Privacy Policy.
§ 01 · Summary: What you should know in one minute.
The open-source SDK and CLI run on your machine. They do not transmit traces to Pisama. The hosted platform at pisama.ai stores only the data you explicitly send it (account email and any traces you upload). We do not sell personal data and we do not train models on your data.
This policy explains what data we collect, how we use it, and what choices you have. It applies to the Pisama Service — the open-source SDK / CLI, the hosted platform at pisama.ai, the marketing site, and our API endpoints.
§ 02 · Local-first: What stays on your machine.
SDK and CLI. When you pip install pisama and run detection locally, traces are analyzed on your machine. Pisama does not make outbound network calls to our infrastructure during local detection.
Tier-4 LLM judge. When the optional LLM-judge tier is invoked, the request goes from your machine directly to your configured LLM provider (e.g. Anthropic) using your own API key. Pisama is not in the path and does not see those requests.
MCP server. The MCP server runs locally and serves clients you control (Cursor, Claude Desktop, Windsurf, etc.). No data leaves your machine.
§ 03 · Data we collect: What the hosted platform receives.
The hosted platform collects only the data you choose to send it:
- Account info. Email address, name, and authentication identifiers from your sign-in provider (Google OAuth).
- Traces and detections. Trace data you upload or push via integration (LangGraph, OpenClaw, n8n, Dify, OpenTelemetry, etc.) and the detections, diagnoses, and fix suggestions produced from them.
- Account data. The email you sign up with, the tenant name you choose, your role within the tenant, and the timestamp + IP + user agent recorded when you accept the Terms of Service.
- Operational metadata. Standard server logs (IP, user agent, request path, timestamps) used for security, debugging, and abuse prevention.
- Analytics. Aggregate usage analytics (Google Analytics 4, Vercel Analytics) on the marketing site and the dashboard. These do not include trace contents.
§ 04 · How we use it: What we do with your data.
We use Customer Data only to:
- Provide the Service you requested (run detection, store results, generate fix suggestions)
- Communicate operational notices, security alerts, and product updates
- Investigate abuse, debug failures, and maintain platform stability
- Comply with legal obligations
We do not use Customer Data to train machine learning models or sell it to third parties.
§ 05 · Subprocessors: Who else sees data on our behalf.
The hosted platform relies on a small set of subprocessors:
- Vercel — frontend hosting and edge delivery for pisama.ai.
- Fly.io — backend application hosting and managed Postgres (api.pisama.ai).
- Brevo — transactional email delivery (signup, password reset, alerts) from [email protected].
- Google (OAuth) — sign-in identity for the dashboard.
- Anthropic — LLM-judge calls for the Tier-4 escalation tier (only when explicitly invoked using your own API key on the SDK; Pisama-internal LLM features call Anthropic from our backend).
We update this list as the platform evolves. Material changes will be announced via email or in-product notice before they take effect.
§ 06 · Retention: How long data is kept.
Account data. Retained while your account is active. Deleted within thirty (30) days of account closure.
Traces and detections. Retained for the duration of your subscription, or until you delete them. Deleted within thirty (30) days of account closure.
Server logs. Retained for up to ninety (90) days for security and operational purposes.
Backups. Encrypted backups may persist for up to thirty (30) days after primary deletion before being overwritten.
§ 07 · Security: How we protect data.
We use TLS in transit, encryption at rest, scoped database credentials, and rate-limited API endpoints. Production secrets are managed via the hosting provider’s secret store and rotated when staff change. We do not log trace payloads in plaintext server logs.
No system is perfectly secure. If you suspect a vulnerability or breach affecting your data, email [email protected].
§ 08 · Your rights: What you can ask us to do.
You can request to:
- Access the personal data we hold about you
- Correct or update inaccurate data
- Delete your account and associated data
- Export your data in a portable format
- Withdraw consent for processing where consent is the legal basis
Email [email protected] with your request. We respond within thirty (30) days.
§ 09 · Cookies: Cookies and similar technologies.
The marketing site at pisama.ai uses essential cookies for routing and an aggregate analytics cookie (Google Analytics 4). The dashboard uses a session cookie for authentication. We do not use third-party advertising cookies.
§ 10 · International: International transfers.
Pisama is operated from the United States. Data you submit may be processed in the United States and in the regions where our subprocessors operate (primarily the US for Vercel iad1 and Fly.io). By using the Service from outside the US, you consent to these transfers.
§ 11 · Children: Children’s privacy.
The Service is intended for developers and engineering teams. It is not directed at children under 13, and we do not knowingly collect personal data from them.
§ 12 · Changes: Changes to this policy.
We may update this Privacy Policy from time to time. Material changes will be announced via email to account holders or via a notice on pisama.ai before they take effect. The “Effective” date at the top of this page is updated whenever the policy changes.
§ 13 · Contact: Contact.
Questions about this policy or your data: [email protected]. Security reports: [email protected]. General legal matters: [email protected].