Privacy Policy
1. Introduction
PinWash is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use the PinWash platform.
This Policy applies to all users including Customers and Operators.
2. Who We Are — Data Controller
PinWash is operated by [Legal Company Name], a company registered in [Cyprus] under registration number [•], with registered office at [•]. Trading name: PinWash.
Privacy contact: privacy@pinwash.co
We have not appointed a Data Protection Officer as we are not currently required to do so under GDPR. Privacy enquiries may be sent to privacy@pinwash.co.
3. Data We Collect
3.1 All Users
Full name, email address, phone number, password (stored as a secure cryptographic hash), device type and operating system, push notification tokens, app usage data, and support correspondence.
3.2 Customers Only
Vehicle information (make, model, size, colour, licence plate, year), vehicle pin location at the time of each booking, wash booking and status history, in-app Balance history, Stripe payment intent identifiers (not full card details), ratings and feedback, in-app messages with Operators, and referral data.
3.3 Operators Only
Date of birth and nationality, government-issued identity documents (ID front, back, and selfie), emergency contact information, availability preferences and transport information, PIN code (stored as a secure cryptographic hash), GPS location during active sessions, session history and earnings, equipment contribution progress, performance metrics, and damage claim records.
3.4 Vehicle Photographs
Operators take before-and-after photographs of vehicles for service verification, quality control, dispute resolution, fraud prevention, and platform safety. These may show the vehicle exterior, licence plate, surrounding parking area, and visible vehicle condition. Operators must not photograph people, private interiors, or unrelated vehicles except where unavoidable.
3.5 What We Do Not Collect
We do not store your full payment card number, CVV, expiry date, or bank account credentials. These are handled directly by Stripe.
4. Legal Basis for Processing
| Purpose | Legal Basis |
|---|---|
| Creating and managing your account | Contract performance (Art. 6(1)(b)) |
| Processing bookings and payments | Contract performance (Art. 6(1)(b)) |
| Service status notifications | Contract performance / legitimate interests |
| Customer location for Zone features | Contract performance / consent |
| Vehicle pin location for booking | Contract performance (Art. 6(1)(b)) |
| Operator GPS during active sessions | Contract performance / legitimate interests |
| Operator identity verification | Legitimate interests / legal obligation |
| Before-and-after photographs | Contract performance / legitimate interests |
| Fraud prevention and security | Legitimate interests (Art. 6(1)(f)) |
| Platform improvement | Legitimate interests / consent |
| Legal and tax compliance | Legal obligation (Art. 6(1)(c)) |
| Direct marketing | Consent (Art. 6(1)(a)) |
5. How We Use Your Data
We use your data to provide the Platform and services, ensure safety and security, send service communications, improve the Platform, and comply with legal obligations.
6. No Sale of Data
We do not sell your personal data. We do not share your personal data with third parties for their own advertising purposes.
7. How We Share Your Data
7.1 Between Customers and Operators
When a booking is confirmed we share with the Operator: vehicle make, model, size, colour, licence plate, and pin location. We do not share your email, phone number, or payment details with Operators.
We share with the Customer during an active wash: Operator first name and last initial, rating, and real-time GPS location during the wash only.
7.2 Service Providers
| Provider | Purpose | Location |
|---|---|---|
| Stripe | Payment processing | United States (SCCs apply) |
| Firebase (Google) | Push notifications | United States (SCCs apply) |
| Supabase | Database and authentication | European Union (Ireland) |
| Railway | Backend processing | United States (SCCs apply) |
7.3 Legal Requests
We may disclose data if required by law or court order, disclosing only data reasonably necessary to comply.
8. International Data Transfers
Your data is stored primarily within the European Union. Transfers outside the EEA rely on Standard Contractual Clauses approved by the European Commission and additional safeguards including encryption and access controls.
9. Data Security
We implement TLS encryption in transit, encrypted storage of sensitive data, row-level security controls, cryptographic hashing of passwords and PINs, role-based access controls, and regular security audits.
10. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 2 years |
| Wash history and payments | 7 years (legal and tax compliance) |
| In-app messages | 1 year after wash completion |
| Vehicle pin location | 12 months after wash completion |
| Operator GPS session data | 12 months |
| Operator identity documents | Duration of relationship + up to 3 years |
| Support correspondence | 3 years |
| Marketing consent records | Until withdrawn + 1 year |
When data is no longer required we delete it, anonymise it, or securely archive it with restricted access where legally required.
11. Location Data
Customer device location is used only when the App is open for Zone-based features. We do not track Customer location continuously.
Operator GPS is tracked during active sessions only to enable real-time tracking, job assignment, and safety functionality. Tracking stops when the session ends. Operator location is shared with the Customer during the active wash only.
12. Automated Decision-Making
We do not currently use solely automated decision-making that produces legal or similarly significant effects on users.
13. Your GDPR Rights
You have the right to access, rectify, erase, restrict processing of, and port your personal data. You may object to processing based on legitimate interests or for direct marketing. To exercise these rights contact privacy@pinwash.co. We respond within 30 days.
14. Marketing
We send marketing communications only with your consent. Withdraw consent at any time through App settings or by contacting privacy@pinwash.co.
15. Children
The Platform is not for anyone under 18. Contact privacy@pinwash.co if you believe we hold data about a child.
16. Supervisory Authority
You may lodge a complaint with the relevant supervisory authority. In Cyprus: Office of the Commissioner for Personal Data Protection · www.dataprotection.gov.cy · commissioner@dataprotection.gov.cy
17. Changes to This Policy
We will notify you of significant changes through the App or by email before they take effect. The current version is always available at pinwash.co/privacy.html.
18. Contact
Email: privacy@pinwash.co
Website: pinwash.co