address. These analytics tools also receive this information and their use of it is governed by their privacy policy.

Pipefy may share your information with an Agent application with your consent, for example when you choose to access our Services through such an application. We are not responsible for what those parties do with your information, so you should make sure you trust the application and that it has a privacy policy acceptable to you.

Pipefy will require its Agents to safeguard personal information consistent with this Policy by contract obligating the agent to provide at least the same level of protection as is required by the EU-U.S. Privacy Shield Principles. Under certain circumstances, Pipefy is liability for onward transfers of personal information from the EEA where its Agent processes personal information inconsistent with the EU-U.S. Privacy Shield Principles, unless Pipefy proves that it is not responsible for the event giving rise to the damages.

4. Security

Pipefy will take reasonable and appropriate precautions to protect personal information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction.

5. Data Integrity and Purpose Limitation

Pipefy limits the collection of personal information covered by this Privacy Shield Policy to information that is relevant for the purposes of processing. Pipefy does not process such personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the information provider.

Pipefy takes reasonable steps to ensure that such personal information is reliable for its intended use, accurate, complete, and current. Pipefy takes reasonable and appropriate measures to comply with the requirement under the Privacy Shield to retain personal information in identifiable form only for as long as it serves a purpose of processing, which includes Pipefy’s obligations to comply with professional standards, Pipefy’s business purposes and unless a longer retention period is permitted by law, and it adheres to the Privacy Shield Principles for as long as it retains such personal information.

6. Access

Pipefy will grant individuals reasonable access to personal information it received pursuant to these Principles. In addition, Pipefy will take reasonable steps to permit individuals to correct, amend, or delete such information that is demonstrated to be inaccurate or incomplete. An individual may request to access to its own information, or otherwise correct, amend, or delete its own information pursuant to the EU-U.S. Privacy Shield Principles by contacting us at the address [email protected].

7. Recourse, Enforcement and Liability

Pipefy will conduct compliance audits of its relevant privacy practices to verify adherence to this Policy. Any employee that Pipefy determines is in violation of this policy will be subject to disciplinary action.

In compliance with the EU-U.S. Privacy Shield Principles, Pipefy commits to resolve complaints about your privacy and our collection or use of your personal information. EEA individuals with inquiries or complaints regarding this Policy should first contact Pipefy at the address [email protected]. Pipefy will investigate and attempt to resolve complaints regarding use and disclosure of personal information by reference to the principles contained in this Policy.

Pipefy has further committed to refer unresolved privacy complaints under the EU-U.S. Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD (, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit the link above for more information and to file a complaint.

If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms.  See Privacy Shield Annex 1 at


This Policy may be amended from time to time, consistent with the requirements of the EU-U.S. Privacy Shield Principles. The amended Policy will be made publicly available via Pipefy’s website.

Last updated: November 27, 2019.