Data protection

Privacy Policy

Last updated: March 2026

1. Controller

The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

[COMPANY_NAME]
[STREET]
[CITY]
[COUNTRY]
Email: [EMAIL]
Phone: [PHONE]

2. Personal data we collect

2.1 Account data

When you register for a Pitcheon account, we collect your email address and store a hashed version of your password. Authentication is handled by Supabase Auth. We do not store passwords in plain text.

2.2 Deck viewer data

When someone views a deck shared through Pitcheon, we collect: the viewer's email address (entered at the access gate), a hashed version of their IP address, user agent string, and timestamps of access. This data enables deck owners to understand who viewed their content.

2.3 Analytics data

We collect view duration and slide-level engagement data (time spent per slide, scroll depth) to provide deck owners with analytics about how their content is consumed.

2.4 Payment data

Payments are processed by Stripe. We do not store credit card numbers or full payment details on our servers. We receive and store a Stripe customer ID, subscription status, and billing email from Stripe.

2.5 OTP codes

When viewers access an email-gated deck, a one-time passcode (OTP) is sent to their email address. OTP codes are temporary and expire after 10 minutes.

3. Legal basis for processing

We process personal data based on the following legal grounds under Art. 6 GDPR:

Contract performance (Art. 6(1)(b) GDPR) — Processing of account data and deck hosting functionality is necessary for the performance of the contract between you and Pitcheon.
Legitimate interest (Art. 6(1)(f) GDPR) — Collection of analytics data, viewer engagement metrics, and security-related data (IP hashes, user agents) is based on our legitimate interest in providing a functional analytics service and maintaining platform security.
Consent (Art. 6(1)(a) GDPR) — Where we send marketing communications, we do so only with your prior consent. You may withdraw consent at any time.

4. Data recipients and processors

We use the following third-party service providers to operate Pitcheon:

Supabase, Inc. (San Francisco, USA) — Database, authentication, and file storage. Data is processed in EU data centers where available. Data Processing Agreement in place.
Stripe, Inc. (San Francisco, USA) — Payment processing. Stripe is certified under Standard Contractual Clauses (SCCs) for EU-US data transfers.
Resend, Inc. (USA) — Transactional email delivery (OTP codes, notifications). Data Processing Agreement in place.
Vercel, Inc. (San Francisco, USA) — Application hosting and edge delivery. Data Processing Agreement in place.

5. Data transfer to third countries

Some of our service providers are based in the United States. Data transfers to the US are safeguarded by the EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs), and/or supplementary technical measures as required by Art. 46 GDPR. You may request a copy of the applicable safeguards by contacting us at [EMAIL].

6. Data retention

Account data — Retained for the duration of your account. Deleted within 30 days of account deletion.
Deck viewer data and analytics — Retained for as long as the associated deck exists. Deleted when the deck owner deletes the deck or their account.
Payment data — Retained as required by German tax and commercial law (typically 10 years pursuant to §147 AO, §257 HGB).
OTP codes — Automatically deleted after 10 minutes.
Server logs — Deleted after 30 days.

7. Your rights under GDPR

You have the following rights regarding your personal data:

Right of access (Art. 15 GDPR) — You may request information about the personal data we hold about you.
Right to rectification (Art. 16 GDPR) — You may request correction of inaccurate personal data.
Right to erasure (Art. 17 GDPR) — You may request deletion of your personal data, subject to legal retention obligations.
Right to restriction of processing (Art. 18 GDPR) — You may request that we restrict the processing of your data in certain circumstances.
Right to data portability (Art. 20 GDPR) — You may request a copy of your data in a structured, machine-readable format.
Right to object (Art. 21 GDPR) — You may object to processing based on legitimate interest at any time.

To exercise any of these rights, contact us at [EMAIL].

8. Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority is the data protection authority of the German federal state in which our company is registered, or the authority of your habitual residence.

9. Cookies

Pitcheon uses strictly functional cookies necessary for authentication and session management. These are essential for the operation of the service and do not require consent under Art. 5(3) of the ePrivacy Directive. We do not use tracking cookies, advertising cookies, or third-party analytics tools such as Google Analytics.

10. Data protection contact

For any questions about data protection or to exercise your rights, please contact:
[FULL_NAME]
[EMAIL]