Privacy Policy
Last updated: 2026-06-21
This policy describes what data pipemason (operated by CrashBytes) collects, why, who it's shared with, and how you control it. The TL;DR: your source code never leaves your machine. We hold metadata about your pipeline runs so the dashboard and live monitor work; everything else is BYO (Bring Your Own).
1. Who we are
pipemason is operated by Blackhole Software, LLC, doing business as CrashBytes. References to “we,” “us,” or “pipemason” in this policy mean Blackhole Software, LLC. Our mailing address is available on request via [email protected].
2. What we collect (and why)
| Category | Examples | Why |
|---|---|---|
| Account | Email, Clerk user id, organization id, role | Authenticate you; scope your runs to your org |
| Run metadata | Run id, ticket reference, branch name, phase + status, iteration counts, agent names, timestamps, failure classes | Render the dashboard and live monitor; enforce per-plan run limits |
| Run events | Mirror of the runner's iterations.log: per-step JSON event objects (event type, phase, agent, outcome, duration, optional notes) | Stream to your dashboard in real time; replay history |
| Billing | Stripe customer id, subscription id, plan, seat count, billing cycle, last 4 of card (held by Stripe) | Charge you, enforce plan, surface invoices |
| GitHub integration | GitHub user id + login, OAuth scopes, encrypted access token (AES-GCM at rest) | Let the runner clone, push, and open PRs on your behalf — only when you explicitly connect at /settings |
| Audit log | Who did what, when (account exports, deletions, integration connect/disconnect, billing actions, pairing events) | Compliance, customer support, debugging |
| Operational | IP addresses (rate limiting only, in-memory), user agent, request timestamps for the cloud control plane | Abuse prevention; security |
| Error telemetry | Stack traces, error messages, route paths, environment tag (NOT request bodies, NOT cookie values) | Detect and fix bugs that hit your account |
| Mobile push (Pipemason app) | Expo push token (backed by Apple Push Notification service on iOS / Firebase Cloud Messaging on Android) — a delivery address, not a tracking identifier | Send notifications when your runs or programs change state, only if you enable them. Per-event controls live in Settings → Notifications; removed on sign-out. Lawful basis: consent |
| Mobile analytics (Pipemason app) | Firebase Analytics — a pseudonymous app-instance id, screen views, and non-PII interaction events (screen names, run/program status enums, counts). No emails, names, tokens, or run content. | Understand which features are used and improve the app; disabled in dev/E2E builds. Lawful basis: legitimate interest |
| Mobile crash diagnostics (Pipemason app) | Firebase Crashlytics — crash stack traces, device/OS model, and your opaque Clerk user id for attribution. No PII payloads. | Detect and fix crashes. Lawful basis: legitimate interest |
3. What we don't collect
- Your source code. The runner executes on your machine; we never receive repository contents.
- Your environment variables, .env files, or secrets. These stay on your hardware.
- Your provider key. The runner reads your Anthropic key (Claude) or Cursor key (Cursor) from your local environment and uses it directly with that provider. We never proxy or store it.
- Advertising IDs or ad trackers. We don't run ads or ad networks and never request the advertising identifier (IDFA / GAID). The Pipemason mobile app does use Firebase Analytics (a pseudonymous app-instance id) and Crashlytics — product analytics and crash reporting, not advertising; see the data table and sub-processors.
- Your full IP address in logs. IPs are used in memory for rate limiting and discarded; they aren't persisted with run records.
4. Sub-processors
We rely on the following service providers. Each has its own privacy policy linked.
| Provider | Purpose | Data shared |
|---|---|---|
| Cloudflare | Hosting (Workers, Pages), database (D1), object storage (R2), email routing | All cloud-side data above. Region: primarily US. |
| Clerk | Authentication (sign-in, session JWT, organization management) | Email, name, IP at sign-in, session metadata |
| Stripe | Payment processing, subscription management, sales tax computation | Billing data (Stripe is the card-of-record; we never see card numbers) |
| Sentry | Error and performance telemetry | Stack traces, route paths, environment tag, error messages |
| GitHub | OAuth (only when you connect) | Your GitHub user id + login, scopes you authorize |
| Expo (650 Industries) | Push notification delivery for the Pipemason mobile app | Your Expo push token + notification contents (title, short body, run/program id), relayed to APNs/FCM |
| Google (Firebase) | Mobile app analytics (Firebase Analytics) + crash reporting (Crashlytics) for the Pipemason app | Pseudonymous app-instance analytics id, screen/event data (non-PII), crash diagnostics, opaque Clerk user id |
We do not sell or share your data with advertisers, data brokers, or anyone else not listed above.
5. Where your data lives
The cloud control plane runs on Cloudflare's global edge network. Account data and run metadata are stored in Cloudflare D1 with the primary region in the United States; Workers and Pages serve from the edge nearest the request. Backups are managed by Cloudflare under their standard policy.
6. How long we keep it
- While you have an account: account, run, billing, integration, and audit data are kept indefinitely (you need them for the product to work).
- After account deletion (your trigger): we cascade-delete all of the above immediately. Stripe retains billing data per their own retention rules (typically 7 years for tax / fraud).
- Sentry telemetry: 90 days, per Sentry's default.
- Backups: Cloudflare D1 backups age out per Cloudflare's policy; we have no separate copy.
7. Your rights (GDPR, UK GDPR, CCPA)
You have, at no cost, the rights to:
- Access your data — export it as a single JSON file from Settings → Data & privacy → Export your data.
- Erase your data — click Delete account in the same panel. We cascade-delete in the same request.
- Rectify data — most fields are editable in your Clerk profile or the dashboard; for anything else, email [email protected].
- Restrict / object to processing — email us; we will process the request within 30 days.
- Data portability — the export above is in JSON.
- Lodge a complaint with your local data protection authority (for UK/EU users).
- California residents have equivalent CCPA rights (right to know, right to delete, right to non-discrimination). We do not sell personal information.
8. Legal basis for processing (GDPR users)
- Contract: account, run, billing data — required to deliver the service you signed up for.
- Legitimate interests: rate limiting, error telemetry, audit log — to keep the service secure and working. We've balanced these against your privacy and consider the impact minimal.
- Consent: the GitHub integration. You can revoke at any time at /settings or via your GitHub authorized-apps page.
- Legal obligation: tax records (Stripe handles most of this).
9. Cookies
We set only essential cookies on pipemason.com: the Clerk session cookie that keeps you signed in. We do not run analytics, advertising, or third-party tracking pixels. Stripe and GitHub set their own cookies on their own domains during checkout / OAuth flows; those are governed by their privacy policies. The cookie banner you see on first visit is informational.
10. Security
In summary: TLS in transit; AES-GCM application-layer encryption for stored OAuth tokens (in addition to Cloudflare D1's encryption-at-rest); rate limiting; audit logging; HMAC-signed CSRF state on OAuth callbacks; runner tokens stored as SHA-256 hashes (the plaintext only lives on your machine); webhook signature verification on incoming Stripe and Clerk events. No system is impenetrable — if you discover a vulnerability, please email [email protected] rather than disclosing it publicly.
11. Children
pipemason is a developer tool not directed at children. We do not knowingly collect data from anyone under 18. If you believe a child has signed up, email us and we'll delete the account.
12. Changes
When we materially change this policy we'll update the date at the top and email account holders before the change takes effect. The current version always lives at this URL.
13. Contact
Privacy questions, exercise-of-rights requests, or anything else about your data: [email protected].