Privacy Policy
Last Updated: May 2, 2026
The Short Version
- We never sell your data — not to anyone, not for any reason.
- We collect what we need to run Pinly. Nothing more.
- We use Vercel's cookieless, anonymous analytics — and only after you opt in.
- You can export, edit, or delete your data anytime — from the dashboard or by emailing us.
- Your data lives in the EU (Frankfurt). Some processors are in the US, covered by SCCs and the EU-US DPF.
1. Who We Are
Pinly ("we", "us", "our") is a visual feedback tool operated by Pawluk Studio — a sole proprietorship registered in Poland. We are the data controller for the personal data processed through pinly.dev under the GDPR.
- NIP: 8393015674
- Owner: Mateusz Pawluk
- Contact: kontakt@pawlukstudio.pl
We are not legally required to appoint a Data Protection Officer (DPO). All privacy questions go directly to the email above and are handled by the owner.
2. What We Collect
Account data (from GitHub, when you sign in):
- Email address associated with your GitHub account
- Display name and avatar
- GitHub user ID
Project content you create: project titles, URLs you target, share links, and any settings.
Feedback captured from your clients' browsers when they leave a pin:
- The comment text and the element it was placed on
- A screenshot of the page at the moment of feedback
- A short session recording (typically the last ~20 seconds of interaction) powered by rrweb
- Browser, OS, viewport, and screen resolution
- Console errors and failed network requests (for debugging)
- The name your client enters when first opening a share link
Technical data: IP address (hashed/truncated by our hosting provider for security and rate-limiting), authentication cookies (see Section 3), and server logs.
We do not collect: precise geolocation, contact lists, payment card details (those are stored by our payment processor when paid plans launch — we never see them), advertising identifiers, or any data covered by GDPR Article 9 (special categories like health, biometrics, religion, etc.).
3. Cookies & Local Storage
We use a small, deliberate set of cookies. We do not use advertising cookies, tracking pixels, or third-party marketing tags.
| Cookie | Purpose | Duration | Category |
|---|---|---|---|
| sb-* | Supabase authentication — keeps you signed in. | Session / 1 year | Strictly necessary |
| pinly_cc | Stores your cookie preferences so we don't ask twice. | 182 days | Strictly necessary |
Local storage is also used to remember your display preferences (sidebar state, last-viewed project). This data never leaves your browser.
You can change your preferences at any time via the or by clearing site data in your browser.
4. Analytics & Performance
With your consent, we run two cookieless measurement tools provided by Vercel:
- Vercel Web Analytics — anonymous page-view counts, referrer, country, device type. No cookies, no cross-site tracking, no personal identifiers.
- Vercel Speed Insights — Core Web Vitals (LCP, INP, CLS) measured anonymously to help us spot performance regressions.
Both tools are technically cookieless and do not identify individual users, but because they involve a third party processing visitor data, we still ask for your consent before loading them. If you decline, the analytics scripts never load — there is no "light" version that runs anyway.
Read Vercel's privacy details: vercel.com/legal/privacy-policy.
5. How We Use Your Data
- To run the service — store your projects, show feedback from your clients, authenticate you.
- To send product updates and marketing — occasional emails about new features, tips, and product news. You can unsubscribe from a link in any email or by contacting us.
- To prevent abuse and debug issues — server logs and error data are kept to keep the service stable and secure.
- To understand product usage — only via the consented analytics described in Section 4.
6. Legal Basis (GDPR Art. 6)
- Contract (Art. 6(1)(b)) — processing needed to deliver the service you signed up for.
- Consent (Art. 6(1)(a)) — analytics and marketing emails. You give consent in the cookie banner and at sign-up. You can withdraw it at any time.
- Legitimate interest (Art. 6(1)(f)) — security, fraud prevention, abuse detection, and core product improvement using server-side logs.
- Legal obligation (Art. 6(1)(c)) — when required to retain or disclose data under EU/Polish law.
7. Who We Share Data With
We use a small number of vetted processors that are necessary to run Pinly. We do not sell your personal data to anyone, ever. A processor is anyone who handles your data on our behalf under a Data Processing Agreement.
- Supabase — database, authentication, storage. EU region (Frankfurt). Parent company in the US, covered by the EU-US Data Privacy Framework.
- GitHub (Microsoft) — OAuth sign-in. You log in through GitHub, which passes us the data listed in Section 2.
- Vercel — hosting, edge network, analytics (with consent), Speed Insights (with consent). US company, processes data in EU edge regions where possible.
- Team members and clients you invite to a project see the feedback on that project. You control these invitations.
- Law enforcement — only if we are legally compelled to disclose data under a valid order.
We update this list when we add or change processors. The current list is always the one above.
8. International Transfers
Your data is primarily stored in the EU (Frankfurt). Some of our processors (GitHub, Vercel, Supabase's parent company) are based in the US. Transfers rely on:
- The EU-US Data Privacy Framework, where the processor is certified;
- Standard Contractual Clauses (SCCs) approved by the European Commission, where it is not.
9. How Long We Keep Data
- Account data: until you delete your account.
- Projects, pins, screenshots, session recordings: until you delete them, or until the owner's account is deleted.
- Backups: up to 30 days after deletion.
- Server logs: up to 30 days.
- Analytics data: Vercel retains aggregate web analytics data per their policy (typically up to 12 months).
- Marketing email records: until you unsubscribe, then deleted within 30 days.
10. Your GDPR Rights
If you are in the EU, EEA, UK, or Switzerland, you have the right to:
- Access the personal data we hold about you
- Rectify it if it's wrong
- Erase it ("right to be forgotten")
- Export it in a portable, machine-readable format
- Restrict or object to processing
- Withdraw consent for analytics and marketing
- Not be subject to automated decision-making (we don't do this)
- Lodge a complaint with the Polish Data Protection Authority (UODO) at uodo.gov.pl, or with your local supervisory authority.
Most actions (deleting projects, deleting your account, exporting data) can be done from your dashboard. For anything else, email us at the address below — we respond within 30 days as required by GDPR Article 12(3).
11. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you specific rights regarding your personal information.
Categories of personal information we collect: identifiers (email, GitHub ID), commercial information (account plan), internet activity (pages viewed, browser, viewport — only with consent), and user-generated content (your projects and pins).
Do Not Sell or Share My Personal Information. We do not sell your personal information for monetary value, and we do not share it for cross-context behavioral advertising. There is nothing to opt out of, because we never started.
Your CCPA rights:
- Right to know what personal information we collect, use, and disclose
- Right to delete personal information we hold about you
- Right to correct inaccurate personal information
- Right to limit use of sensitive personal information (we don't collect any)
- Right to non-discrimination for exercising any of these rights
To exercise any of these, email kontakt@pawlukstudio.pl with the words "CCPA Request" in the subject line. We will verify your identity through your registered account email and respond within 45 days.
12. Security
We use TLS 1.2+ for data in transit, row-level security on the database so your projects aren't visible to other users, and we never store passwords (auth is delegated to GitHub OAuth). Storage buckets default to private. No system is 100% secure, but we do our best to keep yours safe.
13. Data Breach Notification
If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and, in any case, within 72 hours of becoming aware of it — as required by GDPR Article 34. Notification will go to your account email and will include the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed.
14. Children
Pinly is not intended for users under 16 in the EU, or under 13 in the US. We don't knowingly collect data from minors. If we find out we have, we'll delete it.
15. Changes
If we change this policy in a material way, we'll tell you by email and update the "Last Updated" date above. Small fixes (typos, clarifications, new processors that don't change scope) happen quietly.
16. Contact
Questions, data requests (access, deletion, rectification, export), GDPR or CCPA complaints, or anything else: kontakt@pawlukstudio.pl. We reply within 30 days (GDPR) or 45 days (CCPA), whichever applies to you.