PRIVACY AND DATA ENCRYPTION

Your data is encrypted at rest and can only be decrypted using your API key. This includes your pipelines, exports (environment variables), aliases, temporary files, AI API keys, and SMTP passwords.

ENCRYPTION AT REST

All user data stored in the Piped database is encrypted:

- Pipelines: Encrypted using your API key before storage
- Exports (environment variables): Encrypted using your API key
- Aliases: Encrypted using your API key
- Temporary files: Encrypted using AES-256-GCM with your API key
- AI API keys (xAI, OpenAI, Google): Encrypted using AES-256-GCM with your API key
- SMTP passwords: Encrypted using AES-256-GCM with your API key

Your API key is never stored in plaintext. Only a SHA-256 hash of your API key is stored in the database. This means:

- Even if the database is compromised, your API key cannot be recovered
- We cannot decrypt your data without your API key
- Your data remains secure even if the server is compromised

AI API KEYS AND SMTP PASSWORDS

Your AI API keys (xAI, OpenAI, Google) and SMTP passwords are encrypted at rest using the same AES-256-GCM encryption as your other data:

- The encryption key is derived from your API key using PBKDF2
- Each token uses its unique ULID as the salt, so every token gets its own encryption key
- Encrypted secrets are stored as base64-encoded strings in the token config
- Without your API key, these encrypted secrets cannot be decrypted
- Even with full database access, encrypted AI API keys and SMTP passwords are useless without your API key
- There is no recovery path: we cannot recover your AI API keys or SMTP passwords without your API key

API KEY DELIVERY

When you create an account, your API key is:

1. Generated as a cryptographically random 256-bit key
2. Sent to you via email
3. Hashed (SHA-256) and stored in the database
4. Never stored in plaintext anywhere

If you lose your API key, it cannot be recovered. You must regenerate a new key, which will re-encrypt all your data.
PERSONAL INFORMATION

We minimize the personal information we collect and store:

- Email addresses: We only store your email address to communicate with you when a token requires payment to buy more quota. We do not use your email for marketing or other purposes.
- Names: We do not store your name or any other personally identifiable information (PII) beyond your email address.
- Optional labels: You may optionally set a label for your tokens (e.g., "Production", "Development") for your own organization. These labels are stored but are not considered PII.

LOGGING AND GDPR COMPLIANCE

Our logging is anonymized to conform to the European Union's GDPR:

- Logs do not contain personally identifiable information
- API keys are never logged in plaintext
- User data in logs is anonymized or excluded
- We comply with GDPR requirements for data protection and privacy

DATA ACCESS

Your encrypted data can only be decrypted when:

1. You provide your API key in API requests (X-API-Key header)
2. You are authenticated via session cookie (web interface)

The server uses your API key to:

- Authenticate your requests (by comparing hashes)
- Decrypt your pipelines, exports, aliases, and temp files
- Decrypt your AI API keys and SMTP passwords when needed
- Re-encrypt data when you regenerate your API key

SHARED PIPELINES

The only exception to encryption is when you explicitly choose to share a pipeline:

- Shared pipelines are stored in a decrypted format (pipeline_shared field)
- This allows anyone with the pipeline URL to view and run the pipeline
- Shared pipelines are publicly accessible without authentication
- You control which pipelines are shared - sharing is opt-in only

When you share a pipeline:

- The pipeline content is stored unencrypted
- It becomes accessible via a public URL
- Anyone with the URL can view and execute the pipeline
- A pipeline is unshared by deleting it

SECURITY GUARANTEES

- Your data is encrypted at rest using industry-standard AES-256-GCM
- Your pipelines, exports, aliases, temporary files, AI API keys, and SMTP passwords are all encrypted
- Your API key is hashed using SHA-256 (a one-way function)
- Your AI API keys and SMTP passwords are encrypted and impossible to decrypt without your API key
- We cannot decrypt your data without your API key
- Even with full database access, your data remains protected
- Encrypted secrets (AI API keys, SMTP passwords) are cryptographically secure and cannot be recovered without your API key
- Only you (with your API key) or someone you share a pipeline with can access your data

WHAT THIS MEANS FOR YOU

- Keep your API key secure - it's the only way to decrypt your data
- If you lose your API key, you'll need to regenerate it (your data will be re-encrypted)
- Your pipelines, exports, aliases, temporary files, AI API keys, and SMTP passwords are all encrypted and protected
- Your AI API keys and SMTP passwords are encrypted and cannot be recovered without your API key
- Shared pipelines are public - only share pipelines you're comfortable making public
- Your encrypted data is safe even if the server is compromised
- We cannot access your data without your API key
- Encrypted secrets (AI API keys, SMTP passwords) stored in the database are impossible to decrypt without your API key