Privacy Policy

Last updated: 3 April 2026

1. Data Controller

pin360 is operated by Kyle Greig, sole trader, based in the United Kingdom. For privacy matters contact us at support@pin360.io.

Where this policy refers to "pin360", "we", "us", or "our", it means Kyle Greig trading as pin360, the data controller responsible for your personal data.

2. Data We Collect

2.1 Account Information

When you create an account we collect your name, email address, and a hashed password. If you sign up via a social provider we receive the profile data that provider shares (typically name and email). We also store your IP address and user-agent string with each authenticated session.

2.2 Organisation Data

Organisation name, slug, logo, and details of team members (name, email, role) added by an administrator. Organisation branding settings (logo, colours, report title) are also stored.

2.3 User-Generated Content

360-degree panoramic images, flat photographs, PDF floor plans, marker annotations, inspection notes, severity ratings, panorama comments, and AI-generated inspection reports that you create within the platform.

2.4 Payment Information

Payment card details are collected and processed directly by Stripe. We never see or store full card numbers. We store only your Stripe customer ID, subscription ID, plan tier, and billing period dates on our servers.

2.5 Analytics & Cookies

With your consent, we use PostHog for product analytics and session replay. PostHog sets cookies to track page views, feature interactions, and anonymised session recordings (all form inputs are masked). PostHog analytics are only activated after you give consent via our cookie banner.

We also use Vercel Analytics, which collects anonymous web-vital metrics without setting cookies or using fingerprinting. Vercel Analytics loads without requiring consent as it does not process personal data.

2.6 Marketing Attribution

If you arrive via a campaign link we store the UTM parameters (utm_source, utm_medium, utm_campaign) against your user record to understand which channels bring users to pin360.

2.7 Email & Newsletter

We send transactional emails (password reset, team invitations, subscription confirmations, lifecycle onboarding emails) via Resend. We track delivery status, opens, clicks, bounces, and complaints via Resend webhooks to maintain email deliverability and suppress bounced addresses.

2.8 Waitlist Data

If you joined our waitlist we collected your email, name, role, company, and referral source. This data is retained only for the purpose of granting early access and is deleted once your account is created.

3. Lawful Basis for Processing

Under UK GDPR, we process your personal data on the following legal bases:

  • Performance of a contract (Article 6(1)(b)): Account creation, service provision, file storage, payment processing, and transactional emails — all necessary to deliver the service you signed up for.
  • Consent (Article 6(1)(a)): PostHog analytics cookies and session recordings are only activated after you give explicit consent via our cookie banner. You may withdraw consent at any time by clearing the "pin360_consent" cookie or contacting us.
  • Legitimate interests (Article 6(1)(f)): Aggregate usage analysis via Vercel Analytics (cookieless and non-identifying), security logging (IP address and user-agent stored per session), email deliverability monitoring (bounce/complaint tracking), and marketing attribution (UTM parameters). Our legitimate interest is maintaining and improving a secure, reliable service; this is balanced against your rights as these activities involve minimal intrusion.
  • Legal obligation (Article 6(1)(c)): Retention of billing records for 7 years under UK financial record-keeping requirements.

4. How We Use Your Data

  • Provide, operate, and improve the pin360 platform and its features.
  • Authenticate your identity and manage organisation membership.
  • Process payments and manage subscriptions via Stripe.
  • Send transactional emails (password reset, team invitations, subscription confirmations, onboarding sequences).
  • Generate AI-powered inspection reports and photo analyses when you use those features (see section 5).
  • Analyse aggregate usage patterns to improve product features (PostHog, with consent; Vercel Analytics, cookieless).
  • Monitor email deliverability and suppress bounced addresses.
  • Enforce our Terms of Use and comply with legal obligations.

We do not sell your personal data to third parties. We do not use your content for advertising purposes.

5. AI Processing

pin360 offers optional AI-powered features including photo defect analysis, smart notes generation, and inspection report generation. When you use these features:

  • Photographs and marker data from your project are sent to third-party AI providers (currently OpenAI for vision analysis, and xAI for text generation) via an API gateway.
  • Data is sent only for the specific analysis you request and is processed in real time. We do not send bulk data or entire projects to AI providers.
  • AI providers process data under their API terms, which prohibit using API inputs to train models. Your data is not used to train any AI model.
  • AI analysis results (text output and token counts) are stored in our database for your reference and to track usage against your plan quota.

6. Third-Party Services

We use the following sub-processors to deliver the service. Each service receives only the minimum data necessary:

  • Vercel (United States) — Hosting, edge infrastructure, and cookieless web analytics.
  • Neon (United States) — Serverless PostgreSQL database storing all application data.
  • Cloudflare R2 (global edge network) — Object storage for uploaded images and PDFs.
  • Stripe (United States) — Payment processing and subscription management. Subject to Stripe's Privacy Policy.
  • Resend (United States) — Transactional and lifecycle email delivery.
  • PostHog (United States / EU) — Product analytics and session replay (consent required).
  • OpenAI (United States) — AI vision analysis for inspection photographs (only when you use AI features).
  • xAI (United States) — AI text generation for inspection reports (only when you use AI features).

7. International Data Transfers

Several of our sub-processors are based in the United States, which means your personal data may be transferred outside the United Kingdom. These transfers are protected by appropriate safeguards as required by UK GDPR:

  • Where available, we rely on the UK International Data Transfer Agreement (UK IDTA) or the EU Standard Contractual Clauses (SCCs) with the UK Addendum, as adopted by the Information Commissioner's Office.
  • All our US-based sub-processors maintain SOC 2 or equivalent security certifications and have signed data processing agreements committing to GDPR-equivalent data protection standards.

8. Data Retention

  • Account & project data: Retained while your account is active. After cancellation, retained for 30 days to allow reactivation, then permanently deleted.
  • Uploaded files: Permanently deleted from Cloudflare R2 within 30 days of account cancellation (or sooner upon request).
  • Billing records: Retained for 7 years to comply with UK financial record-keeping requirements (HMRC).
  • Session data: Auth sessions expire automatically and are purged from the database.
  • Analytics data: PostHog retains event data according to its own retention policies. Vercel Analytics data is aggregated and non-identifying.
  • AI analysis results: Stored in our database for the lifetime of your account. Deleted alongside your account data.
  • Email event logs: Delivery, open, and bounce records retained for 12 months for deliverability monitoring, then purged.
  • Waitlist data: Deleted once your account is created, or within 12 months if an account is never created.

You may request earlier deletion at any time (see Your Rights below).

9. Data Security

We take appropriate technical and organisational measures to protect your personal data:

  • All data in transit is encrypted via TLS 1.2 or higher (HTTPS everywhere).
  • Passwords are hashed using a strong one-way hashing algorithm before storage. We never store plaintext passwords.
  • Database connections use encrypted channels. Access is restricted to application-level credentials only.
  • File storage on Cloudflare R2 uses encryption at rest. Access to stored objects requires authenticated API calls scoped to your organisation.
  • PostHog session recordings mask all form inputs by default to prevent capture of sensitive data.
  • Administrative access to production systems is limited to the data controller and protected by strong authentication.

10. Your Rights Under UK GDPR

As a data subject under UK GDPR, you have the following rights:

  • Right of access — Request a copy of the personal data we hold about you.
  • Right to rectification — Ask us to correct inaccurate or incomplete data.
  • Right to erasure— Request deletion of your personal data ("right to be forgotten").
  • Right to restrict processing — Ask us to limit how we use your data in certain circumstances.
  • Right to data portability — Receive your data in a structured, commonly used, machine-readable format.
  • Right to object — Object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent — Where we rely on consent (e.g. analytics cookies), you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, email support@pin360.io. We will respond within one calendar month. If we need more time (up to two further months for complex requests), we will let you know within the first month.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint.

11. Cookies

We use the following categories of cookies:

  • Strictly necessary cookies: Authentication session cookies set by Better Auth, and the "pin360_consent" cookie that stores your cookie preference. These are essential for the platform to function and do not require consent under PECR.
  • Analytics cookies: PostHog sets cookies to track page views, feature usage, and session recordings. These are only set after you give explicit consent via our cookie banner. You can withdraw consent at any time, and we will remove PostHog cookies from your browser.

Vercel Analytics does not set cookies and is not classified as a tracking technology under PECR.

12. Children's Privacy

pin360 is a business-to-business service designed for professional use. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have collected data from a child, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at support@pin360.io.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or via an in-app notice at least 14 days before they take effect. The "Last updated" date at the top of this page will always reflect the most recent revision. Continued use of the service after the effective date constitutes acceptance of the updated policy.

14. Contact

For any privacy-related questions, data subject requests, or concerns, contact us at support@pin360.io.