Privacy Policy
Effective date: 7 May 2026
Controller: Epigos Ltd (“Epigos”, “we”, “us”)
Product: PingChange
Contact (general & privacy): hello@pingchange.com
This Privacy Policy explains how Epigos collects, uses, discloses, and protects personal data when you use PingChange websites, applications, APIs, and related services (collectively, the “Service”). It is designed to align with the EU/UK General Data Protection Regulation (“GDPR”) and common U.S. state privacy expectations (including California-style disclosures).
If you do not agree with this Policy, please do not use the Service.
1. Who is responsible for your data?
For personal data processed in connection with PingChange, the controller is:
Epigos Ltd
Email: hello@pingchange.com
We do not sell your personal data in the conventional sense of exchanging it for money. Some jurisdictions define “sale” or “sharing” broadly (for example, for targeted advertising). We do not use your personal data for cross-context behavioral advertising as described under California law.
2. Scope
This Policy applies when you:
- Visit our marketing site or documentation
- Create or administer an account
- Use in-product features (monitors, alerts, AI summaries, etc.)
- Communicate with support or sales
- Interact with cookies or similar technologies where we control them
If your organization purchases PingChange, your employer may control certain account data; see Section 4 (Roles).
3. Personal data we collect
We collect data in three broad ways: you give it to us, we collect it automatically, and we receive it from others.
3.1 Data you provide
| Category | Examples |
|---|---|
| Account & profile | Name, email, organization, role, avatar (if supplied) |
| Billing | Billing contact, payment method metadata (payments are usually processed by our payment processor; we typically do not store full card numbers) |
| Support & comms | Messages, attachments, meeting details, feedback |
| Service configuration | Monitor settings, notification endpoints (Slack workspace IDs, webhook URLs, tokens you paste), prompts, labels |
3.2 Data collected automatically
| Category | Examples |
|---|---|
| Usage & telemetry | Feature usage, request metadata, rough geolocation derived from IP, timestamps |
| Device & technical | Browser type, OS, approximate locale, diagnostic logs |
| Security | Auth events, session identifiers, fraud/abuse signals |
3.3 Data from third parties
| Source | Examples |
|---|---|
| Identity / SSO | If you authenticate through a provider (for example Clerk, Google, Microsoft), we receive identifiers and profile elements allowed by your consent |
| Integrations | When you connect channels (Slack, email providers, webhooks), we receive technical tokens/metadata needed to deliver messages |
| Analytics / error reporting | If enabled, limited events may be processed by subprocessors (for example error monitoring) |
3.4 Snapshot and monitored content
To provide monitoring, we process content retrieved from URLs you configure (HTML/text, screenshots, API specifications, headers where relevant). That content may occasionally contain personal data if it appears on a page you monitor. You instruct that processing as the customer; see Section 4.
4. Roles under GDPR (controller / processor)
- For account, billing, support, product analytics, and our own marketing (where applicable), Epigos generally acts as controller.
- For Customer Data you submit—such as monitored URLs, snapshots, diffs, and most integration configuration—Epigos typically acts as processor, processing personal data on your instructions, subject to our Terms of Service and any Data Processing Agreement (“DPA”) you execute with us.
Where we are processor, you are responsible for lawfully configuring monitors and for providing any required notices to individuals whose data might appear in monitored pages.
5. Purposes and legal bases (GDPR / UK GDPR)
We process personal data on the following bases:
| Purpose | Legal basis |
|---|---|
| Providing the Service | Contract (Art. 6(1)(b) GDPR) |
| Security, abuse prevention, audit logs | Legitimate interests (Art. 6(1)(f)); where required, legal obligations |
| Product improvement & limited analytics | Legitimate interests; where required, consent for non-essential cookies |
| Billing & tax records | Contract and legal obligation (Art. 6(1)(c)) |
| Marketing communications (where not covered by soft opt-in) | Consent (Art. 6(1)(a)) where required |
| AI-assisted features | Contract and, where special categories could appear, your explicit instructions as customer; we instruct customers not to submit unnecessary sensitive data |
Where we rely on legitimate interests, we balance our interests against your rights. You may object to processing based on legitimate interests as described in Section 10.
6. How we use personal data (summary)
- Create and secure accounts; authenticate users
- Operate monitoring, alerting, storage, search, and exports you request
- Provide AI-assisted summaries of changes in accordance with product design and your configuration
- Troubleshoot, prevent fraud, enforce our Terms, respond to incidents
- Communicate service, technical, and (where permitted) promotional messages
- Comply with law, regulation, or lawful requests
- Improve reliability and performance (including aggregated or de-identified metrics)
7. Cookies and similar technologies
We use strictly necessary cookies and local storage for authentication, security, load balancing, and basic preferences. Where we use non-essential cookies (for example analytics), we will seek consent where required by law.
You can control many cookies through browser settings. Blocking some cookies may degrade functionality.
8. Disclosures and subprocessors
We share personal data with:
- Infrastructure & hosting (cloud regions you select or we operate from)
- Authentication providers
- Email & transactional messaging providers
- Payment processors
- Background jobs / queues for scheduled checks and notifications
- AI model providers where you use AI features (prompts and minimal context may be transmitted per request)
- Error monitoring / logging vendors
- Professional advisors (lawyers, accountants) under confidentiality
- Authorities when required by law or to protect rights and safety
A current list of typical subprocessors is available on request at hello@pingchange.com. We impose data-protection terms on vendors who process personal data on our behalf.
9. International transfers
We may process data in the United Kingdom, the European Economic Area, and the United States, and other locations where we or our vendors operate.
Where GDPR/UK GDPR applies and we transfer personal data to countries not subject to an adequacy decision, we use appropriate safeguards such as the EU Commission Standard Contractual Clauses and/or the UK International Data Transfer Addendum, supplemented by technical and organizational measures as appropriate.
10. Your rights (EEA / UK / Switzerland)
Subject to applicable law, you may have the right to:
- Access personal data we hold about you
- Rectify inaccurate data
- Erase data (“right to be forgotten”) in certain cases
- Restrict processing in certain cases
- Object to processing based on legitimate interests (including profiling)
- Data portability for data you provided where processing is automated and based on contract/consent
- Withdraw consent where we relied on consent (withdrawal does not affect prior lawful processing)
- Lodge a complaint with a supervisory authority (in the UK, the ICO; in the EEA, your local authority)
To exercise rights, contact hello@pingchange.com. We may need to verify your identity. Organization accounts may require admin coordination.
11. U.S. privacy disclosures
11.1 Categories of personal information (California-style)
In the preceding twelve months, we may have collected the following categories (examples are illustrative):
- Identifiers — name, email, account ID, IP address
- Customer records — billing contact details, support history
- Commercial information — subscription tier, purchase history
- Internet or electronic activity — service logs, diagnostic telemetry
- Geolocation — coarse location from IP
- Professional information — organization, title
We use these categories for the business purposes described in Sections 5–7 and Section 8.
11.2 Sensitive personal information
We do not intentionally collect sensitive categories (for example health, precise geolocation, government IDs) through PingChange. Do not include such information in monitors or prompts unless you have a lawful basis and explicit configuration approved by us in writing.
11.3 Your U.S. state rights
Depending on your state of residence, you may have rights to access, delete, correct, port, or opt out of certain processing, and to appeal our decisions. We honor global privacy control (“GPC”) signals where legally required as a request to opt out of sale/sharing for that browser or device.
Submit requests at hello@pingchange.com. We will not discriminate against you for exercising rights.
12. Retention
We retain personal data as long as necessary to provide the Service, comply with law, resolve disputes, and enforce agreements. Typical guidelines:
- Account data — duration of the relationship plus a reasonable post-closure period (for example up to 24 months unless a longer period is required)
- Billing/tax records — as required by applicable tax and accounting law (often 6–10 years depending on jurisdiction)
- Security & abuse logs — a shorter rolling window, unless needed for an investigation
- Customer monitoring data — according to your plan, workspace settings, and any contractual DPA
Exact schedules may vary; contact us for more detail about your account.
13. Security
We implement technical and organizational measures appropriate to the risk, including encryption in transit, access controls, least-privilege practices, vendor review, and incident response procedures. No method of transmission or storage is 100% secure.
14. Children
The Service is not directed to children under 16. If you believe a child provided personal data, contact hello@pingchange.com and we will take appropriate steps to delete it.
15. Automated decision-making
We do not use personal data for solely automated decisions that produce legal or similarly significant effects about individuals in a GDPR sense. AI features assist operational summarization and should be verified by humans for important decisions.
16. Changes to this Policy
We will post updates here and revise the “Effective date.” For material changes, we will provide additional notice where appropriate (email or in-product).
17. Contact
Epigos Ltd — PingChange
Privacy & data requests: hello@pingchange.com
This document is provided for transparency. It is not legal advice.