Privacy Policy
Effective date: 2026-06-02
This Privacy Policy explains how PK Digital (“Firepipe”, “we”, “us”) collects, uses, stores, shares, and protects personal data when you visit firepipe.io, create an account, or use the Firepipe SFTP gateway and dashboard (the “Service”). We are the data controller for the personal data described in this policy, your account, billing, and analytics data, which we process for our own purposes. For the operational data we process on your behalf to run the Service for you, your SFTP usernames, audit/access logs, the metadata index, and the encrypted bucket credentials you give us, we act as your data processor, and those terms are set out in our Data Processing Agreement.
1. A note on your files
Firepipe is a bring-your-own-bucket service. The files transferred through the Service are stored in your own cloud storage bucket (Amazon S3, Azure Blob, Google Cloud Storage, or an S3-compatible store such as Cloudflare R2). We do not copy, retain, or take ownership of your file contents; bytes are streamed between SFTP clients and your bucket and are not stored on our infrastructure. We connect to your bucket using least-privilege, scoped credentials: for Amazon S3, a cross-account IAM role you control (we store no access keys); for Azure Blob, Google Cloud Storage, and S3-compatible stores, a scoped credential you provide, which we store encrypted at rest. Where you enable it, we also maintain a metadata index (file names, paths, sizes, timestamps) to serve fast directory listings.
2. Personal data we collect
2.1 Account & profile data
When you sign up or sign in, we collect:
- Your name and email address;
- Authentication data (a hashed password, or a federated identity such as Google, see §3);
- Your organisation/tenant and role within it.
2.2 Service configuration & operational data
- Storage target configuration (bucket name, region; for Amazon S3 a role ARN / external ID with no secret keys; for S3-compatible stores, an access key you provide that we store encrypted at rest);
- The SFTP users you create (usernames, hashed passwords, SSH public keys, path prefixes);
- Audit and metrics data: connection events, authentication successes/failures, file transfer events (operation, path, byte counts, timestamps), and source IP addresses.
2.3 Technical data, cookies, and analytics
We collect standard server logs (IP address, browser/user-agent, timestamps, pages requested) to operate and secure the Service. On our website and dashboard we also use Google Analytics 4 and Google Ads (provided by Google) to understand usage and measure the effectiveness of our advertising. These set cookies and similar identifiers on your device and share data with Google (such as a pseudonymous identifier, pages viewed, and ad-click information).
These analytics and advertising cookies are not strictly necessary, so we
set them only after you consent through our cookie banner. We use Google
Consent Mode: until you accept, Google's tags are held in a “denied” state and do not store
these cookies. You can change or withdraw your choice at any time using your browser's cookie
controls (clearing the fp-consent value re-shows the banner). Strictly necessary
cookies required to run the Service, such as authentication/session cookies, are always set
and do not require consent.
3. Google Sign-In and Google user data
If you choose to sign in with Google, we use Google OAuth solely to authenticate you. We request only basic profile scopes and receive from Google:
- your email address,
- your basic profile information (name and profile picture), and
- your Google account identifier.
We use this Google data only to create and secure your Firepipe account, identify you at sign-in, and contact you about the Service. We do not request access to your Gmail, Google Drive, Calendar, Contacts, or any other Google service, and we do not read your files in Google services.
Firepipe's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not sell Google user data, do not use it for advertising, and do not transfer it to third parties except as necessary to provide or improve the Service, for security, or to comply with law. You can revoke Firepipe's access at any time from your Google Account permissions page.
4. How we use personal data
- To provide, operate, and secure the Service and authenticate you;
- To connect to the storage target you configure and serve directory listings and transfers;
- To produce audit logs and usage metrics shown in your dashboard and to detect abuse;
- To meter usage for billing;
- To communicate with you about your account, security, and material changes to the Service;
- To comply with legal obligations.
Our legal bases (where UK/EU GDPR applies) are performance of our contract with you, our legitimate interests in operating and securing the Service, your consent (where requested), and compliance with legal obligations.
5. How we share data
We do not sell your personal data. We share it only with:
- Sub-processors that help us run the Service (e.g. our identity/authentication and database provider, and our hosting providers), under contracts requiring appropriate safeguards;
- Analytics and advertising providers (Google), where you have consented to analytics/advertising cookies, see §2.3;
- Your own cloud provider, when we connect to the bucket you configure;
- Authorities or third parties where required by law or to protect rights, safety, and the integrity of the Service.
6. International transfers
We host the control plane in the European Union and operate data-plane gateways in regional hubs. Where personal data is transferred outside your region, we rely on appropriate safeguards such as Standard Contractual Clauses.
7. Data retention
We keep account and configuration data for as long as your account is active. Audit and metrics data are retained for a limited period appropriate to security and compliance needs and then deleted or aggregated. When you close your account, we delete or anonymise your personal data within a reasonable period, except where we must retain it to comply with legal obligations. Deleting a storage target revokes our access; your files remain in your own bucket under your control.
8. Your rights
Depending on your location, you may have the right to access, correct, delete, export, or restrict processing of your personal data, and to object to processing or withdraw consent. To exercise any of these rights, including requesting deletion of your account and associated data, including any data obtained via Google Sign-In, email us at [email protected]. We will respond within the timeframe required by applicable law. You also have the right to lodge a complaint with your local data protection authority.
9. Security
We protect data with encryption in transit, hashing of credentials (argon2id for SFTP user passwords), envelope encryption for any static secrets we must hold, scoped least-privilege access to your bucket, and access controls and logging on our systems. No method of transmission or storage is completely secure, but we work to protect your data and to promptly address vulnerabilities. Report security concerns to [email protected].
10. Children
The Service is intended for businesses and is not directed to individuals under 16. We do not knowingly collect personal data from children.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version here with a new effective date and, for material changes, notify you through the Service or by email.
12. Contact us
PK Digital
Privacy enquiries: [email protected]