GDPR Compliance

Last updated: June 2026 · Effective: June 2026 · Privacy contact: [email protected]

This page is our transparency document under EU GDPR Articles 13 and 14. It explains who controls your data, why we process it, the legal basis for each purpose, how long we keep it, which third-party processors we use, and how to exercise all seven of your data subject rights. We do not sell your data. We do not use your images to train shared AI models.

1. Data Controller

The data controller responsible for your personal data is:

Picshoot
Operating at picshoot.app
General contact: [email protected]
Privacy & data requests: [email protected]

As data controller, Picshoot determines the purposes and means of processing personal data collected through the Picshoot platform and Shopify embedded app. Where we engage third-party processors (listed in Section 6), we do so under written data processing agreements that bind those processors to process data only on our documented instructions.

2. Who This Applies To

This GDPR compliance statement applies to EU and EEA data subjects who use Picshoot as Shopify merchants or brands. This includes individuals who:

Install the Picshoot app from the Shopify App Store;
Create a Picshoot account at picshoot.app from within the EU/EEA;
Are employees or authorised representatives of an EU/EEA-based business that holds a Picshoot subscription.

Picshoot is a B2B platform. The data subjects covered by this document are merchants and their authorised staff — not end consumers of the merchants' stores. If you are a consumer of a Picshoot merchant's Shopify store, that merchant is the data controller for your consumer data; Picshoot does not access consumer order or personal data.

3. Personal Data We Process

3.1 Account and Contact Data

Email address — required at registration; used for authentication, transactional notifications, and (with consent) marketing communications
Name — optional display name provided during onboarding
Password — stored exclusively as a salted scrypt hash; the plaintext is never retained
OAuth identifiers — Google sub-ID or Shopify shop domain when single sign-on is used

3.2 Shopify Store Data

Shopify store domain (e.g., yourstore.myshopify.com)
Store name and owner email address as returned by the Shopify Admin API at installation
Shopify API access token — used exclusively to publish AI-generated product listings to your store on your explicit instruction; never used for any other purpose
Current subscription plan and billing status as reported by Shopify's Billing API

3.3 Garment Images and AI-Generated Content

Garment photographs you upload — stored on Cloudflare R2; private to your account
AI-generated model images — produced from your garments by the Gemini image pipeline; stored on Cloudflare R2
Scene and zoom images — editorial context imagery generated for your products
AI-generated product listing copy — titles, descriptions, SEO metadata, and tags produced by Claude

Your garment images and all AI-generated outputs are private to your account and are never used to train, fine-tune, or benchmark any shared AI model, whether operated by Picshoot or by a third-party processor.

3.4 Usage and Technical Data

Pipeline actions taken (try-on, scene generation, listing generation) and associated credit costs
Feature interaction patterns — collected in aggregated, anonymised form for product improvement
Session tokens and authentication timestamps
IP address, browser type, device type, and country-level location (not street-level)
Server logs — request path, HTTP status, and response time; retained for 30 days

3.5 Data We Do Not Collect

Picshoot does not collect, process, or store:

Payment card numbers or full financial account details (billing is handled by Shopify);
Consumer personal data from your Shopify store (customer names, addresses, purchase history);
Special category data under GDPR Article 9 (health, biometric, ethnic origin, etc.);
Data from individuals under 18 years of age.

4. Legal Bases for Processing

We rely on four legal bases under GDPR Article 6. The table below maps each processing activity to its basis.

Processing Activity	Legal Basis	Details
Providing the AI pipeline service (try-on, scenes, listing copy)	Art. 6(1)(b) — Contract	Necessary to perform the subscription contract you entered into
Account authentication and session management	Art. 6(1)(b) — Contract	Required to identify you and maintain secure access to your account
Billing, plan enforcement, and credit tracking	Art. 6(1)(b) — Contract	Necessary to administer the subscription and enforce plan limits
Publishing AI-generated listings to your Shopify store	Art. 6(1)(b) — Contract	Core service feature performed on your explicit instruction
Security monitoring, fraud detection, and rate limiting	Art. 6(1)(f) — Legitimate Interests	Protecting the platform and all users from abuse; interest does not override your rights
Aggregated product analytics and usage statistics	Art. 6(1)(f) — Legitimate Interests	Improving the service based on how features are used; data is anonymised before analysis
Customer support and dispute resolution	Art. 6(1)(f) — Legitimate Interests	Responding to your queries and resolving service issues
Marketing emails and product updates	Art. 6(1)(a) — Consent	Opt-in only; you may withdraw consent at any time via the unsubscribe link or by emailing [email protected]
Responding to GDPR data subject rights requests	Art. 6(1)(c) — Legal Obligation	Required under GDPR Articles 15–22
Financial record retention for tax and audit purposes	Art. 6(1)(c) — Legal Obligation	Required under applicable financial regulations; billing records retained 7 years
Responding to Shopify GDPR webhooks	Art. 6(1)(c) — Legal Obligation	Mandatory under Shopify Partner Program requirements and GDPR

Where we rely on legitimate interests, you have the right to object to that processing at any time (see Section 5 below). We have conducted legitimate interests assessments for security monitoring and product analytics and concluded that our interests do not override your fundamental rights and freedoms.

5. Your Data Subject Rights

You have seven rights under GDPR. We honour all of them. Email [email protected] to exercise any right — we will respond within 30 days.

🔍

Right of Access (Art. 15)

Request a full copy of all personal data we hold about you, including the categories of data, purposes of processing, retention periods, and any third parties to whom it has been disclosed.

✎

Right to Rectification (Art. 16)

Request correction of inaccurate personal data or completion of incomplete data. You can update your email and display name directly in your account settings; contact us for data held in backend systems.

🗑

Right to Erasure (Art. 17)

Request deletion of your personal data — the "right to be forgotten." We will delete your account data within 30 days and purge garment and generated images within 90 days of a verified erasure request, except where retention is required by law (e.g., financial records).

🔒

Right to Restrict Processing (Art. 18)

Request that we limit how we use your data — for example, while a dispute is being resolved or while you contest the accuracy of data we hold. We will flag the data and halt non-essential processing until the restriction is lifted.

📦

Right to Data Portability (Art. 20)

Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) so you can transfer it to another provider. Applies to data processed on the basis of contract or consent.

🚫

Right to Object (Art. 21)

Object to processing based on legitimate interests (security, analytics). We will stop that processing unless we can demonstrate compelling legitimate grounds that override your rights. You may also object at any time to processing for direct marketing.

✓

Right to Withdraw Consent (Art. 7(3))

Where processing is based on your consent (marketing emails), withdraw that consent at any time without affecting the lawfulness of prior processing. Use the unsubscribe link in any email or email [email protected].

⚖

Right to Lodge a Complaint (Art. 77)

Lodge a complaint with your national data protection authority (supervisory authority) if you believe we have processed your data unlawfully. We encourage you to contact us first so we can try to resolve it directly.

How to Submit a Rights Request

Email [email protected] with the subject line: "GDPR Rights Request — [type of right]".
Include your registered email address and the Shopify store domain associated with your account so we can locate your data.
For identity verification, we may ask you to confirm a detail only the account holder would know. We will not ask for more information than necessary.
We will acknowledge receipt within 5 business days and provide a substantive response within 30 calendar days. Complex requests may be extended by a further 60 days with prior notice.
Rights requests are free of charge. We may charge a reasonable administrative fee only if a request is manifestly unfounded or excessive.

6. Third-Party Data Processors

We share data with the following sub-processors solely to operate the service. Each processor is bound by a data processing agreement (or equivalent contractual instrument) requiring them to process your data only on our documented instructions, maintain adequate security, and not disclose it to third parties for their own purposes.

Processor	Role	Data Shared	Location
Shopify Inc.	OAuth authentication, App Store billing, product publishing API	Store domain, owner email, access token, billing status	Canada / United States (adequacy + SCCs)
Google LLC (Gemini AI)	AI image generation — try-on, scenes, zoom	Garment images, model images, scene prompts	United States (SCCs / Google EU DPA)
Anthropic PBC (Claude AI)	AI text generation — product listing copy, garment analysis	Garment metadata, style descriptors; no images transmitted to Claude	United States (SCCs / Anthropic DPA)
Cloudflare Inc. (R2)	Object storage for all user images and generated assets	Garment images, AI-generated images, scene images	United States / EU nodes (Cloudflare DPA)
Railway Corp.	Application hosting and SQLite database	Account data, session tokens, usage records stored in DB	United States (SCCs)

We do not transfer personal data to countries outside the EU/EEA that lack an adequacy decision from the European Commission without ensuring that appropriate safeguards are in place, specifically Standard Contractual Clauses (SCCs) approved under GDPR Article 46(2)(c) or an equivalent mechanism recognised under applicable data protection law.

🇺🇸United States transfers: All US-based processors (Google, Anthropic, Cloudflare, Railway) are covered by EU Standard Contractual Clauses. Copies of applicable SCCs are available on request at [email protected].

🇨🇦Canada (Shopify): Canada benefits from a European Commission adequacy decision for commercial organisations under PIPEDA, supplemented by Shopify's Data Processing Addendum.

7. Data Retention

We retain personal data only as long as necessary for the purpose for which it was collected, or as required by law. The specific periods are:

Account and contact data Active + 2 years Retained for the life of your subscription plus 2 years after your last login, to allow account recovery and resolve any post-cancellation disputes.

Garment images (uploaded) Active + 90 days Retained while your account is active. Following a verified account deletion or erasure request, purged from Cloudflare R2 within 90 days.

AI-generated images Active + 90 days Same schedule as uploaded garment images. You may export generated images at any time from your account before deletion.

Product listing copy Until deleted by you Retained until you delete individual listings or request full account erasure.

Shopify access tokens Until app uninstall Revoked and purged from our database within 48 hours of receiving Shopify's uninstall webhook.

Billing and financial records 7 years Required under applicable tax and financial regulations. This data cannot be deleted on request during the mandatory retention period.

Server logs 30 days Rolling 30-day retention for security monitoring. Automatically purged on a scheduled basis.

Support correspondence 3 years Email threads with our support team retained for 3 years to assist with follow-up queries and dispute resolution.

8. Data Security

We implement technical and organisational measures appropriate to the risk, including:

Encryption in transit — all connections to picshoot.app are over HTTPS/TLS 1.2+
Encryption at rest — Cloudflare R2 encrypts stored objects at rest using AES-256
Password hashing — passwords are hashed with scrypt before storage; plaintext is never logged or retained
HTTP-only secure cookies — session cookies cannot be accessed by client-side JavaScript
SQL injection prevention — all database queries use parameterised statements
Rate limiting — authentication endpoints are rate-limited to prevent credential stuffing
Access controls — Cloudflare R2 bucket access is restricted to authenticated backend services; user assets are not publicly enumerable
Least privilege — Shopify API tokens are scoped to the minimum permissions required (product write, shop read)

No system is unconditionally secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware and will inform affected data subjects without undue delay where required by Article 34 GDPR.

9. Cookies and Local Storage

We use a single session cookie (ps_session) to maintain your authenticated session. This cookie is:

HttpOnly — inaccessible to JavaScript, protecting against XSS attacks
Secure — transmitted only over HTTPS
SameSite=Lax — mitigates CSRF risk
Session-scoped by default — expires when you close your browser, or after 30 days if you select "Remember me"

We also use browser localStorage to remember your UI preferences (theme, pipeline mode toggle). This data is stored locally on your device and is not transmitted to our servers. No third-party analytics cookies, advertising cookies, or tracking pixels are deployed. See our Cookie Policy for full details.

10. Shopify GDPR Webhooks

As a Shopify Partner, Picshoot implements all three mandatory GDPR webhooks required by Shopify:

customers/data_request (POST /webhooks/customers/data_request) — on receipt we compile and make available any personal data associated with the requesting customer within the period required by Shopify
customers/redact (POST /webhooks/customers/redact) — we do not hold consumer customer data, so this webhook is acknowledged and logged but requires no data deletion action
shop/redact (POST /webhooks/shop/redact) — on receipt, we schedule full erasure of all data associated with the merchant's store within 30 days of the webhook, in line with our data retention schedule

All webhook payloads are verified using HMAC-SHA256 against our Shopify API secret before processing.

11. Data Processing Agreement (DPA)

Enterprise customers and organisations subject to GDPR Article 28 that require a formal Data Processing Agreement with Picshoot may request one by emailing [email protected] with the subject line "DPA Request".

Our standard DPA covers:

Subject matter, duration, nature, and purpose of processing
Types of personal data and categories of data subjects
Obligations and rights of the controller
Sub-processor list and change notification procedure
Technical and organisational security measures (TOMs)
Cross-border transfer mechanisms (SCCs)
Data breach notification obligations
Audit rights and cooperation obligations

We aim to provide a completed DPA within 10 business days of a verified request.

12. Children's Privacy

Picshoot is a business-to-business platform for merchants and brands. We do not knowingly collect or process personal data from individuals under 18 years of age. If you believe a minor has created an account or their data has been submitted to our platform, please contact us immediately at [email protected] and we will take prompt action to delete that data.

13. Right to Lodge a Complaint with a Supervisory Authority

If you are an EU/EEA resident and believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the data protection supervisory authority in your EU member state. You can find your local authority at:

https://edpb.europa.eu/about-edpb/about-edpb/members_en — European Data Protection Board member list

We always encourage you to contact us first at [email protected] so that we have an opportunity to address your concern directly and promptly before a formal complaint is filed.

14. Changes to This Document

We may update this GDPR compliance statement when our processing activities change, when we onboard new sub-processors, or in response to regulatory guidance. For material changes, we will notify you by email to your registered address at least 14 days before the change takes effect and update the "Last updated" date at the top of this page. Continued use of the Service following the effective date constitutes acknowledgement of the updated document.

15. Contact and Data Requests

For all GDPR-related enquiries, data subject rights requests, DPA requests, or questions about this document:

Privacy contact: [email protected]
General support: [email protected]
Response time: We acknowledge within 5 business days and respond substantively within 30 calendar days.