Privacy Policy
Effective April 26, 2026 · Version 2026-04-26
1. Who We Are
PinFlow ("we", "us", "our") is an AI-powered tool that converts e-commerce listings into Pinterest-ready pins. For privacy questions, contact us at privacy@pinflow.app.
2. Beta Waitlist
Before the product launches, we operate a public beta waitlist. When you join, we collect:
• Your email address — to notify you when PinFlow opens.
• Your plan interest (optional) — to understand demand across our pricing tiers.
• Your IP address and the exact consent wording you agreed to — to maintain a record of consent as required by GDPR.
Lawful basis: explicit consent (Article 6(1)(a) GDPR). You opt in actively via a checkbox and may withdraw consent at any time.
We will send you one email when PinFlow launches. Nothing else.
To remove yourself from the waitlist at any time, visit pinflow.app/beta/unsubscribe or email privacy@pinflow.app. Your record will be deleted within 5 business days.
We retain waitlist data until the beta launch email is sent, or until you unsubscribe — whichever comes first. After the launch email is sent, waitlist records are deleted.
3. Information We Collect
• Account information: name, email address, and optional shop name provided at signup.
• Listing data: when you submit a listing URL, we fetch and store the title, description, price, tags, and images from that URL to display your pin history.
• Pinterest connection: when you connect Pinterest via OAuth, we store your access token, refresh token, and Pinterest user ID. These tokens are encrypted at rest and never sent to the browser.
• Generated content: AI-generated images and pin copy (title, description, hashtags) we produce for you.
• Usage data: feature usage, pin counts, and plan consumption to enforce quotas and improve the product.
• Payment information: payment is handled by Stripe. We store only a Stripe customer ID — never your card details.
• Log data: standard server logs including IP addresses, browser type, and request timestamps.
4. How We Use Your Information
• To provide and maintain the service, including generating and publishing pins.
• To enforce plan quotas and manage billing.
• To send transactional emails (account confirmation, password reset, billing receipts).
• To notify you of service updates and policy changes.
• To improve the product through aggregated, anonymised analytics.
We do not use your data for advertising or sell it to third parties.
5. Third-Party Service Providers
We share your data with the following providers only as necessary to operate the service:
• Supabase — database and file storage
• Pinterest, Inc. — to publish pins using the OAuth scopes you authorise
• Anthropic — generates pin copy from listing data you submit
• Google Cloud / Vertex AI — generates pin images from listing data you submit
• Google LLC (Google Analytics 4) — website traffic and usage analytics; data is collected via cookies and may be processed in the United States
• Stripe, Inc. — payment processing
• Railway — cloud infrastructure for our background worker
All processors are required to handle your data under appropriate data protection agreements.
6. Pinterest Tokens
Your Pinterest access and refresh tokens are used exclusively to publish pins and retrieve your boards. They are:
• Never logged or transmitted to the browser
• Automatically rotated when refreshed by Pinterest
• Deleted immediately when you disconnect your Pinterest account or delete your PinFlow account
7. Data Retention
We retain your data for as long as your account is active. If you delete your account, personal data is removed within 30 days, except where retention is required by law (e.g., billing records for 7 years under financial regulations). Aggregated, anonymised analytics may be retained indefinitely.
8. Your Rights
Depending on your location, you may have the right to access, correct, delete, or export your personal data, or to restrict or object to certain processing. To exercise any right, email privacy@pinflow.app. We will respond within 30 days.
9. Cookies
We use a session cookie set by Supabase to maintain your login state.
We also use Google Analytics 4, which sets first-party cookies (_ga, _ga_*) to measure site traffic and user behaviour in aggregate. Google Analytics does not receive your name, email, or any directly identifying information — only anonymous identifiers, page URLs, and interaction events.
We do not use advertising cookies or retargeting pixels.
10. Security
We use TLS for data in transit, AES-256 encryption for sensitive tokens at rest (Supabase Vault), and row-level security on all database tables. No system is perfectly secure — contact privacy@pinflow.app immediately if you believe your account has been compromised.
11. Children
PinFlow is not directed at anyone under 16. We do not knowingly collect personal data from minors.
12. Changes to This Policy
When we make material changes, we will update the version date at the top of this page, notify you by email, and show an in-app prompt requiring your acknowledgement. Your continued use after the effective date constitutes acceptance.
13. Contact
privacy@pinflow.app
© 2026 PinFlow. All rights reserved.