Document 02 — Privacy Policy

Privacy Policy

Atelier Pin · atelier-pin.com · Last updated: 12 June 2026 · Compliant with Swiss nDSG and EU GDPR where applicable

Article 1

Introduction and Data Controller

Atelier Pin (“we,” “us,” “our”) takes your privacy seriously. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Service at atelier-pin.com.

This Policy is compliant with the Swiss Federal Act on Data Protection (nDSG, in force September 2023) and, where applicable to EU residents, the General Data Protection Regulation (GDPR).

Article 2

Data We Collect and Why

2.1 Account Data (collected at registration):

  • Email address — required to create and manage your account
  • Name — as provided during registration or via Google Sign-In
  • Google account identifier — if you use Google Sign-In (we do not receive your Google password)
  • Profile information — as optionally provided by you

2.2 Subscription and Billing Data:

  • Subscription tier and status
  • Subscription start date, renewal dates, and cancellation date
  • Payment method details — processed and stored exclusively by Stripe; Atelier Pin does not store your full payment card details
  • Billing history and invoice records
  • Subscription changes and upgrade/downgrade history

2.3 Usage Data (collected automatically):

  • Number of content items generated per session and cumulatively
  • Content generation failures and error logs (for service improvement)
  • Last login date and time
  • Feature usage patterns (which tools and templates are used)
  • IP address and approximate geographic location
  • Browser type and device information

2.4 Content Data:

  • Images and videos you upload to the Service
  • Website URLs you enter for the Scraping Feature
  • Text, titles, and descriptions you input or that are generated
  • Generated content files created during your sessions

2.5 Connected Social Account Data (via Zernio — only if you connect a platform):

  • The platform name (Pinterest, Instagram, Facebook, TikTok, Bluesky, etc.)
  • The Zernio internal account identifier for your connection
  • Your display name / handle on the connected platform
  • Your profile picture URL on the connected platform (for display inside Atelier Pin)
  • The list of boards (Pinterest) or destinations available on the connected account, so you can choose where to publish
  • Connection status (active, expired, revoked) and timestamps
  • Records of posts queued or published on your behalf through Atelier Pin and their delivery status

OAuth access and refresh tokens for connected platforms are not held by Atelier Pin. They are stored by our publishing sub-processor Zernio (ARBICHAT, S.L., Spain) under Zernio's own security controls and privacy policy (see Article 5 and Article 11). Atelier Pin only stores the metadata listed above. Connected-account data is used solely to operate the publishing feature. It is never sold, shared with unrelated third parties, or used for advertising profiling. You can disconnect any connected platform at any time from Settings → Connected accounts; we instruct Zernio to revoke tokens immediately and the connection metadata we held for you is deleted within 24 hours.

2.6 Newsletter Data (optional):

  • Email address — collected separately and only with your explicit opt-in consent via your dashboard
  • Newsletter subscription status and date of consent

2.7 Communication Data:

  • Emails and messages you send to info@atelier-pin.com
  • Support requests and their content

Article 3

Legal Basis for Processing

We process your personal data on the following legal bases:

  • Contract performance — processing necessary to provide the Service you have subscribed to (account data, billing data, usage data for service operation)
  • Legitimate interests — processing necessary for fraud prevention, security, service improvement, and error monitoring (usage logs, error logs)
  • Legal obligation — processing required by applicable Swiss law, including financial record-keeping
  • Consent — newsletter communications, where you have given explicit opt-in consent that you may withdraw at any time

Article 4

How We Use Your Data

We use your data exclusively for the following purposes:

  • Creating and managing your account
  • Providing and operating the Service
  • Processing subscription payments and managing billing
  • Sending transactional emails (password resets, payment confirmations, subscription notifications) via notify.atelier-pin.com
  • Sending newsletters and marketing communications — only where you have explicitly opted in
  • Monitoring and improving Service performance and reliability
  • Detecting and preventing fraud, abuse, and security incidents
  • Complying with legal obligations
  • Responding to your support requests and communications

We do not sell your personal data to third parties. We do not use your data for advertising profiling. We do not share your data with third parties except as described in Article 5.

Article 5

Third-Party Service Providers

We share limited personal data with the following trusted third-party service providers solely for the purpose of operating the Service:

  • Stripe Inc. — payment processing. Stripe processes your payment data under their own privacy policy. Atelier Pin does not store full card details. Stripe is certified PCI DSS Level 1.
  • Supabase Inc. — database and authentication infrastructure. Your account and usage data is stored on Supabase servers.
  • Google LLC — Google Sign-In authentication (optional). If you use Google Sign-In, limited profile data is shared with Google under their privacy policy.
  • Zernio (ARBICHAT, S.L.), Carrer Mallorca 2A, 17230 Palamós, Girona, Spain (Tax ID CIF B75253252) — social-publishing infrastructure (optional, only active once you connect at least one social account). When you connect a platform, the OAuth handshake is performed on Zernio and the resulting access tokens are stored by Zernio under their own privacy policy and security controls. Atelier Pin sends Zernio only the data strictly necessary to execute the publishing actions you have instructed (image URL, caption, hashtags, schedule time, target account/board). Zernio acts as a sub-processor on our behalf. See Zernio's Privacy Policy, Terms of Service, and Legal Disclosure.
  • Pinterest Inc., Meta Platforms Inc., TikTok Ltd., Bluesky Social PBC and similar destination platforms — only if you choose to publish to them. When you publish, the image and post metadata you have prepared are transmitted to the destination platform, which then processes that data under its own privacy policy.
  • Email service provider — transactional email delivery via notify.atelier-pin.com.

All service providers are contractually bound to process your data only for the purposes of providing their services to Atelier Pin and to maintain appropriate security measures.

Some providers are located outside Switzerland and the EU. Where data is transferred internationally, we ensure appropriate safeguards are in place in accordance with nDSG and GDPR requirements.

Article 6

Data Retention

We retain your personal data for the following periods:

  • Account data — retained for the duration of your account and deleted within 90 days of account deletion request
  • Billing and payment records — retained for 10 years as required by Swiss accounting and tax law
  • Connected social-account metadata — deleted within 24 hours of disconnect. OAuth tokens themselves are held by Zernio, not by Atelier Pin; we instruct Zernio to revoke them at the moment you disconnect.
  • Usage logs and error logs — retained for 12 months then anonymised or deleted
  • Content data (uploaded images, videos, generated content) — retained while your account is active; deleted within 90 days of account deletion
  • Newsletter consent records — retained until you withdraw consent plus 3 years for compliance purposes
  • Support communications — retained for 3 years

Article 7

Your Rights

Under the Swiss nDSG and, where applicable, the EU GDPR, you have the following rights regarding your personal data:

  • Right of access — you may request a copy of the personal data we hold about you
  • Right to rectification — you may request correction of inaccurate data
  • Right to erasure — you may request deletion of your personal data, subject to legal retention obligations
  • Right to data portability — you may request your data in a structured, machine-readable format
  • Right to object — you may object to processing based on legitimate interests
  • Right to withdraw consent — where processing is based on consent (e.g. newsletter), you may withdraw consent at any time without affecting prior processing
  • Right to disconnect any connected social account — if you have connected one or more platforms (Pinterest, Instagram, Facebook, TikTok, Bluesky, etc.), you may disconnect any of them at any time from Settings → Connected accounts. We instruct our publishing sub-processor Zernio to revoke the access tokens immediately and delete the connection metadata we held for you within 24 hours. You can also revoke Atelier Pin's / Zernio's access directly from the destination platform's own account settings at any time.
  • Right to lodge a complaint — you may lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch, or if you are an EU resident, with your local data protection authority

To exercise any of these rights, contact us at info@atelier-pin.com. We will respond within 30 days.

Article 8

Cookies and Tracking

Atelier Pin uses minimal cookies and tracking technologies strictly necessary for the operation of the Service:

  • Session cookies — required for authentication and keeping you logged in
  • Functional cookies — required for Service functionality such as remembering your preferences

We do not use advertising cookies, cross-site tracking cookies, or third-party analytics cookies that profile you for advertising purposes.

If we add analytics tools in the future, this policy will be updated and you will be notified.

Article 9

Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration, including:

  • Encrypted data transmission (HTTPS/TLS)
  • Secure, encrypted data storage via Supabase infrastructure
  • Access controls limiting data access to authorised systems only
  • Regular security monitoring

In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority as required by law.

Article 10

Newsletter and Marketing Communications

We send marketing and newsletter communications only to users who have explicitly opted in via the newsletter subscription option in their account dashboard.

You may unsubscribe at any time by clicking the unsubscribe link in any newsletter email or by changing your preferences in your dashboard. Unsubscribing from newsletters does not affect delivery of transactional emails related to your account.

We do not send unsolicited marketing emails. We do not share your email address with third parties for marketing purposes.

Article 11

Social Publishing via Zernio

Atelier Pin offers an optional social-publishing integration that lets you publish generated content to your own accounts on Pinterest, Instagram, Instagram Stories, Facebook, Facebook Stories, TikTok, Bluesky, and similar platforms. This integration is brokered through Zernio (operated by ARBICHAT, S.L., Carrer Mallorca 2A, 17230 Palamós, Girona, Spain — Tax ID CIF B75253252). It is fully opt-in per platform: it is only active for the platforms you have explicitly connected under Settings → Connected accounts.

11.1 What we ask each platform for. When you connect a platform, Zernio (on our behalf) requests only the OAuth scopes strictly necessary to perform the publishing actions you have asked for. For Pinterest these typically include boards:read, pins:read, pins:write and user_accounts:read; for Meta platforms the equivalent pages, instagram_content_publish and business_management scopes; for TikTok the video.publish / video.upload scopes; for Bluesky the credentials you provide for the app-password flow. The exact list of scopes is shown to you by the destination platform at the moment you authorise the connection.

11.2 Where OAuth tokens are stored. Access and refresh tokens issued by destination platforms are stored by Zernio under Zernio's own security controls, not by Atelier Pin. Atelier Pin holds only the connection metadata listed in Article 2.5. Tokens are automatically purged by Zernio after repeated refresh failures.

11.3 How we use connected-account data. Connected-account data is used exclusively to operate the publishing feature you have asked for. We do not sell, rent, or share it with unrelated third parties. We do not use it for advertising profiling. We do not analyse the content of pins or posts already on your account beyond what is strictly necessary to publish what you have prepared in Atelier Pin.

11.4 Publishing is always under your control. No post is ever published without your explicit action. Every scheduled item remains visible, editable, and cancellable in your Schedule view until the scheduled time, and is published only at that exact time or when you press Publish now.

11.5 Disconnecting and revocation. You can disconnect any platform at any time from Settings → Connected accounts. On disconnect, we instruct Zernio to revoke the access tokens immediately and we delete the connection metadata we held for you within 24 hours. You can also revoke Atelier Pin's / Zernio's access directly from the destination platform's own account settings at any time.

11.6 Zernio's own legal terms. By connecting a platform through Atelier Pin you also accept Zernio's Privacy Policy, Terms of Service, and Legal Disclosure. Zernio is established in the European Union (Spain).

Article 12

How Your Images Are Stored and Served

To publish to Pinterest, Instagram, Facebook, TikTok and similar platforms, those platforms must be able to fetch your image over the public internet at the moment of publication. For this technical reason, both the source images you upload and the final generated content are stored on a public-by-URL storage bucket.

12.1 What "public-by-URL" means in practice. The file is not listed, indexed, or made discoverable. The URL contains an unguessable random token. However, any party who comes into possession of that exact URL can view the file without logging in. This is the same hosting model used across the industry by Buffer, Later, Planoly, Tailwind, Canva exports and similar tools, and it is required for publishing to function on every major social platform.

12.2 What this is not. We never expose lists of your images to other users. We never index or search across your images. We never share URLs outside of (a) you, (b) the platforms you have explicitly chosen to publish to, and (c) Zernio acting on your instruction at the moment of publication.

12.3 Deletion. When you delete an image from your Library, the database record is removed immediately and the underlying file is removed from the storage bucket within 24 hours. Once removed, the URL stops returning the file.

12.4 Your responsibility. Because URLs are public-by-URL, you should treat any image you upload to Atelier Pin the same way you would treat an image you intend to publish — that is, do not upload material you would not be comfortable being viewable by anyone who comes into possession of the URL.