Privacy policy

Version 1.0 (21 May 2026)

This page explains what personal information we collect, why we need it, who can see it and how you can control it. We collect very little and never sell it. Your data is stored safely in Europe.

1. Introduction

Welcome to Pinitto. This policy explains what information we collect, how we use it and your rights over it.

The company responsible for your information is Mnemoly Community S.R.L., located at Spl. Peneș Curcanu, Nr. 4-5, Timișoara, Timiș County, Romania.

If you administer a community, also see our Data Processing Agreement.

2. What information do we collect

We only collect the information necessary to provide our service.

  • When you create an account, we collect your email address and a hashed password
  • When you use Pinitto, we collect the content you generate, such as the discussions you start, comments, announcements and details about items you list for borrowing. We also optionally collect your display name and phone number if you choose to provide them. We collect basic technical information, like your IP address, to keep the service secure and functional, and from your IP we can infer a generic location (city and country)
  • When you become a paying customer, you complete the transaction through our reseller, Paddle.com. Paddle collects your billing and payment information directly. Pinitto does not receive or store your full credit card details

3. How and why we use your information

We use your information for a few key reasons, all related to providing and improving our service.

  • To run the Pinitto platform, your email and password secure your account, and the content you create populates your community space
  • To communicate with you, we use your email to send service notifications, updates and the weekly community summary
  • To improve our service, we may analyze aggregated and anonymized data to understand how Pinitto is used and where we can make improvements
  • For billing and account administration, we manage your subscription

Pinitto does not make automated decisions, profile users or perform any processing with legal or similarly significant effects on data subjects.

4. Who we share your information with

We do not sell your data. We only share it with a few trusted third-party services (sub-processors) that help us run Pinitto.

  • Amazon Web Services (AWS) hosts our infrastructure (Lambda for compute, RDS PostgreSQL for the database, S3 for file storage, SES for transactional email and KMS for encryption keys). All your data is stored in their data centers in Frankfurt, Germany
  • Hetzner Online GmbH hosts our self-hosted geocoding (Photon) and routing (GraphHopper) infrastructure on servers in Germany. Address queries are processed here when you perform a location or route lookup
  • Paddle.com Market Ltd. is our Merchant of Record. They handle payments and the checkout process for subscriptions. When you upgrade, your payment and billing information is provided directly to Paddle, and the transaction is subject to their privacy policy
  • Cloudflare provides the Turnstile service that protects our registration, authentication and contact pages from spam and bots. The legal basis for this processing is our legitimate interest in ensuring the security of our platform (Art. 6(1)(f) GDPR). To provide this service, Cloudflare processes technical data such as your IP address, user-agent header and browser information. This data is transferred to Cloudflare, Inc., a US-based company, and the transfer is secured by Cloudflare's certification under the EU-U.S. Data Privacy Framework. You can verify their certification on the Data Privacy Framework list. For more details, see Cloudflare's Privacy Policy and the Turnstile Privacy Policy
  • Google provides Gemini, which we use to analyze contact form submissions for spam and abuse. The legal basis for this processing is our legitimate interest in protecting our service from malicious and unwanted content (Art. 6(1)(f) GDPR). Your submission data is processed by Google LLC, a US-based company, and this transfer is safeguarded by their certification under the EU-U.S. Data Privacy Framework. See Google's Privacy Policy for more information

Sensitive fields are encrypted at the database level using per-community keys managed by AWS KMS. Even if our database were accessed without authorisation, content would remain unreadable without the community's specific encryption key.

5. How long we keep your information

We keep your personal information as long as your account is active. When you delete your account, we permanently delete your personal information from our active systems. Specific retention periods are as follows:

  • Activity logs used for billing are retained for 24 months
  • Invoices and financial records are retained for 10 years, as required by Romanian tax law
  • Encrypted community content (posts, discussions, wiki entries, mobility activities and item listings) is deleted when the community deletes the resource or when the account is deleted

6. Your rights over your information (GDPR)

As a user in the EU, you have the following rights under GDPR.

  • The right to access a copy of your personal data
  • The right to correct any incorrect information
  • The right to erasure ("right to be forgotten")
  • The right to restrict data processing
  • The right to data portability, receiving your data in a structured, machine-readable format
  • The right to object to processing based on our legitimate interests
  • The right to withdraw consent at any time, where processing is based on consent
  • The right to lodge a complaint with the Romanian supervisory authority, ANSPDCP (dataprotection.ro), or your local EU data protection authority

You can exercise most of these rights directly from your account settings. For any other requests, contact us via our contact page.

7. Children and minors

Pinitto is intended for adults coordinating community life. You must be 16 or older to use Pinitto, whether you register directly or join through an invitation. We do not knowingly process personal data of users under 16, and any account found to belong to one will be deleted. When a community organiser (for example a housing association or a school) invites members on behalf of their organisation, the organiser is responsible for verifying that each invited member meets our age requirement before sending the invitation.

8. How to contact us

If you have questions about this Privacy Policy, contact us via our contact page.