SafePipe
Back to Home

Last updated: December 2, 2025

Privacy Policy

At SafePipe, privacy is not a feature—it's our foundation.

🔒 Zero Data Persistence

We do not store your request bodies on disk. All prompt data is processed entirely in RAM and is immediately discarded after the request is complete. We are a pass-through proxy—your data flows through us, not to us.

1. Data Controller & Data Processor Roles

🔄 SafePipe as Data Processor

When you use SafePipe to process data on behalf of your end-users, you are the Data Controller and SafePipe EU GmbH acts as a Data Processor under GDPR Article 28.

  • Controller (You): Determines the purposes and means of processing personal data. You decide what data to send, which filters to enable/disable, and how to use AI responses.
  • Processor (SafePipe): Processes data on your behalf, according to your documented instructions (your API Key configuration). We apply the filters you have configured and route requests to AI providers.

By configuring your API Key settings (e.g., enabling/disabling "Mask Emails"), you are providing documented instructions to SafePipe as your Data Processor. We process data strictly in accordance with these configurations.

For SafePipe's own account and service management purposes, the data controller is:

SafePipe EU GmbH

Musterstraße 123

60311 Frankfurt am Main

Germany

Email: privacy@safepipe.eu

Data Protection Officer: dpo@safepipe.eu

2. What Data We Process

2.1 Data We DO Process (Temporarily)

  • API Request Content: Prompts and messages sent through our API are processed in memory to apply PII redaction and content filtering. This data is never written to disk.
  • API Response Content: Responses from AI providers pass through our servers for filtering. This data is never written to disk.

2.2 Data We DO Store

  • Account Information: Email address, name, company name (if provided)
  • Authentication Data: Hashed API keys, OAuth tokens
  • Request Metadata: Timestamps, model used, latency, token counts, PII detection flags (boolean only, not the actual PII)
  • Billing Information: Processed by Stripe; we do not store full payment details
  • Configuration: Your protection settings and preferences

2.3 Data We DO NOT Store

  • The content of your prompts or messages
  • AI-generated responses
  • Any PII detected (we redact it and forget it)
  • IP addresses beyond access logs (30-day retention)

3. Infrastructure & Data Location

🇪🇺 All data is processed within the European Union.

  • Primary Servers: Frankfurt, Germany (AWS eu-central-1)
  • Backup Infrastructure: Hetzner Cloud, Falkenstein, Germany
  • Database: Supabase (EU region)
  • CDN: Cloudflare (EU nodes only)

Your data never leaves the European Economic Area (EEA). When routing to AI providers, we only send redacted/cleaned data, and we prioritize EU-based endpoints where available.

4. Legal Basis for Processing (GDPR)

We process your data based on the following legal grounds:

  • Contract Performance (Art. 6(1)(b)): To provide the SafePipe service
  • Legitimate Interest (Art. 6(1)(f)): For security, fraud prevention, and service improvement
  • Legal Obligation (Art. 6(1)(c)): For tax and accounting requirements
  • Consent (Art. 6(1)(a)): For optional marketing communications (which you can opt out of anytime)

5. Data Retention

Data TypeRetention Period
Request Content0 seconds (never stored)
Request Metadata90 days
Access Logs30 days
Account DataUntil account deletion + 30 days
Billing Records7 years (legal requirement)

6. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

  • Right of Access (Art. 15): Request a copy of your personal data
  • Right to Rectification (Art. 16): Correct inaccurate data
  • Right to Erasure (Art. 17): Request deletion of your data
  • Right to Restrict Processing (Art. 18): Limit how we use your data
  • Right to Data Portability (Art. 20): Receive your data in a machine-readable format
  • Right to Object (Art. 21): Object to processing based on legitimate interest
  • Right to Withdraw Consent (Art. 7): Withdraw consent at any time

To exercise any of these rights, contact us at privacy@safepipe.eu. We will respond within 30 days.

7. Third-Party Services

We use the following third-party services:

  • Stripe: Payment processing (PCI-DSS compliant)
  • Supabase: Database and authentication (EU region)
  • Vercel: Hosting (EU region)
  • OpenAI / Anthropic / DeepSeek / Mistral: AI providers (receive only cleaned/redacted data)

8. Security Measures

We implement industry-standard security measures including:

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • Regular security audits and penetration testing
  • Access controls and principle of least privilege
  • 24/7 infrastructure monitoring

9. Cookies

We use only essential cookies required for authentication and session management. We do not use tracking cookies or advertising cookies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email and by posting the updated policy on this page.

11. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit

Gustav-Stresemann-Ring 1

65189 Wiesbaden

Germany

SafePipe EU GmbH

For legal inquiries, contact: legal@safepipe.eu