Privacy Policy
Last Updated: June 11, 2026
The short version
Pip is built so that privacy isn't a setting you turn on — it's the default. The four promises below are the ones we build around; the rest of this page explains, in plain language, what we collect, why, and the control you have. Where we rely on a third party to run part of the service, we name them and tell you exactly what they see.
For the bigger picture — where your data lives, who pays for Pip, and why that's the part that actually protects you — read Privacy as Architecture.
Four promises we build around
1. Who We Are
Pip is an AI assistant operated by Different Robot AB (org. no. 559575-1768), a company registered in Sweden. When this policy says "we," "us," or "Pip," we mean Different Robot AB. For everything we describe here, Different Robot AB is the data controller — the company responsible for your personal data and accountable to you for how it's handled.
This policy explains what we collect, why, who we share it with, and the rights you have. If anything here is unclear, email us at privacy@hellopip.ai and a human will answer.
2. Information We Collect
Information You Provide
- Account Information: Name, email address, profile picture, and authentication credentials
- Family Profile Information: Family member names, relationships, nicknames, and preferences
- Chat Messages: Your conversations with Pip, including text, images, and files
- Notes and Preferences: Personal notes, settings, and customizations
Automatically Collected Information
- Device Information: Device type, operating system, unique device identifiers
- Usage Data: Features used, time spent in the app, interaction patterns
- Log Data: IP address, browser type, access times, pages viewed
- Location Data: General location (country/region) based on IP address
- Operational Metrics: Latency, response timing, model cost, and which tools the assistant used — operational signals about how the service runs. These operational metrics never include the contents of your conversations; how we handle conversation content for product analytics is described separately under "Product Analytics" in Section 5.
3. How We Use Your Information
- Provide Service: Operate and deliver Pip's assistant functionality
- Personalization: Tailor your experience to your family context
- Communication: Send service-related notifications and security alerts
- Enhancement: Understand how Pip is used and improve quality and features
- Security: Detect, prevent, and address technical issues and fraud
- Legal Compliance: Comply with applicable laws and regulations
Our Legal Bases (GDPR)
Under European data protection law we only process your data when we have a lawful basis to. Here's which basis we rely on, and for what:
- To run the service: Performing our contract with you — the account, chat, and other features you signed up for can't work without it
- Product analytics & service improvement: For analytics about how the app runs, our legitimate interest in understanding and improving Pip; for using the text of your messages, your consent — which you give during onboarding and can withdraw at any time. Either way, content is redacted before it's stored for analysis (see Section 5).
- Security & fraud prevention: Our legitimate interest, and in some cases a legal obligation, in keeping the service and your account safe
- Optional integrations & marketing emails: Your consent, which you give when you connect a service or opt in — and can withdraw at any time
- Legal & regulatory compliance: Compliance with laws that apply to us
How We Handle AI Training
4. What We Never Do
- Sell your personal data to advertisers, data brokers, or any third parties
- Train AI on your conversations without your consent: our providers never train on your data; we never will without your explicit opt-in
- Share family conversations for marketing: Your private conversations stay private
- Track you across other websites or apps: We only collect data within Pip
- Knowingly collect data from children under 13: Pip is for ages 13 and up
5. Who We Share Data With
We don't sell your data and we don't share it for marketing. We do rely on a small, carefully chosen set of providers to run Pip. Each one processes your data only on our instructions, under a contract that binds them to protect it. Here's the complete list and exactly what each one sees.
AI Providers
Pip is powered by a range of leading AI providers — including Google and Anthropic, among others. In Auto mode (the default for most chats) we route each request to the model best suited to the task; Pip Pro users can also choose a specific model. These providers process your messages only to generate Pip's responses.
We only use paid API tiers whose terms don't permit training AI models on your data — never the consumer apps that do.
We may add or change AI providers as the landscape evolves; we'll keep this current.
Product Analytics & Improving Pip
We use PostHog, hosted in the European Union, to understand how Pip is used so we can make it better. This product analytics is content-free — it records how the app behaves (which features are used, timing, and cost), never the text of your conversations — and is always on.
Separately, if you opt in, we use the text of your messages and Pip's replies to help us improve Pip. Before any of that text is stored for analysis it passes through Google Cloud's automated redaction (Data Loss Prevention), which detects and removes personal identifiers — email addresses, phone numbers, payment card numbers, access credentials, and similar — replacing each with a label such as [EMAIL_ADDRESS]. The redacted content is then held in our own data warehouse on Google Cloud (BigQuery), in the European Union — kept separate from the content-free product analytics above. This is your choice, off by default, and you can turn it off anytime in Settings. Everything stays in the European Union.
When you opt in, we use that redacted content only to:
- Measure quality: Score how relevant, helpful, and accurate Pip's answers are
- Understand needs: Find common topics and gaps in what people ask for
- Improve Pip: Refine Pip's prompts, tools, and responses, and build test cases
- Human review: Sometimes our own team reads examples to see where Pip helps or falls short. We only ever look at this content after it has been redacted and de-identified, and only our team and EU-based processors see it.
We never include your system instructions, the files or images you share, or the actions Pip takes for you (such as sending an email). We never use this analytics content to train AI models, for advertising, or for profiling, and we never sell it. Pip is your assistant — use it naturally. Automated redaction does its best to strip personal identifiers before anything is used for analytics, and whatever you share stays in the EU, is never sold, is used only for the purposes you agreed to, and is yours to delete anytime.
Infrastructure & Operations
- Google Cloud (EU): Hosting, storage, databases, our analytics data warehouse (BigQuery), and automated redaction (Data Loss Prevention) — where Pip runs and your data lives
- Sentry (EU): Crash and error reporting, with identifiers and message contents scrubbed before they leave your device
- WorkOS Vault: Encrypted storage for the connection tokens of any integrations you enable
Legal Requirements
We may disclose your information if required by law or in response to valid requests by public authorities — and only to the extent we're legally obliged to.
6. Where Your Data Lives
Your data stays in the European Union
This is one of the things that makes Pip different. Your account, your conversations, and the analytics we derive from them are stored and processed in the European Union — on Google Cloud infrastructure in Stockholm, Sweden. Our product analytics (PostHog), our redaction step (Google Cloud Data Loss Prevention), our analytics data warehouse (Google BigQuery), and our error reporting (Sentry) all run in the EU too. We've designed the service so your data doesn't need to leave the EU to work.
How it's protected in storage
Data at rest is encrypted using Google-managed keys, and every connection is protected with TLS in transit. Backups are managed by Google Cloud and are also encrypted at rest.
7. Connected Apps
You choose what Pip connects to
Pip can connect to a range of apps and services you already use — your Connected Apps — so it can actually act for you, not just talk about it. Every connection is your choice: you pick which apps to connect, you authenticate directly with the app, and Pip uses only the data that connection gives it, only to help you. You can disconnect any of them at any time.
How Connected Apps Work
1. You initiate the connection — Connections are never automatic. You explicitly choose which apps to connect, in Settings.
2. You authenticate directly with the app — You're sent to that app's own login page, where you review and approve the connection before it's made. Your credentials are handled by the app, not by us.
3. Pip uses the data only to help you — and only when you ask. We never sell it and never share it for marketing.
4. You can disconnect anytime — Remove access instantly from Settings, and we immediately delete that connection's tokens.
Token Security
Your integration credentials (OAuth tokens) are stored securely using WorkOS Vault, an industry-standard secrets management service. Tokens are encrypted at rest and never exposed in logs or error messages. When you disconnect an integration, tokens are immediately and permanently deleted.
Google API Services User Data Policy
Where a Connected App is a Google service, Pip's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
8. Data Security
- Encryption of data in transit (TLS/SSL) and at rest
- Secure authentication using industry-standard protocols
- Regular security audits and monitoring
- Access controls limiting employee access to personal data
Error Reporting
We use Sentry (hosted in the EU) to capture crash and error reports so we can fix problems quickly. Reports include technical details about what went wrong, but a PII scrubber removes identifiers and message contents before they leave your device.
Data Breach Notification
In the unlikely event of a data breach:
- Notification to affected users as quickly as we reasonably can, via email and in-app
- Clear explanation of the incident
- Information about what data was affected
- Steps we're taking and recommended actions for you
9. Data Retention
Retention Periods
- Account Data: Retained while your account is active
- Chat Messages: Retained as long as your account is active, so Pip can reference earlier discussions when helpful. You can delete an individual conversation at any time from the chat sidebar, or delete your entire account to permanently remove all data.
- Analytics Content: Redacted conversation content held in our EU data warehouse is kept for a limited period and then automatically deleted
- Usage Data: Retained for service improvement and security
- Legal Obligations: Some data may be retained longer where the law requires it
Deleting Your Account
You can delete your account yourself, anytime, from inside Pip — you don't need to ask us. When you do, we permanently purge everything we hold about you, as fast as our systems can process it and with no intentional delay. Once it's gone, it's gone, and it can't be recovered.
10. Your Privacy Rights
Under the GDPR and similar laws, you have a full set of rights over your data. The two biggest are built right into Pip, so you never have to ask: you can delete your account yourself at any time, and you can export your data at any time — Pip builds you a downloadable package with everything it knows and stores about you. For the rest, email privacy@hellopip.ai and we'll take care of it, free of charge.
- Access: See the data we hold — it's all in your data export
- Correction: Request correction of inaccurate information
- Deletion: Delete your account yourself, anytime, inside Pip
- Portability: Export your full data package, anytime, inside Pip
- Restriction: Ask us to pause certain processing
- Objection: Object to processing based on legitimate interest
- Withdraw Consent: Withdraw consent you previously gave
- Complain: Lodge a complaint with your data protection authority
11. Minimum Age
You must be at least 13 years old to use Pip. Pip is not directed to children under 13, and we don't knowingly collect their personal data. If we learn that someone under 13 has created an account, we'll delete it.
If you believe a child under 13 has provided us with personal data, contact us at privacy@hellopip.ai and we'll remove it. Family features designed for younger users — with parental consent and controls — may come in a future version, and we'll update this policy before they do.
12. Changes to This Policy
As Pip grows we may update this policy. When we make a material change, we'll update the "Last Updated" date above and, where appropriate, tell you in the app or by email. The current version always lives here.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your data:
Different Robot AB · Sweden
Email: privacy@hellopip.ai
You can delete your account and export your data yourself, anytime, inside Pip. Any other formal request is answered within 30 days, as required by GDPR. General questions usually get a faster reply.