Pivot CMS

Privacy Policy

Effective: June 1, 2026 · Pivot Labworks LLC

The short version. Pivot CMS is self-hosted software. Your content, users, sessions, and audit logs live on your server — we never see them. The only data that leaves your install is a license check to LemonSqueezy and a version check to the npm registry. Everything else stays on your box.

This policy covers two distinct contexts:

  1. The Pivot CMS software itself, which you install on your own server
  2. The marketing site at cms.pivot.gdn, where you're reading this policy

The Pivot.gdn link-in-bio platform is a separate product with its own privacy policy at pivot.gdn/privacy.

1. Data the Pivot CMS software sends out

Once installed and running on your server, Pivot CMS makes exactly two kinds of outbound network calls. Everything else you do in the CMS — create pages, manage users, upload media, edit components — happens entirely on your server.

1.1 License activation & validation

When you activate a Pro license or when the CMS periodically re-validates an already-activated license, it sends a request to LemonSqueezy's public license endpoints. The request includes:

  • The license key you entered
  • An "instance name" identifying this install (typically the host header of your public deployment)

LemonSqueezy is an Ireland-based merchant of record; their privacy policy is at lemonsqueezy.com/privacy. Pivot Labworks does not see or store your license key beyond what is necessary to fulfill your purchase and activation history.

Free-tier (Solo) installs never make this call. Local, private-network, and *.local deployments are exempt and also never make this call.

1.2 Update check

Once per hour (cached), Pivot CMS asks the public npm registry whether a newer version of the pivot-cms package is available. This request contains no identifying information beyond what a standard HTTP request to a public registry naturally includes (your server's IP address, user-agent string).

The npm registry is operated by GitHub, Inc.; their privacy policy is at docs.npmjs.com/policies/privacy.

2. Data the Pivot CMS software stores locally

Everything you create or configure in the CMS is stored on your server, in the install directory:

  • SQLite database — user accounts (username, email, hashed password using Argon2), roles, active sessions, system settings, and audit logs
  • JSON flat files — all components, templates, modules, content (pages, posts, custom types), menus, and media metadata
  • Uploaded media files — on the local filesystem

Pivot Labworks has no remote access to this data. We do not read it, copy it, mirror it, or collect telemetry from it. We have no way to recover it for you if you lose it. Back it up.

3. Data we collect on the marketing site

This page (cms.pivot.gdn) is a static HTML site. It does not use cookies, run analytics, or fingerprint your browser. Standard web-server access logs (IP address, request path, timestamp, user-agent) are kept for security and troubleshooting purposes and are rotated/expired in line with standard infrastructure hygiene.

The contact form, where present, is provided through Pivot.gdn and is subject to the Pivot.gdn privacy policy.

4. Sub-processors

The following third parties may process your personal data on Pivot Labworks' behalf, or as independent controllers for their portion of the service. We will update this list as our infrastructure changes; material changes are announced via this page's effective date and (where applicable) the in-app update banner.

| Sub-processor | Purpose | Location | Data shared |
|---|---|---|---|
| LemonSqueezy | Payment, license issuance, license validation. Merchant of record. | Ireland (EU) | Name, email, billing address, payment method (held by Stripe sub-processor), license activation host, IP address |
| npm registry (GitHub Inc.) | Update version check (1h cached). | United States | Server IP address, user-agent string |
| Google Fonts (Google LLC) | Web-font delivery on this marketing site. | United States | Visitor IP address, user-agent string |
| Web-hosting provider | Hosts cms.pivot.gdn static files and serves them. | United States | Standard access logs (IP, request path, timestamp, user-agent) |

The contact form linked from this site, and any contact submissions via the company site at labworks.pivot.gdn, are processed by Pivot.gdn under its own privacy policy (Pivot.gdn is a sibling product of Pivot Labworks).

5. International data transfers

Several of our sub-processors are located in the United States. If you are in the European Union, the European Economic Area, the United Kingdom, or another jurisdiction with cross-border data-transfer restrictions, transfers of your personal data to the United States occur under one or more of the following legal mechanisms:

  • The EU-US Data Privacy Framework (DPF), where the recipient is certified;
  • Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable;
  • UK Addendum to the EU SCCs or the UK International Data Transfer Agreement (IDTA), for UK transfers;
  • Your explicit consent, where applicable under Article 49 GDPR.

We rely on these mechanisms in addition to any safeguards maintained by the sub-processor itself.

6. Legal bases for processing (GDPR / UK GDPR)

If you are in the European Union, the European Economic Area, or the United Kingdom, we rely on the following legal bases under Article 6(1) of the GDPR (or equivalent UK GDPR provision) for each processing activity:

  • License purchase, activation, and validation — Article 6(1)(b), performance of a contract (the EULA).
  • Update version check — Article 6(1)(f), legitimate interests (informing you of available updates; minimal data exposure).
  • Marketing-site server logs — Article 6(1)(f), legitimate interests (security, abuse prevention, troubleshooting).
  • Google Fonts delivery — Article 6(1)(f), legitimate interests (rendering the site as designed).
  • Support correspondence — Article 6(1)(b), performance of a contract, and (where applicable) Article 6(1)(f), legitimate interests.
  • Compliance with legal obligations (e.g. responding to lawful requests, tax records) — Article 6(1)(c).

7. Data retention

We hold personal data only as long as we have a documented purpose for keeping it.

  • License-purchase records — for the duration of your license plus seven (7) years for tax and accounting purposes (US federal record-retention guidance).
  • License-activation history — for the duration of your license plus two (2) years, after which it is anonymized or deleted.
  • Support correspondence — up to three (3) years after the last interaction, after which it is deleted unless retention is required by law.
  • Marketing-site server logs — up to 90 days, after which they are rotated and deleted.

You may request earlier deletion of any data we hold about you by contacting us, subject to overriding legal obligations.

8. Your rights

Because Pivot Labworks does not host the data your Pivot CMS install stores, access/modification/deletion of that data is handled entirely within your install — we have no copy to share, modify, or delete.

For data that is held by Pivot Labworks or its sub-processors (your license purchase and activation records, support emails, marketing-site logs), depending on where you live, you may have one or more of the following rights:

8.1 European Union, European Economic Area, and the United Kingdom

Under GDPR and UK GDPR you have the right to:

  • Access your personal data (Art. 15)
  • Rectification of inaccurate data (Art. 16)
  • Erasure / "right to be forgotten" (Art. 17)
  • Restriction of processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing based on legitimate interests (Art. 21)
  • Withdraw consent at any time where processing relies on consent (Art. 7(3))
  • Lodge a complaint with your national supervisory authority. A list is maintained by the European Data Protection Board at edpb.europa.eu. UK residents can complain to the Information Commissioner's Office at ico.org.uk.

8.2 California (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the right to:

  • Know what personal information we collect, use, disclose, and (if applicable) sell or share, and the categories of recipients;
  • Access and obtain a copy of your personal information;
  • Correct inaccurate personal information;
  • Delete personal information, subject to certain exceptions;
  • Limit the use and disclosure of sensitive personal information;
  • Opt out of the sale or sharing of personal information — we do not sell or share personal information, so no opt-out is necessary, but the right exists in principle;
  • Non-discrimination for exercising any of these rights.

You may exercise these rights through the contact channels in Section 14. We will verify your identity before fulfilling a request (typically by confirming details of your purchase record).

8.3 Other US states

If you reside in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Delaware (DPDPA), or another US state with a comprehensive consumer privacy law in effect at the time of your request, you have access, correction, deletion, portability, and opt-out rights substantively similar to those described above. Contact us through the channels in Section 14 to exercise them.

8.4 Other jurisdictions

Residents of jurisdictions with their own data-protection laws (e.g. Brazil's LGPD, Canada's PIPEDA / Quebec Law 25, Australia's Privacy Act, Japan's APPI) may exercise the equivalent rights afforded by those laws by contacting us.

9. EU representative (Article 27 GDPR)

Status: pending appointment. Under Article 27 GDPR, controllers outside the EU that offer goods or services to EU residents on a non-occasional basis are required to designate a representative established in the European Union. Pivot Labworks is in the process of appointing such a representative before commercial launch. The name and contact details will be published here once the appointment is finalized. UK residents: an Article 27 UK GDPR representative will be appointed on the same timeline.

10. Data security and breach notification

We use industry-standard safeguards to protect personal data in transit (TLS 1.2+) and at rest. In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 GDPR, and we will notify affected individuals without undue delay where required by Article 34 GDPR. For breaches involving US residents we follow the notification timelines set by applicable state law (typically without unreasonable delay and not exceeding the statutory deadline in your state).

11. Accessibility

Pivot Labworks aims to make this marketing site, the Pivot CMS admin interface, and the Pivot CMS public-site renderer accessible to people with disabilities, targeting conformance with WCAG 2.1 Level AA. If you encounter an accessibility barrier, please contact us via the channel in Section 14 so we can address it.

12. Children's privacy

Pivot CMS is a developer tool, not directed at children. We do not knowingly collect personal data from children under the age of 16 (or the lower age threshold permitted by your jurisdiction — for example, 13 in the United States under COPPA). If you become aware that a child has provided us with personal data, please contact us and we will delete the data and terminate any associated account promptly.

13. Changes to this policy

We may update this policy from time to time. The current version is always posted at cms.pivot.gdn/privacy.html with the effective date at the top. Material changes will be announced via the in-app update banner or email to license holders.

14. Contact

Privacy questions, data-subject requests, and breach inquiries can be sent through the contact form at labworks.pivot.gdn.

Data controller:

  • Pivot Labworks LLC
  • State of formation: Florida, United States (confirm before publishing)
  • Registered address: to be added before publishing

This is a rough draft. Have a lawyer review before publishing at launch, especially the third-party processor disclosures (LemonSqueezy, npm) and the GDPR/CCPA rights section to make sure they line up with the jurisdictions you plan to sell into.

© 2026 Pivot Labworks LLC. All rights reserved.
