DPA & SCCs
Request our standard Data Processing Addendum and Standard Contractual Clauses by emailing privacy@pinpic.app.
GDPR Commitment
This page explains how PinPic complies with the EU General Data Protection Regulation (GDPR) and how you can execute a Data Processing Addendum (DPA) with us.
When you upload personal data into PinPic (for example, staff bios or patient instructions), you act as the Data Controller. PinPic acts as a Data Processor and only processes data based on your documented instructions.
We maintain a current list of subprocessors, including hosting, storage, and analytics partners. You’ll be notified of changes at least 30 days in advance.
EU data is hosted in EU data centers by default. When transfers occur, we rely on SCCs and supplementary measures.
We provide tools to help you honor access, correction, deletion, restriction, and portability requests. If you receive a request, you can:
See our Security Overview for full details. Highlights include encryption at rest and in transit, least-privilege access, MFA for staff, and annual penetration tests.
In the unlikely event of a breach involving your data, we will notify you without undue delay, describe the nature of the breach, and outline mitigation steps so you can meet your own obligations.
Email privacy@pinpic.app with your company name and jurisdiction. We’ll countersign electronically.