1. Introduction
PipData GmbH ("PipData," "we," "us," or "our") operates the website pipdata.net and provides institutional-grade Forex market data services via WebSocket and REST API. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services.
As a company registered and operating in Germany, we are subject to the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the German Telemedia Act (TMG). We take your privacy seriously and are committed to processing your personal data lawfully, fairly, and transparently.
Please read this policy carefully. By accessing or using our services, you acknowledge that you have read and understood the practices described herein. If you do not agree with this policy, please do not use our services.
2. Information We Collect
We collect information that is necessary to provide and improve our services. We do not collect more data than is required for the stated purposes.
Account Information
When you register for a PipData account, we collect:
- Full name
- Email address
- Company name (optional)
- Country of residence or business registration
API Usage Data
To ensure service quality, security, and fair usage compliance, we automatically collect:
- API endpoint calls (method, path, timestamp)
- Request volume and frequency per API key
- WebSocket connection events (connect, disconnect, duration)
- Error codes and response status codes
- Subscribed data streams and currency pairs
Payment Reference Data
We accept payments exclusively in USDT cryptocurrency. We collect:
- Transaction hash (TX hash) provided by you upon payment
- Wallet address used for the transaction (for verification and refund purposes)
- Payment amount and date
We do not store any credit card numbers, bank account details, or other traditional financial credentials. No payment processing middlemen have access to personal data beyond what is stated here.
Technical Logs
Our servers and infrastructure automatically record:
- IP addresses (for security and abuse prevention)
- Browser type and version
- Operating system
- Referring URLs
- Timestamps of all requests
- HTTP headers (excluding sensitive values)
3. How We Use Your Information
We use the information we collect for the following purposes:
Service Delivery
- Creating and managing your account
- Generating and delivering API keys
- Providing access to our WebSocket and REST API data feeds
- Sending service-critical notifications (outages, planned maintenance, changes)
- Responding to support requests
Billing and Account Management
- Verifying subscription payments
- Issuing invoices and receipts
- Processing refund requests under our Refund Policy
- Enforcing subscription tier limits and rate limits
Security
- Detecting and preventing unauthorized access
- Identifying abuse or violations of our Terms of Service
- Rate-limit enforcement and DDoS mitigation
- IP-based access controls at your request
Analytics and Service Improvement
- Aggregated, anonymized usage analytics to understand which features are most used
- Performance monitoring and infrastructure capacity planning
- Identifying and resolving technical issues
We do not use your data for advertising, sell it to third parties, or use it to build marketing profiles.
4. Legal Basis for Processing (GDPR)
Under the GDPR, we must have a lawful basis for each processing activity. Our legal bases are:
Contract Performance — Art. 6(1)(b) GDPR
Processing is necessary for the performance of the contract between you and PipData GmbH. This includes account registration, API key management, service delivery, billing, and subscription enforcement.
Legitimate Interest — Art. 6(1)(f) GDPR
Processing is necessary for our legitimate interests, provided those interests are not overridden by your rights. This includes security logging, abuse detection, anonymized analytics, and service improvement. You may object to processing based on this ground at any time (see Section 8).
Consent — Art. 6(1)(a) GDPR
Where we rely on your consent (e.g., for optional marketing communications), we will ask for your explicit agreement. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
Legal Obligation — Art. 6(1)(c) GDPR
Where we are required to process data to comply with German or EU law — for example, retaining financial records for 10 years under the German Commercial Code (HGB) — we process data on this basis.
5. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law.
Account Data
Account information (name, email, account preferences) is retained for 3 years after the termination or expiry of your last active subscription, unless you request earlier deletion and no legal retention obligation applies.
API Usage Logs
Detailed API request logs are retained for 12 months on a rolling basis. After this period, they are permanently deleted or anonymized for aggregate statistical purposes.
Financial Records
Invoice data and payment records are retained for 10 years from the date of the transaction, as required by §257 of the German Commercial Code (HGB) and §147 of the German Fiscal Code (AO). This legal obligation overrides any erasure request for financial documentation.
Security Logs
Security-relevant logs (failed authentication attempts, suspicious activity) are retained for 6 months and then deleted.
6. Third-Party Services
We use a limited number of trusted third-party services. We do not sell your data to any third party under any circumstances.
Formspree
We use Formspree to process contact form submissions on our website. Formspree processes submitted data (name, email, message) on EU-based servers and is GDPR-compliant. Their privacy policy is available at formspree.io. Data is used solely to respond to your enquiry and is not retained beyond operational necessity.
Cloudflare
We use Cloudflare for content delivery (CDN), DDoS protection, and DNS. Cloudflare processes network-level data (IP addresses, request headers) as a data processor acting on our behalf. Cloudflare is GDPR-compliant, participates in the EU-U.S. Data Privacy Framework, and processes EU visitor data in European data centers where feasible. Their privacy policy is at cloudflare.com.
No Data Sales
We never sell, rent, or otherwise commercially share your personal data with any third party for their own marketing or commercial purposes.
7. International Data Transfers
PipData GmbH is headquartered in Berlin, Germany. Our primary servers and infrastructure are located within the European Union (EU) and European Economic Area (EEA). We prioritize keeping your data within the EU/EEA wherever possible.
Transfers Outside the EU/EEA
In circumstances where data must be transferred to countries outside the EU/EEA (for example, via certain Cloudflare nodes or support tools), we ensure that such transfers are protected by one or more of the following safeguards:
- EU Standard Contractual Clauses (SCCs) — as approved by the European Commission under Art. 46(2)(c) GDPR
- Adequacy decisions — transfers to countries recognized by the European Commission as providing an adequate level of data protection
- EU-U.S. Data Privacy Framework — for transfers to certified U.S. organizations
You may request a copy of the applicable safeguards by contacting us at support@pipdata.net.
8. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights regarding your personal data. To exercise any of these rights, please contact us at support@pipdata.net. We will respond within 30 days.
1. Right of Access — Art. 15 GDPR
You have the right to obtain confirmation of whether we process personal data about you, and to receive a copy of that data along with information about how and why it is processed.
2. Right to Rectification — Art. 16 GDPR
You have the right to have inaccurate personal data corrected, and incomplete data completed, without undue delay.
3. Right to Erasure ("Right to be Forgotten") — Art. 17 GDPR
You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent and no other legal basis applies. Note: legally mandated retention periods (e.g., financial records) may prevent full erasure.
4. Right to Data Portability — Art. 20 GDPR
You have the right to receive personal data you have provided to us in a structured, commonly used, machine-readable format (e.g., JSON or CSV), and to transmit that data to another controller.
5. Right to Object — Art. 21 GDPR
You have the right to object to processing of your personal data where we rely on legitimate interests (Art. 6(1)(f)) as the legal basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
6. Right to Restriction of Processing — Art. 18 GDPR
You have the right to request that we restrict (pause) the processing of your personal data in certain circumstances — for example, while we verify the accuracy of data you have contested.
7. Right to Withdraw Consent — Art. 7 GDPR
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
8. Right to Lodge a Complaint — Art. 77 GDPR
You have the right to lodge a complaint with a supervisory authority if you believe our processing violates the GDPR. The competent authority for PipData GmbH is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219, 10969 Berlin, Germany
Website: datenschutz-berlin.de
9. Cookies
We use a minimal, privacy-respecting approach to cookies on pipdata.net.
Session Cookies (Necessary)
We use session cookies that are strictly necessary for the operation of the website — for example, to maintain your login state. These cookies expire at the end of your browser session. They do not track you across websites and cannot be disabled without breaking core functionality.
No Tracking Cookies
We do not use cookies to track your browsing behavior across the internet. We do not deploy Google Analytics, Facebook Pixel, or any other behavioral advertising or third-party tracking technologies.
No Marketing Cookies
We do not use cookies for marketing retargeting or profiling purposes.
Because we do not use non-essential cookies, we do not display a cookie consent banner. If this changes, we will update this policy and implement appropriate consent mechanisms.
10. Security
We implement industry-standard technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, or destruction.
Technical Measures
- TLS 1.3 encryption for all data in transit between clients and our servers
- API key hashing — API keys are stored as irreversible cryptographic hashes; the plaintext key is shown only once, at generation
- IP whitelisting — subscribers may restrict API access to specific IP addresses or CIDR ranges
- No plaintext password storage — passwords are hashed using bcrypt with appropriate cost factors
- Encryption at rest for database volumes containing personal data
- Regular security audits and penetration testing
Organizational Measures
- Access to personal data is restricted to personnel who require it for their role
- All staff handling personal data are trained in data protection obligations
- Data breach notification procedures are in place per Art. 33–34 GDPR
In the event of a data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected data subjects without undue delay.
11. Children
Our services are intended exclusively for business and professional use. PipData's Forex market data API is not directed at, and is not intended for use by, individuals under the age of 18 years.
We do not knowingly collect personal data from children. If we become aware that personal data from a person under 18 has been collected without parental consent, we will take prompt steps to delete that information. If you believe we have collected data from a minor, please contact us immediately at support@pipdata.net.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. When we make changes, we will:
- Update the "Last updated" date at the top of this page
- Send an email notification to all active subscribers for any material changes that affect how your data is used
- Where required by GDPR, seek fresh consent
We encourage you to review this page periodically. Your continued use of our services after changes take effect constitutes acceptance of the updated policy, subject to any consent requirements under applicable law.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
PipData GmbH
Kurfürstendamm 21, 10719 Berlin, Germany
+49 30 12345678
We aim to respond to all enquiries within 30 days. For data subject rights requests, please include sufficient information to verify your identity.