This page explains how Picflow approaches GDPR and data protection, including how we handle customer and end-user data on the Platform.
TLDR
Picflow supports GDPR-aligned practices for customers and end-users.
For many end-user workflows, customers are controllers and Picflow is a processor.
We use technical and organizational measures to protect personal data.
Details are complemented by our Privacy Policy and Subprocessors.
1. Awareness
All team members involved in the development, operation, and maintenance of Picflow are aware of GDPR requirements relevant to their responsibilities. Security and privacy considerations are part of our development process, and code changes are reviewed before deployment to reduce the risk of security or compliance issues.
2. Information we hold
Picflow processes personal data relating to two main groups:
Customers – account holders who create and manage Projects
End-users – people invited to view, comment on, or collaborate in Projects
Picflow does not sell personal data. Picflow may use analytics and advertising pixels for marketing measurement and to improve targeting on third-party platforms (for example, Google or Meta), as described in our Privacy Policy and Cookie Policy.
2.1 Customers
Picflow processes the following customer data:
Name, email address, and optional profile information (e.g. profile image)
Account and subscription information
Billing details (such as company name, address, country)
Payment card data is not stored by Picflow. All payment processing is handled by Stripe, which acts as an independent data controller for payment information.
For security and operational purposes, Picflow maintains limited system logs (e.g. IP address, user agent, timestamps). These logs are used for security, debugging, abuse prevention, and legal compliance, and are retained for a limited period (up to one year unless legally required otherwise).
2.2 End-users
Depending on how a Picflow customer configures their Projects, Picflow may process the following end-user data:
Name and email address (e.g. for commenting, approvals, or invitations)
Any information voluntarily submitted by end-users through comments, annotations, or feedback tools
Optional metadata provided by the customer (e.g. reviewer labels or statuses)
This data is processed on behalf of Picflow customers. In most cases:
Picflow acts as a data processor.
Picflow customers act as data controllers.
End-user data is stored for as long as the Picflow customer chooses to retain it, or until the account or content is deleted. Picflow is responsible for securing the data and restricting access, while Picflow customers are responsible for ensuring that the data they collect is lawful, relevant, and appropriate.
3. Communicating privacy information
Picflow clearly communicates how it processes customer data in its Privacy Policy.
Picflow customers are responsible for informing their own end-users about how personal data is processed when using Picflow Projects (e.g. via their own privacy notices or terms).
4. Individuals’ rights
Picflow respects the rights of individuals under the GDPR.
Picflow customers can access, update, or delete their personal data, download available content, or request a copy of their personal data (where applicable), either through the Picflow application or by contacting us.
Where Picflow acts as a data processor (for example, for data relating to gallery participants and collaborators), requests from end-users should generally be directed to the relevant Picflow customer. Picflow will assist customers in fulfilling such requests where required by law.
Picflow does not use personal data for profiling or automated decision-making that produces legal or similarly significant effects.
5. Subject access requests
Picflow responds to valid data access requests within the legally required timeframe (up to one month). Requests are handled free of charge unless they are manifestly unfounded or excessive.
6. Lawful basis for processing personal data
Picflow processes personal data based on one or more of the following lawful bases:
Contractual necessity (to provide the Picflow service)
Legitimate interests (e.g. security, service improvement)
Consent, where required (e.g. optional end-user participation features)
Picflow customers are responsible for ensuring they have a lawful basis for collecting and processing end-user data within their Projects, particularly if that data is reused outside of Picflow.
7. Consent
Where consent is required, Picflow relies on Picflow customers to obtain valid consent from end-users before submitting their data to the Platform.
Picflow may allow customers to prefill or upload end-user data (e.g. invitations). Customers must ensure this data was collected lawfully and with appropriate consent.
8. Children
Picflow is a business-to-business service and is not intended for use by children. If minors are invited to Projects, Picflow customers are responsible for complying with applicable child data protection laws.
9. Data breaches
Picflow has technical and organizational measures in place to reduce the risk of unauthorized access to personal data.
In the event of a personal data breach, Picflow will notify affected customers without undue delay after becoming aware of the breach, in accordance with GDPR requirements. Customers are responsible for notifying their own end-users where required.
10. Data location and transfers
Picflow’s primary hosting location is Ireland (EU). Picflow is based in Switzerland, and some subprocessors may process data in other regions (including the United States). Where required by applicable law, Picflow uses appropriate safeguards for international transfers, such as adequacy decisions (where applicable) and the European Commission’s Standard Contractual Clauses. See our Privacy Policy, Data Processing Addendum, and Subprocessors.
11. Data Protection by Design
Picflow applies data protection principles during system design and development. This includes minimizing data collection, restricting access, and securing stored and transmitted data.
Security and privacy considerations are integrated into architectural and development decisions to protect the confidentiality, integrity, and availability of personal data.
Contact
If you have questions or concerns about this GDPR compliance page, please get in touch with us by email at privacy@picflow.com.