Pica

Privacy Policy

Effective date: 26 June 2026

This Privacy Policy explains how Pica (“we”, “us”) collects, uses, and protects your personal data when you use our website and desktop application. It applies to all users, with additional rights available to residents of the European Economic Area (EEA) and the United Kingdom under the General Data Protection Regulation (GDPR / UK GDPR).

1. Data Controller

The data controller responsible for your personal data is the individual operator of Pica, reachable at mgugalka@gmail.com.

2. What data we collect and why

We collect the minimum data necessary to operate the service:

| Data | Purpose | Legal basis (GDPR Art. 6) |
| --- | --- | --- |
| Email address | Account creation and authentication | Art. 6(1)(b) — contract performance |
| Password (hashed) | Secure sign-in | Art. 6(1)(b) — contract performance |
| Subscription status | Verifying access to paid features | Art. 6(1)(b) — contract performance |
| Stripe customer & subscription IDs | Billing and payment processing | Art. 6(1)(b) — contract performance; Art. 6(1)(c) — legal obligation |
| IP address (transient) | Security and rate limiting on our API | Art. 6(1)(f) — legitimate interests |

Your code never leaves your machine. All code indexing, semantic search, and analysis performed by the Pica desktop application runs entirely locally. We do not transmit, receive, or store any source code, file paths, or analysis results on our servers.

3. Data we do not collect

We do not collect, and have no access to:

  • Your source code or project files
  • Search queries or analysis results generated by the local model
  • Usage telemetry or analytics
  • Device identifiers or hardware information

4. Third-party processors

We use the following sub-processors to operate the service. All are bound by GDPR-compliant data processing agreements:

  • Supabase — authentication and database (hosted in eu-central-1, Frankfurt, EU). Stores account and subscription records.
  • Stripe — payment processing. Stripe is the data controller for payment card data. Their privacy policy applies to billing information.
  • Vercel — website and API hosting. Request logs may temporarily include IP addresses for operational purposes.

We do not sell, rent, or share your personal data with any other third parties for marketing or advertising purposes.

5. Data retention

We retain your account data for as long as your account is active. If you delete your account, we delete or anonymise your personal data within 30 days, except where we are required to retain certain records for legal or tax compliance purposes (typically up to 7 years for billing records under EU accounting law).

6. International transfers

Your account data is stored in Supabase’s EU (Frankfurt) region and does not leave the EEA by default. Stripe may process billing data in the United States; this transfer is covered by Standard Contractual Clauses (SCCs) approved by the European Commission.

7. Your rights (EEA / UK residents)

Under GDPR and UK GDPR you have the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — request deletion of your data (“right to be forgotten”).
  • Restriction — ask us to restrict processing in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting prior processing.

To exercise any of these rights, email us at mgugalka@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority — in Poland: Urząd Ochrony Danych Osobowych (UODO), uodo.gov.pl.

8. Cookies

Our website uses a single session cookie set by Supabase to maintain your authenticated session. We do not use tracking, analytics, or advertising cookies. No cookie consent banner is required because the only cookie used is strictly necessary for the service to function.

9. Children

Pica is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.

10. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify registered users by email at least 14 days before the changes take effect. The effective date at the top of this page reflects the most recent version.

11. Contact

For any privacy-related questions or to exercise your rights, contact us at: mgugalka@gmail.com