Privacy Policy
Last updated: April 15, 2026
This Privacy Policy describes how Pinnacle MAV Media LLC ("we," "us," "our") collects, uses, discloses, and otherwise processes personal information in connection with Pinnora and related websites (collectively, the "Service"). It should be read with our Terms of Service, Cookie Policy, Subprocessors, and, for business customers processing personal data on behalf of others, our Data Processing Addendum.
1. Who is responsible?
For personal information described here, the data controller is Pinnacle MAV Media LLC. Where we process personal data on behalf of a business customer, that customer is the controller and we act as the processor as described in our DPA. Our contacts:
1507 Lampman Ct
Cheyenne, WY 82007
United States of America
- Privacy / data subject requests: privacy@thepinnacle.media
- Data Protection Officer: dpo@thepinnacle.media
- Security incidents: security@thepinnacle.media
- Abuse / safety: abuse@thepinnacle.media
- General contact: technical@thepinnacle.media
2. EU / UK representative
For individuals in the European Economic Area, our GDPR Article 27 representative is: To be appointed (—). For individuals in the United Kingdom, our UK GDPR representative is: To be appointed (—). You may also contact our DPO at dpo@thepinnacle.media.
3. Scope
This policy applies to visitors to our marketing sites, account holders, organization members, billing contacts, support correspondents, and others who interact with the Service. If you are an employee of a Customer, your employer's privacy notice may also apply.
4. Personal information we collect
- Identifiers & account data: name, email address, user ID, organization name, role, profile photo URL, authentication-provider identifiers, hashed password where local auth is used.
- Commercial information: subscription plan, invoices, payment status, credit balances, and transaction history. Card data is processed by our payment processors (listed in our Subprocessors page); we typically receive tokens or last-four digits, not full card numbers.
- Customer Content: text, files, prompts, creative outputs, comments, and configuration you submit to workspaces — which may contain personal information about your clients or end users if you upload it.
- Connected ad-platform data: when you connect a Meta, Google Ads, or TikTok account, we store an encrypted access token plus the campaign / ad-account IDs and performance metrics returned by those APIs.
- Internet or network activity: IP address, device identifiers, browser type, approximate location derived from IP, diagnostic logs, and security telemetry.
- Communications: support tickets, survey responses, and email correspondence.
- Inferences: product-usage patterns used to operate, secure, and improve the Service.
- Sensitive personal information (CCPA/CPRA): we do not intentionally collect categories designated "sensitive" (precise geolocation, racial/ethnic origin, religious beliefs, union membership, genetic/biometric data, health, sexual orientation, contents of mail/email/messages not addressed to us). Account credentials and government IDs in support tickets, if voluntarily provided, are processed only to authenticate you and resolve the request and are not used for inference, profiling, or sale.
5. Sources
We collect personal information from you, your organization, your device, our subprocessors (e.g., auth, payments, ad-platform APIs), and, when you connect integrations, from those third parties as authorized by you.
6. Purposes & legal bases
The table below maps each processing purpose to its GDPR Art. 6 legal basis:
| Purpose | Categories | Legal basis (EEA/UK) |
|---|---|---|
| Provide & operate the Service (accounts, modules, AI features) | Identifiers, Customer Content, usage | Contract (Art. 6(1)(b)) |
| Billing, taxes, fraud prevention | Commercial info, identifiers | Contract & legal obligation (Art. 6(1)(b)(c)) |
| Security, abuse detection, integrity of the Service | Network activity, telemetry | Legitimate interests (Art. 6(1)(f)) |
| Service-related transactional email | Identifiers | Contract (Art. 6(1)(b)) |
| Product analytics & improvement (aggregated/de-identified) | Usage, inferences | Legitimate interests (Art. 6(1)(f)) |
| Marketing emails to prospects who opt in | Identifiers | Consent (Art. 6(1)(a)) — withdrawable |
| Compliance with subpoenas, court orders, regulators | Any | Legal obligation (Art. 6(1)(c)) |
7. AI and automated processing
When you use AI features, we and our model and infrastructure subprocessors process prompts, contextual fields, attachments, generated outputs, embeddings of selected outputs, technical metadata, and safety classifications to deliver, secure, meter, and improve operation of the Service. Modules may chain together (one module's output feeds the next), and a research-oriented module may autonomously fetch content from third-party URLs. Outputs may be inaccurate, biased, or inappropriate; you remain responsible for human review before external use. Full per-provider, per-module, gateway, queue, and embedding detail appears in our AI & automated systems statement; the list of subprocessors involved (gateway operator, model providers, queue operator, research providers) is at Subprocessors.
No customer-data training: we do not use identifiable Customer Content to train or fine-tune general-purpose public models, and we route inference only to API endpoints whose contractual terms prohibit training on customer prompts.
8. How we disclose personal information
- Service providers (subprocessors): hosting, database, authentication, payments, email, logging, security, AI inference, ad-platform APIs, and async job execution — see Subprocessors.
- Organization administrators: certain profile and activity information may be visible to admins of workspaces you join.
- Connected platforms: when you connect Meta, Google, TikTok, etc., data flows to/from those platforms per your authorization scope.
- Legal & safety: when required by law, legal process, or to protect rights, safety, and security.
- Business transfers: in a merger, acquisition, financing, or sale of assets, with notice where required.
We do not sell personal information for money. We do not engage in "sharing" of personal information for cross-context behavioral advertising as defined under the California Consumer Privacy Act / CPRA. We do not engage in "targeted advertising," "sale," or "profiling" in furtherance of decisions producing legal or similarly significant effects, as those terms are used in Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Oregon OCPA, Montana MCDPA, and Delaware DPDPA.
9. Retention
| Category | Default retention |
|---|---|
| Account & profile data | For the life of the account, then a short tail period after closure (excluding legal hold). |
| Customer Content (workspace data, modules, creative) | Per organization settings; deleted in the ordinary course after termination. |
| Billing & invoice records | As required by applicable tax and accounting law (typically several years). |
| Authentication, security, and application error logs | Retained for a period appropriate to incident investigation and compliance, then deleted. |
| AI inference telemetry (request id, model family, latency, tokens) | Short-term retention for debugging and billing reconciliation, then aggregated. |
| Ad-platform tokens (encrypted at rest) | Until you disconnect the integration or revoke the token. |
| Backups | Retained on a rolling basis sufficient for point-in-time recovery, then overwritten. |
Aggregated or de-identified data may be retained indefinitely. Retention is extended where law, dispute, or legal hold requires it. Specific retention periods applicable to enterprise customers can be addressed in a signed order form or security addendum.
10. Security
We implement technical and organizational measures designed to protect personal information. See our Security overview. Report incidents to security@thepinnacle.media. No system is perfectly secure.
11. Breach notification
We will notify affected business customers without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of a personal data breach affecting Customer personal data, with the information required for the customer to fulfil its own notification obligations under GDPR Art. 33-34 or comparable US state law. We will notify individuals where required by applicable law.
12. International transfers
We are based in the United States. When personal data is transferred from the EEA, UK, or Switzerland to the US or other countries, we rely on the EU Standard Contractual Clauses (Modules 2 and 3), the UK International Data Transfer Addendum (IDTA), and the Swiss addendum as applicable, supplemented by technical and organizational measures (encryption in transit and at rest, access controls, audit logging, vendor diligence). A transfer-impact assessment is available on request to dpo@thepinnacle.media. Where a subprocessor is certified under the EU-US Data Privacy Framework, we may also rely on that certification.
13. Rights for individuals in the EEA, UK, and Switzerland
Subject to the GDPR / UK GDPR / Swiss FADP, you have the rights of access, rectification, erasure ("right to be forgotten"), restriction, portability, and to object to processing based on our legitimate interests. Where processing relies on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing. You may lodge a complaint with your supervisory authority (in the UK, the Information Commissioner's Office). To exercise rights, contact privacy@thepinnacle.media; we will verify your identity and respond within the timeframes required by law (generally one month, extendable by two further months for complex requests).
14. U.S. state privacy rights
Residents of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Delaware (DPDPA), New Jersey (NJDPA), Tennessee (TIPA), Indiana (ICDPA), and other states with comprehensive privacy laws have:
- The right to know / access categories and specific pieces of personal information collected.
- The right to delete personal information, subject to exceptions (e.g., legal retention).
- The right to correct inaccurate personal information.
- The right to data portability in a usable format.
- The right to opt out of sale, sharing, targeted advertising, and profiling producing legal or similarly significant effects. We do not engage in any of these activities; an opt-out submission therefore has no effect, but we honor it as a no-op.
- The right to limit use of sensitive personal information (CPRA).
- The right to appeal a denial of any of the above; appeals: dpo@thepinnacle.media.
- The right to non-discrimination for exercising rights.
Submit requests to privacy@thepinnacle.media. We verify requests by matching against information in your account; for sensitive requests we may require a signed declaration. Authorized agents may submit requests on your behalf with proof of authority.
Global Privacy Control (GPC): we treat a recognized GPC browser signal as a valid opt-out of sale/sharing/targeted advertising in jurisdictions where the law requires it.
California "Shine the Light": California residents may request information about disclosures of personal information to third parties for those parties' direct marketing. We do not disclose personal information for those purposes.
Nevada: Nevada residents may opt out of certain "sales" of covered information; we do not currently sell such information as defined in Nevada law.
15. Children
The Service is not directed to children under sixteen (16), and we do not knowingly collect their personal information. We do not knowingly process personal information of children under thirteen (13), as that term is defined under the US Children's Online Privacy Protection Act (COPPA). If you believe we have collected information from a child, contact us to delete it.
16. Automated decision-making & profiling
We do not use automated decision-making that produces legal or similarly significant effects on you without meaningful human review. AI feature outputs are assistive; the human-in-the-loop responsibility rests with you, as described in AI & automated systems. We do not perform profiling for advertising or credit-eligibility decisions.
17. Third-party links
Our websites may link to third-party sites. We are not responsible for their privacy practices.
18. Changes to this policy
We may update this Privacy Policy and will revise the "Last updated" date. Material changes affecting your rights will be notified by email or in-product notice at least thirty (30) days before they take effect, where required by law.
19. Contact
1507 Lampman Ct
Cheyenne, WY 82007
United States of America
Privacy: privacy@thepinnacle.media · DPO: dpo@thepinnacle.media