PinAppAI

Privacy Policy

Last updated: 2026-05-03

1. Who we are

PinAppAI (“we”, “us”, “PinAppAI”) is the operator of pinappai.com and the PinAppAI service. Contact: [email protected].

2. Our two roles under GDPR

PinAppAI processes personal data in two distinct roles, and the rules differ:

  • Controller — when you sign up for an account, we decide why and how we process your account data (email, name, login activity).
  • Processor — when you embed the PinAppAI widget on your site, you (the customer) are the controller for end-user feedback collected. PinAppAI processes that data on your instructions, governed by our Data Processing Agreement.

3. Data we collect as controller (account holders)

  • Identity: email address, display name.
  • Authentication: sign-in attempts, hashed credentials, OAuth tokens (if applicable), session tokens.
  • Security telemetry: IP address and user-agent stored on each session row, retained for the session lifetime (30 days) and for security investigations.
  • Workspace and project metadata: workspace names, project names, billing plan.
  • Billing data (when paid plans are active): processed by Lemon Squeezy. We receive customer ID, subscription status, and invoice metadata only — never card numbers.

4. Data processed as processor (widget feedback)

When end users submit feedback through a PinAppAI widget on a customer’s site, the customer’s instructions determine what is collected. Typical fields:

  • Comment text
  • Optional author name and author email (only if the end user provides them)
  • Page URL and path where the feedback was left
  • Viewport dimensions and a CSS selector for the pin’s position
  • User-agent string
  • An optional screenshot image of the page region (only if the end user opts in via the widget’s screenshot mode)

PinAppAI stores this data in encrypted Cloudflare D1 (database) and Cloudflare R2 (image storage) on the customer’s behalf. The customer is the controller; we act only on their instructions.

5. Lawful bases

  • Contract (Art. 6(1)(b)) — to provide the service you signed up for.
  • Legitimate interests (Art. 6(1)(f)) — to keep the service secure (logging IPs and user-agents on sessions to detect abuse), to communicate operational notices, and to improve the product through aggregate usage analysis.
  • Consent (Art. 6(1)(a)) — for any future marketing communications. We do not currently send marketing email.
  • Legal obligation (Art. 6(1)(c)) — to retain certain billing records for tax purposes.

6. Sub-processors

We use the third-party services listed at /sub-processors/ to provide the PinAppAI service. We give 30 days’ notice in our changelog and via email to account holders before adding new sub-processors that process personal data.

7. International transfers

PinAppAI is operated from outside the EU/EEA/UK. Personal data may be transferred to and processed by sub-processors in the United States and other regions. We rely on the European Commission’s Standard Contractual Clauses (and the UK Addendum where applicable) for these transfers, in line with each sub-processor’s published terms.

8. Retention

  • Account data — kept while your account is active. You can delete your account at any time from your account settings; deletion cascades to your workspaces, projects, feedback, and screenshots within 7 days.
  • Sessions — expire after 30 days; expired rows are removed automatically.
  • OTP attempts and verification rows — retained up to 30 days for fraud-prevention auditing.
  • Widget feedback — retained until the controller (the customer who installed the widget) deletes it, or for the lifetime of the project.
  • Audit logs — retained 7 years to satisfy SOC 2 and tax-records overlap.
  • Billing records — 7 years (legal obligation).

9. Your rights

You have the right to:

  • Access a copy of your data — use the “Export my data” button in your account settings, or email us.
  • Rectify inaccurate data — most fields are editable in your account settings.
  • Erase your data — use “Delete my account” in your settings.
  • Restrict or object to processing — email us.
  • Portability — exports are provided in JSON for machine-readability.
  • Lodge a complaint with your data protection authority. UK: ico.org.uk. EU: edpb.europa.eu. Türkiye (KVKK): kvkk.gov.tr.

If you are an end user whose feedback was submitted via a widget on a customer’s site, please first contact the site operator (the controller). We will assist them in fulfilling your request.

10. Security

All data is transmitted over HTTPS. Database and object storage use encryption at rest provided by Cloudflare. Authentication uses one-time codes via email and short-lived bearer tokens. Sessions can be revoked from your account settings. We maintain an immutable audit log of privileged actions and review access quarterly.

11. Children

PinAppAI is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided personal data to us, please contact us and we will delete it.

12. Cookies

PinAppAI uses only strictly-necessary cookies for authentication and session management. We do not use analytics, advertising, or tracking cookies. See our Cookie Policy for details.

13. Changes to this policy

We will post material changes to this policy at this URL and update the “last updated” date above. For significant changes, we will email account holders at least 14 days before the change takes effect.

14. Contact

Questions about this policy or your data: [email protected].