
Last updated: March 29, 2026
Privacy Policy, made clear.
1. Introduction
Pigion ("we", "our", "us") is an AI-powered email assistant that helps professionals manage their inbox through automated email classification, draft reply generation, meeting preparation, and workflow organization. This Privacy Policy explains how we collect, use, and protect your data when you use our service at app.pigion.ai (the "Platform").
Pigion.AI B.V. is registered in the Netherlands and operates in compliance with the General Data Protection Regulation (GDPR).
2. Data Controller and Data Processor
For your email and calendar data: Your organization (or you as an individual subscriber) is the Data Controller. Pigion.AI B.V. acts as Data Processor, processing this data solely on your behalf and according to your instructions, as described in our Data Processing Agreement (DPA).
For your account data: Pigion.AI B.V. acts as Data Controller for the personal data you provide when creating an account (name, email address, billing information, preferences).
For website visitors: Pigion.AI B.V. acts as Data Controller for any data collected through our website.
Pigion.AI B.V. Vondellaan 4, 6881 MC Velp, the Netherlands
Email: security@pigion.ai Website: https://pigion.ai
3. What Data We Process
3.1 Account Data
When you create an account, we collect and store:
Your name and email address, provided via Microsoft or Google sign-in
Your subscription status and billing information, processed by Stripe
Your preferences and settings, including tone of voice, email classification preferences, and available meeting times
3.2 Email Data
When you connect your email account, Pigion processes the following categories of data:
Email metadata: sender address, recipient addresses, subject line, timestamps, conversation identifiers, and message identifiers
Email body content: the text of incoming emails classified as requiring a response
Email headers: used for message threading and deduplication (including In-Reply-To, References, and Internet-Message-Id)
How we process email data:
Incoming emails are analyzed in real-time to classify them and, where applicable, generate draft replies.
Email body content is processed in memory by our AI models and is not permanently stored in its original form.
We store minimal metadata (sender address, subject line, timestamp, direction) and vector embeddings in our vector database for contextual retrieval. We do not store email body content in this database.
Draft replies are created directly in your email account's Drafts folder via the Microsoft Graph API or Gmail API. You always review and edit drafts before sending. Pigion never sends emails on your behalf.
Emails are organized in your mailbox by applying labels or moving them to category folders. This helps you see at a glance which emails need attention.
3.3 Calendar Data
If you grant calendar access, Pigion reads:
Calendar event start and end times
Event free/busy status
Event all-day indicators
How we process calendar data:
Calendar data is read only when an incoming email contains a meeting or scheduling request.
We read events within a 14-day window to determine your real availability.
Available time slots are calculated deterministically by comparing proposed meeting times against your existing events.
Calendar data is processed in memory and is not stored, cached, or persisted in any database.
Pigion does not create, modify, or delete calendar events.
3.4 Workflow and Meeting Data
Pigion may process workflow-related information to provide meeting preparation features and inbox organization. This includes analyzing email threads to determine conversation status and context.
3.5 Usage Data
We collect usage data to maintain and improve our service:
Number of emails processed and drafts generated (aggregated per user)
Feature usage patterns and interaction data
Error logs with personal data redacted
4. Legal Basis for Processing
We process your data on the following legal grounds under the GDPR:
Contractual necessity (Art. 6(1)(b)): Processing email, calendar, and workflow data is necessary to provide the Pigion service you or your organization subscribed to.
Legitimate interest (Art. 6(1)(f)): Usage analytics, monitoring, and error logging to maintain, improve, and secure our service.
Consent (Art. 6(1)(a)): You explicitly grant access to your email and calendar through the OAuth consent flow provided by Microsoft or Google. You can revoke this consent at any time.
5. How We Use Your Data
We use your data exclusively to:
Classify incoming emails into categories such as "Action needed", "FYI", "Finance", "Notification", and others
Generate draft replies based on the email content, conversation history, and your communication style
Check calendar availability when meeting or scheduling requests are detected in incoming emails
Organize your inbox by applying labels and sorting emails into category folders
Prepare meeting context by analyzing relevant email threads
Analyze and improve our service using anonymized and aggregated data
Send service communications such as account notifications and product updates
We do not:
Sell, rent, or trade your data to third parties
Use your email content or calendar data to train AI models
Send emails on your behalf without your explicit action
Access your email or calendar data outside of active, real-time processing
Store email body content or calendar event details permanently
6. AI Model Data Processing
Pigion uses third-party AI language models (Microsoft Foundry) to classify emails and generate draft replies. The following data may be processed by these models:
Email subject lines, body text, sender and recipient information
Calendar event times and free/busy status
Conversation thread context
This data is processed solely for the purpose of delivering the Pigion service. Our AI service provider does not use customer data to train, improve, or fine-tune their models. Processing occurs on Microsoft Foundry Service servers located in the European Union.
7. Sub-Processors
We engage the following sub-processors to operate our service. All sub-processors that handle personal data have entered into Data Processing Agreements with Pigion and process data on servers located in the European Union.
Supabase, Inc. (EU processing) - User account data, email metadata, workflow information
Pinecone Systems, Inc. (EU processing) - Email content embeddings, workflow data embeddings
PostHog, Inc. (EU processing) - Email content embeddings, workflow data embeddings
Microsoft Corporation (EU processing) - Email content, calendar data, workflow information (in-memory processing)
Vercel, Inc. (EU processing) - User identifiers, access logs
Stripe, Inc. (EU processing) - Payment details, billing information, user identifiers
Where sub-processors are established outside the European Economic Area, data transfers are protected by EU Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. Details of transfer mechanisms and additional safeguards are documented in our DPA.
We will notify customers at least fourteen (14) days in advance before engaging a new sub-processor that processes personal data.
8. Data Retention
Account data - Duration of your subscription, deleted within 30 days after account deletion.
Email metadata and embeddings in vector database - Duration of your subscription, deleted within 30 days after account deletion.
Email body content - Not permanently stored, processed in memory only.
Calendar data - Not permanently stored, processed in memory only.
Draft replies - Stored in your email account's Drafts folder, controlled entirely by you.
OAuth tokens - Revoked immediately upon account disconnection or deletion
Usage analytics - Retained for product improvement; anonymized and aggregated
Billing and invoice records - 7 years, as required by Dutch fiscal law
System logs (no customer content) - Maximum 2 years
When you delete your account or your organization terminates its agreement, we delete all personal data within 30 days, including data held at sub-processors. Written deletion confirmation is available upon request.
9. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
Encryption: AES-256 encryption for data at rest. TLS 1.2 or higher for data in transit. Managed Key Management Service with periodic key rotation.
Tenant isolation: Row Level Security in the database and dedicated namespaces per customer in the vector database. Automated tests verify cross-tenant data isolation.
Access control: Multi-factor authentication is mandatory for all internal accounts. Access rights follow the principle of least privilege and are periodically reviewed.
Confidentiality: All employees with access to systems or infrastructure have signed confidentiality agreements. Employees have no standard access to customer email content or attachments.
Secure development: Mandatory code reviews, automated dependency scanning, secret scanning, and static application security testing. Periodic external penetration tests.
Monitoring: Centralized security monitoring with alerting on suspicious access patterns. Formal incident response procedures with documented escalation paths.
AI processing: Our AI processing occurs on Microsoft Foundry Service within the EU, which does not use customer data for model training.
10. Data Breach Notification
In the event of a data breach affecting your personal data, we will notify the affected party without undue delay and in any event within forty-eight (48) hours of becoming aware of the breach. The notification will include all relevant information regarding the nature of the incident, the affected data, and measures taken to mitigate the consequences.
11. Your Rights
Under the GDPR, you have the right to:
Access (Art. 15): Request a copy of the personal data we hold about you
Rectification (Art. 16): Request correction of inaccurate personal data
Erasure (Art. 17): Request deletion of your personal data
Restriction (Art. 18): Request restriction of processing
Data portability (Art. 20): Receive your data in a structured, machine-readable format
Objection (Art. 21): Object to processing based on legitimate interest
Withdraw consent: Revoke your OAuth consent at any time through your Microsoft or Google account settings
To exercise any of these rights, contact us at security@pigion.ai. We will respond within 30 days.
If your organization has entered into an agreement with Pigion, please direct data subject requests to your organization's data protection contact. We will cooperate with your organization to fulfill such requests.
12. Revoking Access
You can disconnect Pigion from your email and calendar at any time:
Microsoft: Visit https://myaccount.microsoft.com/permissions and remove Pigion
Google: Visit https://myaccount.google.com/permissions and remove Pigion
Within Pigion: Navigate to Settings and click "Disconnect Account"
Upon disconnection, Pigion immediately stops processing your email and calendar data. OAuth tokens are revoked immediately. Stored metadata is deleted within 30 days.
13. International Data Transfers
Your data is primarily processed within the European Union. Where data is transferred to sub-processors established outside the EU, such transfers are protected by:
EU Standard Contractual Clauses (pursuant to Commission Implementing Decision (EU) 2021/914)
The EU-US Data Privacy Framework, where applicable
Additional technical safeguards including encryption at rest and in transit
Further details on transfer mechanisms are available in our Data Processing Agreement.
14. Cookies and Tracking
Pigion uses only essential cookies required for authentication and session management. We do not use advertising cookies, behavioral tracking pixels, or third-party analytics services that track individual users across websites.
15. Children's Privacy
Pigion is a business product designed for professional use. We do not knowingly collect data from individuals under the age of 16. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly.
16. Anonymized and Aggregated Data
We may create anonymized or aggregated data from the personal data we process, in a manner that does not identify any individual. We may use such data to analyze, improve, and promote our service. Anonymized data is not considered personal data under the GDPR.
17. Business Transfers
If Pigion.AI B.V. is involved in a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to this Privacy Policy resulting from it. The acquiring entity will be bound by the terms of this Privacy Policy with respect to your personal data.
18. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice in the Pigion application at least fourteen (14) days before the changes take effect. The "Last updated" date at the top indicates the most recent revision.
19. Contact and Complaints
For questions about this Privacy Policy or our data practices:
Pigion.AI B.V. Vondellaan 4, 6881 MC Velp, the Netherlands
Email: security@pigion.ai
Phone: +31 6 28 30 69 46
If you believe your data protection rights have not been adequately addressed, you have the right to lodge a complaint with the Dutch Data Protection Authority:
Autoriteit Persoonsgegevens https://autoriteitpersoonsgegevens.nl