Privacy Policy
Last Updated: February 1, 2026
Effective Date: February 1, 2026
This Privacy Policy explains how Pinporn.app ("we", "us", "our") collects, uses, shares, and protects your personal information. This policy applies to all users worldwide and complies with applicable data protection laws including the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA/CPRA), and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
1. Introduction & Scope
Pinporn.app is an adult-oriented social media platform designed for users 18 years of age and older. We are committed to protecting your privacy and handling your personal information transparently and securely.
This Privacy Policy applies to:
- All users of the Pinporn.app website and services
- Visitors to our website (even if not registered)
- Content creators and consumers
- Users in all geographic locations, with specific provisions for EU/UK, California, and Canadian residents
Age Restriction: Our services are only available to individuals who are at least 18 years of age (or the age of majority in their jurisdiction). We do not knowingly collect personal information from minors. If you are a parent or guardian and believe we have collected information about a minor, please contact us immediately at [email protected].
2. Data Controller Information
Data Controller:
Pinporn.app
Email: [email protected]
Data Protection Officer (DPO):
If you have data protection questions, contact us at [email protected]
EU Representative (GDPR Art. 27):
Contact [email protected] for EU data protection matters
UK Representative (UK GDPR):
Contact [email protected] for UK data protection matters
3. Legal Bases for Processing
Under the GDPR and UK GDPR, we process your personal data based on the following legal grounds (GDPR Article 6):
a) Consent (Art. 6(1)(a))
You have given clear consent for us to process your personal data for specific purposes, such as:
- Email marketing and promotional communications
- Non-essential cookies and analytics
- Optional personalization features
b) Contract Performance (Art. 6(1)(b))
Processing is necessary to perform our contract with you (Terms of Service), including:
- Creating and managing your account
- Providing access to content and features
- Processing payments for premium services
- Delivering customer support
c) Legal Obligations (Art. 6(1)(c))
Processing is necessary to comply with legal obligations, such as:
- Age verification (18 U.S.C. § 2257 compliance)
- Tax reporting and financial record-keeping
- Responding to law enforcement requests
- CSAM reporting to NCMEC (National Center for Missing & Exploited Children)
d) Legitimate Interests (Art. 6(1)(f))
Processing is necessary for our legitimate interests or those of a third party, except where such interests are overridden by your fundamental rights and freedoms. Legitimate interests include:
- Platform security and fraud prevention
- Content moderation and community safety
- Analytics and service improvement
- Internal research and development
- Network and information security
4. Data We Collect
We collect the following categories of personal information:
4.1 Account Data
When you create an account, we collect:
- Email address (required for account creation and verification)
- Username (public display name)
- Password (stored as a secure cryptographic hash, never in plain text)
- Profile information (bio, avatar, banner image - optional)
- Date of birth (for age verification purposes)
- Creator verification data (for monetized accounts: government-issued ID, tax information)
4.2 Content Data
When you upload or interact with content, we collect:
- Uploaded pins (images, videos, links)
- Boards (collections, titles, descriptions)
- Comments and reactions (likes, shares, follows)
- Metadata (timestamps, geolocation if provided, file properties)
- Search queries (to improve search functionality)
4.3 Technical Data
Automatically collected when you use our services:
- IP address (for security, fraud prevention, age gate compliance)
- Device information (browser type, operating system, device type)
- Browser fingerprint (for security and fraud detection)
- Cookies and similar technologies (see Section 11)
- Session data (stored in Redis for performance)
4.4 Usage Data
To improve our services and personalize your experience:
- Analytics data (page views, time on site, navigation paths - aggregated in Elasticsearch)
- Search history (to improve recommendations)
- Interaction patterns (content you view, like, or save)
- Referral source (how you found our site)
4.5 Communication Data
When you contact us or participate on the platform:
- Messages and correspondence (support tickets, direct messages if feature enabled)
- Notification preferences (email, push notifications)
- Feedback and survey responses (voluntary)
4.6 Payment Data (for Premium/Creator Services)
If you make purchases or receive payments:
- Payment method (last 4 digits of card, payment processor details)
- Billing address (for tax compliance)
- Transaction history (purchases, payouts)
- Tax information (for creators: W-9, W-8BEN, VAT number if applicable)
Note: Full payment card details are processed and stored by our payment processor (e.g., Stripe, PayPal), not by us directly. We comply with PCI DSS standards.
5. How We Use Your Data
We use your personal data for the following purposes:
Service Provision
- Create and maintain your account
- Provide access to content and features
- Process uploads, comments, and interactions
- Enable search and discovery features
Content Recommendations (Elasticsearch-Powered)
- Personalize your content feed based on interests and interactions
- Suggest content creators and boards you may enjoy
- Improve search relevance and discovery
Note: You have the right to object to automated decision-making and profiling under GDPR Art. 22. See Section 9.
Safety & Moderation
- Detect and prevent spam, fraud, and abuse
- Enforce our Terms of Service and Community Guidelines
- Identify and remove prohibited content (CSAM, NCII, copyright infringement)
- Protect user safety and platform security
Legal Compliance
- Verify age and comply with 18 U.S.C. § 2257
- Respond to law enforcement requests and legal process
- Report CSAM to NCMEC CyberTipline
- Maintain records required by law
Analytics & Improvement
- Analyze usage patterns and trends (aggregated, pseudonymized data)
- Improve platform performance and user experience
- Conduct research and development
- Monitor and improve search quality
Communications
- Send transactional emails (password resets, account notifications)
- Provide customer support
- Send marketing communications (with your consent; you can opt out anytime)
- Notify you of policy changes or service updates
6. Data Sharing & Disclosure
We do not sell your personal data to third parties. We may share your information in the following limited circumstances:
6.1 Service Providers
We share data with third-party service providers who process data on our behalf under strict contractual obligations:
- Cloud hosting providers (AWS, Google Cloud, or similar) - for infrastructure and storage
- CDN providers (Cloudflare, etc.) - for content delivery and DDoS protection
- Payment processors (Stripe, PayPal) - for payment processing (PCI DSS compliant)
- Email service providers (for transactional and marketing emails)
- Analytics services (aggregated, pseudonymized data)
- Customer support tools (ticketing systems)
6.2 Legal Disclosures
We may disclose your information to comply with legal obligations:
- Law enforcement - in response to valid legal requests (subpoenas, court orders, search warrants)
- NCMEC reporting - mandatory reporting of suspected CSAM to the CyberTipline
- DMCA compliance - disclosure to copyright holders in takedown procedures
- Legal proceedings - when necessary to establish, exercise, or defend legal claims
- Safety emergencies - when we believe disclosure is necessary to prevent imminent harm
6.3 Business Transfers
In the event of a merger, acquisition, bankruptcy, or sale of assets, your personal data may be transferred to the acquiring entity. You will be notified via email and/or prominent notice on our site of any such change in ownership or control of your personal information.
6.4 Third-Party Analytics
We use analytics tools to understand usage patterns:
- Google Analytics (with IP anonymization) - you can opt out at https://tools.google.com/dlpage/gaoptout
- Elasticsearch (internal) - for search analytics and content recommendations (pseudonymized)
7. International Data Transfers
Your personal data may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different from the laws of your country.
For EU and UK Residents:
If we transfer your personal data outside the European Economic Area (EEA) or United Kingdom, we ensure appropriate safeguards are in place:
- EU-US Data Privacy Framework - for transfers to certified US organizations
- Standard Contractual Clauses (SCCs) - approved by the European Commission (GDPR Arts. 44-50)
- UK International Data Transfer Agreement (IDTA) - for transfers from the UK
- Adequacy decisions - transfers to countries deemed adequate by the European Commission or the UK
For Canadian Residents (PIPEDA):
When we transfer your personal information outside of Canada, we take steps to ensure it receives a comparable level of protection, including through contractual commitments with service providers.
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required or permitted by law.
Retention Periods:
- Active account data: Retained indefinitely while your account is active
- Deleted account data: Retained for 90 days after account deletion (to allow recovery), then permanently deleted
- Content (pins, boards, comments): Deleted when you delete them, or when your account is permanently deleted after the 90-day grace period
- IP address and security logs: Retained for 12 months for security and fraud prevention
- Payment records: Retained for 7 years for tax and accounting compliance
- Legal hold data: Retained as required by law (e.g., in response to litigation hold notices)
- Backup retention: Data in backups is retained for up to 30 days and then automatically deleted
9. Your Privacy Rights
Depending on your location, you have specific rights regarding your personal data. These rights vary by jurisdiction:
9.1 GDPR Rights (EU/UK Residents)
Under the General Data Protection Regulation (GDPR), you have the following rights:
Right to Access (Art. 15)
You can request a copy of all personal data we hold about you, including information about how we use it and who we share it with.
Right to Rectification (Art. 16)
You can request correction of inaccurate or incomplete personal data.
Right to Erasure / "Right to Be Forgotten" (Art. 17)
You can request deletion of your personal data in certain circumstances, such as when it's no longer necessary for the purposes it was collected, or if you withdraw consent.
Right to Restriction of Processing (Art. 18)
You can request that we limit how we use your data in certain situations, such as when you contest the accuracy of the data.
Right to Data Portability (Art. 20)
You can request a copy of your data in a structured, commonly used, machine-readable format (e.g., JSON or CSV) for transfer to another service.
Right to Object (Art. 21)
You can object to processing based on legitimate interests or for direct marketing purposes.
Rights Related to Automated Decision-Making and Profiling (Art. 22)
You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects. You can request human review of automated decisions.
Right to Withdraw Consent
Where we rely on consent as our legal basis for processing, you can withdraw that consent at any time.
Right to Lodge a Complaint
You have the right to lodge a complaint with your local supervisory authority if you believe we have violated your rights. For a list of EU supervisory authorities, visit https://edpb.europa.eu/about-edpb/about-edpb/members_en
Response Timeline: We will respond to GDPR requests within 30 days (extendable to 60 days for complex requests).
9.2 CCPA/CPRA Rights (California Residents)
Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California residents have the following rights:
Right to Know
You can request disclosure of:
- Categories of personal information we collected about you
- Categories of sources from which we collected personal information
- Business or commercial purposes for collecting or selling personal information
- Categories of third parties with whom we share personal information
- Specific pieces of personal information we collected about you
Right to Delete
You can request deletion of personal information we collected from you, subject to certain exceptions (e.g., legal obligations, fraud prevention).
Right to Opt-Out of Sale
We do not sell your personal information as defined by the CCPA. If this changes, we will provide a "Do Not Sell My Personal Information" link.
Right to Non-Discrimination
We will not discriminate against you for exercising your CCPA rights (e.g., by denying services, charging different prices, or providing different quality of service).
Right to Correct
You can request correction of inaccurate personal information (CPRA addition).
Right to Limit Use of Sensitive Personal Information
You can limit our use of sensitive personal information to only what's necessary to provide services (CPRA addition).
Response Timeline: We will respond to CCPA requests within 45 days (extendable to 90 days for complex requests).
9.3 PIPEDA Rights (Canadian Residents)
Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), you have the following rights:
Right to Access
You can request access to your personal information we hold and information about how it's being used.
Right to Correct
You can challenge the accuracy and completeness of your personal information and request corrections.
Right to Withdraw Consent
You can withdraw consent for certain uses of your personal information, subject to legal or contractual restrictions.
Right to File a Complaint
You can file a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated.
Response Timeline: We will respond to PIPEDA requests within 30 days.
How to Exercise Your Rights
To exercise any of these rights, please submit a request through one of the following methods:
- Data Subject Request Portal: Submit a request
- Email: [email protected]
- Account Settings: You can access, update, or delete certain data directly in your account settings
Identity Verification: To protect your privacy, we may need to verify your identity before processing your request. We will request information such as your email address and may send a verification link to the email associated with your account.
Authorized Agents: You may designate an authorized agent to make a request on your behalf. The agent must provide proof of authorization (e.g., power of attorney).
10. Security Measures
We implement industry-standard technical and organizational measures to protect your personal data:
Encryption
- TLS/SSL encryption for data in transit
- Encryption at rest for sensitive data
- Secure password hashing (bcrypt)
Access Controls
- Role-based access control (RBAC)
- Multi-factor authentication for staff
- Redis session management
Monitoring & Auditing
- Regular security audits
- Intrusion detection systems
- Activity logging and monitoring
Infrastructure Security
- Firewall protection
- DDoS mitigation (Cloudflare)
- Regular security patches
Data Breach Notification: In the event of a data breach that affects your personal data, we will notify you and relevant supervisory authorities as required by applicable law (within 72 hours for GDPR breaches).
Note: While we implement strong security measures, no system is 100% secure. You are responsible for maintaining the confidentiality of your password and account credentials.
11. Cookies & Tracking Technologies
We use cookies and similar technologies to provide, improve, and protect our services. For detailed information about our use of cookies, please see our Cookie Policy.
Cookie Consent: We obtain your consent for non-essential cookies through our cookie consent banner. You can manage your cookie preferences at any time through our Cookie Preference Center (coming soon - Phase 2).
12. Children's Privacy
Age Restriction: Our services are only available to individuals who are at least 18 years of age (or the age of majority in their jurisdiction). We do not knowingly collect personal information from minors.
COPPA Compliance: We comply with the Children's Online Privacy Protection Act (COPPA). If you are a parent or guardian and believe we have collected information about a minor, please contact us immediately at [email protected], and we will delete such information promptly.
See our Parental Controls page for information on protecting minors from accessing adult content online.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
Material Changes: If we make material changes to this policy, we will notify you by:
- Email notification to the address associated with your account
- Prominent notice on our website
- In-app notification (if applicable)
Effective Date: The "Last Updated" date at the top of this policy indicates when it was last revised. Continued use of our services after changes take effect constitutes acceptance of the updated policy.
14. Contact Information
Privacy Inquiries:
Email: [email protected]
Data Protection Officer (DPO):
Email: [email protected]
Data Subject Requests (Access, Deletion, etc.):
Portal: Submit a request
Email: [email protected]
General Support:
Email: [email protected]
15. Jurisdiction-Specific Addenda
15.1 For California Residents
CCPA Disclosure Categories:
In the preceding 12 months, we have collected the following categories of personal information:
- Identifiers (email, username, IP address)
- Commercial information (purchase history)
- Internet activity (browsing history, search queries)
- Geolocation data (approximate location from IP)
- Inferences (preferences, characteristics)
Do Not Sell My Personal Information:
We do not sell your personal information as defined by the CCPA. We do not share personal information with third parties for monetary or other valuable consideration.
California "Shine the Light" Law:
Under California Civil Code Section 1798.83, California residents may request information about our disclosure of personal information to third parties for their direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.
15.2 For EU and UK Residents
Supervisory Authority Contact Information:
If you are located in the EU or UK and have concerns about our data processing practices, you have the right to lodge a complaint with your local supervisory authority:
- EU Data Protection Authorities: https://edpb.europa.eu/about-edpb/about-edpb/members_en
- UK Information Commissioner's Office (ICO):
Website: https://ico.org.uk
Phone: 0303 123 1113
15.3 For Canadian Residents
Privacy Commissioner of Canada:
If you have concerns about our compliance with PIPEDA, you may contact the Office of the Privacy Commissioner of Canada:
Website: https://www.priv.gc.ca
Phone: 1-800-282-1376
This Privacy Policy is provided in compliance with the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA/CPRA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and other applicable data protection laws. For questions or concerns, please contact [email protected].