Last updated: 2026-05-05
Pidgin ("we", "us") respects your privacy. This policy describes what data
we collect, how we use it, and your choices.
1. Data we collect
When you sign up via GitHub OAuth:
- Your GitHub user ID, login, and primary verified email address (if you grant permission)
- The subdomain you chose
- Account creation timestamp
When you create API keys:
- The key name you chose
- A SHA-256 hash of the key (we never store the plaintext)
- The first 8 characters of the key body, for display
- Last-used timestamp
When you upload artifacts:
- The artifact bytes themselves, stored in Cloudflare R2
- Filename, content type, size, version, upload timestamp
- A random privacy slug (generated server-side) used in the public URL
When you visit the Service:
- Standard HTTP request logs (IP address, user agent, requested URL, response status, timestamp), retained by Cloudflare per their default settings
- A signed session cookie (HttpOnly, Secure, scoped to pidgin.sh)
If you become a paid customer (when paid plans are available):
- Your Stripe customer ID. Payment details are handled by Stripe; we never see your card.
2. How we use it
- To run the Service (authenticate you, serve your artifacts, enforce plan limits)
- To bill you (paid plans only)
- To respond to abuse reports and law enforcement requests
- To detect and prevent fraud, abuse, and security incidents
- To improve the Service (aggregate usage analysis only)
We do not sell your data. We do not run advertising. We do not use your
uploaded content to train machine learning models.
3. Who we share it with
- Cloudflare: hosting, CDN, storage (R2), database (D1)
- GitHub: OAuth identity verification
- Stripe: payment processing (paid plans only)
- Law enforcement, when legally compelled by valid process
CSAM detected by Cloudflare's scanning service is reported to the National
Center for Missing & Exploited Children (NCMEC) as required by US law.
4. Retention
- Account data: kept while your account is active
- Uploaded artifacts: kept while you keep them; deleted when you delete them; older versions garbage-collected per plan
- Standard request logs: per Cloudflare's defaults (typically a few hours to a few days)
- Abuse reports: kept for 2 years after resolution
- Account closure: account data and remaining artifacts are deleted within 30 days, except where retention is legally required
5. Your rights
You can:
- Export your account and artifact metadata (contact privacy@pidgin.sh)
- Delete your artifacts at any time from the dashboard or API
- Close your account at any time
- Request correction of inaccurate data
- Object to processing or request restriction (under GDPR, where applicable)
If you're in the EU, EEA, UK, or California, you have additional rights under
GDPR, UK GDPR, or the CCPA. Contact privacy@pidgin.sh to exercise them.
6. Security
We use industry-standard practices: HTTPS for all traffic, hashed
credentials, scoped session cookies, signed and constant-time-compared API
keys. No system is perfectly secure; if you discover a vulnerability, please
report it to security@pidgin.sh.
7. Age requirement
Pidgin is not intended for children under 13. We do not knowingly collect
personal information from children under 13. If we learn we have, we will
delete it.
8. Changes
We may update this policy. Material changes will be announced at least 30
days before taking effect.
9. Contact
privacy@pidgin.sh