Privacy Policy

Last updated: January 2026

1. Data Controller Identity

Picturalia is the data controller for your personal data. You can contact us at: hello@picturalia.com. We operate from Spain and comply with the General Data Protection Regulation (GDPR) and the Spanish Organic Law on Data Protection (LOPD).

2. Data We Collect

We collect: (a) Identification data: name, email, avatar; (b) Uploaded images: original and transformed photographs; (c) Usage data: site interactions, preferences, transformation history; (d) Technical data: IP address, browser type, operating system; (e) Payment data: processed by Lemon Squeezy (we do not store complete banking details).

3. Legal Basis and Purpose of Processing

We process your data under the following legal bases: (a) Contract performance: to provide the image transformation service; (b) Consent: to send marketing communications (you can withdraw it at any time); (c) Legitimate interest: to improve our services, detect fraud, and ensure security; (d) Legal obligation: to comply with tax and legal requirements.

4. Data Retention

We retain your data while your account remains active. After account deletion: (a) Personal data: deleted within 30 days; (b) Images: immediately deleted from active storage; (c) Tax data: retained for 6 years per Spanish legislation; (d) Security logs: up to 12 months.

5. Sharing Data with Third Parties

We share data only with necessary service providers: (a) Supabase (United States): database and file storage - EU Standard Contractual Clauses; (b) Google Gemini API (United States): AI image processing - transfer based on Privacy Shield/SCCs; (c) Lemon Squeezy (United States): payment processing - Merchant of Record; (d) Vercel (United States): web hosting. All our providers comply with GDPR and have Data Processing Agreements (DPAs).

6. Your GDPR Rights

You have the right to: (a) Access: request a copy of your personal data; (b) Rectification: correct inaccurate data; (c) Erasure/Deletion: delete your account and data ("right to be forgotten"); (d) Object: object to the processing of your data; (e) Restriction: request processing restriction; (f) Data portability: receive your data in structured format; (g) Withdraw consent: for marketing communications at any time. To exercise these rights, contact hello@picturalia.com.

7. Automated Decisions and AI

We use artificial intelligence (Google Gemini) to transform images. This processing is automatic and does not involve profiling or decisions producing legal effects. Transformations are based solely on your explicit instructions.

8. Children's Privacy

Our service is NOT directed at children under 14 years old (Spain) or 16 years old (rest of EU). If you become aware that a minor has provided data without parental consent, contact hello@picturalia.com to delete it immediately.

9. Data Security

We implement technical and organizational measures: (a) SSL/TLS encryption in all communications; (b) Encrypted storage of images and sensitive data; (c) Secure authentication via Supabase Auth; (d) Regular backups; (e) Strict access controls; (f) Regular security audits. However, no system is 100% secure.

10. Cookies and Similar Technologies

We use cookies for: (a) Essential: authentication, security (no consent required); (b) Functional: language preferences, settings (implied consent); (c) Analytics: usage metrics, performance (explicit consent); (d) Marketing: (if applicable) ad personalization (explicit consent). You can manage cookies from your browser settings. See our Cookies page for more information.

11. International Transfers

Your data may be transferred outside the European Economic Area (EEA) to the United States. We ensure protection through: (a) EU Commission Standard Contractual Clauses (SCCs); (b) Providers certified under adequacy frameworks; (c) Transfer Impact Assessments (TIAs). You can request information about specific safeguards at hello@picturalia.com.

12. Policy Modifications

We may update this policy periodically. Substantial changes will be notified by email or prominent notice on the website. The "Last updated" date indicates the current version. Continued use of the service after modifications implies acceptance of changes.

13. Complaints and Supervisory Authority

If you believe that the processing of your data violates regulations, you can file a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es - Electronic headquarters: https://sedeagpd.gob.es - Address: C/ Jorge Juan, 6, 28001 Madrid, Spain - Phone: +34 901 100 099. You also have the right to file a complaint with the supervisory authority of your country of residence.

14. User Responsibility for Images

By uploading images, you declare: (a) Having all necessary rights to the images; (b) Having consent from photographed individuals (especially minors); (c) Not violating image rights, privacy, or intellectual property of third parties; (d) Complying with data protection regulations when sharing images of others. Picturalia is not responsible for improper use of images by users.

15. Contact and Data Protection Officer

For any questions about this Privacy Policy or to exercise your rights: Email: hello@picturalia.com (Subject: "Data Protection"). We commit to responding within a maximum of 30 days.