
Privacy Policy

Palpaca Platform

Effective Date: February 16, 2026

Last Updated: March 4, 2026

1. Introduction

This Privacy Policy (the “Policy”) explains how Sagewill S.r.l., trading as Palpaca, with registered office at Via Panciatichi 16, 50141 Florence (FI), Italy, VAT No. IT07481150485 (“Palpaca”, “we”, “us”, or “our”), collects, uses, stores, and shares personal data when you visit our website at palpaca.dev (the “Website”) or use our application at app.palpaca.dev (the “Application”).

Palpaca is an AI-powered platform that enables users to create custom HubSpot UI Extensions through natural language descriptions. This Policy applies to all users of the Website and the Application, including visitors, registered users, and paying customers.

We are committed to protecting your privacy and processing your personal data in accordance with Regulation (EU) 2016/679 (the “GDPR”), the Italian Privacy Code (Legislative Decree 196/2003, as amended), and, where applicable, the UK General Data Protection Regulation (“UK GDPR”).

2. Data Controller

The data controller for the purposes of this Policy is:

Sagewill S.r.l., trading as Palpaca

Via Panciatichi 16, 50141 Florence (FI), Italy

Contact: support@palpaca.dev

3. What Data We Collect

We collect and process different categories of personal data depending on how you interact with us. We have organised this information by data zone to provide maximum transparency.

3.1 Website (palpaca.dev)

Our marketing website uses Cloudflare Web Analytics, which does not set cookies, use localStorage, or fingerprint visitors via IP addresses or User Agent strings.

We also use Microsoft Clarity, a behavioural analytics tool, to understand how visitors interact with the Website through session recordings, heatmaps, and aggregated usage metrics. Clarity sets first-party cookies (_clck, _clsk) and third-party cookies hosted on Microsoft domains (CLID, MUID, ANONCHK, MR, SM). For visitors located in the EU/EEA or UK, a cookie consent banner is displayed and these cookies are set only with your consent. For visitors located outside the EU/EEA/UK, these cookies load automatically in accordance with applicable local laws. Location is determined via Cloudflare’s IP geolocation. See our Cookie Policy for full details.

Cloudflare’s infrastructure may set strictly necessary security cookies (such as __cf_bm for bot detection) as part of its network protection services; these are detailed in our Cookie Policy.

3.2 Application (app.palpaca.dev)

We use Microsoft Clarity on the Application to understand how users interact with the platform through session recordings, heatmaps, and aggregated usage metrics. Clarity sets the same first-party and third-party cookies described in Section 3.1 above. Acceptance of analytics cookies is a condition of using the Application, as the data collected is required to provide and improve the service. For users located in the EU/EEA or UK, a consent banner is displayed to inform you of this requirement before cookies are set. For users located outside the EU/EEA/UK, these cookies load automatically. See our Cookie Policy for full details.

When you create an account and use the Application, we process the following data:

Zone 1 — Transient Data (not stored by Palpaca)

During code generation sessions, HubSpot CRM schema metadata (object names, property names, property types, association labels) is transmitted to the Anthropic API. This data is used solely to generate contextually accurate code and is not retained by Palpaca after the generation session concludes. The Anthropic API is configured with zero data retention, meaning prompts and outputs are not stored by Anthropic for model training or any other purpose.

We do not transmit actual CRM record values (e.g., contact names, email addresses, deal amounts, phone numbers) to the Anthropic API or any other third party. Only schema metadata — the structure and field definitions of your CRM — is used.

Zone 2 — Stored Data

  • Account information: name, email address, organisation name, as provided during HubSpot OAuth registration;

  • HubSpot credentials: encrypted OAuth 2.0 access and refresh tokens used for user authentication and CRM schema access; a Personal Access Key (PAK) used for HubSpot CLI operations in the managed development environment; and per-project Private Access Tokens (PATs) used for HubSpot API calls — all encrypted at rest;

  • Project data: natural language descriptions you provide, generated source code, and project configurations;

  • Usage data: credit balances, generation history (timestamps, token counts), plan and subscription information;

  • Referral data: referral link activity, successful referral counts, and referral credit balances;

  • Support data: correspondence and communications you send to us via email or other support channels.

Zone 3 — Payment Data

Payment processing is handled entirely by Stripe, Inc. as an independent data controller. We do not store credit card numbers, bank account details, or other payment instrument data. We store only Stripe customer IDs and transaction references necessary for billing and account management.

Zone 4 — CRM Data (HubSpot)

We store account and contact information about our customers in our own HubSpot CRM for the purposes of providing customer support, delivering marketing communications, and analysing platform usage to improve the Palpaca product. This may include your name, email address, organisation name, subscription plan, and usage metrics.

We process personal data on the following legal bases under Article 6(1) GDPR:

| Data Category | Legal Basis | Purpose |
|---|---|---|
| Account information | Contract performance (Art. 6(1)(b)) | Creating and managing your account, providing the service |
| HubSpot credentials (OAuth tokens, PAK, PATs) | Contract performance (Art. 6(1)(b)) | Authenticating with your HubSpot Portal, executing CLI commands, and making API calls to provide the service |
| Project data and generated code | Contract performance (Art. 6(1)(b)) | Generating code based on your instructions |
| CRM schema metadata (transient) | Contract performance (Art. 6(1)(b)) | Generating contextually accurate code |
| Usage data | Contract performance (Art. 6(1)(b)) | Credit tracking, billing, and account management |
| Payment references | Contract performance (Art. 6(1)(b)) | Processing payments and managing subscriptions |
| CRM data (our HubSpot) | Legitimate interest (Art. 6(1)(f)) | Customer support, marketing, product improvement |
| Security cookies | Legitimate interest (Art. 6(1)(f)) | Protecting the platform from malicious traffic and bots |
| Analytics cookies (Microsoft Clarity) | Consent (Art. 6(1)(a)) | Understanding how visitors interact with the Website and Application to improve content and usability |
| Marketing communications | Consent (Art. 6(1)(a)) | Sending promotional materials and product updates |

Where we rely on legitimate interest, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interest at any time by contacting us at support@palpaca.dev.

5. How We Use Your Data

We use your personal data for the following purposes:

  • Providing the service: creating and managing your account, processing code generation requests, storing your projects, and managing your subscription and credits;

  • Authentication and authorisation: verifying your identity through HubSpot OAuth 2.0, executing HubSpot CLI commands via your Personal Access Key (PAK), and making project-specific HubSpot API calls via Private Access Tokens (PATs);

  • Billing: processing payments, tracking credit usage, and managing subscription changes;

  • Customer support: responding to your inquiries and resolving issues;

  • Product improvement: analysing aggregated and anonymised usage patterns to improve the platform;

  • Marketing: sending you product updates, feature announcements, and promotional materials (with your consent, and with the ability to opt out at any time);

  • Referral program: tracking referral activity and allocating referral credits;

  • Security: protecting the platform from malicious traffic, bots, and abuse;

  • Analytics: understanding how visitors and users interact with the Website and Application through session recordings, heatmaps, and usage metrics (Microsoft Clarity), with your consent;

  • Legal compliance: fulfilling our obligations under applicable laws and regulations.

6. Data Sharing and Sub-processors

We do not sell your personal data. We share your data only with the following categories of recipients, each of which is bound by contractual data protection obligations:

| Recipient | Purpose | Data Shared | Transfer Mechanism |
|---|---|---|---|
| Anthropic PBC (USA) | AI code generation | HubSpot CRM schema metadata only (transient, zero retention) | EU-U.S. Data Privacy Framework |
| Cloudflare, Inc. (USA) | Infrastructure, security, DNS, CDN | Application data, security metadata | EU-U.S. Data Privacy Framework |
| Stripe, Inc. (USA) | Payment processing (independent controller) | Payment instrument data (not stored by Palpaca) | EU-U.S. Data Privacy Framework |
| HubSpot, Inc. (USA) | CRM for customer support, marketing, analytics | Account info, usage metrics | EU-U.S. Data Privacy Framework |
| Microsoft Corporation (USA) | Behavioural analytics on Website and Application (Microsoft Clarity) | Pseudonymous user identifiers, interaction data (clicks, scrolls, page views), session recordings | EU-U.S. Data Privacy Framework |

A complete and up-to-date list of sub-processors is maintained at palpaca.dev/legal/subprocessors.

We may also disclose personal data where required by law, regulation, legal process, or enforceable governmental request.

7. International Data Transfers

Palpaca is based in the European Union (Italy). Some of our sub-processors are based in the United States. Where personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including:

  • EU-U.S. Data Privacy Framework: Our U.S.-based sub-processors (Anthropic, Cloudflare, Stripe, HubSpot, Microsoft) are certified under the EU-U.S. Data Privacy Framework, providing an adequate level of data protection as recognised by the European Commission;

  • Standard Contractual Clauses: Where required, we enter into Standard Contractual Clauses approved by the European Commission under Article 46(2) GDPR as an additional safeguard.

We regularly review the data protection practices of our sub-processors and the legal frameworks governing international transfers to ensure ongoing compliance.

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:

| Data Category | Retention Period | After Deletion/Expiry |
|---|---|---|
| Account information | Duration of account + 12 months after cancellation | Deleted |
| Project data (frontend code) | Indefinite (code remains deployed in your HubSpot account) | User-controlled |
| Project configurations | Duration of account + 12 months after cancellation | Deleted |
| HubSpot OAuth tokens | Duration of active subscription | Deleted upon cancellation |
| HubSpot PAK and PATs | Duration of active subscription | Deleted within 30 days of cancellation |
| CRM schema metadata | Not retained (transient processing only) | N/A |
| Usage and billing data | Duration of account + 10 years (Italian tax law) | Deleted |
| Support correspondence | Duration of account + 24 months | Deleted |
| Marketing consent records | Duration of consent + 24 months after withdrawal | Deleted |

Where retention is required by applicable law (e.g., Italian tax and accounting obligations under Article 2220 of the Civil Code), we will retain the minimum data necessary for the legally mandated period.

9. Your Rights

Under the GDPR, you have the following rights with respect to your personal data:

  • Right of access (Art. 15): You may request a copy of the personal data we hold about you.

  • Right to rectification (Art. 16): You may request that we correct inaccurate or incomplete personal data.

  • Right to erasure (Art. 17): You may request that we delete your personal data, subject to legal retention obligations.

  • Right to restriction (Art. 18): You may request that we restrict the processing of your personal data in certain circumstances.

  • Right to data portability (Art. 20): You may request to receive your personal data in a structured, commonly used, and machine-readable format. You may also export your project data via the Application’s export functionality.

  • Right to object (Art. 21): You may object to processing based on legitimate interest or for direct marketing purposes.

  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal.

To exercise any of these rights, please contact us at support@palpaca.dev. We will respond to your request within one (1) month, which may be extended by two further months for complex requests, in accordance with Article 12 GDPR.

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) at www.garanteprivacy.it, or with the supervisory authority of your Member State of residence.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of all data in transit using TLS 1.2 or higher;

  • Encryption of all HubSpot credentials (OAuth tokens, Personal Access Key, and Private Access Tokens) at rest;

  • Encryption at rest for all database and object storage via Cloudflare’s provider-managed encryption;

  • Multi-factor authentication for all internal accounts;

  • Access controls restricting production access to authorised personnel;

  • Process-level tenant isolation at the infrastructure level;

  • Regular security reviews and code review processes.

A detailed description of our technical and organisational measures is available in Annex III of the Palpaca Data Processing Agreement.

11. Children’s Privacy

Palpaca is a B2B platform intended for use by business professionals. We do not knowingly collect personal data from children under the age of 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly.

12. Cookies

Our use of cookies is described in detail in our separate Cookie Policy, available at palpaca.dev/legal/cookies. In summary:

  • palpaca.dev (Website): We use Microsoft Clarity for behavioural analytics. Clarity sets first-party cookies (_clck, _clsk) and third-party cookies on Microsoft domains (CLID, MUID, ANONCHK, MR, SM). For visitors in the EU/EEA or UK, a consent banner is shown and these cookies are set only with consent. For visitors elsewhere, cookies load automatically. Cloudflare may set strictly necessary security cookies (__cf_bm) as part of its network protection. No consent is required for strictly necessary cookies.

  • app.palpaca.dev (Application): We use Microsoft Clarity for behavioural analytics, which sets the same first-party and third-party cookies listed above. Analytics cookies are required as a condition of using the Application. For users in the EU/EEA or UK, a consent banner informs you of this requirement. For users elsewhere, cookies load automatically. We also use cookies for authentication, session management, and application functionality. These are strictly necessary for the operation of the Application and do not require consent.

13. Marketing Communications

We may send you marketing communications about Palpaca products, features, and updates via the email address associated with your account. We will only do so with your consent, which you can provide during account registration or at any time via your account settings.

You may opt out of marketing communications at any time by clicking the unsubscribe link included in every marketing email, or by contacting us at support@palpaca.dev. Opting out of marketing communications does not affect transactional communications (e.g., billing confirmations, security alerts, service notifications).

14. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technology, or legal requirements. Changes will be communicated via the email address associated with your account at least fifteen (15) days before they take effect. We will indicate the date of the most recent update at the top of this Policy.

The latest version of this Policy is always available at palpaca.dev/legal/privacy.

15. Contact

For any questions, concerns, or requests regarding this Policy or our data processing practices, please contact:

Sagewill S.r.l., trading as Palpaca

Via Panciatichi 16, 50141 Florence (FI), Italy

support@palpaca.dev