Privacy Policy
Effective date: July 6, 2026
1. What this policy covers
This policy explains what personal data Pictefor ("we", "us") collects when you use the Pictefor web platform and desktop application, why we collect it, and the choices you have.
2. Data we collect
- Account data — email address, name (if provided), organization role (owner, manager, member), and authentication records. Stored with our database provider, Supabase.
- Usage data — processing-unit consumption, feature usage, device sessions (device identifier and label, used to enforce per-seat device limits), and an activity log of administrative actions within your organization.
- Billing data — handled by Paddle.com as merchant of record. We never see or store your full payment details; we receive subscription status and invoice metadata.
- Content you process — the documents, images, video, audio, and web pages you submit for extraction, and the datasets produced from them.
3. How AI processing works
When you run an extraction, the relevant content (text, image regions, or video frames) is transmitted through our relay service to third-party AI providers — currently Groq and Google (Gemini) — solely to produce your extraction results. We use these providers' API offerings, under terms which do not permit them to use API content to train their models. Your source files are processed transiently for extraction; results are stored where you choose (locally in the desktop app, or synced to your organization's cloud workspace).
4. Why we process data (legal bases)
- to provide the Service under our contract with you (accounts, extraction, sync, seat management);
- legitimate interests: securing the Service, preventing abuse, enforcing seat/device limits, and improving reliability;
- legal obligations: tax and accounting records (via Paddle);
- consent, where required (e.g. marketing emails — optional).
5. Sharing
We share data only with the processors needed to run the Service: Supabase (database and authentication), Cloudflare (relay infrastructure), Groq and Google (AI extraction, content only), Paddle (billing, as merchant of record), and Vercel (website hosting). We do not sell personal data. Within your organization, owners and managers can see member activity and usage consistent with the seat model.
6. Retention
Account and usage data are kept while your account is active and deleted or anonymized within 90 days of account deletion, except where law requires longer retention. Synced datasets are retained for 30 days after subscription termination to allow export, then deleted. Content submitted for extraction is not retained by us beyond processing.
7. Your rights
Depending on your jurisdiction (including under the GDPR), you may have rights to access, correct, export, restrict, object to processing of, or delete your personal data. Organization members should direct requests to their account owner where the organization controls the data; otherwise contact us directly and we will respond within 30 days.
8. Security
Data in transit is encrypted with TLS. Database access is protected by row-level security and scoped service credentials; administrative operations are audit-logged. No system is perfectly secure — if we become aware of a breach affecting your data we will notify you without undue delay.
9. Cookies
The platform uses strictly necessary cookies for authentication and session management. We do not use third-party advertising or tracking cookies.
10. Changes and contact
We will announce material changes to this policy on the platform or by email before they take effect. Privacy questions and requests: support@pictefor.com.