Privacy Policy

Last updated 8 June 2026 | Version 1.0

Chxrles LTD, trading as Pip Decks, is the controller of your personal data. We are established in England and Wales, and our lead supervisory authority is the UK Information Commissioner's Office (ICO).

This policy and our service are written for, and offered to, users in the United Kingdom and the European Economic Area (EEA). If you are accessing Pip from outside the United Kingdom and the EEA, please read section 13 ("Where this policy applies"), which sets out the limited provisions that apply to you.

Nothing in this Privacy Policy limits or excludes your rights under the Consumer Rights Act 2015, the UK GDPR, or any other law that applies to you and that cannot be excluded by agreement.

Quick answers

Plain-English summary of the questions we get asked most often. Each answer links to the formal section below.

Am I talking to a real person or to AI?

You are interacting with an AI system, not a human. Pip is an artificial intelligence assistant that generates its replies automatically. We make this clear up front so you always know what you are dealing with. (See section 4.)

Do you train AI on my conversations?

No. Under the API terms on which we use each provider in our model chain, those providers do not use your conversations to train their AI models. Anthropic is our primary provider; OpenAI is a fallback we use only when Anthropic is unavailable. These positions reflect each provider's API terms as at the effective date of this policy; if a provider materially changes its terms, we will update this policy under section 12. (See section 4.)

Can Pip Decks staff read my conversations?

In normal operation, no Pip Decks staff read your conversations. A small number of specific situations allow restricted, logged access by authorised staff: a support issue you have raised with us, an abuse or security investigation, or a legal request we are required to comply with. (See section 4a.)

Who actually sees what I say to Pip?

Several processors handle your conversation content or facts derived from it, and they are all named in the table in section 5. In short: Anthropic (and OpenAI as a fallback) generate Pip's reply; the request is routed through Vercel's AI Gateway; your chat history is stored in our database (Neon Postgres, provisioned through Vercel); short-lived fragments may pass through Upstash for stream recovery; and facts Pip remembers about you are stored in our own database. Your conversation content is not sent to our payment, analytics, email, or marketing tools. (See section 5 for the authoritative list.)

Do I need to install anything?

No. Pip runs entirely in your browser at pip.app. No plugin, no desktop app, no firewall changes.

How do I delete my conversations or my account?

Both are self-serve under Settings then Privacy. We action account deletion without undue delay and in any event within one month, in line with UK GDPR Article 17. (Note: copies held by our AI providers are retained under their own policies, which we do not control. See section 6.) (See section 6 and section 7.)

Do you sell my personal information?

No. We do not sell your personal information, and we do not share it for cross-context behavioural advertising. (See section 7a.)

Do you have a Data Processing Agreement (DPA)?

For procurement or compliance questions, including DPA requests, email support@pipdecks.com.

Key terms

A short glossary so the rest of this policy reads plainly. These are the formal terms used in data-protection law.

  • Controller: the organisation that decides why and how your personal data is processed. That is us (Chxrles LTD).
  • Processor: a company we hire to handle data on our instructions and on our behalf (for example, the company that stores our database). A processor is not allowed to use your data for its own purposes.
  • Sub-processor: a processor we engage to help deliver the service. The processors listed in section 5 are our sub-processors.
  • Special-category data: more sensitive personal data, such as information about your health, beliefs, ethnicity, or sexual orientation, which the law protects more strictly (see section 4b).
  • Lawful basis: the specific legal reason that allows us to process a given piece of your data, listed for each data type in section 2.
  • Subject Access Request (SAR): your right to ask for a copy of the personal data we hold about you (see section 7).

1. Data Controller

The controller of your personal data is Chxrles LTD, trading as Pip Decks. Company number 11587388, registered in England and Wales.

Registered address: Merchants House, Market Place, Stockport, England, SK1 1EU.

We are established in England and Wales. Our lead supervisory authority is the UK Information Commissioner's Office (ICO). For data protection queries, contact our privacy team at support@pipdecks.com, or write to us at the registered address above marked "Data Protection".

We are registered with the ICO as a data controller, registration number ZC117586, and we pay the annual data-protection fee.

We are not required to appoint a Data Protection Officer under Article 37 of the UK GDPR, and we have not appointed one. The single contact point for all data-protection matters, including rights requests, complaints, and DPA or procurement queries, is support@pipdecks.com.

EU/EEA and Swiss representative (Article 27): We have appointed Data Protection Representative Limited (trading as DataRep) as our representative in the European Union, the wider European Economic Area, and Switzerland, under Article 27 of the EU GDPR and the equivalent provision of the Swiss FADP. Individuals in the EEA or Switzerland, and supervisory authorities, can contact our representative about how we handle personal data:

  • by email at datarequest@datarep.com; or
  • using the form at https://www.datarep.com/data-request; or
  • by post to DataRep, 77 Camden Street Lower, Dublin, D02 XE80, Ireland.

Please address all correspondence to "DataRep" and quote "Chxrles LTD (Pip Decks)" so it reaches the right place. For general questions about Pip, your account, or our products, please contact us directly at privacy@pipdecks.com rather than our representative.

Scope. This policy and our service are offered to users in the United Kingdom and the European Economic Area (EEA). EEA users may complain to their own local EU/EEA supervisory authority, and the EU transfer basis described in section 8 covers transfers of their data out of the EEA. Section 13 explains the limited position for users in other countries.

2. Data We Collect

The table below names the categories of personal data we process, what each is used for, the lawful basis under Article 6(1) of the UK GDPR, and where the data comes from. Where the basis is legitimate interest (Article 6(1)(f)), we summarise the balancing test we apply. The "Source" column distinguishes data you give us directly from data we obtain from another source, which we are required to tell you about under Article 14.

Data Type Examples Lawful basis Source
Account information Name, email address, profile picture Art 6(1)(b) Contract From you
Authentication data Email one-time codes, sign-in method Art 6(1)(b) Contract From you
Conversation data Messages you send to Pip and the responses you receive Art 6(1)(b) Contract (plus Art 9(2)(a) explicit consent for any sensitive content you choose to share, see section 4b) From you
Memories Facts extracted from your conversations and stored so Pip can recall useful context (stored in our own database) Art 6(1)(b) Contract (plus Art 9(2)(a) explicit consent for any sensitive facts derived from content you share, see section 4b) Derived from your conversations
Payment data Subscription status, billing history (card details held by Stripe) Art 6(1)(b) Contract; Art 6(1)(c) Legal obligation for tax records From you, and status updates from Stripe
Payment-risk and fraud signals Payment-card risk indicators, chargeback and dispute signals Art 6(1)(f) Legitimate interest. Balancing: protects the service and other users from payment fraud; signals are operational. Received from Stripe
Usage data Pages visited, features used, session duration Art 6(1)(a) Consent (set only when you accept analytics cookies) From your use of the service
Device data Browser type, operating system, screen size, IP address Art 6(1)(f) Legitimate interest. Balancing: minimal intrusion against the need for debugging, abuse detection, and service integrity. You can object under Art 21. From your device
Abuse signals Rate-limit metadata, repeated-failure patterns Art 6(1)(f) Legitimate interest. Balancing: protects the service and other users from harm; signals are operational and time-limited. From your use of the service
Legacy customer records Prior Pip Decks customer and onboarding details we use to recognise returning customers Art 6(1)(f) Legitimate interest. Balancing: lets us give existing customers a joined-up experience; limited to records we already held. You can object under Art 21. From our prior Pip Decks systems (see "Where your data comes from" below)
Marketing preferences Email subscription status, consent choices Art 6(1)(a) Consent (with PECR opt-in) From you

Sign-in uses an email one-time code only. We do not offer Google, Apple, or other social sign-in, and we do not collect social-login tokens.

Where your data comes from (Article 14). Most of the data above you give us directly, by creating an account, chatting with Pip, or paying for a subscription. Some data reaches us from other sources rather than from you:

  • Legacy Pip Decks customer records. If you were a Pip Decks customer before this service launched, we may hold customer and onboarding records about you that originated in our earlier systems (our previous Firebase and Firestore platforms and our data warehouse). We read a limited set of those legacy records to recognise you as a returning customer and to set up your account. We do not write new data back to those legacy systems.
  • Payment-risk signals from Stripe. Our payment processor, Stripe, provides us with signals about payment-card risk, chargebacks, and disputes so we can detect and prevent fraud.

None of the data we obtain from other sources comes from publicly accessible sources. We do not buy personal data, scrape it from the public web, or acquire marketing lists.

3. How We Use Data

We use your personal data to:

  • Provide and maintain the Pip service
  • Process your subscription payments
  • Send transactional emails (account confirmations, billing receipts)
  • Send marketing communications (only with your consent)
  • Analyse usage patterns to improve the service (only with your consent for analytics cookies)
  • Detect and prevent fraud or abuse
  • Comply with legal obligations

Marketing email

All marketing email is opt-in only. We do not pre-tick the marketing box at sign-up, and we do not rely on the soft opt-in route under Regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR), the rule that would otherwise let a business email an existing customer about similar products without a fresh opt-in. Every marketing email contains a one-click unsubscribe link. Unsubscribing does not stop transactional emails (billing receipts, account notices, security alerts), which we send under Article 6(1)(b) to perform the contract.

4. Conversation Data Handling

Pip is an AI system. When you chat with Pip, you are interacting with artificial intelligence, not a human being. Pip's replies are generated automatically by the AI providers described below. We tell you this plainly so that you always know you are dealing with an AI system and not a person. Where EU users are in scope, this disclosure also serves the AI-interaction transparency obligation under Article 50 of the EU AI Act.

Under the API terms on which we use them, the providers in our model chain do not train their AI models on your conversations.

When you chat with Pip, your messages are sent to an AI provider to generate a reply. Requests are routed through the Vercel AI Gateway (operated by Vercel, Inc.), which passes them to the model provider.

Our primary provider is Anthropic (Claude). We operate under Anthropic's Commercial Terms (https://www.anthropic.com/legal/commercial-terms), which state, verbatim: "Anthropic may not train models on Customer Content from Services." That is a contractual prohibition, not a setting we toggle on or off. Under those terms and Anthropic's Data Processing Addendum, Pip Decks is the controller and Anthropic is the processor for your conversation content. You retain rights to your messages, and you own Pip's replies. You can review Anthropic's security and compliance posture at https://trust.anthropic.com/.

If Anthropic is unavailable, the same message may instead be routed to OpenAI as a fallback so the service can still respond. OpenAI processes the message through its API. Under the OpenAI API terms applicable to our account, OpenAI does not use data submitted through the API to train or improve its models. OpenAI sets out this position in its API data-usage terms (https://openai.com/policies/api-data-usage-policies/). We use OpenAI only as a fallback, and only for the purpose of generating a reply.

These positions reflect each provider's API terms as at the effective date of this policy. They describe the terms on which we use each provider, not a guarantee by us of a third party's future conduct. If a provider materially changes its terms, we will update this policy under section 12.

This section is a description of how your data is routed. It is not a guarantee that the service will always be available. Availability terms are dealt with in our Terms of Service.

Retention by AI providers

We do not currently hold a Zero Data Retention agreement with Anthropic. Because of that, Anthropic's standard published retention policy applies to the conversation content we send to their API. We do not control that retention period, we do not guarantee a fixed deletion window for the copy held by Anthropic, and we do not separately extend it. Anthropic remains contractually prohibited from training on your content as set out above. The same position applies to any content processed by OpenAI on fallback: it is retained under that provider's API retention policy, which we do not control. If your procurement function requires a Zero Data Retention arrangement, email support@pipdecks.com and we will scope it with you.

Storage of your history

Your conversation history is stored in our database (Neon Postgres, provisioned through Vercel; Neon and Vercel are both listed in section 5) so you can read back previous chats. This content is encrypted in transit using TLS. You can request deletion of your conversation history at any time (see section 6).

Memories

To make Pip more useful over time, facts extracted from your conversations are stored as "memories" in our own systems so they can be recalled in later chats. You can view and delete individual memories under Settings then Privacy, and deleting your account removes them (see sections 4b and 6).

The processors that receive your conversation content, or facts derived from it, are identified in the table in section 5, which is the authoritative list. Your conversation content is not sent to Stripe, PostHog, Resend, or Klaviyo. Those processors only see account-level data such as your email, billing details, and usage and device data (which can include an IP address and basic device information, see section 2). They never see the content of what you say to Pip.

4a. Access by Pip Decks Staff

In normal operation, no Pip Decks staff read your conversations. A small number of specific situations allow restricted access by authorised personnel:

  • Resolving a support issue you have raised with us, where access to the conversation is necessary to do so.
  • Investigating a suspected abuse incident or security breach.
  • Where required by law, for example a court order or regulatory request.

Where we access a conversation in these situations, we keep an internal record of the access. We do not read conversations for marketing, advertising, profiling, or any purpose other than those listed above, and we do not share them with anyone outside the processors listed in section 5.

This assurance concerns access by Pip Decks staff. Our AI providers operate their own automated trust-and-safety checks on the content they process, and a message a provider flags may be reviewed by that provider; section 7 explains this and its lawful basis.

4b. Sensitive Information You May Share with Pip

Pip is a free-text chat product. In the course of a conversation, you may mention information that is treated as "special category" personal data under Article 9 of the UK GDPR. Examples include references to your health, religious or philosophical beliefs, political views, sexual orientation, racial or ethnic origin, or trade-union membership.

We do not require, prompt for, or analytically profile such data. Where you choose to share it, our lawful basis for processing it is your explicit consent under Article 9(2)(a), given by your active decision to type the content into the chat after reading this notice. You may withdraw that consent at any time by deleting the message in the chat, deleting the related memory under Settings, or deleting your account.

Special-category content you type may be processed by the AI provider that generates Pip's reply (Anthropic, or OpenAI on fallback, as described in section 4), and a fact derived from it may be stored as a memory in our own database. Your explicit consent under Article 9(2)(a) covers both the reply generation and any derived memory. We do not use special-category content, or facts derived from it, for marketing, profiling, model training, or any purpose other than generating Pip's reply, storing your history for your own retrieval, and recalling relevant memories to you. Deleting a memory removes it from our database, and deleting your account removes all of your memories from our systems.

If you are a consumer in California or another US state with a privacy law, the sensitive content described here may count as "sensitive personal information" under that law, and you have the right to limit our use of it. Section 7a explains how.

5. Third-Party Processors

We share your data with the processors below. The Conversation content? column tells you which processors receive the words you type to Pip, or facts derived from them, and which only see account-level data.

Processor Purpose Conversation content? Other data
Anthropic (https://trust.anthropic.com/) Generates Pip's chat replies (primary model) Yes None
OpenAI Generates Pip's chat replies (fallback, when Anthropic is unavailable) Yes (on fallback only) None
Vercel, Inc. (hosting, AI Gateway, Blob) Hosts the app and our Neon database; routes chat requests to the model provider through the AI Gateway; stores data-export (Subject Access Request) archive bundles in Vercel Blob Yes (in transit through the gateway; export bundles in Blob contain conversation history) Account data and conversation history, in export archives only
Neon, Inc. Database storage for account data, conversation history, and memories Yes (storage, including derived facts) Account data, conversations, extracted personal facts
Upstash, Inc. (Redis) Rate limiting and short-lived stream-recovery cache Possibly (in-flight fragments only) Rate-limit metadata
Clerk, Inc. Authentication and identity No Email address, sign-in data
Stripe Payment processing No Email, payment card details
PostHog Product analytics, error tracking, session replay (with consent) No (see note) Usage events, device info, model metadata (no chat text)
Resend Transactional email No Email address
Klaviyo Marketing email (with consent) No Email address, name

Note on PostHog: the analytics and model-observability events we send to PostHog do not include the text of your conversations, which is held only in our database. PostHog session replay masks text input on the chat surface so the words you type are not captured in replays.

We also rely on Google LLC (Firebase / Firestore) on a limited, read-only basis to look up legacy Pip Decks customer records when you sign in, as described in section 2 ("Where your data comes from"). This is a residual legacy path only: Firebase does not receive your conversation content and is not used for current account, authentication, chat, or memory storage. The transfer is covered by Google's certification under the EU-US Data Privacy Framework and its UK Extension.

We put an Article 28 data-processing agreement in place with each processor that handles personal data on our behalf before it begins processing, and we require each processor to apply appropriate technical and organisational safeguards.

Keeping this list current, and your right to object to a new sub-processor. The table above is the authoritative list of the sub-processors we use as at the effective date of this policy, and we keep it current. If we add or change a sub-processor that would handle your conversation content, we will update this list and notify you in advance under the section 12 mechanism before the new sub-processor begins processing your conversation content. During that advance-notice period you may close your account if you do not wish your conversation content to be processed by the new sub-processor. Changes to a sub-processor that does not handle conversation content (for example, a change to a payment, analytics, email, or hosting infrastructure provider) are reflected by updating this list.

6. Data Retention

Data Type Retention Period
Account data and conversation history Duration of account, then deleted within one month of account deletion
Memories (extracted facts, stored in our own database) Until you delete them (no automatic expiry); deleting your account removes all of your memories from our systems
Payment and billing records 7 years (legal requirement)
Payment-card fingerprint (a pseudonymous identifier from our payment processor, used to detect repeat free-trial abuse) 13 months, including after account deletion (legitimate interest, fraud prevention)
Analytics data 26 months
Cookie consent preferences 365 days

When you delete your account, we remove or anonymise your personal data without undue delay and in any event within one month, in line with UK GDPR Article 17, except where we are required by law to retain specific records (such as payment records, see the table above), and except for the pseudonymous payment-card fingerprint described in the table above, which we keep for up to 13 months after deletion on the basis of our legitimate interest in preventing repeat free-trial abuse. The fingerprint cannot be used to identify you outside that purpose and is deleted automatically when its retention period ends.

Deleting your account does not by itself delete any copy of conversation content held by an AI provider (Anthropic, or OpenAI on fallback). As explained in section 4, we do not hold a Zero Data Retention agreement, so that content is retained under the relevant provider's standard published retention policy, which we do not control. The deletion-confirmation email you receive reflects this position and does not promise a fixed provider-side deletion date.

7. Your Rights

Under the UK GDPR, you have the right to:

  • Access your personal data, known as a Subject Access Request (Article 15)
  • Rectify inaccurate or incomplete data (Article 16)
  • Erase your personal data, the "right to be forgotten" (Article 17)
  • Restrict processing of your data in certain circumstances (Article 18)
  • Data portability, receiving your data in a machine-readable format (Article 20)
  • Object to processing based on legitimate interest (Article 21)
  • Withdraw consent at any time where processing is based on consent (Article 7(3))
  • Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Article 22)

To exercise any of these rights, email support@pipdecks.com. We will respond without undue delay and in any event within one month of receiving your request, in line with Article 12(3). For particularly complex requests, or where we receive a high volume, we may extend the response period by up to two further months and will tell you within the original month why. Responses are free of charge, except where requests are manifestly unfounded or excessive (Article 12(5)). Where we have reasonable doubts about your identity, we may request additional information necessary to confirm it (Article 12(6)).

Nothing in this policy affects your statutory rights as a consumer under the Consumer Rights Act 2015 or other applicable law. Those rights stand whatever this policy says.

Breach notification. Where a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, in line with Article 33 of the UK GDPR. Where a breach is likely to result in a high risk to your rights and freedoms, we will also inform affected users without undue delay, in line with Article 34.

Automated decisions

We use automated checks to detect fraudulent sign-ups, free-trial abuse, and payment fraud. These checks can result in a sign-up or trial being blocked. They do not produce legal effects on you. Where a check has materially affected you and you believe it has done so wrongly, email support@pipdecks.com and a person will review the decision.

The AI providers in our model chain also operate automated trust-and-safety checks on conversation content under their own acceptable-use policies, in their capacity as providers of those AI services. Our lawful basis for this processing is our legitimate interest (Article 6(1)(f)) in providing a safe service and meeting the terms on which those providers make their models available to us; the balancing test weighs that interest against the minimal additional intrusion, since the content is content you have already chosen to send to the provider to generate Pip's reply. A message that a provider's system flags may be refused or filtered, and the provider may review flagged content as part of its own trust-and-safety process. This is separate from access by Pip Decks staff, which is addressed in section 4a. We do not control, and cannot opt out of, a provider's enforcement of its own acceptable-use policy.

Complaining to the ICO. You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at any time, whether or not you have first raised the matter with us. We would welcome the chance to address your concern first, but you do not have to come to us before complaining to the regulator. You can reach the ICO here:

  • Online: https://ico.org.uk/make-a-complaint/
  • Helpline: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Complaining to your local EEA supervisory authority. If you are in the European Economic Area, in addition to the routes already described you may lodge a complaint with the supervisory authority in your own EU/EEA country of residence, place of work, or place of the alleged infringement. You can find your local authority via the European Data Protection Board at https://edpb.europa.eu/about-edpb/about-edpb/members_en. Our EU Article 27 representative is your contact point in the EEA; the details are in section 1.

7a. Your US State Privacy Rights (California and other states)

This section applies if you are a resident of any US state that has enacted a comprehensive consumer-privacy law. We extend the rights described below to residents of every such state, as a matter of courtesy and good practice. Those states currently include California (under the CCPA, as amended by the CPRA) and, among others, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and the other US states that have enacted comprehensive consumer-privacy laws. The list of states with such laws continues to grow, and these rights are offered to residents of any of them, whether or not the state is named here.

Our status under the California Consumer Privacy Act (CCPA/CPRA). Pip Decks is a small UK company. We do not believe we currently meet the thresholds that make a business subject to the CCPA (broadly, US$25 million in annual revenue, or buying, selling, or sharing the personal information of 100,000 or more California consumers or households a year). Whether or not the CCPA applies to us, we extend the core rights below to California and other US-state residents who use Pip.

We do not sell your personal information, and we do not share it for cross-context behavioural advertising. We have no advertising-technology partners, and we do not disclose your personal information to anyone for them to use for their own advertising. Because we do not sell or share in this sense, there is no "Do Not Sell or Share My Personal Information" transaction to opt out of. If that ever changes, we will update this policy and provide an opt-out before any such sale or sharing begins.

Categories of personal information. The categories of personal information we collect, the purposes we collect them for, and the categories we disclose to service providers, are set out in the tables in section 2 (what we collect and why) and section 5 (the processors who receive it). In US-state terms: we collect identifiers (name, email), commercial information (subscription and billing history), internet and device activity (usage and device data), and the contents of your communications with Pip. We disclose these to the service providers in section 5 for the business purposes described there. We do not disclose your personal information for any commercial purpose other than operating and improving the service.

Sensitive personal information. As section 4b explains, the free text you type to Pip can include "sensitive personal information" (for example, information about health or beliefs). Our position is that we use it only to generate Pip's reply, to store your history for your own retrieval, and to recall relevant memories to you, which are the limited purposes of providing the service you have asked for. You may ask us to limit our use of your sensitive personal information at any time. The simplest ways to do so are to avoid sharing it, to delete the message or the related memory, or to contact us as below. We do not use your sensitive personal information to infer characteristics about you, and we do not use or disclose it for cross-context behavioural advertising or for any third party's own purposes.

Your rights. Subject to verification, you have the right to: know and access the personal information we hold about you; delete it; correct it; opt out of any sale or sharing (we do neither); and limit the use of sensitive personal information. We will not discriminate or retaliate against you for exercising any of these rights.

How to exercise them. Most rights are self-serve: you can view and delete your conversations, view and delete your memories, and delete your account, under Settings then Privacy. For anything else, or to make a verifiable consumer request, email support@pipdecks.com. You may use an authorised agent to make a request on your behalf, and we will ask for proof of their authority.

Universal opt-out signals (including Global Privacy Control). Because we do not sell or share your personal information, and because we do not carry out targeted advertising or profiling that produces legal or similarly significant effects, there is currently no sale, sharing, targeted-advertising, or profiling opt-out for a universal opt-out signal (such as Global Privacy Control) to action, and so none is required of us today. If we ever introduce processing that would amount to a sale, sharing, targeted advertising, or such profiling of personal information, we will treat a recognised universal opt-out signal, including Global Privacy Control, as a valid opt-out of that processing, and we will do so before any such processing begins. See section 9 for the current state of our consent controls.

8. International Transfers

Several of our processors are based in the United States. For each, we identify the transfer mechanism we rely on under Chapter V of the UK GDPR (and, for EEA users, under Chapter V of the EU GDPR). Where the recipient is certified under the EU-US Data Privacy Framework and its UK Extension (a US government scheme the UK and EU recognise as giving adequate protection, referred to here as the "DPF"), that certification covers the transfer. For any recipient not so certified, we rely on Standard Contractual Clauses (the standard legal contract for international transfers, "SCCs"; for UK transfers the EU SCCs together with the UK International Data Transfer Addendum, the UK add-on to those clauses, "IDTA"), supported by a Transfer Impact Assessment (our written check that the destination country offers adequate protection in practice, "TIA") which we maintain. For EEA users, the EU SCCs (plus the EU-US Data Privacy Framework where the recipient is certified) provide the Chapter V basis for transfers of their data out of the EEA. Where a processor stores your data wholly within the United Kingdom or the EEA, no Chapter V transfer arises and none is claimed.

Processor Location Transfer mechanism
Anthropic, PBC US SCCs + UK IDTA (not DPF-certified), TIA maintained
OpenAI, L.L.C. (chat fallback) US SCCs + UK IDTA (not DPF-certified), TIA maintained
Vercel, Inc. (hosting, AI Gateway, Blob) US EU-US Data Privacy Framework + UK Extension (SCCs/IDTA as backstop)
Neon, Inc. (certified via parent Databricks, Inc.) US EU-US Data Privacy Framework + UK Extension (SCCs/IDTA as backstop)
Upstash, Inc. US EU-US Data Privacy Framework + UK Extension (SCCs/IDTA as backstop)
Clerk, Inc. US EU-US Data Privacy Framework + UK Extension (SCCs/IDTA as backstop)
Stripe (UK / Ireland for UK customers; US otherwise) UK / IE / US EU-US Data Privacy Framework + UK Extension (SCCs/IDTA as backstop)
PostHog Inc. EU (Frankfurt) EU-hosted (Frankfurt), no Chapter V transfer; PostHog Inc DPF-certified for any onward US access
Resend, Inc. US EU-US Data Privacy Framework + UK Extension (SCCs/IDTA as backstop)
Klaviyo, Inc. US EU-US Data Privacy Framework + UK Extension (SCCs/IDTA as backstop)
Google LLC (Firebase, legacy customer-record reads only) US EU-US Data Privacy Framework + UK Extension (SCCs/IDTA as backstop)

Our Transfer Impact Assessment documentation is available to data protection officers and procurement teams on request to support@pipdecks.com.

9. Cookies

We use the following types of cookies:

  • Essential cookies: required for authentication and core functionality. These cannot be disabled.
  • Analytics cookies: help us understand how you use the service (PostHog). Set only with your consent.
  • Marketing cookies: used for email marketing attribution (Klaviyo). Set only with your consent.

We set non-essential cookies (analytics and marketing) only after your consent, and you can withdraw consent at any time through the cookie-preferences control. Our handling reflects our obligations under Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR), the UK rule that requires consent before non-essential cookies are set. Equivalent rules apply in other markets: the ePrivacy rules transposed in EEA countries take the same consent-first approach, while for US-state residents the relevant mechanism is an opt-out, as described in section 7a.

10. Children's Privacy

You must be at least 16 years old to create an account on Pip, as set out in our Terms of Service. This is a contractual age limit, more restrictive than the UK age of digital consent (13) under the Data Protection Act 2018 section 9.

We have considered the ICO's Age Appropriate Design Code and have assessed that Pip is not designed for, marketed to, or likely to be accessed by children. A valid payment card is required to start a paid subscription, which provides a soft additional age check.

We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, please contact us at support@pipdecks.com and we will delete it without undue delay.

11. Security

No method of transmission over the internet or method of electronic storage is completely secure. While we take appropriate steps to protect your personal data, we cannot guarantee its absolute security, and no internet transmission or storage can be guaranteed to be completely secure. This does not limit or exclude any liability we have to you that cannot be limited or excluded by law, including under the Consumer Rights Act 2015.

We implement technical and organisational measures appropriate to the risk, as required by Article 32 of the UK GDPR, and we review them as our service and the risks to it change. These measures currently include:

  • Encryption in transit using TLS / HTTPS across our services.
  • Authentication. End-user sign-in via Clerk using an email one-time code.
  • Access controls. Access to production systems and customer data is limited to authorised personnel on a least-privilege, need-to-know basis.
  • Vulnerability management. Our dependencies are monitored for known security vulnerabilities via GitHub Dependabot, and security advisories trigger patch pull requests that we review and apply on a risk-based schedule.
  • Incident response. We maintain a process for detecting, triaging, and responding to suspected personal data breaches, including an escalation path. Where a breach is notifiable, we follow the timing set out in section 7 (ICO notification without undue delay and, where feasible, within 72 hours under Article 33; notification of affected users without undue delay where the breach is high-risk under Article 34).

The measures described in this section are those we apply as at the effective date of this policy; the specific tools and controls may change over time as we adopt better safeguards, provided the level of protection remains appropriate to the risk.

If you discover a security vulnerability, please report it to support@pipdecks.com.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our processing activities, our processors, the law, or regulator guidance. Each version carries a version number and an effective date at the top of this page.

For any change that materially reduces your rights, expands the categories of data we process, or adds a new sub-processor that handles your conversation content, we will give you at least 30 days' advance notice by email and by a banner on the service, identifying what has changed. During that notice period, you may close your account if you do not wish to accept the change. Closing your account during the notice period does not affect any refund or other statutory right you have under the Consumer Rights Act 2015 or under our Terms of Service; where you have paid in advance for a period that is cut short, your refund rights under those terms continue to apply.

Where a change is required to comply with the law, with a regulator's guidance or order, or to address a security or operational emergency (for example, an urgent change of processor that we cannot make on 30 days' notice), we may make that change effective immediately and will notify you as soon as reasonably practicable. We will still keep the change as limited as the circumstances allow.

For minor or clarifying changes (such as updating a contact address or improving wording without changing meaning), we will post the updated policy with a new "Last updated" date and version number, and the change takes effect from that date.

We keep a record of previous versions of this policy. Previous versions are listed and available at our changelog (see the "Previous versions" link at the foot of this page), and are also available on request to support@pipdecks.com, so you can check which version applied when you signed up or at any later date.

13. Where this policy applies

Pip is offered to users in the United Kingdom and the European Economic Area (EEA). Our service and this policy are written around UK and EU data-protection law. For UK users, the UK Information Commissioner's Office is our supervisory authority; for EEA users, you may complain to your own local EU/EEA supervisory authority as described in section 7. We do not hold the service out as compliant with the local law of any country outside the United Kingdom and the EEA.

We have appointed our Article 27 EU representative, whose details are set out in section 1, as our contact point for users in the EEA. EEA users may complain to their local supervisory authority (see section 7), and for EEA users the EU GDPR Chapter V transfer basis set out in section 8 covers transfers of their data out of the EEA.

If you live in the United States, section 7a sets out the state privacy rights we extend to you. If you live in another country with a statutory privacy law (for example, Canada or Australia), and you choose to use Pip, you may ask us to honour the privacy rights your local law gives you by emailing support@pipdecks.com, and we will consider, in good faith, requests to honour the rights your local law gives you. This is a goodwill statement: because Pip is built around UK law and is not actively marketed outside the United Kingdom, it is not a representation that we market the service in your country or that the service is certified as compliant with your local data-protection regime.

Wherever you are, your personal data is processed in the United Kingdom, the EEA, and the United States by the providers listed in section 5, and may be accessible to authorities in those countries under their own laws. Wherever you are, you can also use the self-serve controls under Settings then Privacy to view and delete your conversations and to delete your account.

14. General

Relationship with our Terms of Service. This Privacy Policy forms part of, and should be read alongside, our Terms of Service. The Terms govern your use of the service generally; this Privacy Policy governs how we handle your personal data. If there is any conflict between the two specifically about the handling of personal data, this Privacy Policy governs that question.

One contact route. The single authoritative channel for all privacy matters, including rights requests, complaints, sensitive-information limit requests, and DPA or procurement queries, is support@pipdecks.com. Where other sections of this policy invite you to contact us, they mean this address.

Governing law. This Privacy Policy is governed by and construed in accordance with the law of England and Wales, without prejudice to any mandatory consumer-protection law of your country of residence and subordinate to the governing-law provisions of our Terms of Service.

Severability. If any provision of this Privacy Policy is held to be invalid or unenforceable by a court or regulator, that provision is severed to the minimum extent necessary, and the remaining provisions continue in full force and effect. Nothing in this policy limits or excludes any right you have that cannot be limited or excluded by agreement.