Privacy Policy
Last updated: 5 July 2026
This Privacy Policy explains what personal data Piptera ("we", "us") collects, why we collect it, who processes it on our behalf, and the rights you have over it. It covers both the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP).
1. Controller
The controller responsible for your personal data is Piptera, Switzerland. For any privacy request or question, contact us at privacy@piptera.com. Details about the operator are on the imprint page.
2. What data we collect
- Account data: your username and email address.
- Sign-in credentials: if you sign in through our identity service (see section 5), your password is held there in hashed form; we never see or store the plain password. Our own records hold only the identifier linking your sign-in to your account and the date you accepted this policy.
- Content you create: liquid classes, teams, comments and other contributions you choose to make. Your username appears on your contributions and in their version history.
- Technical data: an authentication token stored in your browser to keep you signed in, and, if you create API keys, their names and creation/last-used times (the key secret itself is stored only as a cryptographic hash).
- Transient abuse-prevention data: your IP address and browser identifier are processed briefly in server memory to enforce rate limits and to de-duplicate view counts. They are never written to durable storage and disappear on their own within minutes to hours. Standard server access logs may record IP addresses for a short period (see section 9).
3. Lawful basis and consent
We process your account data and content to perform our agreement to provide the service (Art. 6(1)(b) GDPR) and on the basis of the consent you give when creating an account (Art. 6(1)(a) GDPR). Transient abuse-prevention data is processed in our legitimate interest of keeping the service secure and available (Art. 6(1)(f) GDPR). You may withdraw consent at any time by deleting your account.
4. How we use your data
We use your data to authenticate you, to display your contributions, to enable collaboration within teams, and to operate and secure the service. We do not use your data for advertising or profiling.
5. Processors and recipients
We do not sell, rent, or trade your personal data. We use the following processors under data processing agreements:
- Google Ireland Limited (Firebase Authentication): manages sign-in credentials (email address, hashed password) and sends verification and password-reset emails on our behalf.
- Google Ireland Limited (Firebase Realtime Database): stores the application data described in section 2. The database instance is located in the European Union (europe-west1, Belgium) and accepts no client connections; only our backend can read or write it.
Beyond these processors and our hosting infrastructure, we do not share your personal data with third parties except where required by law.
6. International transfers
Your application data is stored in the European Union. Google may process limited data (for example authentication requests) through affiliates outside the EU/EEA and Switzerland, including Google LLC in the United States. These transfers are safeguarded by the EU Standard Contractual Clauses and Google's certification under the EU-US and Swiss-US Data Privacy Frameworks.
7. Cookies and local storage
We do not use tracking cookies and we run no analytics or advertising scripts. Your browser keeps a session credential (in local storage or the browser's IndexedDB, depending on the sign-in method) so that your session persists across page reloads. Signing out removes it. This storage is strictly necessary to provide the service, so no consent banner is required for it.
8. Your rights
Under the GDPR and the Swiss FADP you have the right to:
- Access the personal data we hold about you.
- Export a portable copy of your data, available from your Account page.
- Erasure: delete your account and associated private data, also from the Account page. Private classes and API keys are deleted, and your sign-in account at our identity service is deleted as well. Public contributions, their version history, and comments are anonymized rather than removed, to preserve community data; the content itself remains under its published license.
- Rectification of inaccurate data, and to object to processing based on legitimate interest.
- Complain to a supervisory authority: in Switzerland the Federal Data Protection and Information Commissioner (FDPIC), or the data protection authority of your EU/EEA member state.
9. Data retention
We retain your account data for as long as your account is active. When you delete your account, private data is removed from the live database immediately and public contributions are anonymized. Residual copies in database backups expire when the backups rotate, within 30 days. Server access logs are kept for at most 30 days. Session tokens expire within 24 hours of issue.
10. Security
All traffic is encrypted in transit and data is encrypted at rest on managed cloud storage. Passwords and API-key secrets are stored only as cryptographic hashes, and the database is reachable only by our backend.
11. Changes to this policy
We may update this policy when the service or its processors change. Material changes are reflected by the "last updated" date above.
12. Contact
For any privacy request or question, contact us at privacy@piptera.com. We answer requests concerning your rights within one month.