Privacy Policy
What we collect, why we collect it, and exactly what you can do about it.
Privacy
The short version
We collect your email and usage data to run the Service. We do not sell your data. EU/UK users have full GDPR rights, including access, correction, portability, and erasure. You can request deletion of your account at any time. All data is permanently deleted 90 days after account cancellation.
Quick navigation
- 1. Who We Are
- 2. What We Collect and Why
- 3. How We Use Your Data
- 4. Who We Share Your Data With
- 5. International Data Transfers
- 6. How Long We Keep Your Data
- 7. Your Rights Under GDPR and UK GDPR
- 8. California Residents (CCPA / CPRA)
- 9. Cookies and Tracking
- 10. Security
- 11. Children
- 12. Data Processing Agreement (B2B)
- 13. Changes to This Policy
- 14. Contact and Complaints
Full Policy
Privacy Policy
1. Who We Are
Pinealizer is a website visibility and SEO analysis platform available at pinealizer.com ("Service"). We are the data controller for account data and usage data described in this Policy.
We collect ONLY account data. We do not collect or retain the content of the webpages you audit: with the desktop application, page rendering and audit storage happen locally on your machine; any page content that passes through our servers is processed transiently in memory to produce your report and is not retained. For that transient processing you remain the controller; we act as processor.
Contact: contact@pineido.com
2. What We Collect and Why
We collect the following categories of personal data:
- Account data: email address, full name, and account creation date. Collected when you sign up. Legal basis: performance of contract (GDPR Art. 6(1)(b)).
- Authentication data: hashed password (we never store plaintext passwords) or OAuth tokens if you sign in with Google. Legal basis: contract.
- Operational records: audit timestamps and URLs you submit, features used. Collected automatically as you use the Service. Legal basis: legitimate interest (Art. 6(1)(f)) — needed to operate the Service and prevent abuse.
- Payment data: plan type, billing cycle, and invoice history. We never store card numbers; these are handled by Lemon Squeezy. Legal basis: contract.
- Webpage content: NOT COLLECTED. Pages you audit are rendered locally by the desktop app and stored on your machine; server-side processing of page content is transient (in-memory, for report generation only) and nothing is retained.
- Communications data: emails you send us via the contact form or support. Legal basis: legitimate interest.
- Marketing preference: whether you opted in to marketing updates. Legal basis: consent (Art. 6(1)(a)).
- API keys you add (bring-your-own-key): encrypted with AES-256-GCM at rest, used only to call the provider you connected them for, removable anytime. Legal basis: contract.
- Abuse-prevention signal: at signup we compute a one-way hash from basic device characteristics (screen size, timezone, language, graphics renderer) to prevent duplicate free accounts. The hash cannot be reversed and is not used for tracking or advertising. Legal basis: legitimate interest (fraud prevention).
- Legal acceptance: the timestamp and version of the Terms you accepted at signup. Legal basis: legal obligation / contract.
3. How We Use Your Data
We use the data we collect to:
- Provide, operate, and improve the Service.
- Process payments and manage your subscription via Lemon Squeezy.
- Send transactional emails (audit complete, billing, account security) via Resend.
- Send marketing updates, only with your explicit consent, and only to the extent you have opted in.
- Detect and prevent abuse, fraud, and Terms of Use violations.
- Comply with legal obligations (GDPR data subject requests, erasure requests, legal holds).
5. International Data Transfers
Some of our sub-processors are based in the United States. Where we transfer personal data from the EU/EEA or UK to a country without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) as the transfer mechanism.
Supabase stores data in the EU by default. If you require a specific data residency arrangement, contact us at contact@pineido.com.
6. How Long We Keep Your Data
Active account data is retained for as long as your account is open. We review retention annually.
If you cancel your subscription, we retain your data for 90 days. This gives you time to reactivate without losing your audit history. After 90 days, your account and all associated data are permanently and irreversibly deleted by an automated process.
If you request erasure before 90 days, we delete immediately (see Section 8).
Erasure log records (containing only your user ID and a SHA-256 hash of your email) are retained for 7 years for legal audit trail purposes. These cannot be used to re-identify you.
Billing records and invoices may be retained for up to 7 years to meet financial reporting obligations.
7. Your Rights Under GDPR and UK GDPR
If you are in the EU, EEA, or UK, you have the following rights:
- Right of access (Art. 15): request a copy of all personal data we hold about you. Available at GET /api/privacy/my-data (when signed in) or by emailing us.
- Right to rectification (Art. 16): correct inaccurate data. Update your profile in account settings or email us.
- Right to erasure (Art. 17): request permanent deletion of your account and all personal data. Available at DELETE /api/privacy/my-data (when signed in) or by emailing us. We fulfil requests within 30 days.
- Right to portability (Art. 20): receive your data in a machine-readable format (JSON). Available at POST /api/privacy/export (when signed in).
- Right to restriction (Art. 18): request that we stop processing your data while a dispute is resolved.
- Right to object (Art. 21): object to processing based on legitimate interest (e.g. marketing analytics). To opt out of marketing, update your preferences in account settings.
- Right to withdraw consent: where we rely on consent (marketing emails), you may withdraw it at any time by unsubscribing or emailing us.
8. California Residents (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we collect and how it is used, request deletion of your personal information, correct inaccurate information, and opt out of the "sale" or "sharing" of personal information.
We do not sell your personal information. We do not share personal information for cross-context behavioural advertising.
To exercise your California rights, email contact@pineido.com with the subject "California Privacy Request". We respond within 45 days.
10. Security
We implement industry-standard security measures: HTTPS everywhere, HTTP-only authentication cookies, hashed passwords (never stored in plaintext), row-level security in our database (Supabase RLS), and regular security reviews.
No method of transmission over the internet is 100% secure. If you become aware of a security issue, please report it to contact@pineido.com.
11. Children
The Service is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If we discover that we have collected data from a person under 18, we will delete it immediately.
12. Data Processing Agreement (B2B)
If you use Pinealizer as a business and process personal data of your own customers through the Service, you may require a Data Processing Agreement (DPA) under GDPR.
Request a DPA at contact@pineido.com. We respond within 5 business days.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will update the effective date at the top of this page. For material changes, we will send a notification to your account email.
14. Contact and Complaints
For any privacy questions, data requests, or to exercise your rights, contact us at contact@pineido.com or use the contact form at /contact. We respond within 5 business days.
If you are in the EU and believe we have not handled your data correctly, you have the right to lodge a complaint with your local data protection authority. A list of EU supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
Your Rights
Request your data or delete your account.
Email contact@pineido.com or use the contact form. We respond within 5 business days.