Privacy policy
Effective 2 July 2026 · Eleven Ways, Ghent, Belgium
The short version
Pinza is local-first. There is no account, no analytics, no telemetry, and no advertising. What you copy stays on your Mac. The few network connections the app can make are listed below — all of them, with what each one sends and how to turn it off.
Your copy history
Everything Pinza saves — URLs, file paths, titles — is stored only on your Mac, in an AES-256-encrypted SQLite database under ~/Library/Application Support/Pinza/. The encryption key is generated on first launch and stored in your macOS Keychain, marked device-only: it never syncs and is never included in backups. The Recently Deleted Bin can additionally require Touch ID.
What Pinza reads on your Mac
- Pinza reads the frontmost app's state (the tab URL, the selected file, the open note) only at the moment you press a shortcut — never in the background.
- If you schedule a pin as a reminder, Pinza writes to Reminders via Apple's EventKit. It never reads your existing reminders.
- The MCP server, when enabled, communicates over a local Unix socket with file-permission checks. It has no network component; nothing leaves your Mac.
Every network connection Pinza can make
This table is exhaustive. "You control it" names the switch in Settings.
| Connection | What is sent | When | You control it |
|---|---|---|---|
| Update check (GitHub Pages) | A standard web request for the update feed; GitHub sees your IP address. | Daily, and when you choose Check for Updates | Settings → About → updates toggle |
| Website favicons | A request to each site already in your history, for its icon. Fetched directly from the site — never via a third-party service. Cached locally. | When a URL appears in your recents | Settings → Recents → Fetch website favicons |
| Rich preview images | A request for artwork (album covers) to the source service's image server. | When you hover an entry with artwork | Settings → Recents → Fetch rich preview images |
| Music links (song.link) | The public URL of the track you copied, sent to the Odesli (song.link) API to offer open-in-other-service links. No personal identifier. | When you copy or hover a music entry | No dedicated switch yet — avoided entirely by not using the music integrations |
| Podcast & book metadata (Apple) | The public show, episode, or book identifier, sent to Apple's iTunes lookup API for titles and artwork. | When you copy a Podcasts or Books item | Podcasts: the rich-previews toggle. Books: no dedicated switch |
| YouTube channel avatars | The public channel ID, to fetch the channel's avatar from YouTube. | When a YouTube entry appears in recents | Settings → Integrations → YouTube avatars |
| Link liveness check | A minimal HEAD request to URLs in your history, to dim dead links. | On hover — only if you enabled it | Settings → Recents. Off by default |
| Google Drive (optional sign-in) | OAuth tokens and file identifiers to Google's APIs, read-only, to copy Drive document contents. Google's privacy policy applies. | Only after you sign in, on copy of a Drive document | Settings → Integrations → sign out |
| Notion (optional sign-in) | OAuth tokens and page identifiers to Notion's API, to export a page as Markdown. Notion's privacy policy applies. | Only after you sign in, on copy of a Notion page | Settings → Integrations → sign out |
| PDF download | A request for the PDF you're copying, saved to your Downloads folder. Sent without your browser cookies. | Only when you explicitly copy a PDF link | Only fires on that explicit action |
| License activation (Gumroad) | Your license key, sent to Gumroad's license API for verification. Gumroad is the merchant of record for purchases — your name, email, and payment details are handled by Gumroad under their privacy policy. | When you activate, deactivate, or — at most weekly — silently re-verify a license | Only applies to Pro purchases |
| Crash reports (Sentry) | Crash stack traces and basic device info. Never clipboard contents, URLs, or paths; user identifiers are stripped before sending. | Only if you opted in. Off by default | Settings → About → Diagnostics |
One nuance for completeness: when Pinza downloads a PDF that needs your browser session, it asks the browser itself to fetch the file — that traffic comes from your browser, with its cookies, not from Pinza.
What Pinza never does
- No analytics or tracking of any kind, first- or third-party.
- No account, no sign-up, no mailing list attached to the app.
- Your clipboard history is never transmitted anywhere.
- No data is sold or shared. There's nothing to sell.
Deleting your data
Delete the app and the folder ~/Library/Application Support/Pinza/. That's everything. The Keychain entries (database key, license) can be removed with Keychain Access.
Changes and contact
If this policy changes, the effective date above changes with it and the history is visible in the site's public repository. Questions: hello@pinza.app.