    Privacy Policy

    Version 2.3 — Effective June 4, 2026

    0. Joint controllers

    TINS HUB is jointly operated by Smart Earners Team Inc. (Delaware, USA) and Smart Innovation Technologies Limited (Federal Republic of Nigeria), acting as joint data controllers. The applicable controller for billing data is determined by the payment processor used for your subscription: Smart Earners Team Inc. for Stripe (international) and Smart Innovation Technologies Limited for Paystack (Africa). For all other personal data, you may direct requests to either entity at support@tinshub.com.

    1. Scope

    This policy applies to personal data we collect when you visit www.tinshub.com, create an account, use the Service, or otherwise interact with us. "Personal data" means any information relating to an identified or identifiable natural person.

    2. Data we collect

    • Account & profile: email, password hash, name, username, optional avatar, last-active timestamp.
    • Niche profile: niche, platform, audience, style, geography, format you provide for content generation.
    • Generated content & usage logs: trends and ideas generated for you, prompts, retries, decision metadata, saved ideas with sort order.
    • Billing metadata: subscription tier, plan changes, invoice references, processed webhook events. We do not store full card numbers — they are handled directly by our payment processors.
    • Payment-identity snapshot: name, email and country exactly as they appeared at each successful payment, recorded against the transaction for chargeback defence.
    • Session & security telemetry: refresh tokens (bcrypt-hashed), login activity, IP address, user agent, content security policy violation reports, rate-limit counters, gate-block events.
    • Notifications: web push subscription endpoints, in-app notification state, blog email subscription preferences.
    • Team & referrals: team membership, invite codes you create or accept, referral attribution and reward records.
    • Developer API (Power tier): API key hashes (`tp_` prefix) and usage counters.
    • Support correspondence: messages you send us.
    • Cookies & storage: see our Cookie Policy.

    2a. Embeddable Widget visitors (public trending widget)

    When a third-party website embeds our free public trending widget, our servers automatically receive and log the embedding page's hostname (parsed from the HTTP Referer) and the IP address of the visitor loading the widget, together with a short-lived embed token and request metadata (timestamp, requested platform slug, user agent). We act as an independent controller for this data and use it solely to (i) prevent abuse, scraping and token replay, (ii) enforce the Widget terms in §10a of our Terms of Service, and (iii) produce aggregate counts of embedding sites for our internal abuse panel. We do not set cookies or other persistent identifiers on the embedding site, do not fingerprint widget visitors, do not link this data to any TINS HUB account, and do not share it with embedders or third parties. Retention: 30 days; aggregate per-domain counters (no IPs) are kept for as long as the domain remains an active embedder. Lawful basis: Art. 6(1)(f) GDPR — our legitimate interest in protecting the Service from abuse.

    3. Legal bases (GDPR Art. 6)

    Purpose | Legal basis
    Provide the Service, account & subscription management | Contract
    AI generation of trends & ideas from your prompts | Contract
    Security, fraud prevention, abuse mitigation, rate limiting | Legitimate interest
    Service emails (transactional, security, billing) | Contract
    Product/marketing emails & non-essential analytics | Consent (opt-in)
    Tax, accounting, legal record retention | Legal obligation
    Chargeback & dispute defense (payment evidence) | Legitimate interest / Legal obligation

    Retention after account closure: When you close your account, personal identifiers (name, email, avatar) are anonymized within 30 days. Billing-of-record (subscriptions, payments, login/IP, webhook events, dispute correspondence) is retained for 600 days to comply with payment-network chargeback rules — Visa and Mastercard allow disputes to be filed up to 540 days after a charge in some categories. After 600 days, all remaining records for the closed account are permanently deleted.

    Payment identity snapshot: When you make a payment, we record the name, email and country as they appeared on that payment against the transaction itself. This snapshot lives with the financial record (up to 600 days) so we can defend chargebacks even after your account is anonymized. It is not used for any other purpose, is never shared outside dispute responses to your card network, and is deleted when the financial record is purged at 600 days.

    4. AI processing disclosure

    To deliver trend discovery and content generation, we transmit your niche profile, prompts, and related context to third-party AI inference providers operating in the United States and the European Union. Under our processor contracts:

    • Inputs and outputs are not used to train third-party foundation models.
    • Providers act strictly as processors on our behalf.
    • Generated outputs may resemble outputs produced for other users; AI outputs are statistical and not guaranteed to be unique, accurate, or non-infringing — please verify before use.

    See Sub-processors for the current list and regions.

    5. How we share data

    We do not sell personal data. We share it only with: (a) our sub-processors performing services on our behalf under written contracts (see below), (b) payment processors for billing, (c) authorities where required by law, and (d) successors in connection with a corporate transaction (with continued protection obligations).

    6. Sub-processors

    We engage carefully selected sub-processors for hosting, AI inference, email delivery, payments, push notifications, and object storage. The current list is published at /sub-processors and updated when changes occur. Material additions are announced at least 30 days before activation where reasonably feasible.

    7. International transfers

    Personal data may be transferred to, stored in, or processed in countries outside your own — including the United States, the European Union, and Nigeria. Where required, we rely on Standard Contractual Clauses (EU SCCs / UK IDTA) or equivalent safeguards approved by the relevant supervisory authority, together with supplementary measures such as encryption in transit and at rest.

    8. Retention

    Data category | Retention
    Account profile (active account) | Until you delete or close the account
    Account profile (after closure) | Personal identifiers anonymized within 30 days
    Generated trends & saved ideas | Until you delete them or close your account
    Refresh tokens | Up to 30 days from issuance (rotated)
    Login & security activity (login/IP, user agent) | 600 days (chargeback evidence)
    Gate-block events & rate-limit counters | 600 days / short rolling window respectively
    CSP violation reports | 30 days
    Analytics events (general product funnels) | 90 days
    Analytics events (billing/checkout/subscription) | 600 days (chargeback evidence)
    Webhook payloads, processed & quarantined webhooks | 600 days (chargeback evidence)
    Email queue — general | 7 days after send
    Email queue — receipts, refunds, invoices, dispute correspondence | 600 days (chargeback evidence)
    Dispute audit log & payment-identity snapshot | 600 days (chargeback evidence)
    Burn-rate alerts, webhook health alerts, API retry failures | 30 days
    Public widget access logs (IP + embedder hostname) | 30 days
    Database backups | Per hosting provider's automated snapshot policy (typically rolling 30 days)

    Where applicable tax, accounting or anti-fraud law requires us to retain a specific record for longer than the periods above, that legal obligation prevails over our default retention. In practice this affects only minimal billing metadata (e.g. invoice totals, VAT identifiers) needed to satisfy bookkeeping rules in our entities' jurisdictions; personal identifiers attached to those records are anonymized at the 30-day soft-delete window.

    9. Your rights

    Depending on your jurisdiction (GDPR/UK GDPR, CCPA/CPRA, Nigeria NDPA, and similar), you have the rights of access, rectification, erasure, restriction, portability and objection, as well as the right to withdraw consent and to lodge a complaint with your supervisory authority. To exercise your rights, use Profile → Export Data / Delete Account, or email support@tinshub.com. We respond within 30 days (extendable by a further 60 days where lawful).

    10. Children

    The Service is not directed to anyone under 18. If we learn we have collected personal data from a person under 18 without verified parental or guardian consent, we will delete it promptly.

    11. Security

    We apply administrative, technical, and organizational measures appropriate to the risk. See our Security page for details.

    12. Cookies, analytics & advertising

    Strictly necessary cookies (authentication, CSRF) are always set. With your opt-in consent — collected via the cookie banner — we additionally use Google Analytics 4 to measure aggregate site usage and Google Ads to measure the performance of paid ads we run. Both are operated by Google LLC and, for EEA/UK visitors, Google Ireland Limited as joint data processors / controllers under standard contractual clauses.

    Lawful basis: consent (GDPR Art. 6(1)(a)) for EEA/UK/Swiss visitors; legitimate interest with opt-out elsewhere. We use Google Consent Mode v2 — defaults are denied in the EEA, UK and Switzerland (Google receives no identifiers from your browser unless you accept) and granted elsewhere with opt-out available at any time.
    Retention: GA4 user-and-event data is retained for 14 months (the maximum GA4 allows); the cookies themselves expire after up to 13 months. You can withdraw consent at any time via "Manage cookie preferences" in the footer or on the Cookie Policy page; withdrawal stops further collection but does not delete already-aggregated reports.
    International transfers: Google may transfer data to the United States; we rely on the EU-US Data Privacy Framework and Standard Contractual Clauses for those transfers.

    See our separate Cookie Policy for the full list of cookies, durations, and the "Manage cookie preferences" control.

    13. Breach notification

    In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware. Affected users will be informed where the breach is likely to result in a high risk.

    14. Changes to this policy

    We may update this policy from time to time. Material changes will be announced by email and an in-app prompt requiring acceptance before continued use. The version and effective date appear at the top of this page.

    15. Contact

    Privacy questions: support@tinshub.com. Signed-in users can generate a per-customer Data Processing Addendum (DPA) from Settings → Legal & Compliance; counter-signed copies remain available on request.

    When we materially update these terms, we notify registered users by email and present an in-app prompt requiring acceptance before continued use.