Privacy Policy
March 1, 2026
Pinny (the "App") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information when you use our mobile application and related services. This policy is designed to comply with the California Consumer Privacy Act (CCPA), the California Online Privacy Protection Act (CalOPPA), the Children's Online Privacy Protection Act (COPPA), and other applicable privacy laws.
1. Information We Collect
1.1 Information You Provide
| When Collected | Information | Purpose |
|---|---|---|
| Account Registration | Email address, display name, profile photo (optional), social login identifiers (Apple ID, Google ID, Kakao ID) | User identification and authentication |
| Service Usage | Trip itineraries, schedule data, checklists, budget records, journal entries, photographs | Core service functionality |
| Location Data | Device location information (with your explicit consent) | Map-based service features |
1.2 Information Collected Automatically
- Device Information: Device model, operating system and version, App version, unique device identifiers
- Usage Data: App access timestamps, feature usage patterns, error logs, crash reports
- Advertising Identifiers: Identifier for Advertisers (IDFA) on iOS and Google Advertising ID (GAID) on Android, used for ad delivery, measurement, and analytics
- Push Notification Tokens: Firebase Cloud Messaging (FCM) tokens for delivering push notifications
1.3 Methods of Collection
- Through third-party social login providers (Apple, Google, Kakao) during account registration
- Directly from you when you input information into the App
- Automatically through analytics and crash reporting tools (Firebase Analytics, Firebase Crashlytics)
- Through your device's operating system when you grant permissions (e.g., location, camera, photo library)
2. How We Use Your Information
We use the information we collect for the following purposes:
- Service Provision: To provide, maintain, and improve the core features of the App, including trip itinerary management, map-based recording, checklists, budget tracking, and AI-powered recommendations.
- Account Management: To create and manage your Account, verify your identity, process account changes, and provide customer support.
- Service Improvement: To analyze usage patterns and trends, develop new features, and improve the quality and performance of the Service.
- Advertising: To deliver personalized advertisements through Google AdMob and to measure advertising effectiveness. You may opt out of personalized advertising through your device settings.
- Safety and Security: To detect and prevent fraud, abuse, and unauthorized access, and to resolve disputes and enforce our Terms of Service.
- Communications: To send you trip reminders, service-related announcements, and other notifications that you have opted to receive.
3. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law.
| Data Category | Retention Period | Basis |
|---|---|---|
| Account Information | Until account deletion | Service agreement |
| Trip and Travel Data | Until account deletion | Service agreement |
| Access and Usage Logs | 12 months | Security and analytics |
| Advertising Identifiers | 12 months from collection | Advertising analytics |
| Crash Reports | 90 days | Service stability |
Upon account deletion, we will delete or de-identify your personal information within 30 days, except where retention is required by applicable law or for legitimate business purposes such as fraud prevention.
4. Disclosure of Personal Information
We do not sell your personal information. We may share your information in the following circumstances:
- With Your Consent: When you expressly authorize sharing, such as when you share trip itineraries with other Users.
- Service Providers: With third-party service providers who assist us in operating the Service, subject to contractual obligations to protect your information (see Section 5).
- Legal Requirements: When required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
- Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of such transaction. We will notify you of any such transfer and any changes to the applicable privacy policy.
5. Third-Party Service Providers (Data Processors)
We engage the following third-party service providers to assist in delivering the Service:
| Service Provider | Services Provided | Data Shared |
|---|---|---|
| Supabase Inc. | Database hosting, user authentication, file storage | Account information, trip data, uploaded files |
| Google LLC | Maps API, advertising (AdMob), analytics (Firebase), crash reporting (Crashlytics) | Location data, advertising identifiers, usage logs, crash reports |
| OpenAI Inc. | AI-powered itinerary recommendations | Trip itinerary data (de-identified) |
| Railway Corp. | Backend server hosting | Service operation data |
Each service provider is contractually obligated to use your information only for the purposes specified and to maintain appropriate security measures to protect your data.
6. International Data Transfers
Your personal information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place for such transfers.
| Recipient | Country | Data Transferred | Transfer Method |
|---|---|---|---|
| Supabase Inc. | Singapore | Account information, trip data | Encrypted network transmission |
| Google LLC | United States | Location data, usage logs, advertising identifiers | Encrypted network transmission |
| OpenAI Inc. | United States | Trip itinerary data (de-identified) | Encrypted API transmission |
| Railway Corp. | United States | Service operation data | Encrypted network transmission |
7. Your Privacy Rights
7.1 Rights Under CCPA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which the information was collected, the purposes for collection, and the categories of third parties with whom we share the information.
- Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions provided by law.
- Right to Opt-Out of Sale: We do not sell your personal information. However, you have the right to direct us not to sell your personal information at any time (Do Not Sell My Personal Information).
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. We will not deny you services, charge different prices, or provide a different quality of service because you exercised your rights.
- Right to Correct: You have the right to request correction of inaccurate personal information.
7.2 Rights Under Nevada Law (Nevada Residents)
If you are a Nevada resident, you have the right to submit a verified request directing us not to sell your personal information. As stated above, we do not sell your personal information. However, if you wish to submit such a request, please contact us at the email address below.
7.3 How to Exercise Your Rights
You may exercise your rights through the following methods:
- Access Your Information: View your personal information through the App under Settings > Profile.
- Update Your Information: Edit your display name and profile photo through the App under Settings > Profile.
- Delete Your Information: Delete your Account and all associated data through the App under Settings > Account > Delete Account.
- Submit a Request: Contact us at the email address below for any privacy-related requests. We will verify your identity and respond within 45 days, as required by law.
8. Data Deletion Procedures
- Deletion Process: When you delete your Account or submit a deletion request, your personal information will be removed from our active databases and placed in a queue for permanent deletion within 30 days.
- Deletion Method: Electronic records are permanently deleted using industry-standard methods that render the data unrecoverable. Backup copies are purged within 90 days.
- Retention Exceptions: We may retain certain information as required by law, for legitimate business purposes (such as fraud prevention), or to resolve pending disputes.
9. Data Security
- Technical Safeguards
- All data transmissions are encrypted using TLS/SSL (Transport Layer Security)
- Sensitive information is encrypted at rest using AES-256 encryption
- Role-based access controls limit data access to authorized personnel only
- Regular security assessments and vulnerability scanning
- Authentication tokens are stored in device-level secure storage (iOS Keychain, Android Keystore)
- Organizational Safeguards
- Access to personal information is limited to the minimum number of personnel necessary
- Regular security audits and reviews of data handling practices
- Incident response procedures for data breaches
- Breach Notification: In the event of a data breach that compromises your personal information, we will notify you and the appropriate authorities as required by applicable law, including within 72 hours where required.
10. Cookies and Tracking Technologies
The App is a mobile application and does not use web browser cookies. However, we use the following technologies:
- Secure Token Storage: Authentication tokens are stored in your device's secure storage (iOS Keychain / Android Keystore) for session management.
- Mobile Analytics SDKs: Firebase Analytics collects usage data and advertising identifiers to help us understand how the App is used and to deliver relevant advertising.
- Advertising SDKs: Google AdMob uses advertising identifiers (IDFA/GAID) to deliver and measure advertisements.
You can manage your advertising preferences through your device settings:
- iOS: Settings > Privacy & Security > Tracking > Disable tracking for Pinny
- Android: Settings > Google > Ads > Delete advertising ID
11. Advertising and Do Not Track
We deliver advertisements through Google AdMob. These advertisements may be personalized based on your usage patterns and advertising identifiers.
- You may opt out of personalized advertising by adjusting your device's advertising settings as described above.
- We honor the App Tracking Transparency (ATT) framework on iOS. If you deny tracking permission, we will not collect your IDFA for personalized advertising.
- We respect "Do Not Track" signals, although there is currently no uniform standard for how mobile applications should respond to such signals.
12. Children's Privacy
The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13, in compliance with the Children's Online Privacy Protection Act (COPPA).
- If we discover that we have inadvertently collected personal information from a child under 13, we will promptly delete such information and terminate the associated Account.
- If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at the email address below, and we will take steps to delete such information.
13. CalOPPA Compliance
In compliance with the California Online Privacy Protection Act (CalOPPA), we make the following disclosures:
- Users can visit our App anonymously (without registering an Account), though functionality will be limited.
- This Privacy Policy is accessible through the App and our website.
- We will notify Users of any material changes to this Privacy Policy through in-App notifications.
- Users can change their personal information by logging into their Account in the App.
14. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through the App.
15. Privacy Policy Contact
For any questions, concerns, or requests related to this Privacy Policy or the handling of your personal information, please contact us at:
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy within the App and updating the "Effective Date" at the top of this page. We will provide at least seven (7) days' notice before material changes take effect. Your continued use of the Service after the effective date of the revised policy constitutes your acceptance of the updated terms.