Privacy Policy

Last updated: 6 June 2026

1. Who we are

Pipelit Ltd ("Pipelit", "we", "us") is a UK-registered company. We provide compliance scanning and revenue compliance tools for B2B SaaS companies. Our products include the free scanner (scan.pipelit.co.uk), Scanner Pro (app.pipelit.co.uk), and the Revenue Compliance Platform.

Data controller: Pipelit Ltd
Contact: lalarukh@pipelit.co.uk

2. What data we collect

Free scanner (scan.pipelit.co.uk):

• No personal data collected. No account required. We scan the URL you provide and return results. Scan data is not persisted beyond the session.

Scanner Pro (app.pipelit.co.uk):

• Account data: Name, email address, company name, website domain. Collected at sign-up.
• Authentication data: Password (stored as a salted scrypt hash — we never store or see your plaintext password).
• Scan results: Compliance findings, cookies detected, tools identified, scores. Stored in your account.
• Fix tickets: Violation records, review notes, status history, audit trail.
• Team member data: Names, emails, and roles of team members you invite.
• GTM integration data: OAuth tokens (encrypted, auto-expire), tag configurations, trigger rules, consent settings. Read-only — we cannot modify your GTM.

Revelio AI:

• When you use Revelio, your question and relevant scan context are sent to Anthropic's Claude API for processing. Anthropic does not train on API inputs. See Anthropic's privacy policy.

Payment data:

• Payments are processed by Stripe. We do not store credit card numbers. Stripe handles all payment data under PCI-DSS compliance.

Website (pipelit.co.uk):

• Google Tag Manager, Google Analytics (GA4), and Cookiebot consent management. These fire only after you grant consent via the cookie banner.
• HubSpot forms on the waitlist page — collects email and name if you choose to submit.
• AI chatbot — your messages are processed by Anthropic's Claude API via a Cloudflare Worker. No messages are stored after the session ends.

3. Why we process your data

• Contract performance (Art. 6(1)(b)): To provide the Scanner Pro service you signed up for — running scans, storing results, managing fix tickets, team access.
• Legitimate interest (Art. 6(1)(f)): To improve our products, prevent abuse, and communicate service updates.
• Consent (Art. 6(1)(a)): For marketing communications and non-essential cookies on our website. You can withdraw consent at any time.

4. Third-party processors

• Anthropic (US): AI processing for Revelio and the website chatbot. Processes query text only, no PII beyond what you type. Does not train on API data.
• Stripe (US): Payment processing. Handles card data under PCI-DSS. We never see your full card number.
• Google (US): GTM integration via OAuth (read-only). Analytics on our website (consent-gated).
• Smartproxy (Lithuania): UK residential proxy for scanner. Routes scan requests through UK IPs. No personal data is processed — only the target URL.
• Cookiebot (Denmark): Consent management on pipelit.co.uk.

All processors operate under data processing agreements. A full DPA is available at pipelit.co.uk/dpa.

5. What we do NOT do

• We never access your visitors' or customers' personal data
• We never write to your GTM, CRM, or any connected system
• We never share your data with third parties for their own purposes
• We never sell personal data
• We never store raw cookie values — only cookie names and domains

6. Data retention

• Account data: Retained while your account is active. Deleted within 30 days of account closure.
• Scan results: Retained while your account is active.
• Free scanner data: Not persisted beyond the browser session.
• GTM OAuth tokens: Stored encrypted while connected. Revoked immediately on disconnect.
• Payment records: Retained by Stripe per their retention policy and applicable tax law.

7. Your rights

Under UK GDPR, you have the right to:

• Access the personal data we hold about you
• Rectify inaccurate data
• Erase your data ("right to be forgotten")
• Restrict or object to processing
• Data portability
• Withdraw consent at any time
• Lodge a complaint with the ICO (ico.org.uk)

To exercise any of these rights, email lalarukh@pipelit.co.uk.

8. Security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS) and at rest, secure password hashing (scrypt), cryptographic session tokens, and role-based access controls. See our Security & Data page for details.

9. International transfers

Some processors (Anthropic, Stripe, Google) are based in the US. Transfers are protected by Standard Contractual Clauses (SCCs) and/or the UK International Data Transfer Agreement (IDTA) as applicable.

10. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email to registered users. The "last updated" date at the top always reflects the current version.

11. Contact

For any privacy questions or data requests:
Email: lalarukh@pipelit.co.uk
Website: pipelit.co.uk