← Back to home

Privacy Policy

Effective date: 2026-06-02

This Privacy Policy explains how PK Digital (“Firepipe”, “we”, “us”) collects, uses, stores, shares, and protects personal data when you visit firepipe.io, create an account, or use the Firepipe SFTP/FTPS gateway and dashboard (the “Service”). We are the data controller for the personal data described here.

1. A note on your files

Firepipe is a bring-your-own-bucket service. The files transferred through the Service are stored in your own cloud storage bucket (Amazon S3, or an S3-compatible store such as Cloudflare R2). We do not copy, retain, or take ownership of your file contents; bytes are streamed between SFTP clients and your bucket and are not stored on our infrastructure. We connect to your bucket using least-privilege, scoped credentials: for Amazon S3, a cross-account IAM role you control (we store no access keys); for S3-compatible stores, a scoped access key you provide, which we store encrypted at rest. Where you enable it, we also maintain a metadata index (file names, paths, sizes, timestamps) to serve fast directory listings.

2. Personal data we collect

2.1 Account & profile data

When you sign up or sign in, we collect:

  • Your name and email address;
  • Authentication data (a hashed password, or a federated identity such as Google — see §3);
  • Your organisation/tenant and role within it.

2.2 Service configuration & operational data

  • Storage target configuration (bucket name, region; for Amazon S3 a role ARN / external ID with no secret keys; for S3-compatible stores, an access key you provide that we store encrypted at rest);
  • The SFTP users you create (usernames, hashed passwords, SSH public keys, path prefixes);
  • Audit and metrics data: connection events, authentication successes/failures, file transfer events (operation, path, byte counts, timestamps), and source IP addresses.

2.3 Technical data

Standard server logs and limited analytics (IP address, browser/user-agent, timestamps, pages requested) collected to operate and secure the Service.

3. Google Sign-In and Google user data

If you choose to sign in with Google, we use Google OAuth solely to authenticate you. We request only basic profile scopes and receive from Google:

  • your email address,
  • your basic profile information (name and profile picture), and
  • your Google account identifier.

We use this Google data only to create and secure your Firepipe account, identify you at sign-in, and contact you about the Service. We do not request access to your Gmail, Google Drive, Calendar, Contacts, or any other Google service, and we do not read your files in Google services.

Firepipe's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not sell Google user data, do not use it for advertising, and do not transfer it to third parties except as necessary to provide or improve the Service, for security, or to comply with law. You can revoke Firepipe's access at any time from your Google Account permissions page.

4. How we use personal data

  • To provide, operate, and secure the Service and authenticate you;
  • To connect to the storage target you configure and serve directory listings and transfers;
  • To produce audit logs and usage metrics shown in your dashboard and to detect abuse;
  • To meter usage for billing;
  • To communicate with you about your account, security, and material changes to the Service;
  • To comply with legal obligations.

Our legal bases (where UK/EU GDPR applies) are performance of our contract with you, our legitimate interests in operating and securing the Service, your consent (where requested), and compliance with legal obligations.

5. How we share data

We do not sell your personal data. We share it only with:

  • Sub-processors that help us run the Service (e.g. our identity/authentication and database provider, and our hosting providers), under contracts requiring appropriate safeguards;
  • Your own cloud provider, when we connect to the bucket you configure;
  • Authorities or third parties where required by law or to protect rights, safety, and the integrity of the Service.

6. International transfers

We host the control plane in the European Union and operate data-plane gateways in regional hubs. Where personal data is transferred outside your region, we rely on appropriate safeguards such as Standard Contractual Clauses.

7. Data retention

We keep account and configuration data for as long as your account is active. Audit and metrics data are retained for a limited period appropriate to security and compliance needs and then deleted or aggregated. When you close your account, we delete or anonymise your personal data within a reasonable period, except where we must retain it to comply with legal obligations. Deleting a storage target revokes our access; your files remain in your own bucket under your control.

8. Your rights

Depending on your location, you may have the right to access, correct, delete, export, or restrict processing of your personal data, and to object to processing or withdraw consent. To exercise any of these rights — including requesting deletion of your account and associated data, including any data obtained via Google Sign-In — email us at privacy@firepipe.io. We will respond within the timeframe required by applicable law. You also have the right to lodge a complaint with your local data protection authority.

9. Security

We protect data with encryption in transit, hashing of credentials (argon2id for SFTP user passwords), envelope encryption for any static secrets we must hold, scoped least-privilege access to your bucket, and access controls and logging on our systems. No method of transmission or storage is completely secure, but we work to protect your data and to promptly address vulnerabilities. Report security concerns to security@firepipe.io.

10. Children

The Service is intended for businesses and is not directed to individuals under 16. We do not knowingly collect personal data from children.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version here with a new effective date and, for material changes, notify you through the Service or by email.

12. Contact us

PK Digital
Privacy enquiries: privacy@firepipe.io