privacy policy
how we collect, use, and protect your data
last updated: February 2026
introduction
Withpica Ltd ("we", "us", "our") operates the PICA platform (withpica.com). This privacy policy explains how we collect, use, disclose, and safeguard your information when you use our service.
information we collect
we collect information you provide directly and information collected automatically.
information you provide
- account information: name, email address, password
- profile information: creative roles, industry, preferences
- catalog data: works, recordings, credits, agreements
- financial data: invoices, payment information (processed by stripe)
- communications: messages, support requests, feedback
information collected automatically
- usage data: pages visited, features used, time spent
- device information: browser type, operating system, device identifiers
- log data: ip address, access times, error logs
- cookies and similar technologies: session management, preferences
third-party integrations
- when you connect third-party services (dropbox, quickbooks, notion, airtable, slack), we access data you authorise
- google workspace (gmail, calendar, contacts, drive): when connected, we read your email to process music industry communications, sync calendar events for tour dates and sessions, access contacts for collaboration, and read or write files you explicitly select for catalog attachments. we send emails on your behalf only when you explicitly trigger a send action. we do not store email content beyond processing. pica's use and transfer to any other product of information received from google apis will adhere to the google api services user data policy (https://developers.google.com/terms/api-services-user-data-policy), including the limited use requirements
- ai providers (claude, openai, gemini): we transmit your queries but do not store ai provider credentials—you bring your own api keys
- music metadata services (spotify, youtube, discogs): we access public catalog information for enrichment
how we use your information
we use your information to provide and improve our services.
- provide, maintain, and improve the pica platform
- process transactions and send related information
- send administrative messages, updates, and security alerts
- respond to comments, questions, and support requests
- analyse usage patterns to improve user experience
- detect, prevent, and address technical issues and fraud
- comply with legal obligations
how we share your information
we do not sell your personal information. we share data only in limited circumstances.
- service providers: hosting (vercel), database (supabase), payments (stripe), email (sendgrid)
- third-party integrations: only when you explicitly connect and authorise
- legal requirements: when required by law, court order, or government request
- business transfers: in connection with a merger, acquisition, or sale of assets
- with your consent: for any other purpose with your explicit permission
data storage and security
we implement industry-standard security measures to protect your data.
- data is stored on secure servers provided by supabase (postgresql)
- files are stored in aws s3 with encryption at rest
- all data transmission uses tls/ssl encryption
- api keys and credentials are stored in encrypted vault storage
- we conduct regular security audits and vulnerability assessments
- access to personal data is restricted to authorised personnel only
your rights (gdpr & uk gdpr)
you have the following rights regarding your personal data.
- access: request a copy of your personal data
- rectification: correct inaccurate or incomplete data
- erasure: request deletion of your personal data ("right to be forgotten")
- portability: receive your data in a structured, machine-readable format
- restriction: request limitation of processing
- objection: object to processing based on legitimate interests
- withdraw consent: where processing is based on consent
to exercise these rights, visit settings > privacy in your pica dashboard or contact us at privacy@withpica.com.
data retention
we retain your data for as long as your account is active or as needed to provide services.
- account data: retained while your account is active
- catalog data: retained until you delete it or close your account
- financial records: retained for 7 years for legal compliance
- log data: retained for 90 days for security and debugging
- deleted data: permanently removed within 30 days of deletion request
international data transfers
your data may be transferred to and processed in countries outside the uk/eea.
- we use service providers in the united states (aws, vercel, stripe)
- transfers are protected by standard contractual clauses or adequacy decisions
- we ensure appropriate safeguards are in place for all transfers
children's privacy
pica is not intended for users under 16 years of age. we do not knowingly collect personal information from children. if you believe we have collected data from a child, please contact us immediately.
changes to this policy
we may update this privacy policy from time to time. we will notify you of material changes by email or through the platform. your continued use after changes constitutes acceptance.
data processing agreements
if your organisation requires a data processing agreement (dpa) for regulatory or contractual purposes, contact us at legal@withpica.com. we can provide a dpa covering the processing activities described in this policy.
contact us
if you have questions about this privacy policy or our data practices, contact us at:
email: legal@withpica.com
Withpica Ltd (company no. 09575191), United Kingdom