Privacy Statement

How PinMeTo collects, uses, shares, and protects personal data under the EU GDPR and other applicable privacy laws.

Introduction

Effective Date: January 1, 2026
Last Updated: April 19, 2026

PinMeTo is a SaaS platform that helps multi-location brands manage and sync their location data, online conversations, and customer engagement across hundreds of services and directories, ensuring their brand stays accurate, visible, and connected wherever discovery happens.

We are committed to protecting personal data and maintaining transparency about how we collect, use, and safeguard information in accordance with the EU General Data Protection Regulation (GDPR) and applicable privacy laws in all markets where we operate.

This Privacy Statement explains our data practices when you:

  • Visit our website or use our platform
  • Contact us for sales, support, or partnership inquiries
  • Apply for employment with PinMeTo
  • Are an end user of our customers' services

1. Who We Are

Data Controller: PinMeTo AB
Headquarters: Adelgatan 9, 211 22 Malmö, Sweden
Data Protection Contact: privacy@pinmeto.com

PinMeTo operates with offices across Europe:

  • Malmö, Sweden: Headquarters
  • Gdańsk, Poland: Sales and Customer Success
  • Helsinki, Finland: Sales

We are expanding operations into the Middle East and India to serve customers in these growing markets.

2. Understanding Our Role: Controller vs. Processor

When PinMeTo Acts as Data Controller

We are the Controller when we determine the purposes and means of processing personal data:

  • Website visitors: When you browse pinmeto.com or our Help Center
  • Business contacts: Sales prospects, partners, vendors
  • Job applicants: Career page visitors and candidates
  • Platform users: Our customers' employees who access and use PinMeTo's platform

When PinMeTo Acts as Data Processor

We act as a Processor on behalf of our customers (the Controllers) when processing:

  • End consumer data: Information about individuals searching for or interacting with our customers' business locations on Google, Facebook, Apple Maps, and other networks
  • Review and conversation data: Consumer reviews, messages, and interactions managed through our platform

When acting as Processor, we process data solely according to our customers' documented instructions through Data Processing Agreements (DPAs).

3. What Personal Data We Collect

3.1 Website Visitors

| Data Category | Examples | Purpose | Legal Basis |
|---|---|---|---|
| Identity data | Name, email address | Contact form submissions, demo requests | Consent, Legitimate interest |
| Technical data | IP address, browser type, device information | Website functionality, security | Legitimate interest |
| Usage data | Pages visited, time spent, navigation paths | Website improvement, analytics | Legitimate interest |
| Cookie data | Session IDs, preference settings | Session management, functionality | Consent (non-essential) |

3.2 Customer Organization Contacts

| Data Category | Examples | Purpose | Legal Basis |
|---|---|---|---|
| Business contact data | Name, work email, phone, job title, company | Account management, contract execution | Contract performance |
| Communication records | Email correspondence, support tickets, call notes | Customer support, service delivery | Contract performance, Legitimate interest |
| Billing information | Company billing address, payment contact | Invoicing and payment processing | Contract performance |

3.3 Platform Users (Customer Employees)

| Data Category | Examples | Purpose | Legal Basis |
|---|---|---|---|
| Account data | Email, username, password (hashed) | Platform access and authentication | Contract performance |
| Profile data | Name, role, permissions, profile preferences | Platform functionality, access control | Contract performance |
| Usage data | Login times, feature usage, actions performed | Platform optimization, security monitoring | Legitimate interest |
| Location data (optional) | User location if managing locations | Location assignment in platform | Contract performance |

3.4 Job Applicants

| Data Category | Examples | Purpose | Legal Basis |
|---|---|---|---|
| Application data | Name, email, phone, CV, cover letter | Recruitment evaluation | Consent, Pre-contractual measures |
| Assessment data | Interview notes, test results, references | Candidate evaluation | Consent, Pre-contractual measures |

3.5 Data We Process as Processor (on behalf of customers)

Note: The following data is controlled by our customers. We process it only according to their instructions.

| Data Category | Examples | Networks/Products | Our Role |
|---|---|---|---|
| Business location data | Store name, address, phone, hours, descriptions | Google, Facebook, Apple, Bing, HERE, TomTom (100+ networks) | Processor |
| Consumer interaction data | Reviews, ratings, Q&A responses | Reviews product | Processor |
| Consumer messages | Direct messages, inquiries to businesses | Conversations product | Processor |
| Social media posts | Post content, images, scheduling data | Posts product | Processor |
| Analytics data | Location performance metrics, engagement data | Platform analytics | Processor |

4. How We Use Personal Data

4.1 Service Delivery

  • Platform access: Authentication, authorization, and account management
  • Data synchronization: Updating business information across 100+ networks including Google Business Profile, Facebook, and Apple Business
  • Multi-channel management: Enabling review monitoring, message management, and social posting
  • API connectivity: Providing Location API for customer system integrations
  • Customer support: Technical assistance, troubleshooting, training

4.2 Business Operations

  • Contract management: Sales process, contract execution, billing
  • Customer relationship: Account management, service improvements
  • Legal compliance: Meeting regulatory obligations, responding to lawful requests
  • Business development: Market analysis, product development insights

4.3 Communications

  • Service notifications: Platform updates, security alerts, maintenance windows
  • Marketing communications: Product updates, webinars, industry insights (opt-in basis)
  • Customer success: Best practice sharing, feature education

5. Legal Basis for Processing

We process personal data based on the following legal grounds under GDPR:

Contract Performance (GDPR Art. 6(1)(b))

Processing necessary to provide our services under customer agreements.

Legitimate Interests (GDPR Art. 6(1)(f))

  • Website functionality and security
  • Business development and improvement
  • Direct marketing to business contacts (with opt-out)

Legal Obligation (GDPR Art. 6(1)(c))

  • Tax and accounting requirements
  • Responding to lawful requests from authorities
  • Data breach notifications

Consent (GDPR Art. 6(1)(a))

  • Optional cookies and tracking
  • Marketing communications (where required)
  • Job application processing (retention beyond 3 months after a recruitment decision requires explicit consent)

6. Data Retention

We retain personal data only as long as necessary for the purposes outlined in this statement or as required by law.

| Data Type | Retention Period | Basis |
|---|---|---|
| Active customer account data | Duration of contract plus 90 days | Contract performance |
| Billing and financial records | 7 years after contract end | Legal obligation (accounting) |
| Marketing contacts (no engagement) | 3 years from last interaction | Legitimate interest |
| Job applications (unsuccessful) | 3 months after application, plus 2 years if consent is given | Consent, Pre-contractual |
| Website analytics | 26 months | Legitimate interest |
| Support tickets | 3 years after resolution | Contract performance |

After retention periods expire, we securely delete or anonymize personal data.

7. Who We Share Data With

7.1 Essential Service Partners (Data Processors)

We share personal data with carefully selected service providers who assist in delivering our services. All processors are bound by Data Processing Agreements (DPAs) and process data only on our instructions.

Infrastructure & Hosting

  • AWS (Amazon Web Services): Cloud infrastructure hosting in EU regions (Ireland primary)
  • Security measures: ISO 27001, SOC 2, encryption at rest and in transit

Communication & Support

  • Email service providers: business communication
  • Customer support platforms: ticket management, help center
  • Video conferencing tools: customer meetings, support sessions

Analytics & Monitoring

  • Analytics platforms: website and platform usage insights
  • Security monitoring: threat detection, performance monitoring

7.2 Network Partnerships

Our core service involves synchronizing business data to 100+ networks and platforms including:

  • Search & Maps: Google Business Profile, Apple Business, Bing Places, HERE, TomTom, Overture Maps, Foursquare
  • Social Media: Facebook, Instagram (Meta platforms)
  • Specialized Networks: Industry-specific directories and platforms

Important: When we transmit data to these networks, they become independent Controllers with their own privacy policies and practices. We recommend reviewing their privacy statements.

7.3 Business Transfers

In the event of a merger, acquisition, or asset sale, personal data may be transferred to the acquiring entity. We will notify affected parties and ensure continued protection.

7.4 Legal Requirements

We may disclose personal data when required by law or to:

  • Comply with legal process or government requests
  • Enforce our terms and conditions
  • Protect the rights, property, or safety of PinMeTo, customers, or others
  • Detect, prevent, or address fraud or security issues

8. International Data Transfers

8.1 Within the EEA

PinMeTo is headquartered in Sweden. We maintain operations and may transfer data between our offices in:

  • Sweden (HQ, Malmö)
  • Poland (Sales, Customer Success)
  • Other EU locations

All intra-EU transfers comply with GDPR requirements.

8.2 Transfers Outside the EEA

Current Practice: We primarily store and process data within the EU using AWS European infrastructure. We strictly manage and minimize international data transfers.

No Routine Transfers: Personal data is not routinely transferred outside the EEA. All primary processing occurs within EU data centers (AWS Ireland).

Growing Operations: As we expand to the Middle East and India markets, we may establish local processing capabilities to serve regional customers. Any such transfers will be implemented with appropriate GDPR safeguards.

Safeguards for Exceptional Transfers (if required):

  • Standard Contractual Clauses (SCCs): We use European Commission-approved SCCs with all non-EU processors
  • Adequacy decisions: Transfers only to countries recognized by the EU as providing adequate protection
  • Additional measures: Encryption, access controls, and technical safeguards for any international transfers

8.3 Third-Party Networks

When synchronizing data to global networks (Google, Meta, etc.), data may be transferred internationally according to those platforms' practices. Our customers remain the Controllers of this data.

9. Security Measures

Protecting personal data is fundamental to our operations. PinMeTo is ISO 27001:2022 certified, demonstrating our commitment to internationally recognized information security standards. We implement comprehensive technical and organizational measures.

For detailed information about our security practices, see our ISO 27001:2022 Certification page.

9.1 Technical Safeguards

  • Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls: Role-based access, multi-factor authentication, least privilege principle
  • Infrastructure security: AWS VPC isolation, security groups, network segmentation
  • Secure development: Security testing, code reviews, vulnerability scanning
  • Monitoring: 24/7 security monitoring, intrusion detection, log analysis

9.2 Organizational Safeguards

  • ISO 27001:2022 certification: Certified Information Security Management System (ISMS) with regular surveillance audits
  • Security policies: Comprehensive security policies and procedures aligned with ISO 27001 controls
  • Employee training: Regular security awareness training and phishing simulations
  • Vendor management: Third-party risk assessments, security requirements in contracts
  • Incident response: Documented procedures for security incident handling

9.3 Product Development Security

  • Security by design: Security considerations from earliest development stages
  • Risk assessment: Mandatory risk assessment for new features (per Product Development Handbook)
  • Change management: Structured change management process with risk-based controls

10. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the following rights:

10.1 Right to Be Informed

You have the right to clear information about how we use your personal data (this statement provides that information).

10.2 Right of Access

Request copies of your personal data and information about how we process it.

How to exercise: Email privacy@pinmeto.com with "Data Access Request" in the subject line. We respond within 30 days.

10.3 Right to Rectification

Request correction of inaccurate or incomplete personal data.

10.4 Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data in certain circumstances:

  • Data no longer necessary for the original purpose
  • You withdraw consent (where consent was the legal basis)
  • You object to processing based on legitimate interests
  • Data processed unlawfully

Limitations: We may retain data when required by law or for legal claims.

10.5 Right to Restriction of Processing

Request that we limit how we use your data in certain situations:

  • You contest data accuracy
  • Processing is unlawful but you don't want erasure
  • We no longer need data but you need it for legal claims
  • You've objected to processing pending verification

10.6 Right to Data Portability

Receive your personal data in machine-readable format and transmit it to another controller where:

  • Processing is based on consent or contract, and
  • Processing is automated

10.7 Right to Object

Object to processing based on legitimate interests or for direct marketing purposes.

Direct marketing: You can always opt out of marketing communications via unsubscribe links or by contacting us.

10.8 Rights Related to Automated Decision-Making

PinMeTo does not currently make solely automated decisions with legal or similarly significant effects. If this changes, we will provide specific information and safeguards.

10.9 Right to Lodge a Complaint

If you believe we have not complied with data protection laws, you can file a complaint with:

Swedish Authority for Privacy Protection (IMY)
Website: www.imy.se
Email: imy@imy.se

Or your local EU/EEA supervisory authority.

How to exercise: Contact us directly via email at privacy@pinmeto.com. For platform users, you can update some data directly in account settings or via support. You can also exercise your rights via this page.

11. Cookies and Tracking Technologies

We use cookies and similar technologies on our website. See our detailed Cookie Policy for information about:

  • Types of cookies we use
  • Purposes of each cookie
  • How to manage cookie preferences
  • Third-party cookies

Essential cookies: Necessary for website functionality (no consent required).
Non-essential cookies: Analytics, marketing (consent required).

12. Changes to This Privacy Statement

We may update this statement to reflect changes in our practices or legal requirements.

Notification: We will notify you of material changes via:

  • Email to registered account contacts
  • Prominent notice on our website
  • In-platform notifications

Your acceptance: Continued use of our services after notification constitutes acceptance of changes.

13. Contact Us

14. Regional Specific Information

14.1 Middle East Operations

For customers and users in Middle East markets, additional local requirements may apply. We comply with applicable regulations in:

  • UAE: Federal Data Protection Law
  • Qatar: Personal Data Privacy Protection Law
  • Saudi Arabia: Personal Data Protection Law
  • Egypt: Data Protection Law
  • Lebanon: Relevant data protection requirements
  • Oman: Personal Data Protection Law
  • Turkey: KVKK
  • United Kingdom: UK GDPR

14.2 India Operations

For Indian customers and users, we comply with the Digital Personal Data Protection Act (DPDPA) and related regulations.

Appendix A: Definitions

Controller: The entity that determines the purposes and means of processing personal data.

Processor: An entity that processes personal data on behalf of the Controller.

Personal Data: Any information relating to an identified or identifiable natural person.

Processing: Any operation performed on personal data, including collection, storage, use, transmission, or deletion.

Data Subject: An identifiable natural person whose personal data is processed.

GDPR: General Data Protection Regulation (EU) 2016/679.

DPA: Data Processing Agreement.

This Privacy Statement was prepared to provide transparency about PinMeTo's data practices and to fulfill our obligations under applicable data protection laws. If you have questions or concerns, please contact us using the information provided above.

Related Privacy Documents

This Privacy Statement is the master document for how PinMeTo handles personal data. The following notices cover specific scenarios in more detail:

Frequently Asked Questions

Is PinMeTo GDPR compliant?

Yes. PinMeTo is headquartered in Sweden and built around GDPR from the ground up. We process personal data lawfully, store and process data within the EU on AWS European infrastructure (Ireland primary), and offer Data Processing Agreements (DPAs) to all customers. We are also ISO 27001:2022 certified.

Where is my data stored?

Personal data is stored and processed within the European Union, primarily on AWS infrastructure in Ireland. Data is not routinely transferred outside the EEA. If exceptional transfers are required, we use European Commission-approved Standard Contractual Clauses (SCCs) and additional safeguards such as encryption.

Is PinMeTo a Controller or a Processor of my data?

It depends on the relationship. PinMeTo is the Controller of data about website visitors, sales prospects, job applicants, and platform user accounts. PinMeTo acts as a Processor on behalf of customers when handling end consumer data such as reviews, messages, and location interactions managed through the platform.

How do I request access to or deletion of my personal data?

Email privacy@pinmeto.com with the request type in the subject line (for example, "Data Access Request" or "Data Deletion Request"). We respond within 30 days. You can also submit requests via the data privacy page.

How long does PinMeTo retain personal data?

Retention varies by data type. Active customer account data is retained for the duration of the contract plus 90 days. Billing records are kept for 7 years (legal obligation). Website analytics are retained for 26 months. Unsuccessful job applications are deleted after 3 months unless explicit consent is given to retain them for up to 2 additional years. Full retention periods are listed in section 6 above.

Is PinMeTo ISO 27001 certified?

Yes. PinMeTo is ISO 27001:2022 certified, with a formal Information Security Management System (ISMS) and regular surveillance audits. Read more on our ISO 27001:2022 certification page.

Does PinMeTo sell personal data?

No. PinMeTo does not sell personal data. We only share data with the service providers, network partners, and authorities described in section 7 of this statement, and only as required to deliver the service or to meet legal obligations.

How can I file a privacy complaint?

You can contact us first at privacy@pinmeto.com so we can investigate. If you believe we have not complied with data protection laws, you may also file a complaint with the Swedish Authority for Privacy Protection (IMY) at www.imy.se or with your local EU/EEA supervisory authority.
