1.Introduction
qPipe (“qPipe”, the “Service”) is a data pipeline platform provided by Qvalento Solutions AB, a company registered in Sweden (“Qvalento”, “Company”, “we”, “us”, or “our”).
qPipe lets customers connect their own advertising, analytics, and business platform accounts (such as ad platforms, web analytics tools, CRMs, and financial systems) and automatically transfer data from those platforms into a data warehouse that the customer designates and controls.
This Privacy Policy explains what information we collect, how we use it, on what legal basis, with whom we share it, how long we keep it, and the rights you have. It applies to:
- the qPipe application (the web application and its APIs),
- the qPipe website (qpipe.io), and
- our communications with you (support, notifications, and account emails).
We process personal data in accordance with the EU General Data Protection Regulation (“GDPR”) and applicable Swedish data protection law.
Contact for privacy matters:
- General support: support@qpipe.io
- Privacy, consent, and data subject requests: consent@qpipe.io
2.Who is responsible for your data (controller vs. processor)
qPipe handles two distinct categories of data, and our role differs for each:
2.1 Account and usage data — Qvalento as controller
For information about you as a user of qPipe (your account details, login information, billing details, support communications, and usage logs), Qvalento Solutions AB is the data controller. We decide how and why this data is processed, as described in this policy.
2.2 Pipeline data — Qvalento as processor
The Service exists to move data on behalf of our customers from third-party platforms into the customer’s own data warehouse (“Pipeline Data”). Pipeline Data may include advertising performance data, analytics data, CRM records, financial records, or any other data available from the connected source. Depending on the sources a customer connects, Pipeline Data may contain personal data (for example, contact details in a CRM export).
For Pipeline Data, the customer is the data controller and Qvalento acts as a data processor, processing the data only on the customer’s documented instructions — namely, extracting it from the sources the customer configured and loading it into the destinations the customer designated. We do not use Pipeline Data for our own purposes, we do not sell it, and we do not use it to train machine-learning models.
Our processing of Pipeline Data as a processor is governed by the qPipe Data Processing Agreement, which satisfies Article 28 GDPR and is incorporated into our Terms of Service — it applies automatically to every customer whose Pipeline Data includes personal data. Business customers who require an individually signed DPA can request one at consent@qpipe.io.
3.Information we collect
3.1 Information you provide
- Account information. When you register, we collect your name, email address, and authentication details. Sign-in is handled through our identity provider and supports email/password, Sign in with Google (Google OAuth), and passkeys/multi-factor authentication.
- Organization and billing information. Workspace (account) names, team membership and roles, subscription plan, and — where applicable — billing contact details and invoicing information.
- Third-party platform credentials. To connect a data source or destination, you provide authentication material for that platform: OAuth authorizations (access and refresh tokens), API keys, service account keys, or database connection details (host, port, username, password). See Section 5 for how these are protected.
- Configuration data. The data sources, report schemas, account selections, schedules, lookback windows, and destinations you configure.
- Communications. Messages you send to our support channels and your notification preferences.
3.2 Information collected automatically
- Usage and log data. We record metadata about pipeline runs (job status, start/end times, row counts, error categories and error messages, destination load results), credential health events (for example, that a token refresh failed — never the token itself), and application logs used for troubleshooting, security, and performance monitoring.
- Technical data. IP address, browser type, device information, and similar data collected when you access the application or website, including through cookies (see Section 10).
3.3 Pipeline Data (processed, not collected for ourselves)
When a scheduled or manual sync runs, the Service retrieves data from the connected source platform and writes it to the customer’s designated destination(s). This data passes through our infrastructure for the duration of the job. We retain only the operational metadata described in Section 3.2 (such as row counts and job status) — not the content of the transferred rows — beyond what is transiently necessary to complete the transfer.
3.4 Connected sources and destinations (generic)
qPipe supports a growing catalog of source integrations — including, by way of example, advertising platforms (such as Google Ads, Meta Ads, TikTok Ads, Microsoft Ads, Pinterest Ads, LinkedIn Ads), analytics and search tools (such as Google Analytics 4, Google Search Console), spreadsheets (such as Google Sheets), and CRM, finance, and other business systems — and additional sources added from time to time. The current list of supported integrations is available in the application.
Supported destinations include data warehouses and databases designated by the customer (for example Google BigQuery, ClickHouse, and PostgreSQL-compatible databases), and additional destinations added from time to time.
This Privacy Policy applies to all current and future integrations in the same way: we access only the data needed to perform the transfers you configure, using the credentials and permissions you grant.
4.How we use information and legal bases
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Provide the Service: run the pipelines you configure, extract data from your connected sources, and load it into your destinations | Credentials, configuration data, Pipeline Data | Performance of a contract (Art. 6(1)(b)); for Pipeline Data, processing on the controller’s instructions (Art. 28) |
| Create and manage your account, authenticate you (including Sign in with Google), and manage team membership and roles | Account information | Performance of a contract (Art. 6(1)(b)) |
| Monitor pipeline health, detect failures, and send failure notifications and digests you have configured | Usage and log data, notification preferences | Performance of a contract (Art. 6(1)(b)); legitimate interest in service reliability (Art. 6(1)(f)) |
| Maintain security: encrypt credentials, detect abuse and unauthorized access, audit credential events | Credentials (encrypted), usage and log data, technical data | Legitimate interest in securing the Service (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) |
| Provide customer support and respond to inquiries | Account information, communications, relevant log data | Performance of a contract (Art. 6(1)(b)); legitimate interest (Art. 6(1)(f)) |
| Billing and administration of subscriptions | Account and billing information | Performance of a contract (Art. 6(1)(b)); legal obligation (bookkeeping) (Art. 6(1)(c)) |
| Improve and develop the Service (aggregate, de-identified usage statistics) | Usage data | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations and respond to lawful requests | As required | Legal obligation (Art. 6(1)(c)) |
We do not use your data for advertising, we do not sell or rent personal data, and we do not use Pipeline Data or data obtained through connected platform APIs to train artificial-intelligence or machine-learning models.
5.How credentials are protected
Because platform credentials are the most sensitive data we hold, they receive specific safeguards:
- Encryption at rest. All OAuth tokens, API keys, service account keys, and database connection details are encrypted with AES-256-GCM before storage. The encryption key is held separately from the database and is never stored alongside the encrypted data.
- Never exposed. Decrypted credential material never appears in API responses, application logs, error messages, or notifications.
- Owner-only access. Credentials belong to the individual user who created them. A credential owner can allow teammates to use a credential by name when configuring pipelines, but other users can never view, export, or copy the underlying secret. Access controls are enforced at the database layer (row-level security).
- Scoped access. OAuth authorizations request only the scopes needed for the integration (for example, read-only scopes where the platform offers them). Tokens are refreshed automatically and used solely to perform the transfers you configure.
- Revocable at any time. You can delete credentials in qPipe, and you can additionally revoke qPipe’s access directly in the third-party platform (see Section 9).
6.Google user data
This section applies when you use Google-related features: Sign in with Google, and Google source or destination integrations (for example Google Ads, Google Analytics 4, Google Search Console, Google Sheets, and Google BigQuery).
6.1 What we access
- Sign in with Google: your basic Google profile information (name, email address, profile picture) to create and authenticate your qPipe account.
- Google integrations: when you connect a Google service as a data source or destination, we request OAuth scopes specific to that service (for example, read-only access to your Analytics data, your Search Console data, or a spreadsheet; or access to load data into your BigQuery project). The consent screen shows exactly which scopes are requested before you approve.
6.2 How we use it
Google user data is used only to provide the features you configured: authenticating your sign-in, listing the accounts/properties/resources you may select, extracting the data you asked qPipe to extract, and loading data into the Google destination you designated. We do not use Google user data for advertising, and we do not sell it.
6.3 Limited Use disclosure (required by Google)
qPipe’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
6.4 Storage and revocation
Google OAuth tokens are stored encrypted as described in Section 5 and refreshed automatically. Data retrieved from Google APIs is transferred to your designated destination and is not retained by qPipe beyond operational metadata (Section 3.2). You can revoke qPipe’s access to your Google account at any time via your Google Account security settings, in addition to deleting the credential inside qPipe.
7.Data sharing and disclosure
We do not sell, trade, or rent personal data. We share information only in these circumstances:
- Your designated destinations. The core function of the Service is to transfer Pipeline Data to the warehouse(s) and storage locations you configure. Once loaded, that data is under your control and governed by your own policies and those of your warehouse provider.
- Connected source platforms. To perform extractions, we send your credentials/tokens to the respective platform’s API, as authorized by you.
- Sub-processors and service providers. We use vetted third-party providers to operate the Service — including cloud infrastructure and hosting, managed database services, identity/authentication services, and email delivery services. These providers process data only on our instructions and under data protection agreements. The current list of sub-processors is published at qpipe.io/subprocessors.
- Within your team. Members of a qPipe account can see the configurations, job history, and metadata of that account according to their role (owner, editor, or viewer). Credential secrets are never visible to anyone but their owner.
- Legal requirements. We may disclose information where required by law, regulation, legal process, or enforceable governmental request, or where necessary to protect our rights, users, or the public.
- Business transfers. If Qvalento is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction, subject to this policy’s protections and notice to you.
8.International transfers
Qvalento Solutions AB is based in Sweden, and we host the Service in the European Union where feasible. Some of our sub-processors may process data outside the EU/EEA (for example in the United States). Where that happens, we rely on appropriate safeguards under GDPR Chapter V — such as the European Commission’s Standard Contractual Clauses and/or adequacy decisions (including the EU–US Data Privacy Framework where the provider is certified).
Note that you choose where your destination warehouse is located. If you configure a destination outside the EU/EEA, the transfer of Pipeline Data to that destination is made under your instruction and responsibility as controller.
9.Data retention and deletion
- Credentials. Retained (encrypted) until you delete them or delete your account. Deleting a credential removes the encrypted secret. You can also revoke qPipe’s access at the platform level (for example, in your Google, Meta, or Microsoft security settings), which immediately invalidates the token regardless of what is stored.
- Pipeline Data. Not retained. Data passes through our infrastructure only for the duration of a transfer job; only operational metadata (job status, timing, row counts, error categories) is kept afterwards.
- Job history and logs. Retained for as long as needed for troubleshooting, reliability monitoring, and demonstrating service performance, and periodically pruned.
- Account data. Retained while your account is active. When you delete your account (or request deletion at consent@qpipe.io), we delete or anonymize your personal data without undue delay, except where retention is required by law (for example, Swedish bookkeeping rules require accounting records to be kept for seven years).
- Support communications. Retained as long as needed to handle the matter and for a reasonable period thereafter.
11.Your rights
If you are in the EU/EEA (and in many other jurisdictions), you have the right to:
- Access the personal data we hold about you (Art. 15 GDPR);
- Rectify inaccurate or incomplete data (Art. 16);
- Erase your data (“right to be forgotten”) (Art. 17);
- Restrict processing in certain circumstances (Art. 18);
- Data portability — receive your data in a structured, machine-readable format (Art. 20);
- Object to processing based on legitimate interests (Art. 21);
- Withdraw consent at any time, where processing is based on consent, without affecting prior processing (Art. 7(3)).
To exercise any of these rights, contact consent@qpipe.io. We will respond within one month as required by GDPR. We may need to verify your identity before acting on a request.
If your request concerns Pipeline Data for which one of our customers is the controller, we will refer your request to that customer and assist them in responding, as required by our processor obligations.
You also have the right to lodge a complaint with a supervisory authority. In Sweden this is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY), www.imy.se. You may also complain to the authority in your country of residence or workplace.
12.Data security
We apply technical and organizational measures appropriate to the risk, including: encryption of credentials at rest (AES-256-GCM) and encryption of data in transit (TLS), row-level security and tenant isolation at the database layer, role-based access control, least-privilege and hashed API tokens, proactive credential-health monitoring, and audit logging of credential events. No method of transmission or storage is 100% secure, but we work continuously to protect your information, and we will notify you and the relevant authorities of any personal data breach as required by Articles 33–34 GDPR.
13.Children
The Service is intended for business use and is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact consent@qpipe.io and we will delete it.
14.Changes to this Privacy Policy
We may update this Privacy Policy from time to time — for example when we add integrations, sub-processors, or features. The “Last updated” date at the top will always reflect the latest version. For material changes, we will provide notice through the Service or by email before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
15.Contact
Qvalento Solutions AB
Organization number: 559216-3306
VAT: SE559216330601
Andra Långgatan 19
413 28 Gothenburg
Sweden
- Support: support@qpipe.io
- Privacy, consent & data subject requests: consent@qpipe.io
- Website: https://www.qvalento.com