Legal
Effective date: April 1, 2026 · Pinpoint Labs Inc. · British Columbia, Canada
Pinpoint provides software infrastructure that enables businesses ("Merchants") to create digital entry points for their physical locations. This Privacy Policy explains how Pinpoint collects, uses, and protects information in the context of operating this platform.
Pinpoint operates as a data processor. Merchants who use the Pinpoint platform are the data controllers with respect to any personal information collected from their customers ("End Users"). Merchants determine the purposes and means of processing End User data and bear primary responsibility for compliance with applicable privacy laws.
When a Merchant registers for Pinpoint, we collect: business name, address, phone number, email address, and Google listing information. This information is used solely to operate the Merchant's account and deliver the Pinpoint service. We do not sell, rent, or share Merchant account data with third parties for commercial purposes.
When an End User interacts with a Merchant's Hub page (e.g., submits feedback, joins a birthday club, or scans a QR code), that data is collected on behalf of and under the instruction of the Merchant. Pinpoint acts solely as a technical custodian of this data.
Pinpoint does not:
End Users who wish to access, correct, or delete their personal information should contact the Merchant directly. Merchants are responsible for handling such requests in accordance with applicable law.
When End Users interact with a Merchant's Hub page, Pinpoint's infrastructure automatically records certain technical data including: scan timestamp, device type, approximate geographic region (country/province level only), and interaction events (e.g., page views, button clicks). This data is attributed to the Merchant's account and is not used by Pinpoint for any independent purpose.
All data is stored on encrypted infrastructure hosted by Supabase (PostgreSQL) in secure data centers. Pinpoint implements industry-standard technical and organizational security measures including encrypted connections (TLS), access controls, and audit logging. However, no system is completely secure. Pinpoint cannot guarantee absolute security and is not liable for unauthorized access resulting from factors outside its reasonable control.
Merchant account data is retained for the duration of the account plus a reasonable period for legal and administrative purposes. End User data collected through a Merchant's Hub page is retained according to the Merchant's configuration and applicable law. Merchants may request deletion of their data and associated End User data at any time through the Dashboard or by contacting Pinpoint support.
Where Pinpoint processes personal data on behalf of Merchants, Pinpoint does so only on documented instructions from the Merchant (as expressed through their use of the platform and configuration settings). Pinpoint will not process personal data for purposes beyond those necessary to provide the contracted service.
Merchants are responsible for ensuring they have a valid legal basis to collect End User personal information and for providing appropriate privacy notices to their customers prior to collecting data through the Pinpoint platform.
Pinpoint uses the following sub-processors to deliver its service: Supabase (database infrastructure), Vercel (hosting and edge delivery), Resend (transactional email delivery), and Upstash (caching). Each sub-processor is bound by data processing agreements and appropriate security obligations. Pinpoint does not permit sub-processors to use Merchant or End User data for their own purposes.
Pinpoint uses session cookies strictly necessary for authentication and security. We do not use third-party advertising cookies, tracking pixels, or behavioral profiling technology on either the Dashboard or Hub pages.
Merchants have the right to: access all data associated with their account; request correction of inaccurate data; request deletion of their account and associated data; and export their data in a machine-readable format. These rights can be exercised through the Dashboard (Settings → Data & Privacy) or by contacting us at privacy@pinpointos.io.
Pinpoint is committed to compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation in Canada. Questions or complaints regarding Pinpoint's privacy practices may be directed to our Privacy Officer at privacy@pinpointos.io.
Pinpoint may update this Privacy Policy from time to time. Material changes will be communicated to Merchants via email or Dashboard notification at least 14 days before taking effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.
Privacy Officer, Pinpoint Labs Inc.
Email: privacy@pinpointos.io