Last Updated: January 28, 2026
At Pigment we take Privacy and Data Protection seriously. In this Privacy and Data Protection Policy (“Policy”) we have set out how we process personal data as a data processor, i.e. when we provide our services, via our Platform, on behalf of your organization (our customer). This means that we will comply with your organization’s instructions, in accordance with article 28 of the GDPR. In short, this Policy applies to users of the Pigment Platform. By “Platform”, we mean the tool that your organization uses to process and analyze business data and plan its business operations, as well as our training programs related to our tool. In this context, your organization is the data controller of your personal data.
For the avoidance of doubt, we will sometimes process your data as data controllers to further develop or improve our Platform (especially analytics, feedback, satisfaction surveys). In this respect, we also use de-identified and/or aggregated information that can no longer be linked to you.
All this information is not subject to this Policy and we may use this information for various purposes such as internal analysis, analytics or product/services improvement (e.g. within the context of our Pigment AI Features). We rely on either your consent, the performance of our contract with your organization or our legitimate interest to process your data. You can refer to our general privacy policy for further information.
When we refer to “Pigment” in this Policy, we mean Pigment SAS, a French simplified joint stock company with a capital of 29,681.1555 euros, registered with the trade and commercial register of Paris under n° 852 785 914 and having its head office at 8-12 rue Sainte-Cécile, 75009 Paris, France ("Pigment"), acting as a data processor on behalf of our customers (such as your organization).
Within the meaning of data protection laws (such as the European Data Protection Regulation No. 2016/679 (known as "GDPR") and this policy, “personal data” consists of any information that relates to an identified or identifiable individual, such as a name, email address, telephone number, and IP address.
At Pigment, as instructed by your organization, we process the following personal data about you:
We will keep your personal data for the retention period requested by your organization (i.e. 90 days after the expiry of our agreement with your organization).
Exceptions apply for specific purposes. For instance, (i) session replays are stored for 1 month only and (ii) data processed in relation with AI-powered features is subject to a zero retention policy with our sub-processors providing AI services.
After this period, your personal data will be erased from our systems and our sub-processors’ systems, unless we need to keep or archive them for another legitimate purpose, as data controllers (e.g. billing purposes, contractual history, legal proceedings). In this case, your personal data will be deleted once said purpose is achieved and in accordance with applicable statutes of limitations.
Pigment has implemented a number of measures to protect your privacy and personal data and to meet the requirements of the applicable laws including GDPR.
If you want to learn more about our security measures, please read our Security Addendum.
Your personal data can be accessed by your organization which acts as data controller of your personal data (i.e. your organization decides “why” Pigment Platform is being used).
In addition, your personal data is shared with our sub-processors. You can access the list of our sub-processors, which may be updated from time to time in accordance with our agreement with your organization, by clicking here.
When your personal data is shared outside Pigment, we make every effort to select our service providers on the basis of very demanding criteria in terms of privacy, data protection and security. All personal data transfers are secured contractually.
Your personal data may also be shared to providers located outside of the European Economic Area (“EEA”). In such case, we ensure that our providers are:
About Pigment Impersonation feature: The Impersonation feature allows an authorized user with a Security Admin role, as defined by your organization, to access a workspace as if they were another user. In this mode, the Security Admin sees exactly what the impersonated user sees, including communications on private boards, as well as their permissions and access rights. The Security Admin cannot edit any content while using this feature. It is designed for troubleshooting purposes only. This feature does not enable real-time screen sharing or recording.
What are we speaking about? Our Platform may contain integrations that you can activate. For instance:
Be careful. These third-parties are not controlled by Pigment. We do not endorse or approve, and we are not responsible for their privacy practices. Using these integrations is at your own risk. In particular:
Sensitive and personal data may be shared out from Pigment. We encourage you to read their privacy policies and to use these integrations carefully as it may lead to personal and sensitive data being sent out from Pigment. Be granular when you select which data can be shared via integrations.
For instance, if Pigment notifications are enabled for your instant messaging or email applications, such third-parties’ platforms will get access to your personal data and the sensitive information that may be included in the Pigment Platform. They will process notifications containing (i) tasks attributed to you on the Pigment Platform, (ii) operational and / or technical actions required to be performed on the Pigment Platform, (iii) error messages and (iv) comments. If you don’t want these third-parties to get access to said information, please disable the notifications. However, if other users’ of your organization have enabled the third-parties’ notifications, said third-parties will still be able to get access to the information.
We will collect your personal data from these third-parties, at your request (based on your settings and calls). In order to enable you to activate and use these integrations (including with the transfer of data from the third-party’s platform / application to Pigment Platform and vice versa), we will collect personal data from these third-parties. The categories of personal data collected depend on the connection at stake. For instance, if you use the Pigment App for Slack, we will receive from Slack your email address, your Slack ID and your display name.
Within the limits and conditions of applicable data protection laws, please note that you can request your organization to:
You can also lodge a complaint with a competent supervisory authority (for instance, the CNIL in France).
If you want to exercise your rights, we advise you to contact your organization.
When we are acting as a data controller of your data, you can request it directly from us via email: dpo@pigment.com.
In the case of a personal data breach, we will notify affected customers without undue delay, in accordance with applicable law and our agreements. We will inform your organisation about the nature of the breach and categories of data involved and will take the necessary and reasonable actions to remediate the breach, to the extent such remediation is within our reasonable control.
For any questions regarding this document and, in general, about the collection and processing of your personal data by Pigment, do not hesitate to contact us by e-mail: dpo@pigment.com or send us a letter at: Pigment SAS - Data Protection Officer, 8-12 rue Sainte-Cécile, 75009 Paris (France)..
Changes. This Policy may be updated from time to time, in particular to take into account changes in our services, technologies or applicable regulations. These updates will be effective immediately when they are made available and searchable on our Platform.
Cookies and tracking tools. Pigment Platform stores cookies and other tracking tools for technical, functional and analytics purposes. You can read more about this topic here.