Privacy Policy
Last Updated: November 19, 2025
Effective Date: November 19, 2025
1. Introduction
Pinnlo ("we", "us", "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and safeguard your information when you:
- Access or use the Pinnlo platform (our SaaS product), or
- Visit our website or any related sub-domains (e.g. app.pinnlo.com).
This policy complies with the UK General Data Protection Regulation (UK GDPR), EU GDPR, and California Consumer Privacy Act (CCPA).
2. Who We Are
Pinnlo is operated by RPS Studio Ltd, a company registered in England and Wales (Company No. 16700907). We act as:
- Data Controller for account registration and platform access; and
- Data Processor for any client-owned content handled under contract and governed by our Data Processing Agreement (DPA).
📧 General Contact: info@pinnlo.com
🔒 Privacy Requests: privacy@pinnlo.com
🛡️ Security Issues: security@pinnlo.com
3. Data We Collect
A. Information You Provide
- Name and email address when creating or being invited to a Pinnlo account.
- Support communications (e.g. emails or chat messages you send to us).
B. Information Generated by You
Workspace content (e.g. strategies, notes, uploaded text) created within Pinnlo. This content belongs to your organisation and is processed only under its direction. We do not use this data for training AI models or marketing.
C. Automatically Collected Technical Data
- Usage data: features used, session length, interaction patterns.
- Device and log data: IP address, browser type, error logs (for security and performance).
No payment or financial information is collected.
D. Voice Features - Audio Not Stored
IMPORTANT: When you use voice features, audio recordings are processed in real time and are NOT stored on our servers. Only text transcripts are retained (with your consent). Audio is transmitted securely via TLS 1.3 to our voice processing partners (ElevenLabs, Deepgram) and immediately discarded after transcription.
4. How We Use Your Data
We use personal data only to:
- Provide and secure access to the Pinnlo platform.
- Maintain platform stability and prevent fraud or abuse.
- Respond to support requests and communicate about your account.
- Comply with legal or regulatory obligations.
We never sell personal data and do not use it for advertising.
5. Lawful Bases for Processing
| Purpose | Lawful Basis |
|---|---|
| Account setup and authentication | Performance of a contract |
| Platform maintenance and security | Legitimate interest |
| Support communication | Legitimate interest |
| Legal compliance | Legal obligation |
6. Data Sharing
We share data only with trusted sub-processors essential to delivering our services.
| Provider | Purpose | Data Processed | Region |
|---|---|---|---|
| Supabase | Database & authentication | Name, email, workspace data | US (with SCCs for EU transfers) |
| Vercel | Hosting and delivery | App traffic data | EU/US |
| OpenAI / Anthropic (Claude) | AI functions (if enabled by client) | User text inputs | US |
| Railway | Backend services (N8N workflows) | Workflow metadata | US |
| ElevenLabs | Voice AI (conversational agents) | Voice transcripts (audio NOT stored) | US |
| Deepgram | Speech-to-text processing | Voice audio (real-time only, not stored) | US |
| GitHub | Source code & CI/CD | Development metadata, code | US |
| Sentry | Error & performance monitoring | Anonymised logs | EU/US |
All sub-processors are bound by data-protection agreements equivalent to our DPA.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Active account data | While the account is active |
| Deleted accounts | Removed within 30 days |
| Support communications | Up to 12 months |
| Audit logs | 12 months |
8. International Transfers
When data is transferred outside the UK or EEA, we use:
- Standard Contractual Clauses (SCCs) or the UK Addendum, and
- Encryption and access-control measures to protect it.
9. Data Security
We implement strong technical and organisational controls, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Supabase Row-Level Security (RLS) and JWT-based authentication
- Role-based access control and least-privilege principles
- Automated patching and threat monitoring
10. Your Rights
Depending on your location, you may have the right to:
- Access, rectify, or delete your data
- Restrict or object to processing
- Port your data to another provider
- Lodge a complaint with your local Data Protection Authority
Privacy requests can be sent to privacy@pinnlo.com. We verify identity before responding and typically reply within 30 days.
11. Cookies
Pinnlo uses only essential cookies for authentication and session management. No tracking or marketing cookies are used. You may disable cookies through your browser settings.
Cookie Consent
We use a cookie consent banner that appears on your first visit. You can manage your cookie preferences at any time through your browser settings. Essential cookies required for platform functionality cannot be disabled.
12. Children's Data
Pinnlo is intended for professional use and not for individuals under 16. We do not knowingly collect data from children.
13. Changes to This Policy
We may update this policy to reflect changes in law or our services. We will notify you of material updates via email or in-app announcement before they take effect.
14. Contact Information
📧 General Inquiries: info@pinnlo.com
🔒 Privacy Requests: privacy@pinnlo.com
🛡️ Security Issues: security@pinnlo.com
📍 Operated by RPS Studio Ltd, Registered in England and Wales (No. 16700907)
Registered Office: 3 Mushroom Castle, Bracknell RG42 7PL, United Kingdom
If you are unsatisfied with our response, you can contact the UK Information Commissioner's Office (ICO) at www.ico.org.uk.