Privacy Policy

Last updated: April 2026 (rev. 2) · Bjørkå Flatin ENK / Tinn

Tinn is a product specification and mood board tool for interior architects and designers. This policy explains what personal data we collect, why we collect it, who we share it with, how long we keep it, and what rights you have.

1. Who is responsible for your data

Data controller: Bjørkå Flatin ENK, org. no. 933 152 893, Norway.
Contact: simon@bjorkaflatin.no

If you have questions about how your data is handled, or want to exercise any of your rights, email the address above. We will respond within 30 days.

2. What data we collect and why

Account and profile data

Email address — required to create an account and send you sign-in links.
Full name and company name — provided by you at registration, used to personalise the interface and identify you in shared projects.
Sign-in provider — we record whether you signed in via email or Google so we can route authentication correctly.

Legal basis: performance of a contract (GDPR Art. 6(1)(b)) — these are necessary to provide the service.

Project and specification data

Everything you create inside Tinn — projects, products, mood boards, notes, supplier links, images.
This is your professional work product. We store it to make the service function and do not access it except to diagnose technical problems at your request.

Legal basis: performance of a contract (Art. 6(1)(b)).

Onboarding and preference data

Role, project type, team size, and currency preference — collected optionally on first login to personalise the experience.
You can skip this at any time. It does not affect access to the service.

Legal basis: legitimate interest (Art. 6(1)(f)) — improving the product for professional users.

Usage and technical data

Basic server logs (IP address, browser type, page visited, timestamp) collected automatically by our hosting provider (Vercel). Retained for up to 30 days.
No third-party analytics scripts (no Google Analytics, no tracking pixels).

Legal basis: legitimate interest (Art. 6(1)(f)) — diagnosing errors and ensuring security.

Client portal data

If you share a project via the client portal, your clients' email addresses and their votes/comments are stored. You are responsible for informing your clients that their data is processed through Tinn.

Legal basis: performance of a contract (Art. 6(1)(b)) between you and your clients.

3. Who we share your data with

We do not sell or rent your data. We use the following third-party processors:

Supabase — database, authentication, and file storage. Data is stored in the EU (Frankfurt region). SOC 2 Type 2 compliant.
Vercel — application hosting and CDN. Server logs held for up to 30 days.
Resend — transactional email (magic links, project invitations). Only your email address is shared.
Google — optional "Sign in with Google". If you use this, Google shares your name, email, and profile picture with us. Governed by Google's own privacy policy.
Cloudflare R2 — object storage for project images (mood boards, plan drawings, site photos). Images are stored in the EU region. GDPR compliant.

All processors are required by contract to process your data only on our instructions and to protect it in accordance with GDPR.

4. How long we keep your data

Account and profile data — kept for as long as your account exists. Deleted within 30 days of account deletion.
Project data — kept for as long as your account exists. You can delete individual projects at any time.
Server logs — up to 30 days, then automatically deleted by Vercel.
Audit logs — security-related events (logins, exports) kept for 90 days.

You can delete your entire account and all associated data from Settings → Delete Account. Deletion is permanent and cannot be undone.

5. Cookies and local storage

Session cookie (sb-*) — set by Supabase to keep you signed in. Expires after 30 days of inactivity.
Auth marker cookie (tinn_auth) — a lightweight indicator used by our server to route you correctly. Contains no personal data.

No advertising cookies. No cross-site tracking. No consent banner is shown because we only use strictly necessary cookies.

6. International data transfers

Your data is primarily stored within the EU (Supabase Frankfurt). Vercel may route requests through servers in other regions as part of its CDN, but does not persistently store personal data outside the EU. Any transfers outside the EEA are covered by Standard Contractual Clauses (SCCs).

7. Your rights under GDPR

If you are in the EU/EEA (or Norway), you have the following rights:

Access — request a copy of the personal data we hold about you.
Rectification — ask us to correct inaccurate data.
Erasure — ask us to delete your data. You can also do this yourself via Settings → Delete Account.
Data portability — request your data in a machine-readable format (JSON export available via Settings → Export Data).
Restriction — ask us to pause processing while a complaint is pending.
Objection — object to processing based on legitimate interest.
Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any right, email simon@bjorkaflatin.no. We will respond within 30 days. You also have the right to lodge a complaint with the Norwegian Data Protection Authority: Datatilsynet (datatilsynet.no), or the supervisory authority in your country of residence.

8. Security

We implement industry-standard security measures: HTTPS everywhere, row-level security on the database, scoped API keys, rate limiting on sensitive endpoints, and audit logging of security events. No system is perfectly secure; if you discover a vulnerability, please report it to simon@bjorkaflatin.no.

9. Children

Tinn is a professional tool intended for adults. We do not knowingly collect data from anyone under 16. If you believe a minor has created an account, please contact us and we will delete it promptly.

10. Changes to this policy

We may update this policy. If changes are material, we will notify registered users by email at least 14 days before they take effect. The "last updated" date at the top always reflects the current version.

Questions? simon@bjorkaflatin.no · Terms of Service