Privacy Notice
Last updated: 18 May 2026
This privacy notice for PinMy OÜ (“Company,” “we,” “us,” or “our”) describes how and why we collect, store, use, and share (“process”) your information when you use our services (“Services”), such as when you:
- Visit our website at https://www.pinmy.co
- Download and use our mobile application (PinMy) on iOS or Android
- Use the PinMy web application in any modern browser
- Install and use the PinMy Chrome extension
- Engage with us in other related ways, including sales, marketing, or events
Questions or concerns? Reading this privacy notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at [email protected].
Table of contents
- What information do we collect?
- How do we process your information?
- What legal bases do we rely on?
- When and with whom do we share your personal information?
- Where is your data stored?
- How do we handle Guest Mode users?
- How do we handle your social logins?
- How do we handle voice notes and transcription?
- How long do we keep your information?
- How do we keep your information safe?
- Do we collect information from minors?
- What are your privacy rights?
- Controls for do-not-track features
- Do California residents have specific privacy rights?
- Do Virginia residents have specific privacy rights?
- Do we make updates to this notice?
- How can you contact us about this notice?
- How can you review, update, or delete your data?
1. What information do we collect?
Personal information you disclose to us
In short: We collect personal information that you voluntarily provide to us when you register, use the Services, or contact us.
When you register or use PinMy, we may collect:
- Name and username
- Email address
- Profile picture (optional)
- Billing address (Premium plans only)
- Authentication credentials (or social login tokens from Google, Apple, or Facebook)
Sensitive Information. We do not request, process, or store sensitive personal information such as race, religion, political opinions, health data, or biometric identifiers.
User-generated content
When you use PinMy, you create content that we store on your behalf:
- Project files you upload (images, PDFs, videos)
- Pins (text, voice, photo, video, or PDF comments) placed on those files
- Drawings, highlights, and rectangles you add to files
- Comments and replies inside pins, including @mentions of teammates
- Task assignments and Kanban board status changes
- Project sharing settings and team membership
This content is your data. We do not use it to train artificial intelligence models, sell it, or share it with third parties beyond what is necessary to operate the Service (see Section 4).
Mobile device permissions
If you use the PinMy mobile app, we may request the following permissions. Each is optional — you can deny or revoke any permission in your device settings.
- Camera: To capture photos directly inside pins and comments
- Photo library: To attach existing photos or videos to pins
- Microphone: To record voice notes inside pins (up to 30 seconds on Free, 180 seconds on Premium)
- Precise location (GPS): To place pins accurately on the interactive global project map and to geotag projects you create
- Push notifications: To alert you when teammates @mention you, assign you a task, or reply to your pin
Chrome extension permissions
The PinMy Chrome extension requests minimal permissions: access to the active browser tab when you click the extension icon, in order to capture a screenshot and forward it to your PinMy account. The extension does not read pages in the background, track your browsing, or store browsing history.
Information automatically collected
Some information is collected automatically when you use our Services. This does not reveal your identity but helps us operate and improve the product:
- Device type, operating system, and app version
- IP address and approximate location (country/region) derived from IP
- Language preferences
- Feature usage and crash diagnostics
- Cookies and similar technologies in the web application (essential cookies only — see Section 13)
2. How do we process your information?
In short: We process your information to provide, improve, and secure our Services, to communicate with you, and to comply with law.
Specifically, we process information to:
- Create and authenticate your account
- Store and synchronize your projects, pins, and comments across your devices
- Transcribe voice notes to searchable text (see Section 8)
- Enable team collaboration — sharing projects, @mentions, task assignments, notifications
- Process Premium subscriptions and payments
- Send service-related communications (changes to terms, security alerts, feature updates)
- Respond to your support requests
- Detect and prevent fraud, abuse, or violations of our Terms
- Comply with legal obligations (e.g., accounting, tax records, lawful requests from authorities)
We do not sell your personal data. We do not use your project content, voice notes, or files to train artificial intelligence models.
3. What legal bases do we rely on?
In short: We only process your personal information when we have a valid legal reason under the EU General Data Protection Regulation (GDPR).
- Consent: When you grant permissions (camera, microphone, location, push notifications, marketing emails). You can withdraw consent at any time.
- Performance of a contract: To provide the Service you have subscribed to (Free or Premium).
- Legitimate interests: To improve product reliability, prevent fraud, and ensure security — balanced against your rights.
- Legal obligations: To comply with EU and Estonian law, including accounting and tax records.
4. When and with whom do we share your personal information?
In short: We share data only with vetted service providers necessary to run PinMy, or when legally required.
Service providers (data processors)
We share specific data with the following categories of third-party processors. All are bound by Data Processing Agreements consistent with GDPR.
- Cloud hosting and database: Google Cloud Platform (Firebase) hosts your account data, files, pins, and comments. Data is stored in EU regions — see Section 5.
- Voice transcription: Deepgram, Inc. (United States) processes audio recordings from voice notes to generate searchable text transcripts. Audio is processed transiently and not retained for model training. Transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission.
- Payment processing: Premium subscriptions are processed by Apple App Store (for iOS purchases), Google Play (for Android purchases), or Stripe (for web purchases). We never see or store your full credit or debit card numbers — payment providers handle that directly under their own privacy policies.
- Email delivery: A transactional email provider sends account notifications, password resets, and feature updates on our behalf.
- Map services: Map tile providers render the interactive global project map. We send these providers only your approximate viewport coordinates, never your full project data.
- Website analytics: We use Umami (operated by Umami Software, Inc.) for privacy-respecting website analytics. Umami does not use cookies, does not collect or store personal identifiers, and does not track visitors across other websites. It collects only aggregated, anonymised data such as page views, referral sources, country, browser, and device type.
Other PinMy users
When you share a project, the people you grant access to can see all pins, comments, and uploaded files in that project. Guest Mode users (see Section 6) can also see this content without creating an account.
Business transfers
In the event of a merger, acquisition, or asset sale, your information may be transferred. We will notify you before your data becomes subject to a different privacy policy.
Legal requirements
We may disclose information when required by law, court order, or government request, or to protect the safety, rights, or property of PinMy, our users, or the public.
5. Where is your data stored?
In short: Your data is stored in the European Union.
PinMy OÜ is an Estonian company operating under EU jurisdiction. Your account data, project files, pins, voice recordings, and transcripts are stored in Google Cloud Platform data centres located in the European Union (Frankfurt, Germany; Dublin, Ireland; or the Netherlands, depending on region).
The only exception is voice transcription, which is processed by Deepgram, Inc. in the United States as described in Section 8. Audio is transmitted to Deepgram only for the time needed to generate the transcript, then the transcript is returned and stored in the EU alongside the original audio.
By choosing PinMy, you can have confidence that your project data — the files, the pins, the team conversations — stays in Europe and is governed by GDPR.
6. How do we handle Guest Mode users?
In short: Guest Mode lets non-registered users view shared projects and leave pins or comments using only their name. We collect minimal information about guests.
When someone opens a project shared with Guest Mode access:
- They can view all pins, voice notes, photos, and comments without creating an account
- To leave their own pin or reply, they enter their name (mandatory) and optionally an email address
- Their guest identity is stored locally in their browser
- If they clear their browser, switch devices, or use private mode, they will need to enter their name again
Guest contributions remain in the project record (attached to the file, the project, and the project owner’s account) even if the guest’s local identity is lost. The project owner can delete any guest pin or comment at any time.
Guest data is processed under our legitimate interest in enabling project collaboration, and is governed by the same retention and security practices as registered user data.
7. How do we handle your social logins?
In short: If you register or log in using a social media account, we receive limited profile information.
Our Services let you sign in using Google, Apple, or Facebook. When you do, we receive your name, email address, and profile picture from that provider. We use this information only to create your account and authenticate you. We do not post on your behalf, scrape your social graph, or read your messages.
8. How do we handle voice notes and transcription?
In short: Voice notes are recorded by you, stored in the EU, and transcribed to text using a third-party service.
When you record a voice note in PinMy:
- The audio is uploaded to our cloud hosting provider in the EU and stored as part of your project.
- A copy of the audio is sent to Deepgram, Inc. (our transcription provider in the United States) for speech-to-text processing in over 20 languages.
- The text transcript is returned and stored alongside the audio in the EU.
- You can manually edit the transcript if it misheard a technical term, product code, or name.
Deepgram processes audio transiently for transcription only. Audio data sent to Deepgram is not used to train models. Transfers to the United States are governed by Standard Contractual Clauses (SCCs) approved by the European Commission.
If you do not want your voice notes transcribed, do not use the voice-note feature.
9. How long do we keep your information?
In short: We keep your data while your account is active, and for limited periods after deletion as required by law.
- Account data and project content: Retained while your account is active. Deleted within 30 days of account deletion, except where retention is required for legal or accounting purposes.
- Voice transcripts: Stored with the corresponding audio. Deleted when the pin, project, or account is deleted.
- Server logs and security records: Retained for up to 90 days for security and abuse prevention.
- Billing records: Retained for 7 years to comply with Estonian accounting law.
You can delete your account at any time from Settings inside the PinMy mobile app, or by contacting [email protected].
10. How do we keep your information safe?
In short: We use industry-standard technical and organizational security measures.
- Encryption in transit (TLS/HTTPS) for all data exchanged between your device and our servers.
- Encryption at rest for files and database records stored by our cloud hosting provider.
- Role-based access control: only authorized PinMy staff can access infrastructure, and only when necessary for support or maintenance.
- Regular security reviews and dependency updates.
No system is 100% secure. If we become aware of a breach affecting your personal data, we will notify you and the relevant data protection authority within 72 hours as required by GDPR.
11. Do we collect information from minors?
In short: PinMy is not intended for users under 16 years of age.
We do not knowingly collect personal information from children under 16. If you are under 16, please do not register or use the Service. If you believe a child has provided us with personal information, contact us at [email protected] and we will delete it.
12. What are your privacy rights?
In short: You may review, update, export, or delete your data at any time.
Under GDPR (EU/UK), CCPA (California), and similar regulations, you have the right to:
- Access: Request a copy of personal information we hold about you. Send a request to [email protected] and we will provide a copy within 30 days.
- Rectification: Correct inaccurate or incomplete data.
- Erasure (“right to be forgotten”): Request deletion of your account and data.
- Restriction: Limit how we process your data.
- Portability: Receive your data in a structured, commonly used format. Send a request to [email protected].
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Revoke permissions (camera, microphone, location) at any time in your device settings.
- Lodge a complaint: Contact your local data protection authority. In Estonia, this is the Andmekaitse Inspektsioon (https://www.aki.ee).
To exercise these rights, email [email protected] or use the in-app settings.
13. Controls for do-not-track features
Most browsers and mobile operating systems offer Do-Not-Track (“DNT”) signals or App Tracking Transparency. We respect these signals where technically possible. We do not engage in cross-site advertising tracking.
14. Do California residents have specific privacy rights?
In short: Yes — California residents have additional rights under the California Consumer Privacy Act (CCPA).
PinMy OÜ has not sold or shared any personal information for business or commercial purposes in the preceding twelve months. We do not sell your personal data.
California residents may request:
- Disclosure of categories and specific pieces of personal information collected
- Deletion of personal information
- The right to non-discrimination for exercising privacy rights
To submit a request, email [email protected].
15. Do Virginia residents have specific privacy rights?
In short: Yes — Virginia residents have rights under the Virginia Consumer Data Protection Act (VCDPA).
PinMy OÜ has not sold any personal data to third parties. Virginia residents have the right to:
- Access personal data
- Correct inaccuracies
- Delete personal data
- Obtain a portable copy of data
- Opt out of processing for targeted advertising or profiling
To exercise these rights, email [email protected].
16. Do we make updates to this notice?
In short: Yes, we update this notice as needed to remain compliant and reflect product changes.
The updated version is indicated by a new “Last updated” date. We will notify you of material changes by email or in-app notice at least 30 days before they take effect. We encourage you to review this privacy notice periodically.
17. How can you contact us about this notice?
If you have questions or comments about this notice, you may email us at [email protected] or write to:
PinMy OÜ
Registry code: 16728502
Address: Harju maakond, Tallinn, Lasnamäe linnaosa, Sepapaja tn 6, 15551, Estonia
18. How can you review, update, or delete your data?
You can manage your account directly inside the PinMy mobile application:
- Update your name, email, and password: Settings → Profile
- Manage notification preferences: Settings → Notifications
- Revoke device permissions: your device’s system settings
- Delete your account and all data: Settings → Delete Account
To export a copy of your data, contact us at [email protected] — self-service export is on our roadmap and not yet available through the app.
For any other data request, email [email protected]. We will respond within 30 days as required by GDPR.