
Privacy Policy.

How we collect, use, and protect personal information across pug.sh, the Pug Cloud, and self-hosted deployments.

Contents
  1. Overview
  2. Definitions
  3. Controller and processor
  4. Information we collect
  5. What we don’t do
  6. How we use information
  7. Legal bases for processing
  8. Cookies
  9. How we share information
  10. Service providers & sub-processors
  11. International data transfers
  12. Data retention
  13. Security
  14. Your rights & choices
  15. Self-hosted deployments
  16. Children’s privacy
  17. Data Processing Agreement
  18. Changes to this policy
  19. Contact us

Last updated 13 June 2026.

Overview

Pug is an open-source product-analytics platform with unified user profiles, operated by Tshoka Pvt Ltd (“Pug”, “we”, “us”). This policy explains what personal information we handle, why, and the choices you have, when you:

  • visit our website at pug.sh;
  • create an account and use Pug Cloud (app.pug.sh); or
  • contact us.

Because Pug is open source, the same code that runs Pug Cloud is available to inspect and to run yourself. If you self-host Pug, your data stays on your own infrastructure and this policy’s Cloud sections do not apply — see Self-hosted deployments.

Definitions

  • Personal data — information that identifies, or can be used to identify, a person.
  • Customer Data — the events, properties, and profiles you send to Pug Cloud. Because Pug supports identifying users, this may include personal data about your own users.
  • Controller / processor — the party that decides why and how data is processed (controller) versus the party that processes it on the controller’s instructions (processor).
  • Service — pug.sh, Pug Cloud, and the related services we operate.
  • You — the person or organization using Pug.

Controller and processor

For your account information — the details you give us to register and use Pug Cloud — Tshoka Pvt Ltd is the controller.

For the Customer Data you send to Pug Cloud, we act as a processor: we process it only on your instructions and to provide the service. You are the controller of your end users’ data, and you are responsible for having a lawful basis to collect it and for honoring your users’ privacy rights.

Information we collect

Account data

Your name and email address, a password (stored only as a salted hash), and your organization or project details. If and when paid plans launch, billing details will be handled by a third-party payment processor.

Usage and log data

When you sign in to Pug Cloud, we collect standard log data — your IP address, browser and device type, and the actions you take in the app — to operate, secure, and troubleshoot the service.

Customer Data (the analytics you send us)

Unlike cookieless web-analytics tools, Pug is a product-analytics platform: when you call identify(), it can tie events to a known person and build a unified profile. The Customer Data you send may therefore include personal data about your users — such as user IDs, email addresses, or traits you choose to attach. You decide what to send, so you should avoid sending sensitive data you do not need. On ingest, events are enriched with approximate geolocation derived from IP address, device and browser details, and UTM parameters.

The marketing website

pug.sh ships with no third-party trackers, analytics scripts, or advertising cookies. Visiting it adds you to no profile and no ad audience. Our servers may keep aggregate, non-identifying request logs for security and reliability.

What we don’t do

  • We do not sell personal information, ever.
  • We do not use your data or your Customer Data for third-party advertising.
  • We do not use your Customer Data to train machine-learning models.
  • We do not mix one customer’s data with another’s.
  • We do not track you across other websites.

How we use information

  • To provide, maintain, secure, and improve the service.
  • To authenticate you and protect your account.
  • To respond to your requests and send service, security, and administrative notices.
  • To comply with legal obligations and enforce our terms.

Legal bases for processing

Where the EU/UK GDPR applies, we rely on these legal bases to process account information:

  • Performance of a contract — to provide the service you sign up for.
  • Legitimate interests — to secure and improve the service and communicate about it, balanced against your rights.
  • Consent — where we ask for it (for example, optional communications); you can withdraw it at any time.
  • Legal obligation — where the law requires us to process or retain information.

We process Customer Data as a processor on your documented instructions.

Cookies

pug.sh sets no analytics or advertising cookies. Pug Cloud uses only the strictly necessary cookies needed to keep you signed in and secure your session — never for advertising or cross-site tracking. If you deploy a Pug SDK in your own product, any client-side storage it uses is part of your deployment, and you are responsible for the cookie and consent obligations toward your users.

How we share information

We share personal information only in these limited circumstances:

  • With service providers and sub-processors who help us run Pug Cloud, under confidentiality and data-protection terms (see below).
  • To comply with the law or a valid legal request, or to protect the rights, property, or safety of Pug, our users, or the public.
  • In a business transfer such as a merger, acquisition, or asset sale, with notice to affected users.

We never sell personal information, and we never share it for third-party advertising.

Service providers & sub-processors

We rely on a limited set of third-party providers to operate Pug Cloud, in categories such as cloud hosting and infrastructure, transactional email, and — when paid plans launch — payment processing. Each may process personal information only to provide services to us and is bound by data-protection obligations. A current, named list of our sub-processors is available on request via the contact details below.

International data transfers

We and our service providers may process information in countries other than the one you live in, including India. Where personal data is transferred across borders, we rely on appropriate safeguards — such as Standard Contractual Clauses — where required by applicable law.

Data retention

We keep account information for as long as your account is active. After you close your account, we delete or anonymize it within 90 days, unless we must retain it to meet a legal obligation or resolve a dispute. You can export or delete your Customer Data at any time while your account is active; on termination it is deleted in accordance with our agreement with you.

Security

We protect personal information with measures including encryption in transit, access controls, and least-privilege practices. No method of transmission or storage over the internet is completely secure, so we cannot guarantee absolute security — but we work to protect your information and will notify you of a security incident where the law requires it.

Your rights & choices

Depending on where you live, you may have rights to access, correct, delete, export (port), restrict, or object to the processing of your personal information, and to withdraw consent where processing is based on it. You can export or delete much of your data directly in the app, or contact us to exercise any of these rights. We will not discriminate against you for doing so.

Because we do not sell personal information, “do not sell or share” requests under laws such as the California Consumer Privacy Act (CCPA) are honored by default. If we hold your data as a processor on behalf of a Pug Cloud customer, please direct your request to that customer; we will help them respond.

Self-hosted deployments

When you self-host Pug, your event and profile data stays entirely on your own infrastructure. Tshoka Pvt Ltd does not receive it and is neither the controller nor the processor of it — you are. The Cloud-specific sections of this policy do not apply to self-managed deployments, and you are responsible for the privacy practices of your own instance.

Children’s privacy

Pug is not directed to children, and we do not knowingly collect personal information from children under 16 (or the age of digital consent in your jurisdiction). If you believe a child has provided us personal information, contact us and we will delete it.

Data Processing Agreement

If you use Pug Cloud to process personal data about your users and need a Data Processing Agreement (DPA) to meet your GDPR obligations, one is available on request via the contact details below.

Changes to this policy

We may update this policy from time to time. When we do, we will post the revised version here and update the “Last updated” date above. If the changes are significant, we will provide a more prominent notice as required by law.

Contact us

Questions, requests, or complaints about privacy? Email [email protected], or reach us via Tshoka Pvt Ltd.

© 2026 Tshoka Pvt Ltd · AGPL-3.0