PinTips

Privacy Policy

Last updated: June 17, 2026

This Privacy Policy fully and clearly describes how personal data is processed by Undici S.r.l.s., a sole-shareholder company incorporated under Italian law, with Sole Director Marco Cavanna (the "Controller"), in connection with the use of the PinTips digital platform (the "Service").

Personal data is processed in compliance with Regulation (EU) 2016/679 ("GDPR"), Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018, and applicable Italian and European law.


1. Data Controller

The Controller of the processing of personal data is:

Undici S.r.l.s.
Sole-shareholder company – Italian law
Sole Director: Marco Cavanna
Registered office: Piazza Mazzini 7, 10023 Chieri (TO) - Italy
VAT / Tax code: 13016610019
Competent court: Turin (Italy)

For any request concerning the processing of personal data and to exercise the rights granted by the GDPR, the Controller can be contacted at privacy@pin.tips.


2. Scope

This Privacy Policy applies to:

  • registered users who create and manage maps ("Map Authors");
  • people who view maps without registering ("Guests");
  • visitors of the Service's website and public interfaces.

This Privacy Policy governs only the processing of personal data carried out by the Controller and does not extend to processing carried out independently by third parties under their own policies.


3. Categories of personal data processed

3.1 Data provided directly by the Map Author

During registration and use of the Service, the Controller may process personal data provided directly by the user, such as:

  • email address;
  • first and last name (if provided);
  • password, stored in hashed form by the authentication provider (not applicable when signing in with Google — see § 3.2 and § 5);
  • the username chosen for publishing maps;
  • a profile picture, if voluntarily uploaded by the user;
  • usage preferences and onboarding state;
  • billing data, collected only when subscribing to a paid plan (see § 3.5).

Providing such data is necessary to create the Account and deliver the Service.


3.2 Data obtained through Sign in with Google

If the user chooses to register or sign in using the "Sign in with Google" feature (Google OAuth), PinTips accesses a minimal set of the user's Google Account data. How such data is accessed, used, stored and shared is described in detail in the dedicated section § 5 (Google account data).


3.3 Content uploaded by the Map Author

The Service allows Map Authors to create maps, add pins and associate text, images, descriptions, opening hours, contact details or other information.

Such content may include, at the Map Author's discretion, personal data of third parties or of the user themselves.

The Map Author acts as an independent data controller with respect to any personal data contained in the published Content, assuming full responsibility for it.

PinTips does not pre-screen Content and does not determine the purposes of processing of any data included in it.

Points of interest may also be created through place search on third-party mapping services: the relevant details are described in § 6.


3.4 Usage data, logs and technical data

When accessing and using the Service, the Controller may automatically collect technical and navigation data, including:

  • IP address;
  • date and time of requests;
  • user agent, browser and operating system;
  • device information;
  • access and error logs;
  • technical interactions with the App and the APIs.

Such data is processed solely for security, monitoring, maintenance and improvement of the Service.


3.5 Billing data

When subscribing to a paid plan, the Controller processes the data needed to comply with tax and accounting obligations, such as: company name or personal name, VAT number or tax code, recipient code (SDI), billing email, country and address.

Part of such data (e.g. address and VAT number) may be collected directly by Stripe during checkout. After payment, the Controller generates an immutable fiscal snapshot of the data required to issue an invoice, where applicable. Invoices are issued manually by the Controller; there is no automatic transmission of data to third parties other than Stripe.


3.6 Public map usage metrics

To provide Map Authors with aggregate statistics about their own maps (number of views and pin interactions), the Controller collects metrics server-side, with a first-party and data-minimizing approach:

  • for each view of a public map: the identifier of the map and of its Map Author. IP address, user agent and referrer are not stored;
  • for each interaction with a pin: the identifier of the map, the pin, the Map Author, the interaction type and a pseudonymous session identifier (session_hash).

The session_hash is a non-reversible value derived through a hash function from IP address, user agent, the current date and a secret value (salt); it is scoped to a single day (it cannot link visits across different days) and does not directly identify the user. Its sole purpose is to de-duplicate statistics.

For aggregate statistical purposes only, the public-map open event (carrying no identifying data and distinguished solely by the pseudonymous session_hash) is additionally transmitted server-side to the product-analytics provider (PostHog, EU region). This transmission likewise uses no cookies and no device storage on the visitor's device, and builds no individual profile.

These metrics do not use cookies and are not used for individual profiling.

Legal basis: the legitimate interest of the Controller and of the Map Authors in measuring the essential use of the Service (Art. 6(1)(f) GDPR).


3.7 Guest geolocation data

When viewing a public map, the Guest may optionally enable their device's geolocation to orient themselves relative to the pins. This feature:

  • requires explicit consent through the browser (the device's native control);
  • is used client-side only (on the Guest's device);
  • involves no storage of the location on the Controller's systems.

3.8 Guest data

Guests can view maps without registering and without creating an Account.

In such cases, the Controller processes only technical and navigation data and the aggregate metrics described in § 3.6, without directly identifying the user, except as necessary for security and operation of the Service.

3.9 Marketing communications data

Where the Map Author gives consent, the Controller processes the email address and name to send marketing communications, split into two independent and optional categories: "PinTips updates" (news about product features) and "Newsletter" (articles, tips and news). The related subscription preferences and, where available, email engagement metrics (opens, clicks) are also processed. Consent is collected separately and is not bundled with acceptance of the Terms of Service, is given per category, and can be withdrawn at any time (see § 4.5).


4. Purposes of processing and legal bases

Personal data is processed for the following purposes:

4.1 Delivering the Service

  • creating and managing Accounts;
  • authenticating users (including via Google);
  • publishing and displaying maps;
  • managing subscriptions and payments;
  • technical support and assistance.

Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

4.2 Security, abuse prevention and maintenance

  • preventing unauthorized access;
  • detecting misuse;
  • handling errors and malfunctions;
  • aggregate measurement of Service usage.

Legal basis: the Controller's legitimate interest (Art. 6(1)(f) GDPR).

4.3 Compliance with legal obligations

  • tax, accounting or regulatory obligations (including invoices);
  • requests from competent authorities.

Legal basis: legal obligation (Art. 6(1)(c) GDPR).

4.4 Statistical analysis and Service improvement

  • product analytics, where enabled, through analytics tools;
  • feature optimization.

Legal basis: consent, for technologies that require it (Art. 6(1)(a) GDPR); legitimate interest for essential, aggregate analytics only. Consent mechanisms are described in the Cookie Policy.

4.5 Marketing communications

  • sending product updates and newsletter content, limited to the categories the user has consented to;
  • managing subscription preferences and measuring email engagement.

Legal basis: consent (Art. 6(1)(a) GDPR), given separately for each category. The user may withdraw consent at any time via the unsubscribe link present in every email, without affecting the lawfulness of processing based on consent before its withdrawal.


5. Google account data (Google API Services User Data Policy)

This section specifically describes how PinTips accesses, uses, stores and shares Google user data, in compliance with the Google API Services User Data Policy and the Google APIs Terms of Service.

PinTips offers a "Sign in with Google" feature to allow registration and authentication without creating a dedicated password. Access to Google data occurs only if the user actively chooses this option, based on the non-sensitive scopes openid, email and profile.

5.1 Data PinTips accesses (Data Accessed)

Through Sign in with Google, PinTips accesses only the following basic Google Account information:

  • the email address of the Google Account;
  • the name associated with the Google Account;
  • the unique identifier of the Google Account (Google ID);
  • the profile picture URL from Google.

PinTips does not request and does not access any other data (e.g. contacts, calendar, Drive, Gmail, photos): no sensitive or restricted scopes are used.

5.2 How PinTips uses this data (Data Usage)

Google Account data is used solely for the following purposes:

  • to create and authenticate the user's PinTips Account;
  • to use the email address as the Account identifier and as the channel for service communications;
  • to pre-fill the name in the user's PinTips profile.

The Google profile picture is neither stored nor displayed: PinTips uses the user's name initials as the default avatar; the user may optionally upload their own image, which is stored separately.

PinTips does not use Google data for advertising or marketing, does not use it for individual profiling, and does not use it to train artificial intelligence or machine learning models.

5.3 How PinTips stores this data (Data Storage)

  • the email address and name are stored in the authentication system operated by Supabase (data processor, infrastructure within the European Economic Area);
  • when signing in with Google, no password is created or stored at PinTips, since authentication is delegated to Google;
  • this data is retained for the lifetime of the Account and deleted as described in § 8.

5.4 How PinTips shares this data (Data Sharing)

  • PinTips does not sell and does not transfer Google data to third parties;
  • the only party processing such data on behalf of the Controller is Supabase, as a data processor and solely for authentication and Account management;
  • there is no transfer of Google data for advertising, resale or model-training purposes.

5.5 Limited Use

PinTips' use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

5.6 Revoking access

The user may at any time revoke PinTips' access to their Google Account from Google Account → Security → Third-party apps with account access, and may unlink the Google account from their PinTips profile settings.


6. Mapping and place-search services

To display maps and search for addresses and points of interest, the Service relies on the third-party mapping services of Google Maps Platform (Places API and Geocoding API).

When a Map Author searches for an address or a point of interest, PinTips sends Google the text typed in the search field and the geographic coordinates of the displayed area, for the sole purpose of returning relevant results. Such transfers are governed by the provider's terms and privacy policy (Google).

This use of Google Maps Platform does not constitute access to a Google Account's data and occurs through an application key, independently of any Sign in with Google described in § 5.

When a Map Author saves a point of interest, PinTips stores the place's name, address and coordinates together with the place identifier provided by the provider (place ID). In accordance with Google's terms, photos, ratings or opening hours provided by Google are not stored.


7. How data is processed

Personal data is processed using IT and electronic tools, in compliance with the principles of lawfulness, fairness, transparency, minimization and security.

The Controller adopts appropriate technical and organizational measures to ensure a level of security proportionate to the risk, including row-level access control (RLS) on the database, encryption in transit, and tokenization of payment data by the payment provider.


8. Data retention

Personal data is retained only for as long as strictly necessary for the purposes for which it is collected.

In particular:

  • Account data: for the entire duration of the contractual relationship;
  • data and Content associated with the Account: until the Account is closed, with possible technical retention of up to 60 days;
  • logs and technical data: for limited periods proportionate to security and maintenance purposes;
  • billing data: the personal data of the billing profile is processed for the duration of the relationship and can be deleted on request; fiscal snapshots relating to issued invoices are subject to the statutory tax retention obligations (in Italy, typically 10 years) and cannot be deleted before those terms expire.

9. Service providers and processing roles

The Controller relies on technology service providers that process personal data on its behalf, as data processors under Art. 28 GDPR, unless otherwise indicated.

9.1 Vercel

Used for deployment, hosting and distribution (CDN) of the App. Vercel may process technical data, IP addresses and access logs. Vercel is a US-based company.

9.2 Supabase

Used as the database, the authentication system (Supabase Auth) and storage for profile pictures, pin photos and map previews. Data is stored on cloud infrastructure located within the European Economic Area (eu-central-1).

9.3 Stripe

Used for payment processing, checkout and subscription management. Stripe acts as an independent data controller for payment data, under its own Privacy Policy. PinTips does not access full payment-instrument data.

9.4 Google

Used for: (i) authentication via "Sign in with Google" (see § 5) and (ii) mapping and place-search services through Google Maps Platform (see § 6).

9.5 PostHog

Product analytics is performed through PostHog (EU region). Client-side collection (which uses device storage) is subject to the user's consent and is disabled by default; see the Cookie Policy. The only exception is the aggregate, anonymous public-map open event, transmitted server-side with no cookies and no device storage, on the basis of legitimate interest (§ 3.6).

9.6 Resend

The Service's emails — both transactional (account confirmation, welcome, system messages) and marketing (where the user has given consent, § 4.5) — are sent through Resend, which processes the email address, name, subscription preferences and email engagement data. Resend acts as a data processor, in the EU region.


10. Transfers to non-EU countries

Some of the Service's providers are based outside the European Economic Area.

In such cases, the transfer of personal data takes place in compliance with Art. 44 et seq. of the GDPR, through appropriate safeguards such as:

  • European Commission adequacy decisions;
  • Standard Contractual Clauses (SCC);
  • supplementary measures where necessary.

11. Cookies and similar technologies

The Service uses cookies and similar technologies for technical and functional purposes and, where applicable and subject to consent, statistical purposes.

Detailed information is available in the dedicated Cookie Policy.


12. Data subject rights

Data subjects may exercise the rights granted by Arts. 15–22 GDPR, including:

  • access;
  • rectification;
  • erasure;
  • restriction;
  • objection;
  • data portability;
  • withdrawal of consent, where processing is based on it.

Requests can be sent to the Controller at privacy@pin.tips.


13. Minors

The Service is intended for users aged 14 or over. Younger users may use the Service only under the responsibility of a parent or legal guardian. The Controller does not knowingly collect data of minors below that age without appropriate authorization.


14. Changes to this Privacy Policy

The Controller reserves the right to amend this Privacy Policy at any time. Changes will be published on the website or within the App and will take effect from the date of publication.


15. Supervisory authority

Data subjects have the right to lodge a complaint with the competent Data Protection Authority.