Last updated: 2026-06-08
Piperain Iris ("the App") is a calendar integration developed by Piperain ("we", "us") and operated for Piperain clients ("you", "the user"). This page describes what data the App collects, how it uses it, and your rights.
1. Who is operating the App
Piperain — simon@piperain.io — Netherlands.
2. Scope of the App
The App is exclusively used by Piperain clients to connect their work calendar (Google Calendar or Microsoft Outlook 365) to Piperain's internal lead management system. The App does NOT process data from end users (the prospects contacted by Piperain campaigns). It only processes data from authorized Piperain client accounts.
3. What data we access
When you authorize the App:
- Read-only access to your Google Calendar metadata via the scopes calendar.readonly and calendar.events.readonly. We do NOT request write access, and we never create, modify, or delete events on your calendar.
- Basic profile information (name, email address) via the openid, email, and profile scopes, to identify the connected account and display it in the App's interface.
4. What data we store
- OAuth refresh token and access token, encrypted at rest using 256-bit AES-GCM with an application-level key (defense in depth on top of Cloudflare KV's at-rest encryption). Used solely to keep your calendar connection alive without re-prompting you to log in.
- Calendar event metadata (event title, start/end time, attendee email addresses, status) for events whose attendees include a prospect that has been contacted by one of your Piperain campaigns. Events that have no overlap with your Piperain prospect base are filtered out at ingest and are never persisted (privacy filter).
- Your selected calendar identifier and connected account email, for display purposes.
We do NOT store, log, or transmit the content of any calendar event description, attachments, or any data unrelated to prospect attribution.
5. How we use this data
- To detect when a prospect contacted by your Piperain campaigns has booked a meeting on your calendar, and to attribute the booking to the originating campaign in your internal Piperain dashboard.
- To notify you (via your own internal Slack channel) when such bookings occur.
- To detect cancellations and rescheduling of these attributed meetings.
We do NOT use the data for advertising, profiling unrelated to campaign attribution, machine learning model training, or any other secondary purpose.
6. Data sharing
Calendar event data and OAuth tokens are accessed exclusively by Piperain personnel (Simon Tort) and the Piperain operational infrastructure (Cloudflare Workers, Cloudflare KV). We do NOT share, sell, license, or transmit this data to any third party.
The App accesses Google APIs and Microsoft Graph APIs to read your calendar, as authorized by you. No other third-party API calls are made with your calendar data.
7. Data retention
- OAuth tokens: retained as long as your connection is active. Deleted within 30 days of you revoking access in your Google account settings (or upon written request to simon@piperain.io).
- Calendar event metadata: retained 90 days from the last update of the event, then automatically expired from our key-value store.
- Authentication metadata (connected account email, last refresh date): retained for the duration of the connection.
8. Your rights
- Revocation at any time: revoke the App's access from your Google account at https://myaccount.google.com/permissions. After revocation, our system detects the revocation at the next refresh attempt (within 30 minutes) and marks your connection as inactive.
- Deletion request: email simon@piperain.io to request immediate deletion of all your stored data. We process such requests within 7 days.
- Access request: email simon@piperain.io to receive a copy of the data we hold about you.
- GDPR rights (if you are in the EU/EEA): right of access, rectification, erasure, restriction, portability, and objection. Contact simon@piperain.io for any of these requests.
9. Security
- All OAuth tokens are encrypted at the application layer with AES-GCM 256-bit before being stored.
- Network transit uses TLS 1.2+ exclusively.
- Access to the Piperain operational infrastructure is restricted to Simon Tort (Piperain founder) via an authenticated session.
- Cloudflare provides at-rest encryption on the underlying storage layer.
10. Changes to this policy
If we materially change how we process your data, we will update this page and notify connected clients via Slack and email at least 14 days before the change takes effect.
11. Contact
simon@piperain.io