Privacy Policy

Last updated: 7 April 2026

1. Who we are

Piktara is operated by Nisqure Ltd, a company registered in England and Wales. For privacy inquiries, contact us at privacy@piktara.com.

2. What data we collect

  • Account data: Email address and name from your authentication provider (Google via Supabase Auth). We do not store passwords.
  • Photos: When you submit a curation job, your selected photos are temporarily downloaded from Google Photos to our secure cloud storage for processing.
  • Usage data: Job metadata (photo count, processing time, settings), feedback actions (winner confirmations, swaps), and analytics events.
  • Payment data: Processed by Stripe. We store only the Stripe payment intent ID, not your card details.

3. How we use your data

  • To process your photo curation jobs and deliver results.
  • To authenticate you and manage your account.
  • To process payments and issue refunds.
  • To send transactional emails (job status updates).
  • To improve our service through aggregated, anonymized analytics.

4. Photo handling and retention

Your photos receive the following protections:

  • Photos are encrypted in transit using TLS 1.2+.
  • Photos are stored in Cloudflare R2 (encrypted at rest) during processing.
  • Processing runs on isolated GPU instances that are destroyed after each job.
  • All photos, thumbnails, and reports are automatically deleted 7 days after job completion.
  • We do not use your photos to train AI models.
  • We do not share your photos with third parties.

5. Legal basis for processing (GDPR)

  • Contract performance (Art. 6(1)(b)): Processing your photos is necessary to deliver the service you requested.
  • Legitimate interest (Art. 6(1)(f)): Aggregated analytics to improve service quality.
  • Consent (Art. 6(1)(a)): Marketing emails, if you opt in.

6. Your rights (GDPR / UK GDPR)

You have the right to:

  • Access your personal data.
  • Rectify inaccurate data.
  • Erase your data ("right to be forgotten").
  • Restrict processing.
  • Receive your data in a structured format (data portability).
  • Object to processing based on legitimate interest.
  • Withdraw consent at any time.

To exercise any of these rights, email privacy@piktara.com. We will respond within 30 days.

7. Data processors and transfers

We use the following third-party processors:

  • Supabase (AWS eu-west-1) — database and authentication.
  • Cloudflare R2 — photo and report storage.
  • Modal (US) — GPU processing. Photos are processed in memory and not persisted.
  • Stripe — payment processing.
  • Resend — transactional email delivery.
  • Vercel — web application hosting.
  • Railway — API server hosting.

Some processors operate outside the EEA. Transfers are protected by Standard Contractual Clauses (SCCs) or adequacy decisions.

8. Cookies

We use only essential cookies for authentication (Supabase session tokens). We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

9. Data security

We implement encryption in transit (TLS), encryption at rest (R2, Supabase), HMAC-signed OAuth state parameters, Fernet-encrypted stored tokens, rate limiting, and security headers (CSP, HSTS, X-Frame-Options).

10. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email. The "last updated" date at the top indicates the latest revision.

11. Contact

For privacy inquiries: privacy@piktara.com

For general support: ask@piktara.com

Nisqure Ltd
England and Wales