Privacy & GDPR
Pionne is designed to be GDPR-compliant by default. Here’s what’s done, what you should know, and what you can do on top.
What Pionne does by default
Automatic PII scrubbing
Before sending, the SDK sanitizes common PII patterns: email, card numbers, IBAN, JWT, tokens, IPs, phone numbers. See PII Scrubbing for the full list and customization.
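Custom rules are worth checking against realistic strings before they ship. The following is an added example, not Pionne's SDK code: it runs the two scrubPii patterns and the beforeSend hook from the health-app configuration later on this page over constructed events. The helpers scrub(), preview() and residual(), the AUDIT pattern, the sample events, and the filter-then-scrub order are all assumptions.

```javascript
// Rules and hook copied from the health-app configuration on this page.
const scrubPii = [
  { re: /patient_[a-z0-9]+/gi, replace: '[patient]' },
  { re: /diagnosis:[^\n]+/gi, replace: 'diagnosis:[redacted]' },
];
const beforeSend = (event) => (event.extra?.medicalRecord ? null : event);

// Hypothetical helper: apply every rule to every string value in the event.
// Object keys are left untouched, so identifiers must not be used as keys.
function scrub(value, rules) {
  if (typeof value === 'string') {
    return rules.reduce((s, { re, replace }) => s.replace(re, replace), value);
  }
  if (Array.isArray(value)) return value.map((v) => scrub(v, rules));
  if (value !== null && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, scrub(v, rules)])
    );
  }
  return value;
}

// Assumed order: beforeSend may drop the event, survivors are then scrubbed.
function preview(event) {
  const kept = beforeSend(event);
  return kept === null ? null : scrub(kept, scrubPii);
}

// Hypothetical audit: paths of strings that still match a broader pattern
// than the scrub rule, to catch identifier formats the rule misses.
function residual(value, pattern, path = '$') {
  if (typeof value === 'string') return pattern.test(value) ? [path] : [];
  if (value === null || typeof value !== 'object') return [];
  return Object.entries(value).flatMap(([k, v]) =>
    residual(v, pattern, `${path}.${k}`)
  );
}

// Constructed sample events (not real data).
const samples = [
  { message: 'Sync failed for patient_9f3a21\ndiagnosis: asthma J45\nretry=3' },
  { message: 'crash', extra: { medicalRecord: { id: 1 } } },
  { message: 'Lookup failed for Patient-77F1', tags: ['patient_12ab'] },
];
const AUDIT = /patient[\s_:#-]*[a-z0-9]+/i; // no g flag: test() stays stateless
```

The third sample is reported at $.message because the rule only matches the underscore form of the identifier; widen the rule or normalize identifiers before they reach log messages.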
No email/IP storage
- The server never logs the IP of an event.
- The user.id field is free-form on the SDK side: use an anonymous identifier (UUID, hash). Never send the email.
    // Good
    Pionne.setUser('user_a8f2c1');

    // Bad
    Pionne.setUser('john@doe.com');
30-day retention
Events are automatically deleted after 30 days. No action required. This duration covers the vast majority of post-release debug needs without piling up data indefinitely.
End-user rights
If a user of your app asks for their data to be deleted:
- Get their user.id (the anonymous identifier you assigned them).
- Filter the issues in the Pionne dashboard by that user.id.
- Delete the relevant issues via DELETE /api/projects/{id}/issues/{issueId}.
Since the only link between an event and the real user is that anonymous ID stored in your app, deletion on the Pionne side is final.
Geography (opt-in)
Pionne can show the approximate city/region/country on every event — useful for spotting a regression localized to an ISP or a country. Disabled by default.
Enable:
    Pionne.init({
      token: '...',
      sendGeography: true,
    });
What happens:
- A single HTTP call at startup to https://ipapi.co/json/ (4 s timeout). No GPS coordinates, no OS permission required.
- The result — { city, region, country, country_code } — is cached and attached to every event under contexts.geo.
- The raw IP is never persisted: only the approximate city/region/country is, under the same 30-day retention as everything else.
- The lookup can be disabled at runtime via setEnabled(false) or by passing sendGeography: false on the next init().
Want your own provider to keep things in-house? geographyEndpoint: 'https://geo.yourapi.com/' accepts any URL returning { city, region, country, country_code }.
Screenshots
Screenshots are:
- Opt-in (captureScreenshot: true).
- Stored as JPG q=0.5 by default on the Pionne server.
- Subject to the same 30-day retention.
Health / finance / minors apps
For these sensitive verticals, go beyond the default:
    Pionne.init({
      token: '...',
      captureScreenshot: false,
      scrubPii: [
        { re: /patient_[a-z0-9]+/gi, replace: '[patient]' },
        { re: /diagnosis:[^\n]+/gi, replace: 'diagnosis:[redacted]' },
      ],
      beforeSend: (event) => {
        // Drop anything containing sensitive business fields
        if (event.extra?.medicalRecord) return null;
        return event;
      },
    });
Subprocessing & hosting
- Data hosted in France (EU datacenter).
- Backend: Laravel + SQL stack.
- No transfers outside the EU.
- Subprocessors: Apple/Google for push notifications only.