Privacy Policy
Effective date: 26 June 2026
This Privacy Policy explains how Pica (“we”, “us”) collects, uses, and protects your personal data when you use our website and desktop application. It applies to all users, with additional rights available to residents of the European Economic Area (EEA) and the United Kingdom under the General Data Protection Regulation (GDPR / UK GDPR).
1. Data Controller
The data controller responsible for your personal data is the individual operator of Pica, reachable at mgugalka@gmail.com.
2. What data we collect and why
We collect the minimum data necessary to operate the service:
| Data | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|
| Email address | Account creation and authentication | Art. 6(1)(b) — contract performance |
| Password (hashed) | Secure sign-in | Art. 6(1)(b) — contract performance |
| Subscription status | Verifying access to paid features | Art. 6(1)(b) — contract performance |
| Stripe customer & subscription IDs | Billing and payment processing | Art. 6(1)(b) — contract performance; Art. 6(1)(c) — legal obligation |
| IP address (transient) | Security and rate limiting on our API | Art. 6(1)(f) — legitimate interests |
Your code never leaves your machine. All code indexing, semantic search, and analysis performed by the Pica desktop application runs entirely locally. We do not transmit, receive, or store any source code, file paths, or analysis results on our servers.
3. Data we do not collect
We do not collect, and have no access to:
- Your source code or project files
- Search queries or analysis results generated by the local model
- Usage telemetry or analytics
- Device identifiers or hardware information
4. Third-party processors
We use the following sub-processors to operate the service, all of which are bound by GDPR-compliant data processing agreements:
- Supabase — authentication and database (hosted in eu-central-1, Frankfurt, EU). Stores account and subscription records.
- Stripe — payment processing. Stripe is the data controller for payment card data. Their privacy policy applies to billing information.
- Vercel — website and API hosting. Request logs may temporarily include IP addresses for operational purposes.
We do not sell, rent, or share your personal data with any other third parties for marketing or advertising purposes.
5. Data retention
We retain your account data for as long as your account is active. If you delete your account, we delete or anonymise your personal data within 30 days, except where we are required to retain certain records for legal or tax compliance purposes (typically up to 7 years for billing records under EU accounting law).
6. International transfers
Your account data is stored in Supabase’s EU (Frankfurt) region and does not leave the EEA by default. Stripe may process billing data in the United States; this transfer is covered by Standard Contractual Clauses (SCCs) approved by the European Commission.
7. Your rights (EEA / UK residents)
Under GDPR and UK GDPR you have the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — request deletion of your data (“right to be forgotten”).
- Restriction — ask us to restrict processing in certain circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting prior processing.
To exercise any of these rights, email us at mgugalka@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority — in Poland: Urząd Ochrony Danych Osobowych (UODO), uodo.gov.pl.
8. Cookies
Our website uses a single session cookie set by Supabase to maintain your authenticated session. We do not use tracking, analytics, or advertising cookies. No cookie consent banner is required because the only cookie used is strictly necessary for the service to function.
9. Children
Pica is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.
10. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify registered users by email at least 14 days before the changes take effect. The effective date at the top of this page reflects the most recent version.
11. Contact
For any privacy-related questions or to exercise your rights, contact us at mgugalka@gmail.com.