Privacy Policy

This Privacy Policy outlines the rules for processing and protecting personal data of Users using the Pinly platform (pinly.pl).

The data controller is:

Personal data processing is carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR).

2.1. Voluntarily Provided Data

During registration and use of the Platform, we collect the following data:

• Account data: email address, name (optional), password (stored encrypted)
• Project data: project names, URLs of pages subject to feedback
• Feedback data: comment content, screenshots, pin coordinates, status labels
• Payment data: subscription information (we do not store credit card data – handled by Stripe)

2.2. Automatically Collected Data

• Technical data: IP address, browser type, operating system, device type, screen resolution
• Analytics data (Vercel Analytics):
  • Visit statistics (page views, session duration)
  • Traffic sources (referrer, UTM parameters)
  • Page events (clicks, scrolling)
  • No external cookies – Vercel Analytics works without tracking cookies, user identification is based on temporary hash generated from HTTP request data
  • Aggregated data, does not allow identification of specific individuals
• Server logs: dates and times of requests, HTTP errors (stored for security purposes)

2.3. Session Recording (optional, Pro plan)

As part of the Pro plan, Users can activate session recording of visitors to their pages. Recordings include:

• Cursor movements, clicks, page scrolling
• DOM changes (without storing sensitive data such as passwords or card numbers)
• Device and browser information

Important: Users enabling session recording are required to inform visitors to their website about this fact and obtain their consent in accordance with GDPR.

Personal data is processed for the following purposes:

User personal data may be shared with the following entities:

• Vercel Inc. – hosting and analytics service provider (Vercel Analytics)
  Location: USA, GDPR compliance ensured through Standard Contractual Clauses (SCC) and Data Privacy Framework
• Stripe – payment processor (transaction processing, subscriptions)
  Location: USA and EU, GDPR certified
• Supabase – database and authentication provider
  Location: EU (Frankfurt), full GDPR compliance
• Entities authorized by law – law enforcement, courts, offices (only upon justified legal request)

Important: The Controller does not sell, rent, or share User personal data with third parties for marketing purposes.

• Account data: until account deletion by User or contract termination
• Project and feedback data: until deletion by User
• Payment data: for the period required by tax regulations (5 years from the end of the year in which the tax obligation arose)
• Analytics data (Vercel Analytics): maximum 24 hours in identifiable form, then only aggregated
• Security logs: up to 12 months
• Marketing data (newsletter consent): until consent withdrawal

Each User has the right to:

• Access to data (Art. 15 GDPR) – obtain information about processed data and its copy
• Rectification (Art. 16 GDPR) – correct inaccurate or incomplete data
• Erasure (Art. 17 GDPR, "right to be forgotten") – in cases provided by law
• Restriction of processing (Art. 18 GDPR) – suspend data operations in specific situations
• Data portability (Art. 20 GDPR) – receive data in a format enabling transfer to another controller
• Object to processing (Art. 21 GDPR) – when data processing is based on legitimate interest
• Withdraw consent – at any time, if processing is based on consent (e.g., marketing)
• Lodge a complaint with supervisory authority – national Data Protection Authority

To exercise the above rights, please contact: kontakt@pawlukstudio.pl

7.1. Functional Cookies

The Platform uses cookies necessary for operation:

• User session – storing login information
• User preferences – interface settings, language

Legal basis: Art. 6(1)(f) GDPR (legitimate interest – ensuring service functionality).

7.2. Vercel Analytics – Cookie-Free

Vercel Analytics does not use cookies or any cross-site tracking technologies. Identification is done by generating a temporary hash based on:

• IP address (hashed)
• Browser User-Agent
• Timestamp (session expires after 24h)

GDPR Compliance: Vercel Analytics is designed as a privacy-first tool. It does not store personal data enabling direct user identification. Data is aggregated and anonymized.

7.3. Cookie Management

Users can change cookie settings in their browser at any time. Disabling functional cookies may result in limited availability of some Platform features.

The Controller implements technical and organizational measures ensuring personal data protection:

• Encryption: HTTPS connections (TLS 1.3), encrypted password storage (bcrypt)
• Access control: multi-factor authentication (MFA), role and permission restrictions
• Monitoring: security logs, anomaly detection, regular audits
• Backup: regular database backups (Supabase – automatic backup every 24h)
• Compliance: GDPR compliance audits, internal data protection policies

The Platform is not intended for persons under 16 years of age. If the Controller learns that data of a person below this age is being processed without consent of a legal representative, it undertakes to delete it immediately.

The Controller reserves the right to introduce changes to the Privacy Policy in case of changes in legal regulations, technology, or scope of services provided.

Users will be informed of any changes at least 14 days in advance through a notice on the Platform or by email.

For questions regarding personal data processing or exercising rights under GDPR, please contact: