Privacy Policy

1. Information We Collect

1.1 Information You Provide Directly

We collect information you provide when you:

• Create an Account: Name, email address, phone number, company name, job title, and login credentials
• Use Our Platform: Messages sent and received, contact information you upload, team and organizational data
• Contact Us: Information provided in support requests, feedback, or communications
• Subscribe to Updates: Email address and communication preferences

1.2 Information Collected Automatically

When you access our Services, we automatically collect:

• Device Information: Device type, operating system, browser type and version, unique device identifiers
• Log Data: IP address, access times, pages viewed, referring URL, actions taken on the platform
• Usage Data: Features used, messages sent/received counts, login frequency, session duration
• Widget Session Data: For embedded chat widgets, we collect session identifiers, authentication status, and interaction data to maintain conversation continuity
• Cookies and Similar Technologies: Information collected through cookies, web beacons, and similar technologies (see Section 11)

1.3 Information from Third Parties

We may receive information from:

• Enterprise Identity Providers: When you authenticate via SSO (SAML, OIDC), we receive profile information from your organization's identity provider
• Messaging Providers: Delivery status, read receipts, and message metadata from SMS carriers and messaging platforms (Twilio, Meta, Apple)
• Customer Integrations: Contact and employee data synchronized from your organization's ATS, HRIS, or other business systems

1.4 Customer-Uploaded Data

Our enterprise customers upload and manage data about their employees, contacts, and communications through our platform. This includes contact information (names, email addresses, phone numbers), organizational data, message content, and consent records. For this data, the Customer is the data controller and Pipcast acts as a data processor (see Section 3 for more details).

2. How We Use Your Information

2.1 To Provide and Maintain Our Services

• Process and deliver messages across communication channels
• Manage user accounts, authentication, and access permissions
• Provide customer support and respond to inquiries
• Process payments and manage billing (where applicable)

2.2 To Improve Our Services

• Analyze usage patterns to improve platform functionality and user experience
• Develop new features and services
• Conduct research and analytics on platform performance
• Train and improve our AI-powered features (using aggregated, anonymized data only)

AI Processing Note: When AI features process your data, this is done to provide the Services you requested. We do not use your message content to train general-purpose AI models. Any data used for service improvement is first anonymized and aggregated.

2.3 To Ensure Safety and Compliance

• Detect, prevent, and respond to fraud, abuse, and security incidents
• Enforce our Terms of Service and other agreements
• Comply with legal obligations, including TCPA, CCPA, GDPR, and other applicable laws
• Maintain audit trails for regulatory compliance

2.4 To Communicate With You

• Send service-related notifications (account updates, security alerts, system maintenance)
• Respond to your requests and inquiries
• Provide product updates and announcements (with your consent)
• Send marketing communications (only with explicit opt-in consent)

2.5 Workforce Communication Context

As a B2B workforce communication platform, the personal data we process primarily relates to:

• Employees and Contractors: Contact information provided by employers for operational communications
• Job Candidates: Information provided during application processes or through text-to-apply workflows
• Team Members: Individuals who have enrolled in team communications via text-to-join

In all cases, individuals have provided consent or are receiving communications in the context of their employment relationship or job application. Pipcast does not facilitate unsolicited messaging or use purchased contact lists.

3. Our Role as Data Controller and Data Processor

3.1 When Pipcast Acts as Data Controller

Pipcast acts as the data controller for:

• Customer account information (organization administrators and operators who use our platform)
• Website visitor data
• Marketing and sales prospect information
• Our own employees' and contractors' data

As a data controller, we determine the purposes and means of processing this personal data and are directly responsible for compliance with applicable data protection laws.

3.2 When Pipcast Acts as Data Processor

Pipcast acts as a data processor for:

• End-user and contact data uploaded by our Customers
• Message content transmitted through our platform
• Consent records and opt-in/opt-out status managed by Customers
• Any other personal data our Customers process using our Services

As a data processor, we process this data only on behalf of and under the instructions of our Customers (who are the data controllers). Our Customers are responsible for ensuring they have the appropriate legal basis to collect and process this data.

3.3 Data Processing Agreement

Enterprise customers may request a Data Processing Agreement (DPA) that sets forth the terms under which Pipcast processes personal data on their behalf, including our obligations as a data processor, data security measures, sub-processor information, and data subject rights assistance. To request a DPA, please contact us at legal@pipcast.ai.

4. Information Sharing and Disclosure

We do not sell your personal information. We do not share, sell, or provide mobile phone numbers, mobile information, or SMS opt-in data to third parties or affiliates for marketing or promotional purposes. We may share your information in the following limited circumstances:

4.1 Service Providers and Sub-processors

We engage trusted third-party service providers to perform functions on our behalf, including:

• Cloud Infrastructure: Amazon Web Services (AWS) for hosting, storage, and computing
• Messaging Providers: Twilio (SMS), Meta (WhatsApp, Facebook Messenger), Apple (Messages for Business)
• AI Services: Third-party AI providers for message classification, workflow automation, and knowledge-base powered features (data is processed for service delivery only)
• Authentication: Keycloak for identity management and SSO
• Analytics: Service providers for usage analytics and performance monitoring
• Payment Processing: Third-party payment processors for billing (we do not store credit card information)

These providers are contractually bound to protect your data and may only use it to provide services to us.

4.2 Your Organization

If you access Pipcast through an enterprise account, your organization's administrators may have access to your usage data and account information in accordance with their internal policies.

4.3 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, including:

• To comply with a subpoena, court order, or other legal process
• To respond to lawful requests from public authorities, including national security or law enforcement requirements
• To protect the rights, property, or safety of Pipcast, our users, or others
• To enforce our Terms of Service or other agreements

4.4 Business Transfers

If Pipcast is involved in a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website of any change in ownership or uses of your personal information.

4.5 With Your Consent

We may share your information for other purposes with your explicit consent.

5. Messaging and Communications Compliance

5.1 SMS and Text Messaging (TCPA Compliance)

Our platform enables organizations to send SMS messages to their employees, contacts, and customers. We are committed to compliance with the Telephone Consumer Protection Act (TCPA) and related regulations:

• Consent Tracking: We maintain records of consent for each contact, including opt-in source and timestamp
• Opt-Out Handling: We automatically process STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, QUIT, OPTOUT, and REVOKE keywords to immediately opt-out recipients
• Compliance Messages: First outbound messages include required disclosures (message and data rate notices, HELP/STOP instructions)
• Quiet Hours: Our platform supports configurable send time restrictions to respect recipient preferences

Important: Our Customers (the organizations using our platform) are responsible for obtaining appropriate consent before messaging their contacts. Pipcast provides tools to help manage and document consent, but the legal responsibility for consent lies with the Customer.

5.3 Mobile Information Privacy

Mobile phone numbers and any information obtained as part of the SMS opt-in process (including mobile opt-in data and consent records) will not be shared with, sold to, or disclosed to any third parties or affiliates for their own marketing or promotional purposes. This restriction applies regardless of whether such third parties are lead generators, data brokers, or any other type of entity. Mobile opt-in data is used solely to deliver the messaging services for which consent was provided.

5.2 Other Messaging Channels

For WhatsApp Business, Facebook Messenger, and Apple Messages for Business, we comply with each platform's policies and requirements, including:

• 24-hour messaging windows and template message requirements (WhatsApp)
• Message tag policies (Facebook Messenger)
• Service quality standards (Apple Messages for Business)

5.4 Message Content

Message content transmitted through our platform is stored securely and is accessible only to authorized users within the Customer's organization. We do not access, review, or use message content except as necessary to provide the Services, comply with law, or enforce our Terms of Service.

6. Data Retention

We retain your information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

6.1 Account Data

Account information is retained for the duration of your account and for a reasonable period thereafter to comply with legal obligations, resolve disputes, and enforce our agreements.

6.2 Message and Communication Data

Message content and related metadata are retained according to the Customer's retention settings and applicable legal requirements. Customers may request deletion of their data in accordance with our Terms of Service.

6.3 Consent Records

Consent records (opt-in/opt-out history) are retained for compliance purposes and to demonstrate lawful basis for communications, even after an account is terminated.

6.4 Anonymized Data

We may retain anonymized, aggregated data that cannot be used to identify individuals for analytics and service improvement purposes indefinitely.

7. Data Security

We implement industry-standard security measures to protect your information:

7.1 Technical Safeguards

• Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
• Access Controls: Role-based access control with least privilege principles
• Authentication: Multi-factor authentication (MFA) support, enterprise SSO (SAML, OIDC)
• Infrastructure: Hosted on Amazon Web Services (AWS) with industry-standard security controls
• Monitoring: Continuous security monitoring, intrusion detection, and logging

7.2 Organizational Safeguards

• Regular security training for all employees
• Background checks for employees with access to sensitive data
• Incident response procedures and breach notification protocols
• Regular security assessments and penetration testing

7.3 Multi-Tenant Isolation

Our platform is designed with strict multi-tenant isolation. Each Customer's data is logically separated, and access controls ensure that Customers cannot access another Customer's data.

Important: While we implement robust security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your information.

8. Your Privacy Rights

8.1 Rights for All Users

Regardless of your location, you may:

• Access your account information and update your profile
• Opt out of marketing communications at any time
• Request information about the data we hold about you
• Request deletion of your account (subject to legal retention requirements)

8.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: Request disclosure of the categories and specific pieces of personal information we collect
• Right to Delete: Request deletion of your personal information (subject to certain exceptions)
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out of Sale/Sharing: We do not sell personal information. We do not share personal information for cross-context behavioral advertising
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, contact us at privacy@pipcast.ai. We will verify your identity before processing your request.

8.3 European Economic Area, UK, and Swiss Residents (GDPR)

If you are located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) and equivalent laws:

• Right of Access: Request a copy of your personal data
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Erasure: Request deletion of your personal data ("right to be forgotten")
• Right to Restrict Processing: Request limitation of processing in certain circumstances
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests or for direct marketing
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
• Right to Lodge a Complaint: File a complaint with your local supervisory authority

Legal Basis for Processing: We process your personal data based on: (a) performance of a contract; (b) legitimate interests (improving our services, security, fraud prevention); (c) compliance with legal obligations; or (d) your consent.

8.4 End-Users of Our Customers

If you are an employee, contact, or end-user of one of our Customers and wish to exercise privacy rights regarding data processed through our platform, please contact that organization directly. As a data processor, we process such data on behalf of our Customers and will assist them in responding to valid requests.

9. International Data Transfers

Pipcast is headquartered in the United States, and our primary data processing occurs in AWS data centers located in the United States. If you access our Services from outside the United States, your information may be transferred to, stored, and processed in the United States.

For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to the United States, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Supplementary measures as necessary to ensure adequate protection
• Data Processing Agreements with appropriate transfer mechanisms

By using our Services, you consent to the transfer of your information to the United States and other jurisdictions where we or our service providers operate.

10. Third-Party Services

Our Services may contain links to or integrations with third-party websites, applications, and services. This Privacy Policy does not apply to third-party services, and we are not responsible for their privacy practices.

When you use our Services, your information may be shared with messaging providers (such as Twilio, Meta, and Apple) to facilitate message delivery. These providers have their own privacy policies governing their use of your information.

We encourage you to review the privacy policies of any third-party services before providing them with your information.

11. Cookies and Tracking Technologies

11.1 What Are Cookies

Cookies are small text files stored on your device when you visit a website. We use cookies and similar technologies to improve your experience and understand how our Services are used.

11.2 Types of Cookies We Use

• Essential Cookies: Required for basic site functionality, authentication, and security. These cannot be disabled.
• Analytics Cookies: Help us understand how visitors interact with our website to improve user experience. These are optional.

11.3 Managing Cookies

You can control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of our Services. Most browsers allow you to:

• View and delete cookies
• Block third-party cookies
• Block cookies from particular sites
• Block all cookies

11.4 Do Not Track

Our Services do not currently respond to "Do Not Track" signals because there is no industry standard for how to interpret these signals. We will update this policy if a standard emerges.

12. Children's Privacy

Our Services are designed for businesses and are not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@pipcast.ai, and we will take steps to delete such information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page
• Notify you by email (for registered users) or by posting a prominent notice on our website
• Where required by law, obtain your consent to the changes

We encourage you to review this Privacy Policy periodically to stay informed about our data practices.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We will respond to your inquiry within 30 days, or sooner if required by applicable law.