Privacy Policy
Last updated: 2026-05-09
This policy describes what data pipemason (operated by CrashBytes) collects, why, who it's shared with, and how you control it. The TL;DR: your source code never leaves your machine. We hold metadata about your pipeline runs so the dashboard and live monitor work; everything else is BYO (Bring Your Own).
1. Who we are
pipemason is operated by Blackhole Software, LLC, doing business as CrashBytes. References to “we,” “us,” or “pipemason” in this policy mean Blackhole Software, LLC. Our mailing address is available on request via [email protected].
2. What we collect (and why)
| Category | Examples | Why |
|---|---|---|
| Account | Email, Clerk user id, organization id, role | Authenticate you; scope your runs to your org |
| Run metadata | Run id, ticket reference, branch name, phase + status, iteration counts, agent names, timestamps, failure classes | Render the dashboard and live monitor; enforce per-plan run limits |
| Run events | Mirror of the runner's iterations.log: per-step JSON event objects (event type, phase, agent, outcome, duration, optional notes) | Stream to your dashboard in real time; replay history |
| Billing | Stripe customer id, subscription id, plan, seat count, billing cycle, last 4 of card (held by Stripe) | Charge you, enforce plan, surface invoices |
| GitHub integration | GitHub user id + login, OAuth scopes, encrypted access token (AES-GCM at rest) | Let the runner clone, push, and open PRs on your behalf — only when you explicitly connect at /settings |
| Audit log | Who did what, when (account exports, deletions, integration connect/disconnect, billing actions, pairing events) | Compliance, customer support, debugging |
| Operational | IP addresses (rate limiting only, in-memory), user agent, request timestamps for the cloud control plane | Abuse prevention; security |
| Error telemetry | Stack traces, error messages, route paths, environment tag (NOT request bodies, NOT cookie values) | Detect and fix bugs that hit your account |
3. What we don't collect
- Your source code. The runner executes on your machine; we never receive repository contents.
- Your environment variables, .env files, or secrets. These stay on your hardware.
- Your Anthropic API key. The runner reads it from your local environment and uses it directly with Anthropic. We never proxy or store it.
- Tracking cookies, ad cookies, or analytics IDs. We don't run ads or third-party trackers.
- Your full IP address in logs. IPs are used in memory for rate limiting and discarded; they aren't persisted with run records.
4. Sub-processors
We rely on the following service providers. Each has its own privacy policy linked.
| Provider | Purpose | Data shared |
|---|---|---|
| Cloudflare | Hosting (Workers, Pages), database (D1), object storage (R2), email routing | All cloud-side data above. Region: primarily US. |
| Clerk | Authentication (sign-in, session JWT, organization management) | Email, name, IP at sign-in, session metadata |
| Stripe | Payment processing, subscription management, sales tax computation | Billing data (Stripe is the card-of-record; we never see card numbers) |
| Sentry | Error and performance telemetry | Stack traces, route paths, environment tag, error messages |
| GitHub | OAuth (only when you connect) | Your GitHub user id + login, scopes you authorize |
We do not sell or share your data with advertisers, data brokers, or anyone else not listed above.
5. Where your data lives
The cloud control plane runs on Cloudflare's global edge network. Account data and run metadata are stored in Cloudflare D1 with the primary region in the United States; Workers and Pages serve from the edge nearest the request. Backups are managed by Cloudflare under their standard policy.
6. How long we keep it
- While you have an account: account, run, billing, integration, and audit data are kept indefinitely (you need them for the product to work).
- After account deletion (your trigger): we cascade-delete all of the above immediately. Stripe retains billing data per their own retention rules (typically 7 years for tax / fraud).
- Sentry telemetry: 90 days, per Sentry's default.
- Backups: Cloudflare D1 backups age out per Cloudflare's policy; we have no separate copy.
7. Your rights (GDPR, UK GDPR, CCPA)
You have, at no cost, the rights to:
- Access your data — export it as a single JSON file from Settings → Data & privacy → Export your data.
- Erase your data — click Delete account in the same panel. We cascade-delete in the same request.
- Rectify data — most fields are editable in your Clerk profile or the dashboard; for anything else, email [email protected].
- Restrict / object to processing — email us; we will process the request within 30 days.
- Data portability — the export above is in JSON.
- Lodge a complaint with your local data protection authority (for UK/EU users).
- California residents have equivalent CCPA rights (right to know, right to delete, right to non-discrimination). We do not sell personal information.
8. Legal basis for processing (GDPR users)
- Contract: account, run, billing data — required to deliver the service you signed up for.
- Legitimate interests: rate limiting, error telemetry, audit log — to keep the service secure and working. We've balanced these against your privacy and consider the impact minimal.
- Consent: the GitHub integration. You can revoke at any time at /settings or via your GitHub authorized-apps page.
- Legal obligation: tax records (Stripe handles most of this).
9. Cookies
We set only essential cookies on pipemason.com: the Clerk session cookie that keeps you signed in. We do not run analytics, advertising, or third-party tracking pixels. Stripe and GitHub set their own cookies on their own domains during checkout / OAuth flows; those are governed by their privacy policies. The cookie banner you see on first visit is informational.
10. Security
In summary: TLS in transit; AES-GCM application-layer encryption for stored OAuth tokens (in addition to Cloudflare D1's encryption-at-rest); rate limiting; audit logging; HMAC-signed CSRF state on OAuth callbacks; runner tokens stored as SHA-256 hashes (the plaintext only lives on your machine); webhook signature verification on incoming Stripe and Clerk events. No system is impenetrable — if you discover a vulnerability, please email [email protected] rather than disclosing it publicly.
11. Children
pipemason is a developer tool not directed at children. We do not knowingly collect data from anyone under 18. If you believe a child has signed up, email us and we'll delete the account.
12. Changes
When we materially change this policy we'll update the date at the top and email account holders before the change takes effect. The current version always lives at this URL.
13. Contact
Privacy questions, exercise-of-rights requests, or anything else about your data: [email protected].