Privacy Policy
Last updated: June 15, 2026
Data Controller: Anidit Picture · Data protection contact: privacy@pictaway.com
1. Introduction
Pictaway is operated by Anidit Picture, a business registered in Hong Kong SAR. We are committed to protecting your privacy and handling your personal data transparently and lawfully.
This Privacy Policy explains:
- What personal data we collect
- Why we collect it and our legal basis for processing
- Who we share it with
- How long we keep it
- Your rights regarding your data
- How we protect it
For specific data processing activities (such as uploading facial images), we obtain your explicit consent through checkboxes within the Service interface.
2. Data Controller and Data Protection Officer
Data Controller: Anidit Picture, Hong Kong SAR.
Data Protection Contact: privacy@pictaway.com — response within 30 days (or sooner where required by law).
We do not currently have a formally appointed Data Protection Officer under GDPR (our core activities do not involve large-scale systematic monitoring). For EU residents, you may also lodge a complaint with your local supervisory authority — see Section 11.
3. What Personal Data We Collect
3.1 Data You Provide Directly
| Category | Examples | Required/Optional |
|---|---|---|
| Account Data | Email address, name (if provided) | Required |
| Reference Photos | Facial images, couple portraits, related photographs | Required for order fulfillment |
| Order Data | Destination selections, style preferences, plan type | Required for order fulfillment |
| Communication Data | Emails, support inquiries, revision requests | Optional |
| Marketing Consent | Opt-in preference for promotional emails | Optional — separate consent |
| Age Verification | Confirmation of age ≥ 18 | Required |
3.2 Sensitive Personal Data — Facial Images
Your uploaded Reference Photos contain facial images, classified as special category / sensitive personal data under GDPR Article 9 and Hong Kong PDPO.
We process facial images only with your explicit consent, obtained through checkboxes during order creation:
- "I understand my photos will be processed by AI and reviewed by a Pictaway artist"
- "I have the right to use these photos and consent to Pictaway creating portraits from them"
Your facial images are used exclusively for generating your ordered portraits. They are never used for AI model training or marketing, and are never shared with third parties beyond our processing pipeline.
Your responsibility for others' data: if your uploaded photos contain images of other people, YOU bear sole and complete responsibility for obtaining their fully informed consent.
3.3 Data Collected Automatically
| Category | Examples | Purpose |
|---|---|---|
| Technical Data | IP, browser, OS, device, screen | Service operation, security, analytics |
| Usage Data | Pages visited, features used, time on site | Service improvement, analytics |
| Cookie Data | Session tokens, preferences, analytics IDs | See Cookie Policy |
| Payment Metadata | Transaction amounts, plan, status | Order processing, accounting |
3.4 Data We Do NOT Collect or Retain
- Complete credit card numbers (handled entirely by Stripe)
- Government ID numbers, social security numbers, or passport data
- Precise geolocation data
- Persistent biometric templates or facial-recognition profiles for identification
Important note on facial features: our AI sub-processors (e.g. Higgsfield, Replicate) necessarily perform transient face-feature extraction on your Reference Photos in order to generate your portraits. We do not store, reuse, or build any persistent biometric template, embedding, or face-recognition database from this processing, and our processors are contractually prohibited from doing so. After your retention window (see Section 7) the underlying photos are deleted, and any in-memory features used during generation are discarded by the sub-processor.
4. How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Generate AI Portraits | Reference Photos, selections | Explicit consent (GDPR Art. 6(1)(a), 9(2)(a)) |
| Process and Deliver Orders | Account, order, payment metadata | Contract performance |
| Human Quality Review | Reference Photos, Generated Portraits | Contract; Legitimate interest |
| Order Communications | Email, order data | Contract performance |
| Marketing Emails | Email + opt-in flag | Separate consent |
| Customer Support | Communication, order history | Contract; Legitimate interest |
| Service Improvement | Usage, technical (anonymized) | Legitimate interest |
| Security & Fraud Prevention | Technical, usage patterns | Legitimate interest; Legal obligation |
| Legal Compliance | As required | Legal obligation |
| Age Verification | Age confirmation checkbox | Legal obligation |
4.1 Marketing Communications
We send marketing emails ONLY to users who explicitly opted in during onboarding. Withdraw consent anytime via the unsubscribe link or by emailing hello@pictaway.com.
5. Data Sharing and Sub-Processors
We share your personal data only with the service providers necessary to operate our Service. For the full list and processing terms, see our Data Processing Agreement.
5.1 Current Sub-Processors
| Provider | Service | Location | Safeguards |
|---|---|---|---|
| Supabase, Inc. | Database, auth, storage | USA, Global (AWS) | SCCs; SOC 2; ISO 27001 |
| Cloudflare, Inc. | CDN, R2 image storage | Global | SCCs; ISO 27001 |
| Stripe, Inc. | Payment processing | USA, Global | SCCs; PCI-DSS Level 1 |
| Higgsfield, Inc. | AI generation (primary) | USA | SCCs; contractual DPA |
| Replicate, Inc. | AI generation (backup) | USA | SCCs; contractual DPA |
| Brevo (Sendinblue) | Email marketing | France (EU) | EU adequate |
| Resend, Inc. | Transactional email | USA | SCCs |
5.2 AI Processing Sub-Processors
Our AI providers (Higgsfield and Replicate) receive Reference Photos via API, process them, return Generated Portraits, and delete input from active systems. They are contractually prohibited from retaining your photos or training models on them.
5.3 No Sale of Personal Data
We do NOT sell, rent, or trade your personal data.
5.4 Legal Disclosures
We may disclose data if required by law, court order, or governmental regulation, or to protect rights, safety, or against legal liability.
6. International Data Transfers
Your data may be transferred to and processed outside your country. For transfers from the EEA, UK, or Switzerland, we rely on EU Standard Contractual Clauses (Implementing Decision 2021/914), the UK IDTA, and technical safeguards (TLS 1.3 in transit, AES-256 at rest).
Under Hong Kong PDPO (Cap. 486), data transferred outside Hong Kong is protected by comparable contractual provisions.
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Reference Photos (uploaded selfies) | Deleted within 30 days after delivery |
| Generated Portraits | 90 days after delivery, then permanently deleted |
| Account Data | While active + 2 years after last activity |
| Payment Records | 7 years (Hong Kong tax) |
| Order Metadata | 2 years after completion |
| Email Communications | 1 year |
| Marketing Consent Records | While active + 3 years after withdrawal |
| Technical Logs | 90 days |
| Cookie Data | Per Cookie Policy |
You may request earlier deletion anytime by emailing privacy@pictaway.com. We process deletion requests within 30 days, subject to legal retention obligations.
8. Your Data Protection Rights
8.1 GDPR Rights (EEA Residents)
- Access (Art. 15) — request a copy of your data
- Rectification (Art. 16) — correct inaccurate data
- Erasure (Art. 17) — request deletion ("Right to be Forgotten")
- Restrict Processing (Art. 18)
- Data Portability (Art. 20) — receive data in JSON
- Object (Art. 21) — to legitimate-interest processing
- Withdraw Consent (Art. 7(3)) — at any time
- Lodge a Complaint (Art. 77) — with your local supervisory authority
8.2 CCPA/CPRA Rights (California)
Right to Know, Delete, Opt-Out (we don't sell), and Non-Discrimination. Email privacy@pictaway.com with "CCPA Request". Response time: 45 days.
8.3 Hong Kong PDPO Rights
Request access, correction, and information about our data handling. Email privacy@pictaway.com.
8.4 Response Timeline
GDPR: 30 days · CCPA: 45 days · PDPO: 40 days.
9. Security Measures
| Measure | Details |
|---|---|
| Encryption in transit | TLS 1.3 |
| Encryption at rest | AES-256 |
| Access control | Role-based; Row-Level Security (RLS); admin restricted |
| Authentication | Passwordless email; JWT token-based API |
| Payment security | PCI-DSS Level 1 via Stripe; we never handle raw card data |
| Sub-processor vetting | SOC 2 / ISO 27001 review |
| Automated deletion | Scheduled jobs enforce retention schedule |
No method of electronic storage or transmission is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
10. Breach Notification
We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach (GDPR), and notify affected users without undue delay if the breach is likely to result in high risk.
11. Complaints and Supervisory Authorities
Please contact us first at privacy@pictaway.com. If unsatisfied, you may lodge a complaint with your local data protection authority.
- EEA: Your national DPA — list at edpb.europa.eu/about-edpb/about-edpb/members_en
- Hong Kong: Office of the Privacy Commissioner for Personal Data — pcpd.org.hk
- UK: ICO — ico.org.uk · 0303 123 1113
12. Age Restriction — Children's Privacy
Our Service is NOT intended for individuals under 18 years of age. We do not knowingly collect personal data from anyone under 18. If we discover that we have collected such data, we immediately delete it, terminate the account, and notify the individual where appropriate.
13. Cookies and Tracking Technologies
14. Automated Decision-Making
Our AI generation involves automated processing of Reference Photos, but human reviewers perform quality control before final delivery. You retain the right to request human review.
15. Third-Party Links
Our Service may contain links to third-party websites not operated by us. We are not responsible for their privacy practices.
16. Changes to This Privacy Policy
When we make material changes we will: post the updated policy with a new "Last Updated" date; notify registered users by email; and display a notice on our website for a reasonable period.
17. Contact Information
| Purpose | Contact |
|---|---|
| Data rights requests | privacy@pictaway.com |
| Data breach concerns | privacy@pictaway.com (Subject: "URGENT — Data Breach") |
| General privacy questions | privacy@pictaway.com |
| Account deletion | hello@pictaway.com (Subject: "Account Deletion Request") |
Anidit Picture, Hong Kong SAR.
Appendix A — GDPR-Specific Disclosures
Lawful Bases for Processing (Article 6):
| Activity | Lawful Basis |
|---|---|
| Account creation and management | Contract (Art. 6(1)(b)) |
| Order fulfillment (Reference Photos) | Contract (Art. 6(1)(b)) |
| Processing facial images | Explicit consent (Art. 6(1)(a) + 9(2)(a)) |
| Human quality review | Contract; Legitimate interest |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Service improvement (anonymized) | Legitimate interest |
| Security & fraud prevention | Legitimate interest |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
Our legitimate interests include maintaining and improving the Service, ensuring security, preventing fraud, and conducting anonymized analytics. You may object at any time.
Appendix B — CCPA-Specific Disclosures
Categories of Personal Information collected (past 12 months):
| Category | Collected? | Sold? | Disclosed for Business Purpose? |
|---|---|---|---|
| Identifiers (name, email, IP) | Yes | No | Yes (sub-processors) |
| Personal Information (Cal. Civ. Code §1798.80(e)) | Yes (photos) | No | Yes (AI processors) |
| Commercial Information | Yes (order history) | No | Yes (payment processor) |
| Internet/Electronic Activity | Yes (usage data) | No | No |
| Geolocation Data | No | — | — |
| Biometric Information | Yes (facial images for generation) | No | Yes (AI processors, temporarily) |
| Inferences | No | — | — |
For business customers: view our Data Processing Agreement.