Privacy Policy

Last Updated: April 19, 2026

1. Who We Are

Pinly ("we", "us") is a visual feedback tool operated by Pawluk Studio, a sole proprietorship registered in Poland. We are the data controller for the personal data processed through pinly.pl.

2. What We Collect

Account data (from GitHub, when you sign in):

  • Email address associated with your GitHub account
  • Display name and avatar
  • GitHub user ID

Project content you create: project titles, URLs you target, share links, and any settings.

Feedback captured from your clients' browsers when they leave a pin:

  • The comment text and the element it was placed on
  • A screenshot of the page at the moment of feedback
  • A short session recording (typically the last ~20 seconds of interaction) powered by rrweb
  • Browser, OS, viewport, and screen resolution
  • Console errors and failed network requests (for debugging)
  • The name your client enters when first opening a share link

Technical data: IP address and authentication cookies, used strictly to keep you signed in and to protect the service from abuse.

We do not use tracking cookies, advertising pixels, or third-party analytics.

3. How We Use Your Data

  • To run the service — store your projects, show feedback from your clients, authenticate you.
  • To send product updates and marketing — occasional emails about new features, tips, and product news. You can unsubscribe at any time from a link in the email or by contacting us.
  • To prevent abuse and debug issues — server logs and error data are retained to keep the service stable and secure.

4. Legal Basis (GDPR Art. 6)

  • Contract (Art. 6(1)(b)) — processing needed to deliver the service you signed up for.
  • Consent (Art. 6(1)(a)) — marketing emails. You gave consent when you accepted the Terms & Privacy Policy at sign-up. You can withdraw it at any time.
  • Legitimate interest (Art. 6(1)(f)) — security, fraud prevention, and core product improvement.

5. Who We Share Data With

We work with a small number of processors that are necessary to run Pinly. We do not sell your data to anyone, ever.

  • Supabase (database, authentication, storage) — EU region (Frankfurt); parent company in the US, covered by the EU-US Data Privacy Framework.
  • GitHub (OAuth sign-in) — you log in through GitHub, which passes us the data listed in section 2.
  • Vercel (hosting, edge network) — serves the pinly.pl website.
  • Team members and clients you invite to a project see the feedback on that project.
  • Law enforcement — only if we are legally required to disclose data.

6. International Transfers

Your data is primarily stored in the EU (Frankfurt). Some of our processors (GitHub, Vercel, Supabase's parent company) are based in the US. Transfers rely on the EU-US Data Privacy Framework and Standard Contractual Clauses.

7. How Long We Keep Data

  • Account data: until you delete your account.
  • Projects, pins, screenshots, session recordings: until you delete them, or until the owner's account is deleted.
  • Backups: up to 30 days after deletion.
  • Server logs: up to 30 days.

8. Your Rights

Under GDPR you have the right to:

  • Access the personal data we hold about you
  • Correct it if it's wrong
  • Delete it ("right to be forgotten")
  • Export it in a portable format
  • Object to or restrict processing
  • Withdraw consent for marketing emails
  • Lodge a complaint with the Polish Data Protection Authority (UODO) at uodo.gov.pl

Most actions (deleting projects, deleting your account) can be done from your dashboard. For anything else, email us at the address below and we'll respond within 30 days.

9. Security

We use TLS for data in transit, row-level security on the database so your projects aren't visible to other users, and we never store passwords. No system is 100% secure, but we do our best to keep yours safe.

10. Children

Pinly is not intended for users under 16. We don't knowingly collect data from minors. If we find out we have, we'll delete it.

11. Changes

If we change this policy in a material way, we'll tell you by email and update the "Last Updated" date above. Small fixes (typos, clarifications) happen quietly.

12. Contact

Questions, data requests (access, deletion, rectification), GDPR complaints: kontakt@pawlukstudio.pl. We reply within 30 days as required by GDPR Article 12(3).