Pipefile Privacy Policy

PIPEFILE PRIVACY POLICY

Updated: June 3, 2026


Pipefile, LLC ("Pipefile," "we," "us," or "our") provides cloud-based software and related services.

This Privacy Policy explains what personal data we collect, how we use it, who we share it with, how long we keep it, and the rights and choices available to you.

This Privacy Policy applies to https://pipefile.com and the Pipefile platform and related services (collectively, the "Service").

Many Pipefile customers use the Service to collect and manage information on behalf of their own clients, applicants, signers, or end users. In those cases, the customer controls the data and Pipefile acts as a service provider or data processor on the customer's behalf.

This Privacy Policy primarily describes personal data that Pipefile collects and processes as a controller, such as account, billing, support, marketing, and analytics information. Customer-controlled content is governed by the applicable customer agreement and any Data Processing Addendum.

By accessing or using the Service, you acknowledge this Privacy Policy. If you do not agree to it, do not use the Service.

1. Personal Data We Collect

We use "Customer" to mean the individual or organization that purchases the Service and their authorized agents and employees. We use "End User" to mean a client, applicant, signer, member, contractor, or other person who interacts with the Service at the direction of a Customer (for example, a client of a law firm who uploads documents in response to a Customer's request, or a signer on a Pipefile document).

Information you provide

When you register for or use the Service, you may provide us with your name, email address, password, billing and payment information, company name, job title, phone number, and any other information you choose to share with us (including through support requests).

Content uploaded to the Service ("Your Data" / "End User Content")

Files, forms, checklists, identity documents, and other content uploaded to the Service by Customers and End Users. When a Customer's End User uploads content, the Customer is the controller of that content and Pipefile is the processor, acting on the Customer's instructions under the Customer's agreement with us.

We treat all uploaded content as confidential and process it on the Customer's behalf to provide the Service. We do not use Your Data or End User Content to train artificial intelligence or machine learning models, and we do not permit our AI subprocessors to do so. See Section 2 for more on AI-assisted features.

Signer and e-signature data

When you or a counterparty signs or completes a document through the Service, we collect information necessary to create a legally valid audit trail. This includes signer name and email, signature images or typed signatures, IP address, browser and device information, timestamps for key signing actions (signed and completed), and the document hash. This data is retained as part of the document record so that the signed document remains verifiable. Signatures may be voided and replaced; prior signature events remain in the audit record.

Information collected automatically

When you access the Service, we automatically collect technical information such as IP address, device identifiers, browser type and version, operating system, referring URL, pages viewed, time spent, clickstream data, and other usage information. This is collected through cookies, server logs, and similar technologies (see Section 6).

Information from third parties

If you sign in via your organization's identity provider via WorkOS SSO, we receive basic profile information from that provider as authorized by you. If you connect a third-party integration to your account, we receive the data necessary to operate that integration.

2. How We Use Personal Data

We use personal data to:

  • Provide, operate, maintain, and improve the Service;
  • Create and manage your account, authenticate you, and process payments;
  • Process, store, route, and verify documents and signatures submitted through the Service;
  • Power AI-assisted features (described below);
  • Respond to your inquiries and provide customer support;
  • Send service-related communications (security alerts, billing notices, changes to terms or policies);
  • Send marketing communications about Pipefile's products and services, where permitted by law and subject to your right to opt out;
  • Analyze usage to understand and improve the Service;
  • Detect, prevent, and investigate fraud, abuse, security incidents, and violations of our Terms of Use;
  • Comply with legal obligations and enforce our agreements.

AI-assisted features

The Service offers AI-assisted features such as intelligent checklists, natural-language form editing, and client data pre-fill. When you use these features, the relevant content is processed by an AI subprocessor solely to return a result to you. We have contractual commitments from our AI subprocessors that prohibit them from using Your Data to train their models and that limit retention to what is necessary to return a response.

We do not use Your Data to train AI models, and we do not share Your Data with AI subprocessors for any purpose other than providing the requested feature.

Legal bases under GDPR / UK GDPR

Where GDPR or UK GDPR applies, we rely on the following legal bases:

  • Performance of a contract with you (to provide the Service);
  • Our legitimate interests (to operate, secure, and improve the Service, and for direct marketing of similar products to existing customers);
  • Your consent (for non-essential cookies and certain marketing); and
  • Compliance with legal obligations.

3. How We Share Personal Data

We do not sell personal data, and we do not "share" personal data for cross-context behavioral advertising as defined under the CCPA/CPRA. We share personal data only as described below.

Service providers and subprocessors

We share personal data with vendors that help us operate the Service. Categories include cloud hosting and storage, payment processing, email delivery, customer support tooling, product analytics, error monitoring, AI inference, and security services.

A current list of our subprocessors is maintained at https://pipefile.com/subprocessors. Where required by your organization's agreement with us, we will provide advance notice of new subprocessors and a right to object.

Customer access to End User Content

End User Content is shared with the Customer that requested or received it, in accordance with the Customer's configuration of the Service.

Legal and safety disclosures

We may disclose personal data when we reasonably believe disclosure is necessary to comply with a law, regulation, legal process, or governmental request; to protect the rights, property, or safety of Pipefile, our users, or others; or to investigate fraud, security incidents, or violations of our Terms.

Where not prohibited by law, we will use commercially reasonable efforts to notify affected users of law enforcement or court-ordered requests for their data.

Business transfers

If Pipefile is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal data may be transferred as part of that transaction. We will notify you of any change in ownership or material change in how your personal data is handled.

With your direction

If you choose to share content through a third-party integration, to send a document to a signer or recipient, or to publish content publicly through the Service, we will share data as you direct. Use of third-party services is governed by those services' own terms and privacy policies.

4. Data Retention

We retain personal data only as long as necessary for the purposes described in this Policy or as required by law.

Approximate retention periods:

  • Account data: for the life of your account, plus up to 90 days after account deletion to allow for recovery and to complete final billing.
  • Your Data and End User Content: for the life of the associated Customer account; removed from active systems upon account closure and from backups within 90 days using commercially reasonable efforts, unless the Customer's agreement specifies otherwise.
  • Signed documents and audit trails: for the life of the associated account, so that signed documents remain verifiable. On account closure, treated the same as Your Data above, unless the Customer directs otherwise in writing or applicable law requires longer retention.
  • Billing and tax records: up to 7 years, as required by tax and accounting law.
  • Marketing data: until you unsubscribe, plus a short suppression record to honor your opt-out.
  • Server logs and security logs: typically up to 12 months.
  • Support tickets: up to 3 years after resolution.

We may retain data longer where required for legal, regulatory, or legitimate business reasons (for example, an ongoing dispute or investigation).

5. Your Rights

Depending on where you live, you may have some or all of the following rights:

  • Access: request a copy of the personal data we hold about you;
  • Correction: request that we correct inaccurate or incomplete data;
  • Deletion: request that we delete your personal data;
  • Portability: request a copy of certain data in a machine-readable format;
  • Restriction or objection: request that we restrict or stop certain processing, including direct marketing;
  • Withdraw consent: where we rely on consent, withdraw it at any time (without affecting prior processing);
  • Opt out of "sale" or "sharing": under California, Colorado, Connecticut, Virginia, Texas, Oregon, and similar US state laws. We do not sell personal data and do not "share" personal data for cross-context behavioral advertising as defined under the CCPA/CPRA;
  • Non-discrimination: we will not discriminate against you for exercising these rights;
  • Authorized agents: California residents may use an authorized agent to submit requests, subject to verification;
  • Appeal: if we deny a request and you are in a state that provides an appeal right (Virginia, Colorado, Connecticut, and others), you may appeal our decision by replying to our response or emailing inquiries@pipefile.com;
  • Lodge a complaint: EU/UK residents may complain to their local data protection authority. The UK authority is the Information Commissioner's Office (ico.org.uk).

If you are an End User using the Service through a Customer (for example, a law firm or housing authority), we will generally refer rights requests concerning content uploaded through that Customer to the Customer, which acts as the controller of that content. We will support the Customer in responding.

To exercise any of these rights, email inquiries@pipefile.com. We may need to verify your identity before fulfilling a request, and we will respond within the timeframes required by applicable law (generally 30 days under GDPR; 45 days under most US state laws, extendable once where permitted).

6. Cookies and Tracking Technologies

We use cookies and similar technologies (pixels, local storage, SDKs) for the following purposes:

  • Strictly necessary: sign-in, security, load balancing. These cannot be disabled.
  • Functional: remembering your preferences.
  • Analytics: understanding how the Service is used (for example, Google Analytics).
  • Marketing: measuring the effectiveness of our marketing (limited use).

Where required by law (including in the EU, UK, and certain US states), we request your consent before setting non-essential cookies through our cookie banner. You can change your preferences at any time via the cookie settings link in our website footer.

You can also control cookies through your browser settings; rejecting cookies may affect Service functionality.

We honor Global Privacy Control (GPC) signals as an opt-out of sale and sharing where applicable under US state laws.

7. Security

We use reasonable administrative, technical, and physical safeguards to protect personal data, including encryption in transit (TLS) and at rest, access controls protected by password and multi-factor authentication, network segmentation, malware scanning on uploaded files, monitoring, and regular employee security and privacy training.

We regularly review our security program and align our controls to recognized industry frameworks. No system is perfectly secure, and we cannot guarantee absolute security.

If we become aware of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify affected users and applicable regulators without undue delay and, where required, within 72 hours under GDPR / UK GDPR and consistent with applicable US state breach-notification laws.

8. International Data Transfers

Our servers are located in the United States. If you access the Service from outside the United States, your personal data will be transferred to, processed, and stored in the United States, which may have different data protection laws than your country.

For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to the United States, we rely on the EU Standard Contractual Clauses and the UK International Data Transfer Addendum. A copy of the safeguards we rely on is available on request at inquiries@pipefile.com.

We no longer rely on the EU-US or Swiss-US Privacy Shield frameworks, which were invalidated by the Court of Justice of the European Union in Schrems II (July 2020). Any prior references in earlier versions of this Policy or related materials to Privacy Shield are superseded by this Section.

If your organization has executed a Data Processing Addendum with us, the transfer mechanisms in that DPA govern data your organization provides under the Service.

9. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If we learn that we have collected personal data from a child under 16 without verifiable parental consent (or the higher age threshold required by applicable law), we will delete it promptly. To request deletion, contact inquiries@pipefile.com.

We recognize that some of our Customers may handle documents that reference minors as part of a matter. Such information is uploaded by the Customer as a controller, governed by the Customer's agreement with us, and is not collected directly from the child.

10. Marketing Communications

We may send you marketing emails about Pipefile products and services where permitted by law. You can opt out at any time by clicking the "unsubscribe" link in any marketing email or by emailing inquiries@pipefile.com.

You will continue to receive transactional and service-related messages (for example, billing, security, and policy updates) regardless of marketing preferences.

If you provide a phone number, you consent to service-related calls or texts. Standard message and data rates may apply. You can opt out of marketing texts by replying STOP.

11. Third-Party Sites and Integrations

The Service may link to or integrate with third-party services. We are not responsible for the privacy practices or content of those services. When you leave the Service or connect a third-party integration, the privacy policy of that third party applies.

12. Public Content

If you choose to post content publicly through the Service or in any public forum (blogs, chat rooms, social media), others may view, copy, and use that content. We cannot control how third parties use information you make public.

13. Do Not Track

Our Service does not currently respond to "Do Not Track" browser signals, as there is no consistent industry standard for how to interpret them. We do honor Global Privacy Control (GPC) signals as described in Section 6.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes (for example, expanding the categories of data we collect, adding new purposes such as AI model training, or expanding the categories of third parties with whom we share data), we will notify you by email and/or by prominent notice in the Service before the change takes effect, and where required by law we will seek your consent.

The "Updated" date at the top of this Policy indicates when it was last revised.

15. Governing Law

This Privacy Policy is governed by the laws of the State of Delaware, United States, without regard to conflict of laws principles. To the extent permitted by applicable law, disputes will be resolved in the state or federal courts located in New Castle County, Delaware.

This Section does not limit any non-waivable rights you have under the laws of your country of residence.

16. Contact

For questions, concerns, or to exercise your rights, contact us at:

Pipefile, LLC
2093 Philadelphia Pike #8923
Claymont, DE 19703
United States

Email: inquiries@pipefile.com
Phone: +1 (855) 646-9337