Last updated: 2025-03-11
Privacy Policy
1. Data Controller
The data controller for personal data is:
Instamark S.r.l.
Via Risorgimento traversa terza 1/A, 25049 Iseo (BS), Italy
VAT: IT04165110984
Email: privacy@pinci.ai
Website: pinci.ai
2. Personal Data Processed
Pinci processes the following categories of personal data:
2.1 Registration and account data
Name, surname or username chosen by the User;
Email address;
Password (stored in encrypted form — not accessible to Pinci);
Date of birth (for verification of the minimum age of 18 years);
Date and time of registration and login.
2.2 Service usage data
Text prompts entered by the User;
Images uploaded as references by the User;
Content generated by the Platform;
Generation history;
Credits purchased, used and remaining;
Account preferences and settings.
2.3 Payment data
Payment data (e.g. credit card details, bank account information) is processed directly by the authorised payment processor (Stripe). Pinci does not have direct access to full payment data but receives only confirmation of payment, amount, transaction identifier and credit status.
2.4 Technical and browsing data
IP address;
Browser type and operating system;
Pages visited and features used;
Session data;
Data collected through cookies and tracking technologies (governed by the separate Cookie Policy).
3. Purposes and Legal Bases for Processing
3.1 Performance of a contract (Art. 6(1)(b) GDPR)
Personal data is processed in order to:
enable registration and account management;
deliver the AI generation Service;
manage the purchase and use of credits;
provide technical support;
verify compliance with the Terms and Conditions.
3.2 Legitimate interests (Art. 6(1)(f) GDPR)
Pinci has a legitimate interest in:
preventing fraud, abuse and violations of the terms of use;
ensuring the security of the Platform and its users;
moderating content for compliance with the Community Guidelines;
improving its services through aggregated and anonymised analysis of usage data.
3.3 Legal obligation (Art. 6(1)(c) GDPR)
Pinci processes personal data in order to comply with obligations imposed by applicable law, including tax, accounting and reporting obligations to the competent authorities in the event of illegal content.
3.4 Consent (Art. 6(1)(a) GDPR)
Where the legal bases referred to above do not apply, Pinci will request the User's explicit consent for specific processing activities, including the use of Generated Content for marketing activities under Article 4.2 of the Content License Agreement.
4. Data Processors (Sub-Processors)
Pinci uses the following data processors for the delivery of the Service:
MongoDB, Inc. (MongoDB Atlas)
Role: cloud database for storage of account and usage data.
Registered office: Union Square, 1633 Broadway, New York, USA. Infrastructure on EU servers (Frankfurt/Dublin).
Safeguards: MongoDB is ISO 27001 and SOC 2 Type II certified. Processing takes place on EU servers; any transfers outside the EU/EEA are covered by Standard Contractual Clauses (SCCs) adopted by the European Commission.
Stripe, Inc. (Stripe)
Role: payment processor for credit purchases.
Registered office: USA (with European entity Stripe Payments Europe, Limited, subject to GDPR).
Safeguards: US transfers covered by SCCs; PCI DSS Level 1 certified. Payment data is processed in compliance with PCI DSS standards.
Google LLC (Google Analytics 4)
Role: statistical analysis of Platform usage.
Registered office: USA (with data transfer to US servers).
Safeguards: data transfer to the USA is covered by Standard Contractual Clauses (SCCs) adopted by the European Commission. Pinci uses Google Analytics with IP anonymisation enabled and disables data sharing with Google for advertising purposes. Users may opt out of tracking through the cookie settings.
Wavespeed AI (Wavespeed)
Role: processing of prompts and images for AI content generation.
GDPR note: Wavespeed receives prompts and images as functional data for the AI generation service, but does NOT receive identifying personal data of Users (name, email, account ID). Content sent to Wavespeed is deleted within 7 days. This does not constitute a systematic transfer of personal data within the meaning of the GDPR; however, Pinci adopts contractual measures to ensure the confidentiality of the data processed.
5. International Data Transfers
The main transfers of personal data to third countries (outside the EU/EEA) involve Google Analytics (USA). Such transfers are carried out on the basis of Standard Contractual Clauses (SCCs) adopted by the European Commission under Decision 2021/914/EU, which provide adequate safeguards pursuant to Article 46 GDPR.
Pinci monitors international data transfers and updates this Privacy Policy should there be any changes to the transfer mechanisms or the list of providers.
6. Data Retention Periods
6.1 Account data
Registration and account data is retained for the entire duration of the active account and, following closure, for a maximum period of 12 months to comply with legal obligations and manage any disputes.
6.2 Generated content
Generated Content and Input Content are retained for a maximum of 15 days, after which they are automatically deleted from Pinci's systems. Users are advised to download and store any Generated Content of interest to them.
6.3 Payment data
Accounting and tax documentation relating to transactions is retained for the period required by applicable tax law (10 years under Italian tax regulations).
6.4 Technical logs
Access and system logs are retained for a maximum of 90 days for security and debugging purposes.
7. Rights of Data Subjects
Pursuant to Articles 15–22 GDPR, the User has the right to:
Access (Art. 15): obtain confirmation that Pinci is processing data relating to them and receive a copy thereof;
Rectification (Art. 16): request the correction of inaccurate or incomplete data;
Erasure (Art. 17): request the deletion of their data ("right to be forgotten"), subject to legal retention obligations;
Restriction (Art. 18): request restriction of processing in certain circumstances;
Portability (Art. 20): receive their data in a structured, machine-readable format;
Objection (Art. 21): object to processing based on legitimate interests;
Withdrawal of consent: withdraw consent given at any time, without prejudice to the lawfulness of processing carried out prior to withdrawal.
Requests relating to data subject rights should be sent to: privacy@pinci.ai
Pinci will respond within 30 days of receipt of the request, as required by Article 12 GDPR.
8. Data Security
Pinci implements appropriate technical and organisational measures to protect Users' personal data against unauthorised access, loss, destruction or disclosure, including:
encryption of data in transit (TLS/HTTPS);
password encryption using secure algorithms (bcrypt/argon2);
access control to systems based on the principle of least privilege;
monitoring of suspicious activity and intrusion detection systems;
periodically reviewed security policies.
In the event of a personal data breach that may result in a high risk to the rights of data subjects, Pinci will notify the competent supervisory authority within 72 hours and, where necessary, the affected Users, as required by Articles 33–34 GDPR.
9. Minors
The Service is reserved for persons who are at least 18 years of age. Pinci does not knowingly collect personal data from minors. Should Pinci become aware that it has collected data from a minor, it will immediately delete such data and close the account.
10. Data Protection Officer (DPO)
In light of the characteristics of the processing described in this Privacy Policy, Pinci has assessed that the conditions requiring the mandatory designation of a Data Protection Officer (DPO) under Article 37 GDPR are not met.
For any questions relating to personal data protection, Users may contact Pinci's privacy contact at: privacy@pinci.ai
11. Right to Lodge a Complaint with the Supervisory Authority
Without prejudice to any judicial remedy, the User has the right to lodge a complaint with the competent supervisory authority if they consider that the processing of their data infringes the GDPR. As Pinci is established in Italy, the lead supervisory authority is:
Garante per la Protezione dei Dati Personali (Italian Data Protection Authority)
Piazza Venezia 11, 00187 Rome, Italy
Tel: +39 06 69677 1
Email: garante@gpdp.it
Website: www.garanteprivacy.it
Users established in other EU Member States may also lodge a complaint with the supervisory authority of the Member State in which they habitually reside or work.
12. Updates to this Privacy Policy
Pinci reserves the right to update this Privacy Policy at any time to reflect regulatory, technical or organisational changes. Material updates will be communicated by email or in-app notice. Users are encouraged to periodically review the updated version available at pinci.ai/privacy.