Privacy policy
Effective Date: [November 14th 2025]
Piston (“we,” “us,” or “our”) owns and operates the Piston platform (the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect personal information of our users (“you” or “Customer”), and your rights regarding your personal data.
By using the Service, you consent to the practices described in this Privacy Policy. For information on the rules for using the Service, please refer to our Terms of Service
1. Data We Collect
We collect and process various types of information to operate, secure, and improve our Service.
“Personal Data” means any information that identifies or relates to an identifiable individual. We collect and process Personal Data to provide, operate, and improve the Service. “Personal Data” means information that identifies or relates to an identifiable individual. We collect Personal Data: (a) directly from you; (b) automatically when you use the Service; and (c) from third parties such as service providers or public sources.
1.1. Categories of data collected
Category | Examples of data collected | Source |
|---|---|---|
Account & profile data | Name, email address, company or organization, role or title, account credentials, authentication tokens, and contact preferences. | Provided directly by you when creating or managing an account, subscribing to the Service, or communicating with us. |
Billing & transaction data | Payment card type, last four digits, billing address, VAT/tax ID (if applicable), and transaction details. | Provided by you or our payment processor when purchasing or renewing subscriptions. |
Usage & technical data | IP address, device and browser type, operating system, session identifiers, referring URLs, log data, feature usage, and activity timestamps. | Collected automatically during your use of the Services. |
AI interaction & content data | Prompts, inputs, uploaded files, generated outputs, logs, metadata, or other content submitted or produced when using AI-powered features. | Provided directly by you or generated automatically during your use of AI features. |
AI interaction & content data | Name, email, company, message content, attachments, feedback, or other communications with our support or sales teams. | Provided directly by you when contacting us through forms, chat, or email. |
Cookies & similar technologies | Identifiers, session tokens, analytics and preference cookies, and tracking pixels. | Collected automatically through your device or browser. You can set your browser to block or delete cookies, but this may affect how our Service functions. |
Integration & third-party App data | Information received from tools or services that you connect to our platform. | Collected from third-party integrations or APIs that you authorize. |
1.2. Sensitive data
We do not intentionally collect or process Sensitive Personal Data, such as government identifiers, racial or ethnic origin, political opinions, religious beliefs, genetic or biometric data, health information, or sexual orientation data.
If you include such data in content submitted to the Service, it is processed only on your instruction and under your control.
1.3. Data from Third parties
We may receive additional information about you from:
Service Providers, including analytics, authentication, and payment vendors;
Business Partners that help us market or distribute the Services;
Public or Professional Sources, such as LinkedIn or other publicly available databases;
Integrations you connect to our platform.
1.4. Service data
We may aggregate and anonymize data (so it no longer identifies any individual), the “Service data”, to analyze usage trends, enhance performance, and develop new features. Such data is not considered Personal Data under applicable laws.
Purposes for collecting data
We process data for the following purposes:
To provide, operate, maintain, and improve the Service
To perform technical support, troubleshooting, and security monitoring
To comply with legal and regulatory obligations
To respond to Customer requests or provide features explicitly authorized by the Customer
To analyze aggregated and anonymized Service Data for research, development, and optimization
We process Data on the following legal bases: (a) performance of a contract with you; (b) our legitimate interests (operating and improving the Service, security, fraud prevention), balanced against your rights; (c) your consent (for certain marketing communications and non-essential cookies); and (d) compliance with a legal obligation.
Sharing and disclosure
We may share data in limited circumstances:
With our subcontractors and service providers, including AI providers (LLMs), strictly to execute the Service under your instructions. For AI-powered features, we may transmit User Data to third-party LLM providers only as necessary to perform the Service. Providers must comply with GDPR Article 28 and CCPA principles.
As required by law or to protect our legal rights.
Aggregated or anonymized data may be used internally or shared externally for research, analytics, or benchmarking.
We do not sell personal information under any circumstances.
Sub-Processors and AI Providers
We may engage carefully selected third-party sub-processors to support the operation and delivery of our Service.
All sub-processors are contractually bound to comply with applicable data protection laws, including the GDPR and CCPA.
You may request an up-to-date list of sub-processors and the safeguards we apply to protect Personal Data.
Certain Service features use third-party Large Language Models (LLMs) or other AI providers. We do not train proprietary AI models on customer data.
Data shared with AI providers is strictly limited to what is necessary to perform the requested function.
AI providers are contractually prohibited from using customer data for model training or any purpose other than delivering the Service.
AI providers may operate in multiple regions but act solely under our documented instructions and data processing agreements.
Data Security
We are committed to protecting your Personal Data and have implemented appropriate technical, organizational, and administrative safeguards to maintain its confidentiality, integrity, and availability.
We encrypt Personal Data in transit and at rest using industry-standard encryption protocols (for example TLS for data in transit, AES-256 or equivalent for data at rest).
Access to systems handling Personal Data is restricted on a need-to-know basis. Employees and contractors who handle your data are subject to confidentiality obligations and regular training.
We maintain up-to-date physical, logical, and procedural controls to protect against unauthorized access, use, disclosure, alteration, or destruction of Personal Data. This includes firewalls, intrusion detection systems, secure data centres, role-based access controls, and regular system audits.
We monitor our systems and infrastructure for security incidents, keep logs of access and system events, and have incident response procedures in place to respond promptly to any suspected data breach.
As part of our development and operational lifecycle, we integrate “privacy by design” and “security by design” principles to ensure that our Services minimise the risk of data loss or compromise.
For customers who require additional controls, we may offer specific contractual add-ons in our enterprise plans.
While we use robust measures to protect your information, no online service or storage system can be guaranteed to be completely secure. If we become aware of a personal data breach affecting Customer Personal Data, we will investigate and notify affected Customers without undue delay, and, where required by law, within 72 hours of becoming aware of the breach.
We also ask you, as a user of the Service, to help maintain data security by:
Selecting strong, unique passwords or using multi-factor authentication (MFA) where available.
Ensuring appropriate access controls within your organisation (e.g., managing user permissions, revoking access when employees leave).
Limiting access to your devices and browsers, logging off when using shared devices, and ensuring your devices are secure and up-to-date.
Promptly notifying us if you suspect any compromise of your account credentials or any unusual activity related to your account.
Data Retention
We retain your Personal Data only for as long as is necessary to fulfill the purposes for which it was collected, and to comply with legal, regulatory, accounting or reporting obligations.
We will retain account, profile and transaction data for as long as you have an active account or subscription with us, and thereafter for up to seven (7) years to (i) fulfill our contractual obligations, (ii) address disputes or enforce agreements, (iii) comply with applicable law (such as tax or regulatory retention-periods).
We delete or irreversibly anonymise Personal Data that is no longer required for these purposes, when retention period expires or when you request deletion, subject to underlying legal or regulatory obligations. Where data is anonymised and no longer constitutes Personal Data, we may continue to use it for aggregate statistical or analytical purposes.
Because our Service is AI-native, and you may upload inputs, prompts, files, or generate outputs, we may retain such data for as long as needed to provide the Service, support troubleshooting, enable performance optimization, or meet contractual obligations.
Usage data, logs and analytics may be retained for shorter periods, except when needed for security, system integrity, or regulatory compliance.
We periodically review our retention schedules and overall storage strategy to ensure data is not retained for longer than necessary.
If you request deletion of your account, we will delete or anonymise your Personal Data as soon as reasonably practicable, unless retention is required for legitimate business, legal or regulatory reasons.
Your Rights
We respect your privacy and give you control over your Personal Data.
Your rights may vary depending on where you reside. This section outlines your rights under the General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA, as amended by the CPRA), and other applicable privacy laws.
7.1. Your rights under the GDPR (EEA, UK, and similar jurisdictions)
If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction that provides similar rights, you have the following rights under the GDPR and equivalent laws:
Right | Description |
|---|---|
Right of Access | You have the right to request confirmation of whether we process your Personal Data and obtain a copy of that data. |
Right to Rectification | You can request correction of inaccurate or incomplete Personal Data. |
Right to Erasure (“Right to Be Forgotten”) | You may request deletion of your Personal Data when it is no longer necessary, when consent is withdrawn, or when processing is unlawful. |
Right to Restrict Processing | You can ask us to restrict processing while we verify accuracy, legality, or our legitimate grounds for processing. |
Right to Data Portability | You may request that we provide your data in a structured, commonly used, machine-readable format and/or transmit it to another controller. |
Right to Object | You can object to processing of your Personal Data when it is based on our legitimate interests or for direct marketing. |
Right to Withdraw Consent | If processing is based on your consent, you may withdraw it at any time, without affecting prior lawful processing. |
Right to Lodge a Complaint | You can lodge a complaint with your local supervisory authority. For example, in France, you may contact the CNIL (www.cnil.fr); in the UK, the ICO (www.ico.org.uk). |
7.2. Your rights under the CCPA / CPRA (California, USA)
If you are a resident of California, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):
Rights | Description |
|---|---|
Right to Know / Access | You may request disclosure of: (i) the categories and specific pieces of Personal Data we have collected about you; (ii) the categories of sources; (iii) the purposes for which we collect, share, or sell it; and (iv) the categories of third parties with whom we share it. |
Right to Delete | You may request deletion of your Personal Data that we have collected, subject to certain exceptions (e.g., legal compliance, security, transactions). |
Right to Correct | You may request correction of inaccurate Personal Data we maintain about you. |
Right to Opt Out of Sale or Sharing | We do not “sell” Personal Data as defined under the CCPA. If we ever engage in “sharing” for cross-context behavioral advertising, you will have the right to opt out. |
Right to Limit Use of Sensitive Personal Information | If we collect Sensitive Personal Information, you may request that we limit its use to necessary business purposes. |
Right to Non-Discrimination | You will not receive discriminatory treatment for exercising your privacy rights. |
7.3. Other jurisdictions
If you reside in another jurisdiction with specific privacy rights (for example, Canada, Australia, or Brazil), you may have similar rights to access, correct, or delete your Personal Data.
We will honor all privacy rights granted under applicable local law.
8. International Data Transfers
Your Personal Data may be transferred to and processed in countries other than the country in which you are resident. These countries may have data protection laws that are different from the laws of your country.
EU/EEA Users: If you are located in the European Union (EU) or European Economic Area (EEA), your Personal Data may be transferred outside the EU/EEA only in compliance with the GDPR. Such transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent safeguards to ensure an adequate level of protection. In all cases, your data will be processed in accordance with the GDPR and this Privacy Policy.
UK Users: If you are located in the United Kingdom, your Personal Data may be transferred outside the UK only in compliance with the UK GDPR. Transfers are protected by UK Standard Contractual Clauses (UK SCCs) or equivalent safeguards approved under UK law.
US Users / CCPA-covered Personal Information: If you are located in the United States or your data is subject to the CCPA, Personal Data may be transferred within the United States or internationally under lawful protections in accordance with applicable US data protection requirements.
Other jurisdictions: For all other users, we ensure that any international transfer of Personal Data is carried out under appropriate contractual or legal safeguards, consistent with applicable data protection laws.
Safeguards and obligations:
All recipients of Personal Data act only on our documented instructions and are contractually required to implement appropriate technical and organizational measures to protect your data.
Transfers are limited to what is necessary for the performance of our Service or to comply with legal obligations.
9. Minors
The Service is not directed to children under 13 (or under applicable age in your jurisdiction). We do not knowingly collect or solicit Personal Information from anyone under the age of 13. If you are under 13, please do not attempt to register for the Services or send any Personal Information about yourself to us. If we learn that we have collected Personal Information from a child under age 13, we will delete that information as quickly as possible. If you believe that a child under 13 may have provided us Personal Information, please contact us at privacy@pistonhq.app.
10. Updates to this privacy policy
We may update this Privacy Policy from time to time. Changes are effective upon posting with a new effective date. Continued use of the Service constitutes acceptance of the updated policy.
11. Contact information
For privacy inquiries or to exercise GDPR/CCPA/CPRA rights, contact us:
Email: privacy@pistonhq.app
We may verify your identity before responding to your request.