1. Controller
The controller responsible for data processing within the meaning of the General Data Protection Regulation (GDPR) is:
mypinio GmbH, Pappelallee 78/79, 10437 Berlin, Germany
Email: [email protected]
Website: https://mypinio.com
The appointment of a Data Protection Officer is currently not required pursuant to Art. 37 GDPR in conjunction with § 38 BDSG. For all data protection inquiries, please contact the email address above.
2. Scope
This privacy policy applies to the use of the mypinio.com platform, including all products and services provided through the platform. These include:
- Surveys (create, manage, and analyze surveys)
- Polls (voting system with embed functionality)
- Communities (member communities with forums, events, and modules)
- Experience Management / XM (customer experience management)
- Closed-Loop Feedback
- Insights (meta-reporting and AI analyst)
- mypinio AI (hybrid chat with knowledge base)
- Synthetic Data (AI-powered data generation)
This privacy policy applies to registered users (workspace owners and members), website visitors, survey respondents, community members, and poll participants.
3. Legal bases for processing
We process personal data exclusively on the basis of the following legal grounds under Art. 6(1) GDPR:
| Legal basis | Scope |
|---|---|
| Art. 6(1)(a) - Consent | Cookie consent (analytics, marketing, preferences); newsletter signup; optional AI features |
| Art. 6(1)(b) - Performance of contract | Account management and authentication; provision of platform products; conducting surveys and analyses; payment processing via Stripe |
| Art. 6(1)(c) - Legal obligation | Retention of billing data; audit logs; deletion records (DeletionRecord) |
| Art. 6(1)(f) - Legitimate interest | Platform security and abuse prevention (rate limiting, API key validation); error detection via Sentry (PII-scrubbed); infrastructure monitoring |
4. Data we collect
4.1 Account data
When you register and use the platform, we collect:
- Name and email address - for account management and communication (stored encrypted)
- OAuth account data - when signing in via third-party providers (e.g. Google)
- Workspace association - for tenant data separation
- Session data - to maintain authenticated sessions (httpOnly, Secure, SameSite cookies)
4.2 Usage data
- Created content - surveys, polls, community posts, XM projects, feedback entries
- AI usage - prompts to AI features (analyst, mypinio AI, synthetic data), logged per workspace in the AiUsage table
- Media files - uploaded images and files (stored on Cloudflare R2)
4.3 Technical data
- IP address - not stored in full; only the country of origin is derived for analytics purposes
- Device and browser information - to ensure technical compatibility
- Error reports - via Sentry, with automatic PII scrubbing (no emails, names, or IP addresses)
4.4 Survey respondents
Survey respondents are anonymous by default. Participation is identified solely by a randomly generated response code. IP addresses are not stored on the SurveyResponseSession. Segments and contact data are controlled exclusively by the survey creator.
4.5 Community members
Community members authenticate via magic link or community password. Password hashes use bcryptjs with a cost factor of at least 12. When a member leaves or is deleted, all associated data is permanently deleted (hard delete).
5. Cookies and consent management
We use a cookie consent system with four categories. Non-essential cookies are disabled by default and are only set after explicit consent.
| Category | Default | Description |
|---|---|---|
| Necessary | Always active | Session cookies, CSRF protection, cookie consent storage. Cannot be disabled. |
| Analytics | Disabled | First-party analytics for usage optimization. No Google Analytics, no GTM, no Meta Pixel. |
| Marketing | Disabled | Currently not in use. Reserved for future consent-based integrations. |
| Preferences | Disabled | Storage of user preferences such as language settings. |
Consent can be withdrawn at any time via the cookie banner or platform settings. The consent decision is stored locally in the browser (localStorage).
Note: We do not use Google Analytics, Google Tag Manager, Meta Pixel, or any other third-party tracking tools.
6. Use of artificial intelligence
Several platform features use AI models from Anthropic (Claude). These include:
- AI analyst in Insights (data analysis and recommendations)
- mypinio AI (hybrid chat with AI fallback)
- Synthetic Data (AI-powered generation of synthetic survey data)
- AI-powered survey creation and template suggestions
What is sent to Anthropic
- User prompts and query content from the features listed above
- Minimized data: no email addresses, names, or payment information are transmitted
How usage is logged
- All AI calls are logged per workspace in the AiUsage table
- API keys are used exclusively server-side and are never included in client-side code
Legal basis: Art. 6(1)(b) GDPR (performance of contract: provision of AI-powered platform features) or Art. 6(1)(a) GDPR (consent: for optional AI usage).
7. Sub-processors and recipients
We engage the following service providers as sub-processors pursuant to Art. 28 GDPR. A data processing agreement (DPA) is in place with each sub-processor.
| Service provider | Data processed | Location | Purpose |
|---|---|---|---|
| Railway | All platform data (infrastructure) | USA / EU | Hosting and database |
| Cloudflare | Request metadata, DNS | Global (EU routing) | CDN, DDoS protection, DNS |
| Cloudflare R2 | Media files, GDPR exports | EU | Object storage |
| Stripe | Payment data, email | USA (EU SCC) | Payment processing |
| SendGrid | Email address, name | USA (EU SCC) | Transactional emails |
| Anthropic | User prompts (minimized) | USA (EU SCC) | AI processing |
| Sentry | Error data (PII-scrubbed) | USA (EU SCC) | Error monitoring |
An up-to-date sub-processor list can be requested at any time via [email protected].
8. International data transfers
mypinio is headquartered in Germany. Some sub-processors process data in the USA (Railway, Stripe, SendGrid, Anthropic, Sentry). For these transfers, we employ the following safeguards:
- EU Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR
- Adequacy decision of the European Commission, where available (e.g. EU-US Data Privacy Framework)
- Additional technical measures: encryption in transit and at rest, data minimization, PII scrubbing before transfer
Cloudflare R2 is configured for EU-only storage. The main database is operated on Railway in the EU region.
9. Retention periods
We store personal data only as long as necessary for the respective purpose. The following specific periods apply:
| Data type | Retention period | Note |
|---|---|---|
| Session tokens | 30 days | NextAuth maxAge; automatic cleanup |
| GDPR export files (R2) | 48 hours | Automatic deletion by daily cron job |
| Stripe events | 90 days | Weekly cleanup by cron job |
| Audit logs | Indefinite | Legal compliance requirement |
| Deletion records | Indefinite | Legal proof of data protection compliance |
| Rate limit data | Per time window | Redis TTL, automatic cleanup |
| Account data | Until deletion | Deletable via self-service or request |
10. Your rights as a data subject
Under the GDPR, you have the following rights:
10.1 Right of access (Art. 15 GDPR)
You have the right to obtain information about the personal data we process. Use the self-service function under Settings > Privacy or contact [email protected].
10.2 Right to rectification (Art. 16 GDPR)
You may request the correction of inaccurate data or the completion of incomplete data. Profile data can be changed directly in your account settings.
10.3 Right to erasure (Art. 17 GDPR)
You may request the deletion of your personal data. We offer two deletion options:
- Immediate deletion: Your account and all associated data are deleted immediately and irrevocably.
- Deletion with grace period (14 days): Your account is deactivated and deletion is scheduled. During the grace period, you can cancel the deletion via a link sent by email.
Data deleted includes: all workspace data (surveys, polls, communities, XM, feedback, media), all user-scoped data (sessions, AI usage, notifications), authentication data, and the user record itself (anonymized).
Not deleted: Deletion records (DeletionRecord) and audit logs. These are permanently retained as legal proof of compliance.
10.4 Right to data portability (Art. 20 GDPR)
You may request an export of your data in a machine-readable format (JSON). Use the export function under Settings > Privacy. The export includes: profile data, OAuth accounts, workspace and community memberships, assistant sessions, created surveys (metadata), notifications, and audit logs.
The export is stored encrypted on Cloudflare R2 and is available via a single-use download link for 48 hours. The storage key is never exposed to the client β the download is streamed server-side. A maximum of one export per 24 hours is permitted.
10.5 Right to object (Art. 21 GDPR)
You have the right to object to the processing of your data based on legitimate interests (Art. 6(1)(f)) at any time. We will cease processing unless there are compelling legitimate grounds.
10.6 Right to restriction (Art. 18 GDPR)
You may request the restriction of processing, in particular if the accuracy of the data is contested or the processing is unlawful.
10.7 Withdrawal of consent
Where processing is based on your consent, you may withdraw it at any time with effect for the future. The lawfulness of processing carried out prior to withdrawal remains unaffected.
10.8 Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority, in particular with the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit).
11. Self-service privacy center
Registered users can exercise their data protection rights directly via the platform's built-in GDPR center, accessible under Settings > Privacy. The following functions are available:
| Function | Description |
|---|---|
| Data export | JSON export of all personal data with single-use download link (valid for 48 hours) |
| Account deletion | Immediate or scheduled deletion (14-day grace period) with email cancellation |
| Session management | Revocation of all other active sessions |
| Contact | Direct contact for formal data protection requests |
12. Data security
We employ extensive technical and organizational measures to protect your data:
Encryption and access control
- PII fields (e.g. email addresses) are stored encrypted
- API keys are stored exclusively as SHA-256 hashes; the plaintext is never persisted after creation
- Community passwords: bcryptjs with cost factor ≥ 12
- Session cookies: httpOnly, Secure, SameSite
- HSTS (Strict-Transport-Security) with a max-age of 2 years
Network and application security
- Rate limiting on all authentication, AI, and mutation endpoints
- Workspace scoping: every database query is restricted to the respective workspace
- Input validation with Zod on all API routes
- XSS protection through HTML sanitization (DOMPurify) and safe Markdown rendering
- Open redirect protection: only relative paths permitted as redirect targets
- Stripe webhook verification with signature checking and event deduplication
Monitoring
- Sentry error reports with automatic PII scrubbing (beforeSend hook)
- No logging of emails, names, phone numbers, or IP addresses
- Audit logging of all security-relevant actions
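The Sentry `beforeSend` hook mentioned above can be written as a pure function over the event object the SDK passes in, which is what the following added example does. It is not mypinio's code: it drops the `email`, `ip_address` and `username` fields of `event.user`, strips cookies, request bodies and credential-bearing headers, and redacts email-address and IPv4 patterns from messages, exception values, breadcrumbs and the request URL. The function name, the header list and the sample event are assumptions; `beforeSend`, `sendDefaultPii` and the event fields used are part of the Sentry SDK's documented event shape.

```javascript
// Added example (not mypinio's code): a Sentry beforeSend hook that removes PII before an
// event leaves the server. Assumptions: the event object shape is Sentry's (user, request,
// message, exception.values[], breadcrumbs[]); the sample event in the test is constructed.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const IPV4_RE = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;
const SENSITIVE_HEADERS = new Set(["cookie", "set-cookie", "authorization", "x-api-key"]);

function redact(text) {
  return String(text).replace(EMAIL_RE, "[email]").replace(IPV4_RE, "[ip]");
}

// Mutates and returns the event, as beforeSend hooks conventionally do. Returning null
// instead would drop the event entirely.
function scrubPii(event) {
  if (!event || typeof event !== "object") return event;

  // Keep only an opaque id on the user; email, ip_address and username go.
  if (event.user) {
    event.user = event.user.id !== undefined ? { id: event.user.id } : undefined;
  }

  if (event.request) {
    delete event.request.cookies;
    delete event.request.data; // request bodies can carry anything the user typed
    if (event.request.headers) {
      for (const name of Object.keys(event.request.headers)) {
        if (SENSITIVE_HEADERS.has(name.toLowerCase())) delete event.request.headers[name];
      }
    }
    if (event.request.url) event.request.url = redact(event.request.url);
  }

  // Free-text fields are where emails and addresses leak via interpolated error strings.
  if (event.message) event.message = redact(event.message);
  for (const ex of event.exception?.values ?? []) {
    if (ex.value) ex.value = redact(ex.value);
  }
  for (const crumb of event.breadcrumbs ?? []) {
    if (crumb.message) crumb.message = redact(crumb.message);
  }
  return event;
}

// Wiring, for reference (not executed here):
//   Sentry.init({ dsn: process.env.SENTRY_DSN, sendDefaultPii: false, beforeSend: scrubPii });
```

`sendDefaultPii: false` stops the SDK from attaching the client IP and cookies in the first place; the hook is the second line of defence for data that reaches the event through application code, such as an error message that interpolates an email address.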
13. Children and minors
Our services are not directed at persons under the age of 16. We do not knowingly collect personal data from persons under 16. Should we become aware that data of a person under 16 has been collected, we will delete it without delay. Pursuant to Art. 8 GDPR in conjunction with § 2(1) TTDSG, the age threshold in Germany for consent to the processing of personal data in information society services is 16 years.
14. Audit logging
To ensure compliance and protect against misuse, we log security-relevant actions in an immutable audit log. Actions logged include: data export requests, deletion requests and their execution, API key creation and revocation, admin actions, and changes to workspace memberships and roles.
Audit logs never contain the content of the action, only the resource ID and the type of action. Users can view their own audit logs via the data export.
15. Third-party services on the website
Some images on our website are served via Next.js image optimization. Your browser requests the optimized image from our domain; our servers may retrieve the original file from the provider (e.g. Unsplash). Your device does not establish a direct connection to third-party providers for these images.
We do not use social media widgets (Facebook Like button, Twitter widgets, etc.). No third-party tracking tools (Google Analytics, Meta Pixel, Flurry, etc.) are used.
16. Changes to this privacy policy
We reserve the right to update this privacy policy as needed, in particular when our processing activities, legal requirements, or technologies change. In the event of material changes, we will notify registered users by email and update the date at the top of this document.
17. Contact
For all data protection inquiries, exercise of your data subject rights, or complaints, please contact:
mypinio GmbH, Pappelallee 78/79, 10437 Berlin, Germany
Email: [email protected]
Please indicate "Privacy Request" in the subject line so we can process your inquiry as quickly as possible.