Privacy Policy

This Privacy Policy (hereinafter "Policy") describes how Picosu (hereinafter "we", "us", "our", "Platform", "Service") collects, uses, processes, stores, transfers, and protects your personal information. We respect your privacy and strive to ensure transparency in all aspects of data processing. By using the Service, you agree to the data processing practices described in this Policy.

Last updated: March 30, 2026. Effective date: March 30, 2026.

Your Data

We only collect data necessary to provide the Service. You have full control over your data and can request its deletion at any time.

Your Content

Photos and files you upload are your property. We do not use them for marketing or sell them to third parties.

GDPR / Data Protection

We comply with GDPR requirements for EU users and the Ukrainian Personal Data Protection Act for Ukrainian users.

01

Personal Data Controller

The controller (operator) of your personal data is the operator of the Picosu platform — a sole proprietor or legal entity registered in accordance with Ukrainian law. The controller determines the purposes and means of personal data processing carried out through the Platform.

To contact the data controller or to exercise your personal data rights, please write to: [email protected]. We respond to personal data requests within 30 calendar days of receipt.

In cases where Picosu processes personal data on behalf of a photographer (for example, data of photographer's clients viewing galleries), Picosu acts as a data processor, and the photographer acts as the data controller. In such cases, responsibility for the lawfulness of processing and obtaining consent from data subjects rests with the photographer.

02

Scope of Policy

This Policy applies to all personal data we collect through: the picosu.com website and all its subdomains, Picosu mobile applications (if available), the Picosu API, email and other communication channels, and any other platforms or services where we reference this Policy.

This Policy does not apply to third-party websites or services that may be linked from our Platform. We recommend reviewing the privacy policies of such third parties before providing them with any information. Picosu is not responsible for the data processing practices of third parties.

03

Categories of Personal Data

In the course of providing the Service, we may collect and process the following categories of personal data:

  • Identification data: first name, last name, studio name, username, avatar.
  • Contact data: email address, phone number (if provided), social media links.
  • Authentication data: hashed password, OAuth tokens (Google), session tokens, IP address at login.
  • Payment data: name on card, card type, last 4 digits of card (we do NOT store full card numbers — processing is handled by Hutko). Transaction history, selected plan.
  • User content: photographs, gallery names, descriptions, watermark settings, portfolio texts, price lists, logos.
  • Technical data: IP address, browser type and version, operating system, browser language, screen resolution, referral source, device data (user agent), cookies and similar tracking technologies.
  • Usage data: access date and time, pages viewed, gallery view count and frequency, downloaded photos, view geography (country/city level based on IP address), interface actions (gallery creation, settings changes).

We do not collect "sensitive" personal data (racial or ethnic origin, political views, religious beliefs, health data, biometric data, etc.). If you inadvertently provide us with such data, we will delete it immediately upon discovery.

04

Data Sources

We receive your personal data from the following sources:

  • Directly from you — during registration, profile completion, content upload, subscription payment, contacting support.
  • Automatically — through cookies, web beacons, and similar technologies during your use of the Service.
  • From third-party services — when authenticating via Google OAuth, we receive your name, email address, and avatar URL from your Google account.
  • From payment processors — Hutko provides us with payment confirmation, transaction status, and limited payment data (without the full card number).

05

Data Processing Purposes

  • Creating and managing your account, authentication and authorization of access to Service features.
  • Providing core Service functions: cloud photo storage, gallery creation and display, portfolio page generation.
  • Payment processing, subscription management, invoicing, and financial transaction accounting.
  • Providing statistics and analytics: gallery views, visitor geography, traffic sources, download counts.
  • Ensuring Service security: detecting and preventing fraud, abuse, unauthorized access, and other threats.
  • Technical support: processing your inquiries, diagnosing issues, improving service quality.
  • Service improvement: analyzing usage patterns, testing new features, optimizing performance and interface.
  • Communication: sending service messages (registration confirmation, password reset, plan change notifications) and marketing messages (with your consent).

07

Cookies and Tracking Technologies

Picosu uses cookies and similar technologies to ensure Service operation, improve user experience, and collect analytical data. Cookies are small text files stored on your device. We use the following types of cookies: (1) Essential cookies — necessary for Service operation (authentication, session settings, language preferences, dark/light mode). These cookies cannot be disabled. (2) Analytical cookies — help us understand how users interact with the Service (visit count, popular pages, traffic sources). We may use Google Analytics or similar tools.

You can manage cookies through your browser settings. However, disabling essential cookies may result in inability to use certain Service features. We also use browser localStorage for storing authentication tokens and interface settings.

Galleries that you create and share may collect limited analytical information about visitors (IP address for country/city-level geography, user agent for device type). This data is used for gallery statistics and is not shared with third parties.

08

Data Sharing with Third Parties

We do not sell, rent, or trade your personal data. We may share your data with third parties only in the following cases:

  • Payment processors (Hutko): for processing subscription payments. We transmit the minimum data necessary to complete the transaction.
  • Cloud providers (AWS S3, Google Cloud Storage, Hetzner): for storing your photos and Service data. Data is stored in encrypted form.
  • Authentication services (Google OAuth): for enabling Google account sign-in.
  • Analytics services (Google Analytics): for collecting aggregated Service usage statistics (with your consent).
  • Law enforcement and government authorities: if required by applicable law, court order, or lawful request from law enforcement.
  • Successors: in the event of merger, acquisition, reorganization, or asset sale of Picosu, your data may be transferred to the successor, of which you will be notified in advance.
  • Professional advisors: to lawyers, auditors, and other consultants to the extent necessary to protect Picosu's legitimate interests.

All third parties that receive access to your data are required to comply with applicable confidentiality and security requirements. We enter into appropriate data processing agreements (DPA) with them in accordance with GDPR requirements.

09

International Data Transfers

Your data may be processed and stored on servers located outside your country of residence, particularly in the European Union, the United States, or other countries where our cloud providers are located. When transferring data outside the EU/EEA, we ensure an adequate level of protection through the use of: Standard Contractual Clauses (SCC) approved by the European Commission; adequacy decisions; or other appropriate legal mechanisms.

You may obtain a copy of the Standard Contractual Clauses or information about specific legal mechanisms for data transfer by contacting us at [email protected].

10

Data Retention Periods

We retain your personal data for the period necessary to achieve the purposes described in this Policy or for a longer period if required by applicable law. Specific retention periods:

  • Account data (name, email, profile): for the duration of the account + 30 days after its deletion.
  • Content (photos, galleries): for the duration of the account + up to 90 days in backups after deletion.
  • Payment information and financial records: in accordance with tax legislation requirements — typically 7 years.
  • Technical logs and usage data: up to 12 months from the date of collection.

After the retention periods expire, data is deleted or anonymized so that it cannot be linked to a specific individual. Some aggregated and anonymized data may be retained indefinitely for analytics and Service improvement purposes.

11

Your Rights (Ukrainian Law)

In accordance with the Ukrainian Personal Data Protection Act (No. 2297-VI dated 01.06.2010), as a personal data subject, you have the following rights:

  • The right to know the sources of collection, location of your personal data, purpose of processing, and the location or place of residence of the data controller or processor.
  • The right to receive information about the conditions of access to personal data, including information about third parties to whom your personal data is transferred.
  • The right to access your personal data — to receive confirmation of processing and a copy of your data.
  • The right to submit a reasoned request for modification or destruction of your personal data to any data controller or processor.
  • The right to protect your personal data from unlawful processing and accidental loss, destruction, or damage.
  • The right to file complaints regarding personal data processing with the Ukrainian Parliament Commissioner for Human Rights or the courts.
  • The right to apply legal remedies in case of violation of personal data protection legislation.
  • The right to make reservations regarding restrictions on the right to process your personal data when giving consent.

To exercise any of these rights, contact us at [email protected]. We will review your request within 30 calendar days.

12

Your Rights (GDPR / EU)

If you are a resident of the European Union or European Economic Area, under the General Data Protection Regulation (GDPR), you have the following additional rights:

  • Right of access (Article 15 GDPR): the right to receive confirmation of processing and a copy of your personal data, as well as information about processing purposes, data categories, and recipients.
  • Right to rectification (Article 16 GDPR): the right to request correction of inaccurate or completion of incomplete personal data.
  • Right to erasure / "right to be forgotten" (Article 17 GDPR): the right to request deletion of your personal data under certain conditions.
  • Right to restriction of processing (Article 18 GDPR): the right to request restriction of processing of your data under certain circumstances.
  • Right to data portability (Article 20 GDPR): the right to receive your data in a structured, commonly used, and machine-readable format and to transfer it to another controller.
  • Right to object (Article 21 GDPR): the right to object to processing of your data on the grounds of legitimate interest or for direct marketing purposes.
  • Right not to be subject to automated decision-making (Article 22 GDPR): the right not to be subject to a decision based solely on automated processing, including profiling.
  • Right to lodge a complaint with a supervisory authority: you have the right to lodge a complaint with the relevant data protection supervisory authority in your country.

To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days (or less if required by law). In exceptional cases, the period may be extended to 60 days, of which you will be notified. Exercise of your rights is free of charge, except for manifestly unfounded or excessive requests.

13

Data Security

We implement appropriate technical and organizational measures to protect your personal data from unauthorized access, alteration, disclosure, or destruction. These measures include but are not limited to: data encryption in transit (TLS/SSL) and at rest (AES-256), password hashing using PBKDF2 with unique salt, regular data backups, personnel access to personal data limited by the principle of least privilege, security monitoring, and access logging.

Despite the measures taken, no method of data transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data. In the event of a data breach or security incident, we will notify you and the relevant supervisory authorities in accordance with applicable law (within 72 hours for GDPR).

14

Children's Data

Picosu is not intended for use by persons under 18 years of age. We do not knowingly collect personal data from children. If you are a parent or guardian and become aware that your child has provided us with personal data without your consent, please contact us at [email protected], and we will immediately take steps to delete such data.

15

Changes to Privacy Policy

We reserve the right to update this Privacy Policy at any time. In the event of material changes, we will notify you by email or through the Platform interface. The updated version takes effect upon publication unless otherwise specified.

We recommend regularly reviewing this Policy to stay informed of the current version. Continued use of the Service after the updated Policy takes effect constitutes your acceptance of the changes.

16

Contact Information

If you have questions, suggestions, or complaints regarding this Privacy Policy or the processing of your personal data, please contact us: Email: [email protected]. We respond to all inquiries within 30 calendar days.

If you believe your data protection rights have been violated, you have the right to file a complaint with: the Ukrainian Parliament Commissioner for Human Rights (for Ukrainian citizens); the relevant data protection supervisory authority in your country (for EU/EEA citizens); or the courts in accordance with applicable law.