picstaRELIVE THE MOMENT← Home

Privacy Policy

Last updated: 9 June 2026

1. Introduction

Picsta is a photo gallery platform with face recognition and shareable event galleries. This policy explains what personal information we collect, how we use it, how long we keep it, who we share it with, and the rights you have over it. It applies to everyone who uses Picsta — account holders, photographers, and viewers who open a shared gallery.

"We", "us" and "our" mean Picsta. "You" means the person reading this policy.

2. Contacting us

You can reach us at [email protected] for any question about this policy, your data, or to exercise the rights described in section 9.

3. Information we collect

We only collect what we need to run the service:

  • Account information — name, email, and any optional profile details you choose to add (phone, brand name, social links, bio).
  • Authentication data — a salted hash of your password (if you sign up with email), or a Google account identifier (if you sign in with Google). We never see your Google password.
  • Photos and metadata you upload — the image file, plus EXIF data the camera embedded (timestamps, dimensions, GPS coordinates if present, camera model).
  • Selfie image and face embedding — only if you opt into the "Find Me" feature. This is biometric data and is covered in detail in section 4.
  • Gallery activity — events you create or join, albums you save, share-link access codes, favorites, comments and reactions.
  • Communications — emails you send us, and metadata about transactional emails we send you (delivery status).
  • Payment information — if you buy a paid plan, we record the plan, amount, currency, status and timestamps of the transaction, plus an identifier from our payment gateway and limited device information used to detect fraud and reconcile payments. We do not store your full card, UPI or bank-account details — those are handled by our payment gateway (see section 7).
  • Technical data — IP address, user-agent, browser type, the pages you visit on Picsta, and timestamps. We use this for security, abuse prevention and debugging.

4. Face data ("Find Me" feature)

Face data is sensitive. We treat it as biometric information under the EU/UK GDPR (Article 9 special category data), the California CCPA/CPRA, and the Illinois Biometric Information Privacy Act (BIPA). This section explains exactly what we do with it.

4.1 When and why we collect it

When you opt into Find Me you choose to upload a selfie. From that selfie we extract a numeric vector — a "face embedding" — that mathematically represents the geometry of your face. We use this embedding for one purpose only: to find photos of you inside galleries you already have permission to view.

You have to actively opt in. Find Me is off by default. We never extract a face embedding from your account without your explicit consent, and we will never turn it on for you automatically.

4.2 What we do NOT do with it

  • We do not sell or rent your selfie or your face embedding.
  • We do not use it to train, fine-tune or improve any face-recognition model.
  • We do not share it with advertisers, data brokers or marketing partners.
  • We do not use it to identify you in galleries you don't have access to.
  • We do not run it against any external image search, social network, or public photo source.

4.3 How to delete it

You can delete your selfie and face embedding at any time from Settings → My Face. When you delete your selfie:

  • The selfie image file is removed from our storage.
  • The face embedding vector is removed from our database.
  • Any face-match records that linked you to photos in other people's events are also removed, so your identity is no longer attached to those photos.
  • Deletion is permanent and irreversible. We cannot restore a deleted selfie or embedding, even if you ask us to.

If you delete your account (section 9), your selfie and embedding are deleted along with the rest of your account.

4.4 Photos of you in other people's galleries

If you delete your selfie, photos that contain your face still exist in the gallery owner's event — we cannot remove them on your behalf, because they belong to the gallery owner. What we can do is sever the connection between those photos and your identity. If you want a specific photo removed, ask the gallery owner directly. If you can't reach them, contact us at [email protected].

5. How we use your information & legal bases

We process your data on the following legal bases:

  • Performance of a contract — to provide the gallery, sharing, search and download features you signed up for.
  • Your consent — for the Find Me feature (selfie + embedding), and for any optional marketing email we send. You can withdraw consent at any time.
  • Legitimate interests — to keep the service secure (abuse prevention, rate limiting, fraud detection, debugging), and to send transactional messages about your account (verification, password reset, share notifications).
  • Legal obligation — to respond to lawful requests from regulators or courts, and to retain records we're required to keep.

6. How long we keep your information

  • Account profile, events, albums and photos — kept while your account is active. When you delete your account, this data is permanently removed and cannot be recovered.
  • Selfie image and face embedding — see section 4. Removed permanently as soon as you delete your selfie or your account.
  • Security and access logs — kept for a limited period for security and audit purposes, then deleted.
  • Support email threads — kept while needed to help you, and for a reasonable period afterwards in case you reply.

7. Who we share data with

We do not sell your personal data. We share it only with the service providers we need to run Picsta, and only with the minimum data each one needs:

  • Hosting & infrastructure — the provider that hosts our database and stores your photos and embeddings.
  • Google Identity Services — when you choose "Sign in with Google", we verify your Google identity token with Google. Google learns that you signed into Picsta.
  • Face recognition — face embeddings may be generated by an external recognition provider. When that happens, only the embedding (a numeric vector) is sent — never your raw selfie or any account identifier that would let the provider tie it back to you.
  • Transactional email — the provider that delivers verification, password reset and share notification emails on our behalf.
  • Payments — when you buy a paid plan, your payment is processed by Razorpay. The card, UPI or bank details you enter go directly to Razorpay; we receive only the result of the transaction (success/failure, amount, and a payment reference). Razorpay processes your data under its own privacy policy.

Each provider is bound by their own data-processing terms and may only use your data to deliver the service to us.

8. Cookies & analytics

Picsta uses one essential cookie to keep you signed in (your authentication token). We do not use third-party advertising or tracking cookies. We do not embed Facebook, Twitter, TikTok or other social tracking pixels on this site.

9. Your rights

You have the following rights over your personal data:

  • Access — request a copy of the data we hold about you.
  • Rectification — correct anything inaccurate from your profile settings.
  • Erasure ("right to be forgotten") — permanently delete your account and everything in it yourself, from Settings → Privacy & Security. You do not need to contact us. If you created an account by mistake, you can remove it the same way.
  • Portability — download your photos in their original format from your gallery.
  • Withdraw consent — for face data, delete your selfie from Settings → My Face at any time.
  • Object / restrict — ask us to pause or limit processing while a dispute is resolved.
  • Lodge a complaint — with your local data-protection authority (in the UK that's the ICO; in the EU it's the supervisory authority of your country of residence).
  • California residents additionally have the rights to know, delete, and opt out of sale or sharing of personal information under CCPA/CPRA. We do not sell your personal information.

Most of these you can exercise directly in the app. For anything else, email [email protected] and we'll respond within 30 days.

10. Children

Picsta is not intended for children under 16 years old (or the equivalent minimum age in your country, whichever is higher). We do not knowingly collect data from children under that age. If you believe a child has created an account, please contact us and we will delete it.

11. Security

We protect your data with industry-standard measures: TLS for all data in transit, salted password hashes, least-privilege access for staff, and monitoring of our systems. No service is perfectly secure, but we take this seriously.

If we discover a personal-data breach that's likely to affect you, we will notify you (and any required regulator) within the timeframes set by applicable law — typically within 72 hours under the GDPR.

12. Photos of other people

When you upload a photo, it may contain other people's faces. You are responsible for having the right consent or legal basis to upload identifiable images of others. See our Terms of Service for the full obligation.

If you find a photo of yourself on Picsta that you want removed, the fastest route is to ask the gallery owner. If you can't reach them, email us at [email protected] and we will help.

13. Changes to this policy

We may update this policy as the service evolves. The "Last updated" date at the top will change. For material changes we'll notify you in-app and by email before the new version takes effect, and we'll ask you to re-accept it.

14. Contact

Questions about this policy or your data: [email protected]