
Privacy Policy

Palpaca Platform

Effective Date: February 16, 2026

Last Updated: February 16, 2026

1. Introduction

This Privacy Policy (the “Policy”) explains how Sagewill S.r.l., trading as Palpaca, with registered office at Via Panciatichi 16, 50141 Florence (FI), Italy, VAT No. IT07481150485 (“Palpaca”, “we”, “us”, or “our”), collects, uses, stores, and shares personal data when you visit our website at palpaca.dev (the “Website”) or use our application at app.palpaca.dev (the “Application”).

Palpaca is an AI-powered platform that enables users to create custom HubSpot UI Extensions through natural language descriptions. This Policy applies to all users of the Website and the Application, including visitors, registered users, and paying customers.

We are committed to protecting your privacy and processing your personal data in accordance with Regulation (EU) 2016/679 (the “GDPR”), the Italian Privacy Code (Legislative Decree 196/2003, as amended), and, where applicable, the UK General Data Protection Regulation (“UK GDPR”).

2. Data Controller

The data controller for the purposes of this Policy is:

Sagewill S.r.l., trading as Palpaca

Via Panciatichi 16, 50141 Florence (FI), Italy

Contact: support@palpaca.dev

3. What Data We Collect

We collect and process different categories of personal data depending on how you interact with us. We have organised this information by data zone to provide maximum transparency.

3.1 Website (palpaca.dev)

Our marketing website is designed to be privacy-friendly. We use Cloudflare Web Analytics, which does not set cookies, use localStorage, or fingerprint visitors via IP addresses or User Agent strings. We do not collect any personal data from casual visitors to the Website. Cloudflare’s infrastructure may set strictly necessary security cookies (such as __cf_bm for bot detection) as part of its network protection services; these are detailed in our Cookie Policy.

3.2 Application (app.palpaca.dev)

When you create an account and use the Application, we process the following data:

Zone 1 — Transient Data (not stored by Palpaca)

During code generation sessions, HubSpot CRM schema metadata (object names, property names, property types, association labels) is transmitted to the Anthropic API. This data is used solely to generate contextually accurate code and is not retained by Palpaca after the generation session concludes. The Anthropic API is configured with zero data retention, meaning prompts and outputs are not stored by Anthropic for model training or any other purpose.

We do not transmit actual CRM record values (e.g., contact names, email addresses, deal amounts, phone numbers) to the Anthropic API or any other third party. Only schema metadata — the structure and field definitions of your CRM — is used.

Zone 2 — Stored Data

  • Account information: name, email address, organisation name, as provided during HubSpot OAuth registration;

  • HubSpot OAuth tokens: encrypted OAuth 2.0 access and refresh tokens used to authenticate with your HubSpot Portal;

  • Project data: natural language descriptions you provide, generated source code, and project configurations;

  • Usage data: credit balances, generation history (timestamps, token counts), plan and subscription information;

  • Referral data: referral link activity, successful referral counts, and referral credit balances;

  • Support data: correspondence and communications you send to us via email or other support channels.

Zone 3 — Payment Data

Payment processing is handled entirely by Stripe, Inc. as an independent data controller. We do not store credit card numbers, bank account details, or other payment instrument data. We store only Stripe customer IDs and transaction references necessary for billing and account management.

Zone 4 — CRM Data (HubSpot)

We store account and contact information about our customers in our own HubSpot CRM for the purposes of providing customer support, delivering marketing communications, and analysing platform usage to improve the Palpaca product. This may include your name, email address, organisation name, subscription plan, and usage metrics.

We process personal data on the following legal bases under Article 6(1) GDPR:

| Data Category | Legal Basis | Purpose |
|---|---|---|
| Account information | Contract performance (Art. 6(1)(b)) | Creating and managing your account, providing the service |
| HubSpot OAuth tokens | Contract performance (Art. 6(1)(b)) | Authenticating with your HubSpot Portal to provide the service |
| Project data and generated code | Contract performance (Art. 6(1)(b)) | Generating code based on your instructions |
| CRM schema metadata (transient) | Contract performance (Art. 6(1)(b)) | Generating contextually accurate code |
| Usage data | Contract performance (Art. 6(1)(b)) | Credit tracking, billing, and account management |
| Payment references | Contract performance (Art. 6(1)(b)) | Processing payments and managing subscriptions |
| CRM data (our HubSpot) | Legitimate interest (Art. 6(1)(f)) | Customer support, marketing, product improvement |
| Security cookies | Legitimate interest (Art. 6(1)(f)) | Protecting the platform from malicious traffic and bots |
| Marketing communications | Consent (Art. 6(1)(a)) | Sending promotional materials and product updates |

Where we rely on legitimate interest, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interest at any time by contacting us at support@palpaca.dev.

5. How We Use Your Data

We use your personal data for the following purposes:

  • Providing the service: creating and managing your account, processing code generation requests, storing your projects, and managing your subscription and credits;

  • Authentication: verifying your identity through HubSpot OAuth and maintaining your session;

  • Billing: processing payments, tracking credit usage, and managing subscription changes;

  • Customer support: responding to your inquiries and resolving issues;

  • Product improvement: analysing aggregated and anonymised usage patterns to improve the platform;

  • Marketing: sending you product updates, feature announcements, and promotional materials (with your consent, and with the ability to opt out at any time);

  • Referral program: tracking referral activity and allocating referral credits;

  • Security: protecting the platform from malicious traffic, bots, and abuse;

  • Legal compliance: fulfilling our obligations under applicable laws and regulations.

6. Data Sharing and Sub-processors

We do not sell your personal data. We share your data only with the following categories of recipients, each of which is bound by contractual data protection obligations:

| Recipient | Purpose | Data Shared | Transfer Mechanism |
|---|---|---|---|
| Anthropic PBC (USA) | AI code generation | HubSpot CRM schema metadata only (transient, zero retention) | EU-U.S. Data Privacy Framework |
| Cloudflare, Inc. (USA) | Infrastructure, security, DNS, CDN | Application data, security metadata | EU-U.S. Data Privacy Framework |
| Stripe, Inc. (USA) | Payment processing (independent controller) | Payment instrument data (not stored by Palpaca) | EU-U.S. Data Privacy Framework |
| HubSpot, Inc. (USA) | CRM for customer support, marketing, analytics | Account info, usage metrics | EU-U.S. Data Privacy Framework |

A complete and up-to-date list of sub-processors is maintained at palpaca.dev/legal/subprocessors.

We may also disclose personal data where required by law, regulation, legal process, or enforceable governmental request.

7. International Data Transfers

Palpaca is based in the European Union (Italy). Some of our sub-processors are based in the United States. Where personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including:

  • EU-U.S. Data Privacy Framework: Our U.S.-based sub-processors (Anthropic, Cloudflare, Stripe, HubSpot) are certified under the EU-U.S. Data Privacy Framework, providing an adequate level of data protection as recognised by the European Commission;

  • Standard Contractual Clauses: Where required, we enter into Standard Contractual Clauses approved by the European Commission under Article 46(2) GDPR as an additional safeguard.

We regularly review the data protection practices of our sub-processors and the legal frameworks governing international transfers to ensure ongoing compliance.

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:

| Data Category | Retention Period | After Deletion/Expiry |
|---|---|---|
| Account information | Duration of account + 12 months after cancellation | Deleted |
| Project data (frontend code) | Indefinite (code remains deployed in your HubSpot account) | User-controlled |
| Project configurations | Duration of account + 12 months after cancellation | Deleted |
| HubSpot OAuth tokens | Duration of active subscription | Deleted upon cancellation |
| CRM schema metadata | Not retained (transient processing only) | N/A |
| Usage and billing data | Duration of account + 10 years (Italian tax law) | Deleted |
| Support correspondence | Duration of account + 24 months | Deleted |
| Marketing consent records | Duration of consent + 24 months after withdrawal | Deleted |

Where retention is required by applicable law (e.g., Italian tax and accounting obligations under Article 2220 of the Civil Code), we will retain the minimum data necessary for the legally mandated period.

9. Your Rights

Under the GDPR, you have the following rights with respect to your personal data:

  • Right of access (Art. 15): You may request a copy of the personal data we hold about you.

  • Right to rectification (Art. 16): You may request that we correct inaccurate or incomplete personal data.

  • Right to erasure (Art. 17): You may request that we delete your personal data, subject to legal retention obligations.

  • Right to restriction (Art. 18): You may request that we restrict the processing of your personal data in certain circumstances.

  • Right to data portability (Art. 20): You may request to receive your personal data in a structured, commonly used, and machine-readable format. You may also export your project data via the Application’s export functionality.

  • Right to object (Art. 21): You may object to processing based on legitimate interest or for direct marketing purposes.

  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal.

To exercise any of these rights, please contact us at support@palpaca.dev. We will respond to your request within one (1) month, which may be extended by two further months for complex requests, in accordance with Article 12 GDPR.

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) at www.garanteprivacy.it, or with the supervisory authority of your Member State of residence.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of all data in transit using TLS 1.2 or higher;

  • Encryption of HubSpot OAuth tokens at rest;

  • Encryption at rest for all database and object storage via Cloudflare’s provider-managed encryption;

  • Multi-factor authentication for all internal accounts;

  • Access controls restricting production access to authorised personnel;

  • Process-level tenant isolation at the infrastructure level;

  • Regular security reviews and code review processes.

A detailed description of our technical and organisational measures is available in Annex III of the Palpaca Data Processing Agreement.

11. Children’s Privacy

Palpaca is a B2B platform intended for use by business professionals. We do not knowingly collect personal data from children under the age of 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly.

12. Cookies

Our use of cookies is described in detail in our separate Cookie Policy, available at palpaca.dev/legal/cookies. In summary:

  • palpaca.dev (Website): No analytics cookies. Cloudflare may set strictly necessary security cookies (__cf_bm) as part of its network protection. No consent is required for these.

  • app.palpaca.dev (Application): We use cookies for authentication, session management, and application functionality. These are strictly necessary for the operation of the Application and do not require consent.

13. Marketing Communications

We may send you marketing communications about Palpaca products, features, and updates via the email address associated with your account. We will only do so with your consent, which you can provide during account registration or at any time via your account settings.

You may opt out of marketing communications at any time by clicking the unsubscribe link included in every marketing email, or by contacting us at support@palpaca.dev. Opting out of marketing communications does not affect transactional communications (e.g., billing confirmations, security alerts, service notifications).

14. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technology, or legal requirements. Changes will be communicated via the email address associated with your account at least fifteen (15) days before they take effect. We will indicate the date of the most recent update at the top of this Policy.

The latest version of this Policy is always available at palpaca.dev/legal/privacy.

15. Contact

For any questions, concerns, or requests regarding this Policy or our data processing practices, please contact:

Sagewill S.r.l., trading as Palpaca

Via Panciatichi 16, 50141 Florence (FI), Italy

support@palpaca.dev