EnpingBack to home

Legal

Privacy Policy

Last updated June 10, 2026

This Privacy Policy explains how Enstate Labs, Inc. collects, uses, shares, protects, and retains personal information when you use Enping.

Introduction

Enstate Labs, Inc. ("Enstate Labs", "Company", "we", "us", or "our") is committed to protecting the privacy of users, organizations, reviewers, website visitors, and other people whose information is processed through Enping.

This Privacy Policy applies to our website at enping.app, the Enping web application, browser widget, APIs, integrations, support channels, and related services (collectively, the "Service"). Enping helps teams collect website feedback in context, anchor reports to page elements and page state, triage feedback, collaborate on comments and statuses, and route confirmed work into tools such as GitHub, Slack, Linear, or APIs.

If your organization uses Enping to collect feedback from its own visitors, reviewers, customers, clients, or employees, your organization is generally the controller or business responsible for that data, and Enstate Labs processes it as a service provider or processor under our agreements and applicable data-processing terms.

Information we collect

We collect personal information and non-personal information. "Personal information" means information that identifies, relates to, describes, or can reasonably be linked to an individual. "Non-personal information" means aggregated, de-identified, or technical information that does not identify an individual.

  • Account and profile data: name, email address, authentication credentials, organization membership, role, permissions, invitation status, preferences, and support details.
  • Organization and workspace data: organization name, customer and project configuration, site and environment settings, widget installation settings, access policies, audit logs, subscription status, and integration settings.
  • Feedback and user-generated content: feedback titles, messages, comments, statuses, priorities, assignments, labels, activity history, implementation context, linked issue metadata, and other content submitted to or generated through the Service.
  • Widget and page-context data: page URL, route or path, selected element metadata, DOM anchors, percentage-relative annotation rectangles, browser and viewport context, page state, reviewer or visitor session state, signed host identity metadata, invite-token metadata, and optional screenshots or attachments where enabled by policy.
  • Communications data: support messages, product feedback, survey responses, sales communications, and messages sent through customer-enabled integrations.
  • Usage and device data: IP address, browser type, operating system, device identifiers, referring and exit pages, pages viewed, features used, log data, timestamps, diagnostic data, and approximate location derived from IP address.
  • Payment and billing data: billing contact details, invoice information, plan, subscription status, tax information, usage counters, and payment status. Payment card or bank details are processed by our payment providers and are not stored directly by Enstate Labs.

Information collected through technology

We and our service providers use cookies, local storage, logs, and similar technologies to operate, secure, and improve the Service. Essential technologies are used for authentication, session management, widget reviewer state, pending submission retry state, security, fraud prevention, load balancing, and remembering preferences.

Optional analytics technologies are used only where permitted by law and, where required, only after consent. These technologies help us understand product usage, detect errors, measure performance, and improve the Service. We do not use advertising cookies or tracking pixels for third-party behavioral advertising.

You can configure your browser to reject cookies or notify you when cookies are being used. Some parts of the Service may not function properly without essential cookies or local storage.

Account registration and organization use

To create an account or join an organization, you may need to provide your name, email address, authentication credentials, organization information, and other profile details. Organization administrators may invite users, assign roles, review activity, configure projects and sites, connect integrations, manage screenshot policy, and manage data within the workspace.

If you use the Service on behalf of an organization, your organization may control certain account and workspace data and may be able to access, export, restrict, or delete content associated with the workspace. Please contact your organization administrator for requests involving workspace-controlled data.

Widget feedback and visitor data

When someone submits feedback through a widget installed by one of our customers, that customer decides what the widget collects, who may submit feedback, whether screenshots or attachments are enabled, which site origins are allowed, and how long feedback is kept. Production widget access is intended to be authenticated or explicitly permissioned through a reviewer session, signed host identity, or time-limited invite token.

We process widget feedback on behalf of the customer that installed the widget. If you are a visitor or reviewer and want to exercise privacy rights for feedback submitted through a customer widget, contact that customer first. We will assist the customer as required by applicable law and our agreements.

AI data processing

Enping may use AI features to classify feedback, suggest types or priorities, summarize reports, draft implementation context, or assist with triage. AI inputs and outputs may include personal information if your organization submits or connects that information to the Service.

We do not use customer workspace data, visitor feedback, prompts, screenshots, or AI outputs to train third-party foundation models. Where supported, we route AI requests through providers and controls configured to deny data collection, require zero data retention, or otherwise limit provider use of customer data. AI providers may process requests transiently to return a response, subject to their contractual obligations and applicable law.

Your organization is responsible for reviewing AI-generated outputs before relying on them for operational, legal, financial, employment, security, or customer-facing decisions.

How we use information

We use personal information to:

  • provide, operate, maintain, secure, and support the Service;
  • create and manage accounts, workspaces, roles, permissions, authentication, and billing;
  • process widget submissions, annotations, comments, statuses, assignments, and activity history;
  • validate widget origins, installation keys, access policies, reviewer sessions, invite tokens, and signed host identity;
  • operate integrations, such as creating linked issues or sending feedback to customer-enabled tools;
  • generate AI-powered classifications, summaries, recommendations, and workflow outputs;
  • communicate with you about account activity, support requests, product updates, security notices, billing, legal notices, and marketing where permitted;
  • monitor performance, debug issues, analyze usage, improve product functionality, and develop new features;
  • prevent fraud, abuse, unauthorized access, security incidents, and misuse of the Service; and
  • comply with legal obligations, enforce our agreements, resolve disputes, and protect rights, safety, and property.

Legal bases for processing

Where the GDPR, UK GDPR, or similar laws apply, we process personal information under one or more legal bases:

  • Contract performance: to provide the Service and fulfill our agreements with you or your organization.
  • Legitimate interests: to secure, maintain, improve, and market the Service, prevent fraud, and support customers, balanced against individual rights and expectations.
  • Consent: for optional analytics, certain marketing communications, screenshot capture where required, or other processing where consent is required.
  • Legal obligations: to comply with tax, accounting, regulatory, security, legal process, and other legal requirements.
  • Customer instructions: where we process personal information as a processor or service provider on behalf of an organization.

How we share information

We do not sell, rent, or trade personal information to third parties for advertising or marketing purposes. We may share information in the following circumstances:

  • Service providers and subprocessors: vendors that provide hosting, storage, authentication, analytics, AI routing and inference, monitoring, email, billing, payment processing, support, security, and other services necessary to operate Enping.
  • Customer-enabled integrations: third-party systems such as GitHub, Slack, Linear, project-management tools, webhooks, APIs, and other tools your organization chooses to connect.
  • Organization administrators: information associated with a workspace may be available to administrators and authorized members of that organization according to their permissions.
  • Legal and safety reasons: where we believe disclosure is reasonably necessary to comply with law, legal process, enforceable government requests, our agreements, security obligations, fraud prevention, or to protect rights, property, or safety.
  • Business transfers: in connection with a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or similar transaction, subject to appropriate confidentiality and privacy protections.
  • With consent or direction: when you or your organization instruct us to share information or give consent.

Billing and usage events sent to payment providers should use limited metadata. We do not intentionally place feedback text, screenshots, DOM data, raw authentication payloads, invite tokens, signed identity payloads, attachments, or private customer content in payment-event metadata.

Data location and international transfers

Enping is designed with privacy-aware product practices for production customer data where feasible. Some service providers and AI infrastructure may process information in other countries depending on the service, integration, support request, or provider configuration.

Where personal information is transferred internationally, we use appropriate safeguards as required by applicable law, such as adequacy decisions, Standard Contractual Clauses, the UK International Data Transfer Addendum, data processing agreements, or other lawful transfer mechanisms.

Data retention

We retain personal information for as long as necessary to provide the Service, fulfill the purposes described in this Privacy Policy, comply with legal obligations, resolve disputes, enforce agreements, and maintain security.

  • Account and workspace data is retained while the account or workspace is active and for a limited period after termination or deletion, unless longer retention is required by law.
  • Feedback, annotations, comments, status history, and linked issue metadata are retained according to customer configuration, contractual terms, product functionality, and deletion requests.
  • Optional screenshots and attachments are retained only where enabled by policy and may be subject to shorter limits, masking guidance, size controls, or deletion requests.
  • AI prompts, outputs, and triage results may be retained as workspace records unless deleted according to product controls or agreement terms.
  • Logs, diagnostics, security events, and analytics data may be retained for shorter periods unless needed for security, legal, audit, or reliability purposes.
  • Billing, tax, and transaction records may be retained as required by accounting, tax, or legal obligations.

How we protect information

We use technical, organizational, and administrative safeguards designed to protect personal information from unauthorized access, disclosure, alteration, and destruction. These safeguards may include encryption in transit and at rest, access controls, authentication, tenant-scoped authorization, role-based permissions, audit logs, monitoring, vulnerability review, incident response processes, backups, vendor review, and environment separation.

No method of transmission or storage is completely secure. You are responsible for maintaining the confidentiality of your credentials, using strong authentication practices, limiting access within your organization, and promptly notifying us of suspected unauthorized access.

Children's privacy

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe we have collected personal information from a child under 13 without appropriate consent, contact us at privacy@enping.app, and we will take appropriate steps to delete the information.

Organizations using Enping are responsible for ensuring that any visitor, reviewer, customer, employee, or minor-related data they provide or collect through the Service is processed lawfully.

Your privacy rights and choices

Depending on your location and relationship to Enstate Labs, you may have rights to access, correct, delete, restrict, object to, or receive a copy of personal information. You may also have the right to withdraw consent, opt out of certain communications, or lodge a complaint with a supervisory authority.

To exercise rights relating to your Enping account or direct interactions with Enstate Labs, contact privacy@enping.app. To exercise rights relating to data controlled by an organization using Enping, contact that organization directly; we will assist the organization as required by applicable law and our agreements.

You can unsubscribe from marketing emails by using the unsubscribe link in the email or contacting us. We may still send transactional, security, legal, billing, or administrative messages related to the Service.

California and other U.S. state privacy notices

Where U.S. state privacy laws apply, Enstate Labs does not sell personal information or share personal information for cross-context behavioral advertising. We process personal information for the business and commercial purposes described in this Privacy Policy.

Depending on your state, you may have rights to know, access, correct, delete, obtain a portable copy of, or opt out of certain processing of personal information. We will not discriminate against you for exercising privacy rights. Submit requests to privacy@enping.app.

Links and third-party services

The Service may contain links to third-party websites, applications, integrations, or services. This Privacy Policy does not apply to third-party services that are not controlled by Enstate Labs. We encourage you to review the privacy policies of any third-party services you access or connect to Enping.

When your organization enables an integration, the third party's terms and privacy policy may apply to data shared with or received from that integration.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or the Service. Material changes will be communicated by email, in-product notice, or a prominent notice on the Site where appropriate. Non-material changes take effect when posted.

Contact us

If you have questions about this Privacy Policy or Enstate Labs' privacy practices, contact us at privacy@enping.app or hello@enping.app.

You may also contact us by mail at:

  • Enstate Labs, Inc.
  • 1111b South Governors Avenue STE 96453
  • Dover, Delaware 19904
  • United States