
GDPR Compliance

How Picflow approaches data protection and GDPR compliance.

Updated today

This page explains how Picflow approaches GDPR and data protection, including how we handle customer and end-user data on the Platform.

TLDR

  • Picflow supports GDPR-aligned practices for customers and end-users.

  • For many end-user workflows, customers are controllers and Picflow is a processor.

  • We use technical and organizational measures to protect personal data.

  • Details are complemented by our DPA, Privacy Policy and Subprocessors.

1. Awareness

All team members involved in the development, operation, and maintenance of Picflow are aware of GDPR requirements relevant to their responsibilities. Security and privacy considerations are part of our development process, and code changes are reviewed before deployment to reduce the risk of security or compliance issues.

2. Information We Hold

Picflow processes personal data relating to two main groups:

  • Customers – account holders who create and manage Projects

  • End-users – people invited to view, comment on, or collaborate in Projects

Picflow does not sell personal data. Picflow may use analytics and advertising pixels for marketing measurement and to improve targeting on third-party platforms (for example, Google or Meta), as described in our Privacy Policy and Cookie Policy.

2.1 Customers

Picflow processes the following customer data:

  • Name, email address, and optional profile information (e.g. profile image)

  • Account and subscription information

  • Billing details (such as company name, address, country)

  • Payment card data is not stored by Picflow. All payment processing is handled by Stripe, which acts as an independent data controller for payment information.

For security and operational purposes, Picflow maintains limited system logs (e.g. IP address, user agent, timestamps). These logs are used for security, debugging, abuse prevention, and legal compliance, and are retained for a limited period (up to one year unless legally required otherwise).

2.2 End-Users

Depending on how a Picflow customer configures their Projects, Picflow may process the following end-user data:

  • Name and email address (e.g. for commenting, approvals, or invitations)

  • Any information voluntarily submitted by end-users through comments, annotations, or feedback tools

  • Optional metadata provided by the customer (e.g. reviewer labels or statuses)

This data is processed on behalf of Picflow customers. In most cases:

  • Picflow acts as a data processor.

  • Picflow customers act as data controllers.

End-user data is stored for as long as the Picflow customer chooses to retain it, or until the account or content is deleted. Picflow is responsible for securing the data and restricting access, while Picflow customers are responsible for ensuring that the data they collect is lawful, relevant, and appropriate.

3. Communicating Privacy Information

Picflow clearly communicates how it processes customer data in its Privacy Policy.

Picflow customers are responsible for informing their own end-users about how personal data is processed when using Picflow Projects (e.g. via their own privacy notices or terms).

4. Individuals’ Rights

Picflow respects the rights of individuals under the GDPR.

Picflow customers can access, update, download available content, request a copy of their personal data (where applicable), or delete their personal data through the Picflow application or by contacting us.

Where Picflow acts as a data processor (for example, for data relating to gallery participants and collaborators), requests from end-users should generally be directed to the relevant Picflow customer. Picflow will assist customers in fulfilling such requests where required by law.

Picflow does not use personal data for profiling or automated decision-making that produces legal or similarly significant effects.

5. Subject Access Requests

Picflow responds to valid data access requests within the legally required timeframe (up to one month). Requests are handled free of charge unless they are manifestly unfounded or excessive.

6. Lawful Basis for Processing Personal Data

Picflow processes personal data based on one or more of the following lawful bases:

  • Contractual necessity (to provide the Picflow service)

  • Legitimate interests (e.g. security, service improvement)

  • Consent, where required (e.g. optional end-user participation features)

Picflow customers are responsible for ensuring they have a lawful basis for collecting and processing end-user data within their Projects, particularly if that data is reused outside of Picflow.

7. Consent

Where consent is required, Picflow relies on Picflow customers to obtain valid consent from end-users before submitting their data to the Platform.

Picflow may allow customers to prefill or upload end-user data (e.g. invitations). Customers must ensure this data was collected lawfully and with appropriate consent.

8. Children

Picflow is a business-to-business service and is not intended for use by children. If minors are invited to Projects, Picflow customers are responsible for complying with applicable child data protection laws.

9. Data Breaches

Picflow has technical and organizational measures in place to reduce the risk of unauthorized access to personal data.

In the event of a personal data breach, Picflow will notify affected customers without undue delay after becoming aware of the breach, in accordance with GDPR requirements. Customers are responsible for notifying their own end-users where required.

10. Data Protection by Design

Picflow applies data protection principles during system design and development. This includes minimizing data collection, restricting access, and securing stored and transmitted data.

Security and privacy considerations are integrated into architectural and development decisions to protect the confidentiality, integrity, and availability of personal data.

11. Data Location and Transfers

Picflow’s primary hosting location is Ireland (EU). Customer Content (such as uploaded images and videos) is stored in Ireland (EU) and is not transferred outside the EU for hosting or storage.

Picflow is based in Switzerland, and some subprocessors may process data in other regions (including the United States). For more on international transfers and safeguards, see our Privacy Policy. Where Picflow acts as a processor for Customer Content and End-user personal data processed within Customer Projects on behalf of a customer, see our Data Processing Addendum. For a list of subprocessors, see Subprocessors.


Contact

If you have questions or concerns about this GDPR Compliance page, please get in touch with us by email at privacy@picflow.com.
