This Privacy Policy explains how Helmcraft GmbH ("Pinchy", "we", "us") collects, uses, and protects personal data in connection with the Pinchy software, the Pinchy websites at heypinchy.com, docs.heypinchy.com, and buy.heypinchy.com, and related services. We take your privacy seriously and process personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (Datenschutzgesetz, DSG).
The controller responsible for personal data processing under this Privacy Policy is:
Helmcraft GmbH
Hietzinger Hauptstraße 101/1
1130 Vienna, Austria
Commercial Court of Vienna, FN 588989k
VAT identification number: ATU78631027
Email: privacy@heypinchy.com
This Privacy Policy applies to personal data that we process as a data controller, including in the following situations:
This Privacy Policy does not apply to personal data that you process within your own self-hosted Pinchy installation. In that context, you are the data controller, and Pinchy has no access to the data you process with the software.
We process the following categories of personal data.
Website visit data. When you visit one of our websites, our servers log technical information such as your IP address, browser type, operating system, referrer URL, and the pages you visit. This data is used to operate and secure the websites. The legal basis for this processing is our legitimate interest in operating a stable and secure service (Art. 6(1)(f) GDPR).
Trial request data. When you request a trial license key, we process your name and email address. This data is used to issue the trial key, to send it to you, and to follow up with you about your trial experience. The legal basis is the performance of pre-contractual measures at your request (Art. 6(1)(b) GDPR) and our legitimate interest in understanding trial usage (Art. 6(1)(f) GDPR).
Subscription and billing data. When you purchase a Pinchy subscription, we process your name, email address, company name, billing address, VAT identification number (if provided), and payment information. This data is used to conclude and perform the subscription contract, to issue invoices, and to comply with accounting and tax obligations. The legal basis is contract performance (Art. 6(1)(b) GDPR) and compliance with legal obligations (Art. 6(1)(c) GDPR).
Communication data. When you contact us by email or through our contact form, we process the content of your communication, your name, and your email address. This data is used to respond to your enquiry and to maintain records of communication with customers. The legal basis is contract performance (Art. 6(1)(b) GDPR) or our legitimate interest in communication with interested parties (Art. 6(1)(f) GDPR).
License key metadata. Pinchy license keys are cryptographically signed tokens that contain the customer identifier, subscription identifier, plan, user seat limit, and expiry date. No personal data beyond the billing contact's identifier is embedded in the license key itself. License keys are validated offline by your Pinchy instance, and no telemetry is collected from customer installations by default.
We use the following service providers to operate our business. These providers act as data processors on our behalf or as independent controllers, as indicated.
Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, processes payment transactions on our behalf. Stripe is a data processor under a Data Processing Agreement. Stripe may transfer data to Stripe, Inc. in the United States under the EU-U.S. Data Privacy Framework.
Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg, provides static hosting for our websites (S3 and CloudFront) and serverless compute for trial license key generation (Lambda, region eu-central-1 / Frankfurt). Data processed in this context remains within the European Union.
Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen, Germany, provides server hosting for our Odoo subscription backend, which holds customer subscription and billing data, and for our own Pinchy application instances. Our infrastructure is operated in Hetzner's data centre in Nuremberg, Germany. All data processed on these servers remains within the European Union.
Migadu Mail GmbH, Lindenfeldstrasse 25, 8050 Zurich, Switzerland, provides email hosting for our business communication. Email data may transit through Migadu's Swiss infrastructure. Switzerland benefits from an adequacy decision of the European Commission.
We use the self-hostable analytics platform Umami, whose operator is Umami Software, Inc., to collect aggregated, anonymised website usage statistics. Our Umami instance is self-hosted on our Hetzner infrastructure in Nuremberg, Germany. Umami does not use cookies, does not track individual users across sessions, and does not collect personal data within the meaning of the GDPR. No data is transferred outside our own infrastructure.
Resend, 2261 Market Street #5039, San Francisco, CA 94114, USA, provides transactional email delivery. Resend is certified under the EU-U.S. Data Privacy Framework.
We have concluded Data Processing Agreements with all processors where required by Article 28 GDPR.
Where personal data is transferred outside the European Economic Area, such transfers are safeguarded by an adequacy decision of the European Commission (e.g., Switzerland), by the EU-U.S. Data Privacy Framework (e.g., Stripe, Inc. in the United States), or by Standard Contractual Clauses adopted by the European Commission. A copy of the applicable safeguards may be requested from privacy@heypinchy.com.
We retain personal data only for as long as necessary for the purposes described in this Privacy Policy or as required by law.
Under the GDPR, you have the following rights regarding your personal data:
To exercise any of these rights, please contact us at privacy@heypinchy.com.
You also have the right to lodge a complaint with the Austrian Data Protection Authority (Österreichische Datenschutzbehörde), Barichgasse 40-42, 1030 Vienna, Austria, www.dsb.gv.at.
Our websites use only technically necessary cookies required to operate the website and the checkout flow.
For website analytics we use Umami, a privacy-focused analytics tool that we self-host on our own infrastructure. Umami records aggregated and anonymised information such as page views, referring domains, browser language, and country, derived from your IP address without storing the address itself. Umami does not use cookies, does not create persistent identifiers, and does not track you across sessions or websites. We therefore consider that Umami does not process personal data within the meaning of the GDPR. Our legal basis for operating Umami is our legitimate interest in understanding aggregate website usage to improve our content and offering (Art. 6(1)(f) GDPR).
We do not use third-party analytics cookies, marketing cookies, retargeting pixels, or cross-site tracking technologies. Should we introduce technologies that require consent under § 165 Telekommunikationsgesetz 2021 (TKG 2021) in the future, we will obtain your consent via a cookie banner before activation.
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction, in accordance with Article 32 GDPR. These measures include encryption in transit via TLS, encrypted storage of credentials, access controls on our systems, and regular security reviews.
We may update this Privacy Policy from time to time to reflect changes in our processing activities or in legal requirements. Material changes will be communicated to active customers by email to the billing contact. The current version is always available at heypinchy.com/privacy.
For any questions regarding this Privacy Policy or the processing of your personal data, please contact:
privacy@heypinchy.com
Helmcraft GmbH
Hietzinger Hauptstraße 101/1
1130 Vienna, Austria