Privacy Policy
Effective Date: March 28, 2026
Working Theory Labs, LLC ("Company," "we," "us," or "our"), a Delaware limited liability company, operates the Pins platform ("Service"). This Privacy Policy describes how we collect, use, disclose, and protect your information when you use our Service. By using Pins, you agree to the practices described in this policy.
1. Information We Collect
Information You Provide
- Account information: email address and password (stored as a cryptographic hash, never in plaintext)
- Profile information: name, username, bio, and avatar image
- Social links: Instagram, X (Twitter), YouTube, TikTok, and personal website URLs
- Event interactions: events you save (RSVP), comments, and replies
- Social connections: users you follow, users who follow you, and follow requests
- Search queries: text you enter when searching for events or users
- Reports: content you report and any description you provide
- Communications: messages you send to us via email for support or inquiries
Information Collected Automatically
Geolocation data. With your explicit permission (via your browser's location prompt), we collect your approximate location (latitude and longitude) to detect your nearest city using a 150-kilometer proximity threshold. This is used solely to show you events near you. You may deny location permission at any time through your browser settings and instead select a city manually. We do not continuously track your location.
Analytics and session data. We use Datadog Real User Monitoring (RUM) to collect usage analytics, including page views, click interactions, resource loading performance, and error tracking. Datadog records user sessions with a "mask-user-input" privacy level, meaning text you type into form fields is masked in recordings. We track usage events such as event discovery interactions, social actions, search usage, and settings changes. Sensitive data such as authentication tokens and email addresses are redacted from analytics logs.
Device and browser information. Browser type, operating system, screen resolution, and similar technical data, collected via our analytics provider.
Local storage. We store authentication tokens (access and refresh tokens) in your browser's local storage to keep you signed in. We do not use cookies for tracking purposes.
Information from Third Parties
We do not currently receive personal information from third parties. If we integrate additional sign-in methods (such as Google Sign-In) in the future, we will update this policy accordingly.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Show you events near your location based on your city selection or geolocation
- Enable social features such as following other users, commenting on events, and receiving notifications
- Send you notifications based on your preferences (e.g., event reminders, comment replies, follow requests)
- Monitor and analyze usage patterns to improve and develop the Service
- Detect, prevent, and address security issues, abuse, and technical problems
- Enforce our Terms of Service
- Send account-related communications (verification codes, security alerts, service updates)
- Comply with legal obligations
3. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area, United Kingdom, or Switzerland, we process your personal data on the following legal bases:
- Performance of a contract: processing necessary to provide the Service you signed up for, including account management, event discovery, and social features
- Legitimate interests: analytics and performance monitoring, fraud and abuse prevention, and service improvement, where these interests are not overridden by your rights
- Consent: geolocation data collection (via your browser permission prompt) and any future marketing communications
- Legal obligation: where processing is required to comply with applicable laws
4. How We Share Your Information
We do not sell your personal information.
We may share your information in the following circumstances:
- Service providers: We share data with third-party service providers who help us operate the Service, including Datadog, Inc. (analytics, performance monitoring, and session replay) and Apple Inc. (Apple MapKit for map display). These providers process data on our behalf and are contractually obligated to protect your information.
- Other users: Your profile information, username, comments, and social connections may be visible to other users based on your privacy settings. You can set your profile to private in Settings, which limits visibility of your activity.
- Legal requirements: We may disclose your information if required by law, subpoena, court order, or governmental request.
- Business transfers: In connection with a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction.
- Protection of rights: To protect the rights, property, or safety of Working Theory Labs, LLC, our users, or the public.
- With your consent: In other circumstances with your explicit consent.
5. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. You can delete your account at any time through Settings, which will remove your data from our active systems.
After account deletion, some data may be retained in backups for a limited period and will be deleted in accordance with our backup retention schedule. Analytics data is retained per Datadog's standard retention policies. We may also retain certain information as required by law or for legitimate business purposes, such as fraud prevention.
6. Your Rights and Choices
All Users
- Access and update your profile information through Settings
- Control your profile visibility (public or private) through Settings
- Delete your account through Settings
- Control location sharing by managing your browser's location permissions
- Manage notification preferences (push and email) through Settings
European Economic Area, UK, and Swiss Users (GDPR)
If you are located in the EEA, UK, or Switzerland, you have the following additional rights:
- Right of access: request a copy of your personal data
- Right to rectification: correct inaccurate or incomplete personal data
- Right to erasure: request deletion of your personal data ("right to be forgotten")
- Right to data portability: receive your personal data in a structured, machine-readable format
- Right to object: object to processing based on legitimate interests
- Right to restrict processing: request that we limit the processing of your personal data
- Right to withdraw consent: withdraw consent at any time, without affecting the lawfulness of processing based on consent before withdrawal
- Right to lodge a complaint: file a complaint with your local data protection supervisory authority
To exercise these rights, contact us at contact@workingtheorylabs.io with the subject line "GDPR Request."
California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and the California Privacy Rights Act:
- Right to know: what personal information we collect, how we use it, and with whom we share it
- Right to delete: request deletion of your personal information
- Right to opt-out of sale: we do not sell your personal information
- Right to limit use of sensitive personal information: geolocation data is classified as sensitive personal information under the CCPA. You can limit its collection by denying your browser's location permission. We use geolocation only for the disclosed purpose of city detection for event discovery.
- Right to non-discrimination: we will not discriminate against you for exercising your privacy rights
Categories of personal information collected (as defined by the CCPA): identifiers (email, name, username); geolocation data; internet or electronic network activity information (usage data, analytics); and user-generated content (comments, profile information).
To exercise these rights, contact us at contact@workingtheorylabs.io with the subject line "CCPA Request."
7. International Data Transfers
The Service is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country.
For users in the EEA, UK, or Switzerland, data transfers to the United States are made pursuant to Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms approved by the European Commission. Our analytics provider, Datadog, processes data in accordance with its own data processing agreement, which includes Standard Contractual Clauses.
8. Security
We implement reasonable technical and organizational measures to protect your personal information, including:
- Passwords are stored using cryptographic hashing (never in plaintext)
- Authentication tokens are stored in browser local storage (not transmitted as cookies)
- Session replay data masks user input fields automatically
- Sensitive data (authentication tokens, email addresses) is redacted from analytics and error logs
No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee its absolute security.
9. Children's Privacy
The Service is not intended for children under the age of 13 (or under 16 in the European Union and European Economic Area). We do not knowingly collect personal information from children under these ages. If we discover that we have collected personal information from a child under the applicable minimum age, we will promptly delete that information.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at contact@workingtheorylabs.io.
10. Do Not Track
Some browsers transmit a "Do Not Track" (DNT) signal. There is no uniform standard for responding to DNT signals. We do not currently respond to DNT signals. We do not track users across third-party websites.
11. Email Communications
We may send you account-related transactional emails, such as verification codes, password reset confirmations, and security alerts. These communications are essential to the operation of your account, and you cannot opt out of them.
You can manage your notification preferences (including email notifications for social activity and events) through the Settings page.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on the Service. Your continued use of the Service after any changes constitutes your acceptance of the updated policy. The "Effective Date" at the top of this page indicates when this policy was last revised.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:
Working Theory Labs, LLC
211 West 56th Street 11H
New York, NY 10019
United States
General and legal inquiries: contact@workingtheorylabs.io
Support: support@pins.city
For GDPR requests, use the subject line "GDPR Request."
For CCPA requests, use the subject line "CCPA Request."