pinmate
Draft — pending legal review

Privacy policy

Last updated: 2026-05-08

Who's collecting your data

Pinmate (the project owner). For privacy questions, contact us at the address in the Contact section below. A formal data-controller entity name will be added once Pinmate is incorporated.

What we collect

  • Email address — for sign-up, transactional mail (verify, 2FA, reminders), and the newsletter (if you opt in).
  • Display name (optional), bio, social handles, home location latitude/longitude — only if you fill them in on your profile.
  • Pins you create: title, description, category, time, location, social link.
  • Newsletter consent metadata: timestamp, IP, user-agent — proof of consent under GDPR Art. 7.
  • Session cookie (httpOnly), push subscription endpoint (only if you enable push).

Why we use it

  • Run your account: sign-in, 2FA, password reset, password storage (Argon2-hashed).
  • Show your pins on the map for other users in your area to find and RSVP.
  • Send the occasional newsletter — only if you've opted in via double opt-in.
  • Detect abuse, rate-limit auth, and keep things working.

Legal basis

Account features: contract performance (GDPR Art. 6(1)(b)). Newsletter: consent (GDPR Art. 6(1)(a)). Security and fraud prevention: legitimate interest (GDPR Art. 6(1)(f)).

How long we keep it

Account data: kept as long as your account exists, then deleted within 30 days of account deletion. Newsletter records: kept until you unsubscribe, after which we keep a soft-deleted row to honour your unsubscribe choice. Server logs: rotated within 30 days.

Your rights

  • Request a copy of your data.
  • Correct anything wrong (most fields editable in Settings).
  • Delete your account and all associated data.
  • Object to processing or withdraw consent any time — newsletter unsubscribe is one click.
  • Lodge a complaint with your data-protection authority (in Poland: UODO, https://uodo.gov.pl).

Who else sees your data

Elastic Email (transactional + newsletter sends), MapTiler (map tile rendering — they only see anonymous tile requests, not your account). Hosting provider (TBD). We don't sell or share data with anyone else.

Contact

For data requests or any privacy question, write to the address listed at the bottom of every email we send you. We aim to respond within 30 days as required by GDPR.