This DPA explains how Picflow processes personal data on behalf of customers when providing the service, and how subprocessors are involved. If you're an Enterprise Customer, please contact your account manager.
TLDR
This DPA applies to self-serve customers using Picflow.
Customers generally control the personal data they upload or collect in Projects.
Picflow processes some data through vetted Subprocessors.
1. Scope
This Data Processing Addendum (“DPA”) forms part of the Picflow Terms of Service and applies to self-serve customers (the “Customer”) when Picflow processes personal data on Customer’s behalf as a processor.
2. Roles
Customer is the controller for Customer Content and End-user personal data processed within Customer Projects.
Picflow is the processor for such data, processing it on Customer’s instructions as described in the Terms and this DPA.
Picflow may act as a controller for its own account administration, billing, and marketing website operations.
3. Processing details
3.1 Subject matter and duration
Picflow processes personal data to provide the Service for the subscription term and any reasonable wind-down period. By default, personal data within Customer Projects is retained in the Service as long as Customer keeps it there and Customer’s account is active. Picflow may also retain limited residual data (for example, in backups and certain logs) as described in Section 8 (Deletion and return) and as necessary for legal compliance and security.
3.2 Nature and purpose
Processing may include hosting, storage, transmission, display, access control, logging, support, and operational security.
3.3 Categories of data subjects
Customer Users and End-users (e.g., guests, reviewers, external collaborators) whose data is submitted to or generated within Customer Projects.
3.4 Categories of personal data
May include names, email addresses, account identifiers, Project participation data, comments/annotations, and technical logs (e.g., IP address and user agent) as needed to operate and secure the Service.
4. Customer instructions
Customer instructs Picflow to process personal data to provide the Service and related support, and as otherwise documented in the Terms, product documentation, and Customer’s use/configuration of the Service.
5. Picflow obligations
Picflow will:
process personal data only on documented instructions from Customer, unless required by law;
ensure personnel are bound by confidentiality obligations;
implement reasonable technical and organizational security measures;
provide reasonable assistance with data subject requests where applicable;
notify Customer without undue delay after becoming aware of a personal data breach affecting Customer personal data.
6. Subprocessors
Customer authorizes Picflow to use subprocessors to deliver the Service. A current list is maintained in Subprocessors.
7. International transfers
Picflow and its subprocessors may process personal data in countries outside the country where Customer, Users, or End-users are located. Where required by applicable law, Picflow uses appropriate safeguards for international transfers, such as the European Commission’s Standard Contractual Clauses (and other lawful transfer mechanisms where applicable).
8. Deletion and return
This Section 8 explains Picflow’s default retention, Customer-controlled deletion, and limited residual retention for Customer personal data processed under this DPA:
Default retention (platform-level). Customer personal data within Customer Projects (including End-user personal data tied to Customer Content) is retained in the Service as long as Customer’s account is active and Customer chooses to keep that content in the Service. Picflow may also retain certain technical logs and security records for a limited operational period as needed to provide, secure, and support the Service.
Customer-controlled deletion. Customer controls deletion through the Service (for example, by deleting Customer Content, removing End-users from Projects, or deleting the Customer account). Deletion requests initiated by Customer apply to the relevant Customer Content and End-user personal data tied to that content. Upon termination, Customer may download Customer Content to the extent the Service provides download functionality, for a reasonable period, after which Picflow will delete Customer personal data from active systems within a reasonable timeframe, unless retention is required by law or for backups.
Residual and legal retention. Even after deletion, some personal data may persist temporarily in (a) backups (which may be retained for up to one year) and (b) certain logs and security records for a limited period. This residual retention is limited, time-bound, and used only for legitimate purposes such as security, fraud prevention, legal compliance, dispute resolution, and enforcing applicable terms. Picflow will delete or anonymize such residual data in accordance with its retention practices once it is no longer needed.
Contact
If you have questions or concerns about this Data Processing Addendum, please get in touch with us by email at privacy@picflow.com.