Privacy Policy
Effective Date: March 12, 2026
1. Introduction
Pineline is a mobile-first gear planning and readiness platform for outdoor enthusiasts. It connects your owned gear inventory, trip-specific packing lists, live product catalogs and pricing, and actionable recommendations — all optimized for one-handed usage during packing moments.
Pineline is operated by Terralata, LLC (“we,” “us,” or “our”). This Privacy Policy explains what information we collect, how we use it, and the choices you have regarding your data.
2. Information We Collect
Profile Data
When you create or update your profile we may collect your username, display name, trail name, bio, preferred weight unit, and whether your account is anonymous.
Gear Inventory
Items you add to your gear closet include the item name, brand, category, weight, price, status (e.g., owned, wish-listed), notes, image URL, and any custom field overrides you apply.
Lists & Kits
Packing lists you create include the list name, description, visibility setting, trip metadata (such as destination and dates), and the individual list items along with their packed state.
Shortlist Candidates
When you compare products using the shortlist feature, we store your product comparison selections.
Images
Gear photos you upload are stored in Supabase Storage and associated with the relevant inventory item.
Device & Usage Analytics
We collect app lifecycle events, screen views, and feature-usage metrics. Analytics events are associated with a pseudonymous user identifier (your Supabase UID). While we do not include directly identifying information such as names or email addresses, this identifier may constitute personal data under certain privacy frameworks including GDPR.
Waitlist & Communications
If you join our waitlist or subscribe to updates via the pineline.app website, we collect your email address. This is the only information collected — no account creation is required.
3. How We Use Your Information
- App functionality: powering your gear closet, packing lists, kit management, and product recommendations.
- Cross-device sync: keeping your data consistent across all devices where you are signed in.
- Product analytics: understanding how features are used so we can improve the app experience.
- Affiliate link attribution: tracking which product links lead to purchases so we can sustain the service (see Section 6).
- Launch updates: sending product launch announcements and updates to waitlist subscribers who opted in.
Legal Basis for Processing (EEA Users)
| Processing Activity | Legal Basis (GDPR Art. 6) |
|---|---|
| App functionality (gear closet, lists, sync) | Contractual necessity — required to provide the service you requested |
| Cross-device sync | Contractual necessity |
| Product analytics | Legitimate interest — improving app quality and user experience |
| Affiliate link attribution | Legitimate interest — sustaining a free service through commission revenue |
| Error monitoring | Legitimate interest — maintaining service stability and security |
| Waitlist email communications | Consent — you actively opted in by submitting the waitlist form |
You may object to processing based on legitimate interest at any time by contacting privacy@pineline.app.
4. Anonymous vs. Identified Users
Anonymous Users
On first launch, Pineline assigns a Supabase user ID with the flag is_anonymous=true. Your data is stored locally and synced to the cloud under this anonymous identifier. This identifier is pseudonymous — it does not contain your name, email, or other directly identifying information, but it is a persistent unique identifier associated with your data and may constitute personal data under frameworks such as GDPR. You can use core features without providing any personal information.
Identified Users
You may choose to create a full account via Apple Sign-In (email and name, both of which may be withheld by Apple at your discretion), Google Sign-In (email), or email and password. Linking an identity upgrades your anonymous account so that all existing data is preserved.
OAuth Tokens
When you sign in with Apple or Google, provider refresh tokens are stored server-side solely for the purpose of revoking access upon account deletion.
5. Third-Party Services
We enter into Data Processing Agreements (DPAs) with each third-party service provider that processes personal data on our behalf, in accordance with GDPR Article 28. Copies of these agreements are available upon request by contacting privacy@pineline.app.
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Authentication, database, file storage (hosted in the US) | All user-generated content described in Section 2 |
| PostHog | Product analytics (host: us.i.posthog.com) | Supabase UID, app lifecycle events, screen views, feature-usage metrics. No directly identifying information (names, emails) is logged; see Section 2 for details on pseudonymous identifiers. |
| Sentry | Error monitoring | Crash stack traces, device and OS metadata, app version. No PII or user-generated content. |
| Vercel Analytics | Web analytics for the pineline.app website | Anonymized page views, referrer URL, country. No cookies, no PII. |
| Apple / Google OAuth | Sign-in identity providers | Authentication credentials exchanged during the sign-in flow |
| Buttondown | Email waitlist and launch communications | Email address only |
6. Affiliate Links & Tracking
Pineline may display links to third-party retailers. When you tap an affiliate link, we record:
- Client-side: a PostHog
affiliate_link_tappedevent containing the item ID, retailer, and source context. - Server-side: a row in our
affiliate_click_eventstable containing your user ID, catalog item ID, affiliate link ID, retailer, source context, and timestamp.
FTC Disclosure: Pineline earns a commission on purchases made through these links at no extra cost to you.
We do not sell your data to third parties. We do not engage in targeted advertising.
7. Data Storage & Security
Cloud data is stored in Supabase, hosted in the United States. A local copy of your data is kept on-device via WatermelonDB to support offline access.
All network communication is encrypted in transit using TLS. On the server, Row Level Security (RLS) policies ensure that each user can access only their own data.
International Data Transfers: Your data is transferred to and stored in the United States. For users in the European Economic Area (EEA), these transfers are protected by Standard Contractual Clauses (SCCs) included in our Data Processing Agreements with service providers, in compliance with GDPR requirements following the Schrems II decision.
8. Data Retention & Deletion
Your data persists for as long as your account exists. Anonymous shared lists that have not been accessed for 180 days may be automatically removed. Internally, we use soft deletes for sync conflict resolution; soft-deleted records are not visible to users and are periodically purged.
Account Deletion
You can delete your account at any time from the app’s settings screen. When you do, an Edge Function cascade-deletes all of your data, including:
- Profile, gear inventory, packing lists, list items, and kits
- Shortlist candidates
- Stored Apple/Google OAuth provider tokens (after revoking them)
- Local on-device database
- PostHog analytics data (via the PostHog GDPR person deletion API)
Data Retained After Deletion
After account deletion, the following data is not immediately erased:
- Affiliate click events — rows in the
affiliate_click_eventstable are retained in de-identified form (your user ID is removed) for up to three (3) years for affiliate attribution and commission reporting obligations, after which they are permanently purged.
Waitlist Emails
You can unsubscribe from waitlist communications at any time using the unsubscribe link in any email. Upon unsubscribing, your email address is removed from Buttondown. You may also request removal by contacting privacy@pineline.app.
9. Your Rights
Under the GDPR (EEA Residents)
You have the right to:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data
- Request erasure of your data
- Request data portability in a machine-readable format
- Restrict or object to certain processing activities
Under the CCPA (California Residents)
You have the right to:
- Know what personal information we collect and how it is used
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell your data)
- Not be discriminated against for exercising your privacy rights
How to Exercise Your Rights
To exercise any of these rights, contact us at privacy@pineline.app. We will respond within the timeframe required by applicable law.
10. Children’s Privacy
Pineline is not directed at children under the age of 13 (or 16 in jurisdictions where a higher age of digital consent applies, such as certain EEA member states). We do not knowingly collect personal information from children under these age thresholds. If you believe a child under the applicable age has provided us with personal data, please contact us at privacy@pineline.app and we will promptly delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via a prominent in-app notification (such as a banner or dialog) and, where you have provided an email address, by email. The “Effective Date” at the top of this page indicates when the policy was last revised.
12. Cookies & Tracking Technologies
The Pineline mobile app does not use cookies. Our marketing website at pineline.app uses Vercel Web Analytics, a privacy-focused analytics service that collects anonymized page view data without cookies or personal identifiers. No cross-site tracking is performed on either the app or the website.
13. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
- Email: privacy@pineline.app
- Operator: Terralata, LLC
- Mailing Address: 2108 N St STE N, Sacramento, CA 95816