privacy policy
how we collect, use, and protect your data
last updated: April 2026
introduction
Withpica Ltd ("we", "us", "our") operates the PICA platform (withpica.com). This privacy policy explains how we collect, use, disclose, and safeguard your information when you use our service.
information we collect
we collect information you provide directly and information collected automatically.
information you provide
- account information: name, email address, password
- profile information: creative roles, industry, preferences
- catalog data: works, recordings, credits, agreements
- financial data: invoices, payment information (processed by stripe)
- communications: messages, support requests, feedback
information collected automatically
- usage data: pages visited, features used, time spent
- device information: browser type, operating system, device identifiers
- log data: ip address, access times, error logs
- cookies and similar technologies: session management, preferences
third-party integrations
- when you connect third-party services (dropbox, quickbooks, notion, airtable, slack), we access data you authorise
- google workspace (optional integrations): when you connect gmail, we search and display email threads only when you or your AI explicitly query for them (for example, finding emails linked to a specific contact in your catalog). we do not index your inbox, read email proactively, or store email content beyond the specific threads you surface. when you connect calendar, we sync events related to sessions and tour dates you mark. when you connect drive, we access only the files you explicitly select or import. contact access is limited to names and addresses needed to invite collaborators. we send emails on your behalf only when you explicitly trigger a send action. pica's use and transfer to any other product of information received from google apis adheres to the google api services user data policy (https://developers.google.com/terms/api-services-user-data-policy), including the limited use requirements
- ai providers (claude, openai, gemini): we transmit your queries but do not store ai provider credentials—you bring your own api keys
- music metadata services (spotify, youtube, discogs): we access public catalog information for enrichment
how we use your information
we use your information to provide and improve our services.
- provide, maintain, and improve the pica platform
- process transactions and send related information
- send administrative messages, updates, and security alerts
- respond to comments, questions, and support requests
- analyse usage patterns to improve user experience
- detect, prevent, and address technical issues and fraud
- comply with legal obligations
public directory
pica operates a public directory at withpica.com/directory where opted-in catalog data is visible to anyone without authentication.
what becomes public
- work titles, ISWCs, and associated writer/composer credits
- people names, ISNI identifiers, and credited roles
- recording ISRCs linked to public works
- organisation names associated with listed works
opt-in mechanics
- directory listing is strictly opt-in — your data is never made public without your explicit consent
- organisations enable directory visibility through their directory settings
- you can remove your catalog from the directory at any time via settings. removal takes effect within 30 days of the request — application-level and public-API removal is immediate; search-engine cache eviction (google, bing) completes within the 30-day envelope
directory analytics
- we collect anonymous usage data on directory searches and page views
- analytics include: search queries, pages viewed, country codes (derived from ip), and referrer urls
- no personal data is collected from directory visitors — visitors are not authenticated
- analytics are used to improve the directory and may be shared with listed organisations in aggregate form
how we share your information
we do not sell your personal information. we share data only in limited circumstances.
- service providers: hosting (vercel), database (supabase), payments (stripe), email (postmark)
- third-party integrations: only when you explicitly connect and authorise
- public directory: opted-in catalog data (works, credits, identifiers) is publicly visible — see the public directory section above
- legal requirements: when required by law, court order, or government request
- business transfers: in connection with merger, acquisition, or sale of assets
- with your consent: for any other purpose with your explicit permission
data storage and security
we implement industry-standard security measures to protect your data.
- data is stored on secure servers provided by supabase (postgresql)
- files are stored in aws s3 with encryption at rest
- all data transmission uses tls/ssl encryption
- api keys and credentials are stored in encrypted vault storage
- we conduct regular security audits and vulnerability assessments
- access to personal data is restricted to authorised personnel only
your rights (gdpr & uk gdpr)
you have the following rights regarding your personal data.
- access: request a copy of your personal data
- rectification: correct inaccurate or incomplete data
- erasure: request deletion of your personal data ("right to be forgotten")
- portability: receive your data in a structured, machine-readable format
- restriction: request limitation of processing
- objection: object to processing based on legitimate interests
- withdraw consent: where processing is based on consent
to exercise these rights, visit settings > privacy in your pica workspace or contact us at legal@withpica.com.
data retention
we retain your data for as long as your account is active or as needed to provide services.
- account data: retained while your account is active
- catalog data: retained until you delete it or close your account
- financial records: retained for 7 years as required by UK tax and accounting law
- log data: retained for 90 days for security and debugging
- deleted data: permanently removed within 30 days of deletion request, except where we are legally required to retain specific records (for example, financial records under the 7-year rule above)
international data transfers
your data may be transferred to and processed in countries outside the uk/eea.
- we use service providers in the united states (aws, vercel, stripe)
- transfers are protected by standard contractual clauses or adequacy decisions
- we ensure appropriate safeguards are in place for all transfers
personal data breach notification
in the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33. where the breach is likely to result in a high risk to those rights and freedoms, we will also notify affected users without undue delay, per Article 34, via the email address on your account.
children's privacy
pica accounts require users to be at least 16 years old. this is stricter than UK GDPR's digital consent floor (13) — because pica handles royalty splits, rights claims, and legal agreements, we do not believe a 13–15 year old can meaningfully consent to the specific data processing this entails. we do not target users under 13, and do not knowingly accept accounts from or collect personal information from them. if you believe we have collected data from a person under 16, please contact us immediately at legal@withpica.com.
changes to this policy
we may update this privacy policy from time to time. we will notify you of material changes by email or through the platform. your continued use after changes constitutes acceptance.
data processing agreements
if your organisation requires a data processing agreement (dpa) for regulatory or contractual purposes, contact us at legal@withpica.com. we can provide a dpa covering the processing activities described in this policy.
data protection contact
Withpica Ltd is a small business that does not meet the UK GDPR Article 37 threshold for mandatory Data Protection Officer appointment. our designated data protection contact is legal@withpica.com, available for any privacy-related question, access request, or rights inquiry under UK GDPR Articles 15–22. where your request relates to a sub-processor's processing, we will coordinate with the relevant sub-processor to fulfil it.
contact us
if you have questions about this privacy policy or our data practices, contact us at:
email: legal@withpica.com
Withpica Ltd (company no. 09575191), United Kingdom
mcp tool usage logging
when your AI connects to PICA via MCP, we log: tool name, response time, status code, and timestamp. we do not log request bodies or response bodies. where audit trails include identifiers for debugging, personally identifiable fields (email addresses, phone numbers, ISNI, IPI, IPN) are redacted to placeholder markers before persistence. correlation IDs are retained so support can trace an issue without exposing raw data. this data is used for rate limiting, usage analytics, and debugging. it is retained for 90 days. you can view your MCP usage in your settings page.
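As an added illustration of the redaction step described above (example code, not PICA's own; the field names, placeholder format and sample event are assumed), the following Python scrubs an MCP audit event before it is persisted: request and response bodies are dropped, the listed identifier fields become placeholder markers, and the correlation ID survives so support can still trace the call.

```python
import re
from typing import Any

# Field names the policy lists as personally identifiable (assumed names for this example).
PII_FIELDS = {"email", "phone", "isni", "ipi", "ipn"}
# Request and response bodies are never persisted, so they are dropped rather than redacted.
DROPPED_FIELDS = {"request_body", "response_body"}
# Top-level keys the policy says may be logged for every MCP call (plus an assumed debug blob).
ALLOWED_TOP_LEVEL = {"tool_name", "response_ms", "status_code", "timestamp", "correlation_id", "debug"}

# Defence in depth: catch email addresses that leaked into free-text debug fields.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def _redact(value: Any, key: str = "") -> Any:
    """Recursively replace PII-bearing fields with placeholders; never mutate the input."""
    if key.lower() in PII_FIELDS:
        return f"[REDACTED:{key.upper()}]"
    if isinstance(value, dict):
        return {k: _redact(v, k) for k, v in value.items() if k not in DROPPED_FIELDS}
    if isinstance(value, list):
        return [_redact(v) for v in value]
    if isinstance(value, str):
        return EMAIL_RE.sub("[REDACTED:EMAIL]", value)
    return value


def redact_for_persistence(event: dict) -> dict:
    """Return the audit record that is safe to write to storage."""
    allowed = {k: v for k, v in event.items() if k in ALLOWED_TOP_LEVEL}
    return _redact(allowed)


# Constructed sample event, shaped like what an MCP request handler might emit.
SAMPLE_EVENT = {
    "tool_name": "search_contacts",
    "status_code": 200,
    "response_ms": 42,
    "timestamp": "2026-04-01T12:00:00Z",
    "correlation_id": "c0ffee-1234",
    "request_body": {"query": "alice@example.com"},
    "response_body": {"results": ["..."]},
    "debug": {
        "contact": {"email": "alice@example.com", "ipi": "00012345678"},
        "note": "matched alice@example.com via ISNI",
    },
}

if __name__ == "__main__":
    print(redact_for_persistence(SAMPLE_EVENT))
```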
data we do not collect via MCP
PICA MCP tools collect only the data from the user's context necessary to perform the tool's function. PICA does not pull, reconstruct, or infer the full chat log from any connected AI client. PICA does not collect payment card data, protected health information, government identifiers (such as social security, passport, or national insurance numbers), credentials (API keys, MFA codes, passwords, session tokens), precise device location (GPS coordinates or street-level addresses), or special-category personal data under UK GDPR Article 9 (racial or ethnic origin, political opinions, religious beliefs, genetic or biometric data, health, sex life or orientation). the one exception: where special-category data is strictly necessary for a specific music-industry function, it is collected only with your explicit consent disclosed at or before the point of collection. any such feature is rare and will be flagged to you before the tool runs. this is a standing commitment: every new pica MCP tool is reviewed against these rules before it ships, and any change to the rules themselves would require updating this policy and notifying you.
sub-processors and external services
PICA transmits your data to the following services in the course of providing our platform: supabase (database, authentication), AWS S3 (file storage), stripe (payment processing), postmark (transactional email), spotify API (catalog import), youtube data API (video linking), musicbrainz (metadata enrichment), MLC (rights verification), ACRCloud (audio recognition), ISNI (identifier lookup), wikidata (biographical enrichment), anthropic claude (document analysis), openai (document analysis fallback), sentry (error monitoring), google analytics (usage analytics). we maintain data processing agreements with all sub-processors that handle personal data. each sub-processor's own privacy policy governs data they receive from us; a consolidated list of links to those policies is available on request from legal@withpica.com.
ai provider data handling
when you use features that involve AI processing (document analysis, CSV column mapping, intelligent enrichment), your data is sent to anthropic (claude) or openai as a fallback. data sent to AI providers is used only for the specific operation requested, is not used to train AI models (per our agreements with providers), and is subject to each provider's data retention policy. PICA does not send your data to AI providers for any purpose other than completing the operation you requested.
workspace memory
PICA's MCP memory system stores persistent context about your workspace. this includes notes, preferences, and workflow state that your AI creates during conversations. memory data is stored in your workspace and is accessible only to you and AI clients authenticated with your connection key. you can view, edit, and delete memory entries from your settings page or via MCP tools. memory data is deleted when you close your account, following the standard 30-day retention period.