Privacy Policy (Consumers)

For consumers (B2C)

1. Controller

The controller within the meaning of the GDPR is the operating company:

2. Data processed, purposes & legal bases

We process personal data only to the extent necessary to provide and bill the software: account/license data (name, email, license key, plan, subscription status) for performance of the contract (Art. 6(1)(b) GDPR); technical usage/activation data for license verification and abuse prevention (Art. 6(1)(f) GDPR); and voluntary information (e.g. support requests, newsletter with consent, Art. 6(1)(a) GDPR).

3. License server, activation & heartbeat

For paid plans, the software contacts our license server to verify the key and entitlement. These requests never contain your project content. For license verification and abuse prevention we process your IP address, a device fingerprint (to bind the license to devices — not a biometric identifier), the app/browser version and activation/heartbeat timestamps. The legal basis is our legitimate interest in preventing misuse (Art. 6(1)(f) GDPR). IP addresses from heartbeats are automatically anonymised after no more than 90 days; administrators access them only on concrete suspicion of license misuse.

License keys are stored server-side to enable validation; in server logs they appear only as a shortened hash, and logs contain no project content.

Beyond license verification, no behavioural tracking or profiling takes place. The software does not transmit your project content, inputs or usage patterns to us for analytics or advertising purposes.

4. Payment processing — Paddle (Merchant of Record)

Payments are processed by Paddle.com Market Ltd. (United Kingdom) as Merchant of Record. In this respect Paddle is an independent controller for payment and order data and not our processor. Data transmitted during checkout (name, email, payment method, billing address, location for tax determination where applicable) is processed by Paddle under its own responsibility. From Paddle we receive order/subscription status and a customer and subscription identifier. The transfer to the United Kingdom is covered by the EU Commission's adequacy decision (renewed on 19 Dec 2025, valid until 27 Dec 2031). Paddle's privacy notice:

paddle.com/legal/privacy

5. Local processing & your own AI access

The project content you enter in the app is processed locally on your device. For integrated AI models the software uses your own provider access/keys; transmission occurs directly from your computer to the respective provider under their privacy terms. We do not receive this content.

As you use your own provider access, the AI providers you select may be located in third countries (e.g. the USA). The legal basis and any safeguards for such a third-country transfer depend on the provider you have chosen and its terms; we are not involved in this transfer.

7. Email & newsletter

License, trial and subscription confirmation emails are sent via our hosting provider's email server; transactional emails about payments (receipts, subscription changes) are sent by Paddle. A newsletter is sent only after express consent (double opt-in) and can be unsubscribed at any time.

8. Recipients & processors

Hosting of the web/license server by webgo GmbH, Wandalenweg 14, 20097 Hamburg (Germany), as processor within the EU; a data processing agreement under Art. 28 GDPR is in place. Paddle.com Market Ltd. is an independent controller for payment processing (see section 4). We do not sell personal data.

9. Storage period

We store account and license data for as long as the account is active; accounting records are retained for the statutory retention period. Trial data is deleted 30 days after expiry if no conversion occurs. Server logs (access/error logs) are deleted after no more than 14 days; IP addresses from license heartbeats are anonymised after no more than 90 days (see section 3).

10. AI transparency

Outputs created with the software may be AI-generated or AI-modified content and may be marked machine-readably (cf. Art. 50 EU AI Act).

11. Your rights

You have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20) and objection (Art. 21), as well as the right to withdraw a given consent at any time. An email to info@picco-studio.com is sufficient to exercise these rights.

You also have the right to lodge a complaint with a data-protection supervisory authority — e.g. the Commissioner for Personal Data Protection (Cyprus) responsible for the operating company, or the supervisory authority at your place of residence.

12. Cookies, security & changes

We use exclusively technically necessary session cookies (e.g. for login and CSRF protection); these are required for operation and do not require consent. We do not use third-party tracking, analytics or advertising cookies.

We implement appropriate technical and organizational measures (TLS/HTTPS, password hashing, CSRF protection, prepared statements, rate limiting). Payment processing is handled exclusively by Paddle — raw payment data never reaches our servers. This notice may be adapted to the further development of the service; the current version is always available at this address.


© 2026 Teaser-Factory · Picco-Vision UG (haftungsbeschränkt) i.G. · operated by Picco-Studio Production Ltd., Limassol (CY)