Pinvale is operated by Mesquite Dev LLC, an Arizona limited liability company. This page explains what data we collect, why we collect it, and what we do with it. If anything's unclear, email [email protected] and we'll get you an answer.
What we collect
- Account data: your email, display name, hashed password, your authentication provider if you sign in with one, and an optional profile photo (avatar) you choose to upload. Avatars are stored in a publicly-readable location so the app can display them.
- Workspace content: the leads, notes, tasks, events, and tags you create inside Pinvale.
- Billing data: handled by Stripe. We never see or store your card number.
- Operational logs: server-side error and request logs needed to keep the app running. Retained for 30 days.
What we don't collect
- No third-party advertising trackers.
- No session replay or heatmaps.
- No marketing pixels on the marketing site.
- No selling or sharing your data for cross-context behavioral advertising, ever.
Subprocessors
The third parties we rely on to operate Pinvale:
- Supabase (US), database and authentication hosting.
- Cloudflare (US, global edge), application hosting and edge delivery.
- Cloudflare Web Analytics (US), cookieless, privacy-respecting page view and Core Web Vitals tracking. No cookies, no cross-site profiling.
- Stripe (US), payment processing and subscriptions.
- Resend (US), transactional email delivery (account confirmations, invites, password resets).
- Sentry (US), server-side and client-side error monitoring. Opaque account identifier only, no email.
- LocationIQ (US/EU), address geocoding for the map view.
- CARTO and OpenStreetMap (US/EU), basemap tile delivery while you pan or zoom the map.
- Anthropic (US), AI-assisted CSV column mapping. We only send column headers and a few sample rows, never your full CSV.
Integrations you authorize
Workspace operators can mint API keys from Settings, authorizing third-party applications of their choice (for example Zapier, custom scripts, AI agents) to read, write, or delete lead records on their behalf. When this happens the workspace operator, not Pinvale, is the controller responsible for the integration. API activity is logged in an internal audit table and keys can be revoked at any time.
Workspace members can also generate iCal subscription URLs to subscribe a calendar application (Google, Apple, Microsoft, anything that speaks RFC 5545) to a live feed of workspace events plus tasks assigned to or created by that member. The calendar provider receives copies of those records. Tokens are revoked automatically when a member is removed from the workspace.
How addresses are geocoded
When you add or import an address, we send the address string to a geocoding provider to convert it into latitude and longitude. The provider does not retain the lookup. We cache the result on your workspace so we don't re-bill the lookup if you re-edit the same lead.
Where your data lives
Your workspace data is stored in a managed Postgres database on Supabase, with row-level security enforcing that only you and your invited workspace members can read or write your rows. Backups are encrypted at rest. Data is hosted in US regions.
Cookies
Pinvale uses a session cookie to keep you signed in and a preference cookie for theme (light / dark / system). No third-party cookies, no tracking cookies.
Your rights
You can export all your workspace data as CSV from settings any time. You can delete your account, which removes your workspace data within 30 days, by emailing us. Residents of California, the EU, and the UK have additional rights under CCPA/GDPR; reach out and we'll honor them.
Lead-capture forms
If you build a Pinvale lead-capture form and embed or share the link, your leads are data subjects, you are the controller, and Pinvale is the processor (acting on your instructions plus our Terms of Service plus our Data Processing Agreement). The notice we show your leads when they submit the form lives at app.pinvale.com/lead-form-privacy; you are still responsible for showing your own privacy notice on your site.
International users and cross-border transfers
Pinvale is operated from the United States by Mesquite Dev LLC. If you access the Service from outside the US, your data is transferred to the US. For transfers from the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses and the UK ICO's International Data Transfer Addendum, as set out in our DPA. Pinvale is also pursuing certification under the EU-US Data Privacy Framework; once granted, customers can rely on the DPF in addition to the SCCs.
Do Not Sell or Share My Personal Information
Pinvale does not sell your personal information, and Pinvale does not share your personal information for cross-context behavioral advertising. This is true for every visitor and every customer, regardless of state.
California residents have the right to opt out of the sale or sharing of their personal information under the CCPA. Because we do not engage in either, there is no opt-out switch to flip. If you want this confirmed in writing for your records, or you believe we are processing your information in error, email [email protected] and we'll respond within 30 days.
We also honor the Global Privacy Control (GPC) browser signal where it applies, even though our default posture means no opt-out is technically required.
Changes
If we change anything material, we'll update the date at the top of this page and email account holders. Substantive changes take effect 30 days after notice.
Contact
Questions about this policy or about how your data is handled go to [email protected].
This page is a plain-language summary. The canonical legal version is also linked from the in-app billing page.