Data processing agreement (DPA)

Version 1.0 (21 May 2026)

This page is for community administrators and moderators. It explains the formal agreement between Pinitto and the people who create or moderate a community, covering how we handle the personal data of community members on their behalf.

This Data Processing Agreement ("DPA") is entered into between:

  • The "Customer" (acting as Data Controller), defined as the user who creates a community on the Pinitto platform. The Customer is responsible for the actions of any moderators or administrators they appoint, who act on the Customer's behalf
  • And Mnemoly Community S.R.L. (acting as Data Processor), the provider of the Pinitto platform

This DPA is incorporated into our Terms of Service and applies to the processing of personal data on behalf of the Customer.

1. Definitions

Terms such as "Personal Data", "Data Controller", "Data Processor" and "Processing" shall have the meanings given to them in the EU General Data Protection Regulation (GDPR).

2. Subject matter and scope

  • Subject matter. The provision of the Pinitto platform and services as described in the Terms of Service
  • Duration. This DPA is effective for the duration of the Customer's subscription to the Service
  • Purpose. The purpose of the processing is to enable the Customer to create and manage their private community space, including communication, resource sharing and organization among its members
  • Categories of data subjects. The members and users of the Customer's community invited to use the Service
  • Types of Personal Data. Email addresses, names (which may include address identifiers), nicknames, phone numbers, location data (mobility departure and destination addresses, item pickup locations), user-generated content (posts, comments, wiki entries, mobility activity details, item listings) and technical data (IP addresses)

The Customer is responsible for ensuring that every member they invite is eligible to use Pinitto under our Terms of Service, including the minimum age requirement and any parental or guardian consent required by local law. Pinitto does not collect or verify proof of eligibility.

Where the Customer acts on behalf of a collective (such as a housing association, school, NGO or any organisation that invites members on its behalf), the Customer warrants that they have obtained individual, written, GDPR-compliant consent from each member before importing their data or sending them invitations, and retains the record of that consent. The Customer indemnifies Pinitto against any supervisory-authority investigations, fines or third-party claims arising from member data uploaded or invited without proper legal basis.

3. Obligations of the processor (Pinitto)

Pinitto, as the Data Processor, agrees to:

  • Process Personal Data only on the documented instructions of the Customer (Controller)
  • Ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality
  • Implement and maintain appropriate technical and organizational measures to ensure the security of the Personal Data. Sensitive fields (names, contact details, post content, discussion content, wiki content, borrowable descriptions and mobility activity details) are encrypted at the database level using per-community keys managed by AWS KMS. Data is transmitted over TLS and stored at rest with AES-256 encryption on servers located within the Federal Republic of Germany
  • Notify the Customer of any requests from data subjects to exercise their rights under GDPR and provide assistance to the Customer in fulfilling these requests
  • Notify the Customer without undue delay and in any event within 72 hours of becoming aware of a personal data breach
  • Upon termination of the service, instantly and permanently delete all Personal Data. No data export will be available post-termination
  • Make available to the Customer all information necessary to demonstrate compliance with GDPR and allow for and contribute to audits conducted by the Customer

The Customer's documented instructions are set out in this DPA, the Terms of Service and the platform's normal operational configuration. The Customer may issue additional written instructions through the privacy contact in section 5.

4. Sub-processing

The Customer hereby grants general authorisation for Pinitto to engage third-party sub-processors to provide the Service. Pinitto confirms that all sub-processors are bound by data protection obligations equivalent to those in this DPA.

Pinitto will maintain a list of its current sub-processors and will give the Customer at least 30 days' written notice before adding or replacing any sub-processor. The Customer may object on reasonable data-protection grounds during that period. If the Customer objects, Pinitto may propose an alternative arrangement or terminate the Service with a pro-rata refund of any prepaid fees.

Our current sub-processors are:

  • Amazon Web Services (AWS) hosts our infrastructure (Lambda, RDS PostgreSQL, S3, SES, KMS) in Frankfurt, Germany
  • Hetzner Online GmbH hosts our self-hosted geocoding (Photon) and routing (GraphHopper) infrastructure in Germany
  • Paddle.com Market Ltd. serves as our Merchant of Record for payment and subscription processing
  • Cloudflare, Inc. provides spam and bot protection on registration, authentication and contact pages
  • Google LLC provides AI-based spam and content moderation on contact form submissions

Where sub-processors are based outside the European Economic Area, international transfers are protected by the EU-U.S. Data Privacy Framework (for US-based sub-processors), the UK adequacy decision (for UK-based sub-processors), or, as a fallback, the EU Standard Contractual Clauses.

5. Data protection officer

Pinitto is not required to appoint a Data Protection Officer under GDPR Art. 37. The privacy contact for all data protection matters is contact [at] pinitto [dot] com.

6. Governing law

This DPA shall be governed by the laws of Romania and the European Union.