Information We Collect

Account Data

When you create an account, we collect:

• Email address — Used for authentication, account recovery, and email notifications (e.g., issue updates, new comments).
• First and last name — Displayed to other users alongside your issue reports and comments.
• Avatar (optional) — A profile image you may choose to upload.
• Role — Your permission level (guest, member, or admin), assigned by administrators.
• Terms of Service acceptance — A timestamp of when you accepted the Terms of Service.

Content You Create

When you use PinPoint, you may submit:

• Issue reports — Descriptions of problems with pinball machines, including title, description, severity, and status.
• Comments — Text responses on issue reports.
• Images — Photos uploaded to illustrate issues. Images are stored in Vercel Blob Storage and may include file metadata (file name, size, MIME type). We do not extract or store EXIF data from uploaded images.

Automatically Collected Data

• IP addresses — Used temporarily for rate limiting to prevent abuse (e.g., login attempts, issue submissions, image uploads). IP-based rate limit data is stored in Upstash Redis and automatically expires after short windows (15 minutes to 1 hour). We do not maintain long-term logs of IP addresses.
• Error and performance data — We use Sentry for error tracking to help us identify and fix bugs. Sentry collects error stack traces, browser/device information, and page URLs where errors occur. We have disabled the collection of personally identifiable information (PII) in Sentry.

Cookies and Local Storage

• Authentication session cookies — Managed by Supabase Auth to keep you logged in. These are essential for the service to function and cannot be disabled.
• Preference cookies — Used to remember your UI preferences, such as sidebar state and last visited page. These cookies expire after one year.
• Security cookies — Cloudflare Turnstile sets cookies to verify you are a real person when submitting forms (e.g., reporting issues, logging in). These are essential for spam prevention.
• Cookie consent — A cookie that records whether you have acknowledged this notice. Expires after one year.
• Local storage — Used by your browser to store certain app data on your device, such as in-progress report form drafts or similar UI state. This data stays on your device, is not shared with third parties, and you can clear it at any time through your browser settings.

We do not use any analytics cookies, advertising cookies, or third-party tracking technologies based on cookies or local storage.

How We Use Your Information

• To operate and maintain PinPoint as an issue tracking tool for APC.
• To authenticate your identity and manage your account.
• To send you email notifications about issues you are watching or assigned to (you can manage your notification preferences in your account settings).
• To prevent abuse through rate limiting.
• To identify and fix errors and improve service reliability.

We do not sell, rent, or share your personal information with third parties for marketing purposes.

Third-Party Services

PinPoint relies on the following third-party services to operate. Each service has its own privacy policy governing how it handles data:

• Supabase (Authentication and Database) — Manages user authentication and stores application data. Hosted on AWS infrastructure.
• Vercel (Hosting) — Hosts the PinPoint web application and provides blob storage for uploaded images.
• Sentry (Error Tracking) — Captures error reports to help us diagnose and fix issues. PII collection is disabled.
• Upstash Redis (Rate Limiting) — Stores temporary rate limit counters keyed by IP address. Data expires automatically.
• Resend (Email Delivery) — Delivers notification emails on our behalf.
• Cloudflare (Security) — Provides CAPTCHA challenges (Turnstile) to protect forms from automated abuse.

Data Retention

• Account data — Retained for as long as your account is active.
• Issue reports and comments — Retained indefinitely as part of the community's maintenance history. If you delete your account, your contributions may be anonymized rather than deleted to preserve the historical record.
• Uploaded images — Retained while associated with active issues. Soft-deleted images are marked for permanent removal and may be deleted during future cleanup cycles; we do not currently guarantee a specific deletion timeframe.
• Rate limit data — Automatically expires after 15 minutes to 1 hour depending on the endpoint.
• Error tracking data — Retained according to Sentry's default retention policy (90 days).

Your Rights

You have the right to:

• Access your data — Request a copy of the personal data we hold about you.
• Correct your data — Update your name through your account settings. For other account details, contact us to request corrections.
• Delete your account — Request deletion of your account and associated personal data.
• Manage notifications — Control which email notifications you receive through your account settings.

To exercise any of these rights, please contact us at the email address listed below.

Children's Privacy

PinPoint is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us and we will promptly delete it.

Changes to This Policy

We may update this Privacy Policy from time to time. If we make significant changes, we will notify users through the application. Continued use of PinPoint after changes constitutes acceptance of the updated policy.

Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact:

Tim Froehlich
timothyfroehlich@gmail.com

See also our Terms of Service.