Built for feedback workflows, not surveillance.

1. What Pincushion collects

• Feedback data: pin comments, thread replies, status changes, page URLs, selectors, viewport metadata (width/height at pin-drop time), a capped surrounding DOM snippet with scripts/styles removed (max 8 KB), optional acceptance criteria text the stakeholder writes (max 2 KB), and related metadata needed to locate the feedback on a page and make it implementation-ready for your agent. Likely-files inference (a list of source files your agent might want to edit) is computed locally in your MCP server at read time against your local Git repo — it is never stored in the cloud.
• Implementation traceability: when an agent resolves a pin, optional branch name, commit SHA, and pull-request URL can be recorded on the pin so stakeholders see "Resolved in PR #142". On the Pro plan, the deploy-hook can also write the production deploy URL back to the pin, and Pincushion AI can record a post-deploy verification verdict (verified / regressed / inconclusive) — both with optional plain-text notes.
• Pin screenshots: when you drop a pin, the Chrome extension captures the visible browser viewport as a PNG and uploads it to a Pincushion-hosted storage bucket. The URL of that screenshot is attached to the pin and rendered inline in Slack / Microsoft Teams notifications so reviewers can see what was annotated without clicking through. Screenshots are scoped to the page you were viewing at pin-drop time and never capture other tabs, the desktop, or browser chrome. The bucket is read-public (anyone with the URL can fetch the image) and the path uses random tokens to defeat enumeration.
• Account and billing data: name, email address, plan information, and Stripe transaction records needed to operate paid plans.
• Support and waitlist submissions: the email addresses you submit through support, launch waitlists, or send-to-desktop forms.
• Marketing-site analytics: privacy-friendly Vercel Web Analytics pageviews and CTA events on the public website only.

2. What Pincushion does not do

• We do not sell personal data.
• We do not run advertising trackers on the product.
• We do not use the extension to track your general browsing behavior across unrelated websites.
• We do not collect custom event properties containing personal data from the marketing site.
• Pincushion AI runs in your IDE on your own agent's tokens — for both on-demand /critique and queued post-deploy critiques. Model execution stays local; we never make AI API calls on your behalf. Resulting pin records sync to Pincushion the same way any human-dropped pin does, including selector, body, tags, thread, and any implementation-context metadata captured with that pin.

3. How data is used

Pincushion uses the collected data to operate the extension, sync project feedback, connect MCP tools to the relevant project, process paid subscriptions, answer support requests, and understand how the marketing site performs at a high level.

4. Marketing-site analytics

The public website uses Vercel Web Analytics. That analytics layer is cookie-free and privacy-friendly, and it is limited to pageviews plus a small set of CTA events such as install clicks, checkout clicks, docs navigation, support email clicks, and the success-page extension click. Those events only include simple location metadata such as hero or footer.

5. Slack and Microsoft Teams integrations

When a Slack workspace owner installs Pincushion via the "Add to Slack" flow, the OAuth grant scopes shown on Slack's consent screen are exactly what Pincushion uses. Specifically:

• What we read from Slack: workspace ID and name, the channel ID/name the installer chose, the bot user ID, the email of the installing user (so we can match them to a Pincushion account), and message content posted as thread replies to a Pincushion-anchored notification — used solely to relay that reply as a comment on the corresponding pin.
• What we never read: direct messages we did not initiate, channel history outside of Pincushion-anchored threads, files, audio, video, screen shares, or any data from channels Pincushion was not invited into.
• What we write to Slack: notifications about pin events (ready, mention, follow-up, optionally new and resolved) into the channel chosen at install, direct messages to project members @-mentioned in pin threads, an App Home tab summarizing connected projects and open pins, and replies to @pincushion mentions describing the app. Notifications include an inline image of the pin screenshot (rendered via Slack's image block — Slack fetches the image from our public storage URL, no auth handoff). To remove a screenshot already captured, email privacy@pincushion.io with the pin ID.
• How we store it: bot tokens are stored encrypted at rest in Supabase (US region), accessible only by the service role behind row-level-security deny policies on every Slack-related table. The webhook URL we receive is masked when listed back via the API.
• How to remove it: uninstall the Pincushion app from Slack and we mark the workspace revoked and pause all integrations within seconds. Or remove individual subscriptions via the remove_collaboration_integration MCP tool. For full account-level deletion, email privacy@pincushion.io.
• Microsoft Teams: we post Adaptive Card notifications to a Workflows webhook the user configures. We do not read messages from Teams; the integration is one-directional outbound only.

6. Storage and sharing

Free-tier feedback can remain local. Paid-plan sync and collaboration data are stored with the hosted backend that powers Pincushion. Stripe processes billing. Vercel hosts the marketing site. Support and waitlist email flows use the configured mail provider. Pincushion only shares data with those service providers as needed to operate the service.

7. Access, deletion, and contact

If you need help with access, deletion, or privacy questions, email privacy@pincushion.io. For product or billing issues, contact support@pincushion.io.