Privacy Policy
Last updated: March 29, 2026
Pipveu ("we", "us", "our", "the platform") is committed to protecting the privacy of its users. This Privacy Policy describes how we collect, use and protect your personal data, in compliance with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, the EU GDPR (Regulation (EU) 2016/679), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), Canada's PIPEDA and Quebec Law 25, and the Australian Privacy Act 1988.
1. Controller / Business
The data controller (UK/EU GDPR) and business (CCPA/CPRA) responsible for processing your personal data is Pipveu, a sole proprietor based in Spain. Contact: [email protected]
For Quebec residents, the Person in Charge of the Protection of Personal Information (Privacy Officer / DPO) can be reached at the same address.
2. Personal data we collect
| Category | Data | Storage |
|---|---|---|
| Account | Email, username, authentication provider (Google, Twitter or password) | Our database |
| Payment | Stripe customer ID, subscription status. We do not store card numbers or bank details | Stripe (PCI DSS L1) |
| Trading | Trades you voluntarily import (instrument, price, date, P&L) | Our database |
| Technical | IP address, browser type, session cookies, error telemetry | Server logs |
We do not knowingly collect Sensitive Personal Information as defined under CCPA §1798.140 (e.g. precise geolocation, racial/ethnic origin, religious beliefs, health, biometric data, contents of private communications) or Special Category Data under UK/EU GDPR Article 9.
3. Legal bases (UK/EU GDPR Art. 6) and CCPA business purposes
| Legal basis (UK/EU) | Application / CCPA business purpose |
|---|---|
| Performance of contract | Account management, dashboard, subscription. CCPA: providing the service requested. |
| Consent | Marketing communications (may be withdrawn at any time). PIPEDA: meaningful, informed consent. |
| Legitimate interests | Service improvement, security, fraud prevention. CCPA: detecting security incidents and protecting against fraud. |
4. Purposes of processing
- Providing the trading-analytics service.
- Managing your subscription and billing through Stripe.
- Service-related communications (changes, incidents, invoices).
- Platform improvement, security and fraud prevention.
5. Sub-processors
We do not sell or share personal information as defined under the CCPA/CPRA (no cross-context behavioural advertising, no monetary or other valuable consideration in exchange for personal data). We share data only with the following providers, who are required to protect it under contractual safeguards:
| Provider | Function | Location |
|---|---|---|
| Stripe | Payment processing | USA (SCCs / UK IDTA) |
| OAuth authentication (only if you choose social login) | USA (SCCs / UK IDTA) | |
| Resend | Transactional email delivery | USA (SCCs / UK IDTA) |
SCCs = Standard Contractual Clauses (EU). UK IDTA = UK International Data Transfer Agreement / Addendum to the EU SCCs.
6. International transfers
Some sub-processors (Stripe, Google, Resend) may process data outside the European Economic Area, the United Kingdom, Canada and Australia. In those cases we rely on appropriate transfer mechanisms: EU Standard Contractual Clauses, the UK International Data Transfer Agreement (or UK Addendum to the EU SCCs), or the EU-US / UK-US Data Privacy Framework where the recipient is certified.
7. Data retention
| Data type | Retention period |
|---|---|
| Account data | While the account is active. Deleted within 30 days of an erasure request |
| Payment data | Held by Stripe (typically 7 years for tax/financial obligations) |
| Trading data | While the account is active. Deleted with the account |
8. Your rights (UK / EU / Ireland — UK GDPR & EU GDPR)
| Right | Description |
|---|---|
| Access | Obtain a copy of your personal data |
| Rectification | Correct inaccurate or incomplete data |
| Erasure | Request deletion of your data ("right to be forgotten") |
| Portability | Receive your data in a structured, machine-readable format |
| Objection | Object to processing in certain circumstances |
| Restriction | Request restriction of processing |
| Withdraw consent | Withdraw consent for processing based on consent, at any time |
| Automated decisions | Not be subject to solely automated decisions with legal/significant effect (we do not perform such decisions) |
To exercise these rights, email [email protected]. We respond within one (1) month, extendable by two further months for complex requests.
9. California residents (CCPA / CPRA)
If you reside in California, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to know what personal information we collect, use, disclose and share, and the categories of sources and recipients.
- Right to delete personal information we have collected from you.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing for cross-context behavioural advertising. We do not sell or share your personal information.
- Right to limit use of Sensitive Personal Information. We do not collect Sensitive Personal Information as defined in CCPA §1798.140 (categories include government identifiers, financial-account access credentials, precise geolocation, racial/ethnic origin, religious beliefs, union membership, contents of mail/email/text messages, genetic data, biometric identifiers, health data and sex-life information).
- Right to non-discrimination for exercising your privacy rights.
We do not have actual knowledge that we sell or share personal information of consumers under 16 years of age. Our response time for verifiable consumer requests is 45 days (extendable once by 45 days). To submit a request, email [email protected] with the subject line "California Privacy Request". You may designate an authorised agent to act on your behalf.
10. Canadian residents (PIPEDA & Quebec Law 25)
For users in Canada, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, provincial laws including Quebec's Act respecting the protection of personal information in the private sector (Law 25), Alberta PIPA and BC PIPA.
- Meaningful consent (PIPEDA): we obtain informed, knowing consent before collecting, using or disclosing personal information.
- Access and correction: you may request access to or correction of your personal information.
- Withdrawal of consent at any time, subject to legal or contractual restrictions.
- Quebec Law 25 — explicit opt-in for certain categories (e.g. sensitive information). Right to data portability (in force since 22 September 2024). Right to know if a decision was made about you based exclusively on automated processing.
- Privacy Officer: contact [email protected] (acting Privacy Officer / Person in Charge for Quebec).
We respond to access requests within 30 days as required by PIPEDA.
11. Australian residents (Privacy Act 1988)
We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). Australian users have the right to access and correct their personal information, to anonymity or pseudonymity where practicable, and to lodge a complaint about how their personal information is handled. Contact: [email protected]
13. Security
We apply technical and organisational measures to protect your data:
- Encryption in transit (HTTPS/TLS).
- Secure authentication (JWT with token rotation).
- Restricted database access.
- Payments handled by Stripe (PCI DSS Level 1 certified).
- Password reset tokens hashed with SHA-256 and rate-limited.
Breach notification: we notify supervisory authorities within 72 hours and affected users without undue delay where required (UK/EU GDPR Art. 33-34, Quebec Law 25, Australian NDB scheme, US state breach laws).
14. Minors
Pipveu is not directed to children under 18 (or under 16 in jurisdictions where that is the relevant age, including under COPPA in the US for those under 13). We do not knowingly collect data from minors. If we discover a minor has created an account, we will delete it promptly.
15. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be notified by email or via in-app notice at least 30 days in advance.
16. Contact and complaints
For privacy enquiries: [email protected]
If you believe your rights have not been adequately addressed, you may lodge a complaint with the relevant supervisory authority:
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- Ireland: Data Protection Commission (DPC) — dataprotection.ie
- California: California Privacy Protection Agency (CPPA) — cppa.ca.gov — or California Attorney General
- Canada: Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca — or Commission d'accès à l'information du Québec for Quebec residents
- Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
- Spain (lead authority for the controller): Agencia Española de Protección de Datos (AEPD) — aepd.es