privacy policy

how we collect, use, and protect your data

last updated: December 2024

introduction

PICA Ltd ("we", "us", "our") operates the PICA platform (withpica.com). This privacy policy explains how we collect, use, disclose, and safeguard your information when you use our service.

information we collect

we collect information you provide directly and information collected automatically.

information you provide

  • account information: name, email address, password
  • profile information: creative roles, industry, preferences
  • catalog data: works, recordings, credits, agreements
  • financial data: invoices, payment information (processed by stripe)
  • communications: messages, support requests, feedback

information collected automatically

  • usage data: pages visited, features used, time spent
  • device information: browser type, operating system, device identifiers
  • log data: ip address, access times, error logs
  • cookies and similar technologies: session management, preferences

third-party integrations

  • when you connect third-party services (dropbox, google drive, quickbooks, notion, airtable, slack), we access data you authorise
  • ai providers (claude, openai, gemini): we transmit your queries but do not store ai provider credentials—you bring your own api keys
  • music metadata services (spotify, youtube, discogs): we access public catalog information for enrichment

how we use your information

we use your information to provide and improve our services.

  • provide, maintain, and improve the pica platform
  • process transactions and send related information
  • send administrative messages, updates, and security alerts
  • respond to comments, questions, and support requests
  • analyse usage patterns to improve user experience
  • detect, prevent, and address technical issues and fraud
  • comply with legal obligations

how we share your information

we do not sell your personal information. we share data only in limited circumstances.

  • service providers: hosting (vercel), database (supabase), payments (stripe), email (sendgrid)
  • third-party integrations: only when you explicitly connect and authorise
  • legal requirements: when required by law, court order, or government request
  • business transfers: in connection with merger, acquisition, or sale of assets
  • with your consent: for any other purpose with your explicit permission

data storage and security

we implement industry-standard security measures to protect your data.

  • data is stored on secure servers provided by supabase (postgresql)
  • files are stored in aws s3 with encryption at rest
  • all data transmission uses tls/ssl encryption
  • api keys and credentials are stored in encrypted vault storage
  • we conduct regular security audits and vulnerability assessments
  • access to personal data is restricted to authorised personnel only

your rights (gdpr & uk gdpr)

you have the following rights regarding your personal data.

  • access: request a copy of your personal data
  • rectification: correct inaccurate or incomplete data
  • erasure: request deletion of your personal data ("right to be forgotten")
  • portability: receive your data in a structured, machine-readable format
  • restriction: request limitation of processing
  • objection: object to processing based on legitimate interests
  • withdraw consent: where processing is based on consent

to exercise these rights, visit settings > privacy in your pica dashboard or contact us at privacy@withpica.com.

cookies and tracking

we use cookies and similar technologies for essential functionality and analytics.

  • essential cookies: required for authentication and session management
  • preference cookies: remember your settings and preferences
  • analytics cookies: help us understand how you use pica (google analytics)
  • you can control cookies through your browser settings

data retention

we retain your data for as long as your account is active or as needed to provide services.

  • account data: retained while your account is active
  • catalog data: retained until you delete it or close your account
  • financial records: retained for 7 years for legal compliance
  • log data: retained for 90 days for security and debugging
  • deleted data: permanently removed within 30 days of deletion request

international data transfers

your data may be transferred to and processed in countries outside the uk/eea.

  • we use service providers in the united states (aws, vercel, stripe)
  • transfers are protected by standard contractual clauses or adequacy decisions
  • we ensure appropriate safeguards are in place for all transfers

children's privacy

pica is not intended for users under 16 years of age. we do not knowingly collect personal information from children. if you believe we have collected data from a child, please contact us immediately.

changes to this policy

we may update this privacy policy from time to time. we will notify you of material changes by email or through the platform. your continued use after changes constitutes acceptance.

contact us

if you have questions about this privacy policy or our data practices, contact us at:

email: legal@withpica.com

PICA Ltd, United Kingdom