Privacy Policy

This Policy is adopted to ensure the protection of human and civil rights and freedoms during the processing of personal data, including the right to privacy and the protection of personal and family secrets.

The Policy is open and publicly available. Using the Service constitutes the user's unconditional consent to this Policy and to the conditions of personal data processing described herein. If the user does not agree, they should refrain from using the Service.

The personal data operator (within the meaning of Article 3 of Law No. 152-FZ) is the sole proprietor whose details are listed below.

• Personal data means any information directly or indirectly relating to an identified or identifiable individual (the data subject).
• Processing means any action or set of actions performed on personal data, with or without automation, including collection, recording, systematization, accumulation, storage, clarification, retrieval, use, transfer, depersonalization, blocking, deletion, and destruction.
• User means an individual who uses the Service, including site visitors, registered users, and guest users.
• Cookies means small text files that the user's browser stores when visiting the Service.

The Operator processes the following categories of personal data:

• identification data: name, displayed name in the Service, account identifier;
• contact data: e-mail address, Telegram identifier, identifiers of third-party authentication accounts (VK, Yandex, Google);
• technical data: IP address, browser and operating system type and version, request timestamps, device and session identifiers, cookies and similar technologies;
• usage data: generation history, request parameters, view statistics, behavioral events on the site;
• user content: photos and text prompts uploaded by the user, results of image generation;
• payment data: payment fact, transaction identifier, payment status, payment method. The Operator does not receive or store bank card details — they are processed by the acquiring bank Tinkoff Bank.

• providing access to the Service, registering and identifying the user;
• rendering image-generation services using artificial-intelligence technologies;
• tracking and debiting internal credits, processing payments, and refunds;
• ensuring the operability, security, and protection of the Service against fraud and abuse;
• informing the user about generation status, Service updates, and important notifications;
• communicating with the user on support matters and processing requests;
• improving the Service quality, performing analytics and statistical research on de-identified data;
• sending marketing and informational messages where the user has provided explicit consent;
• fulfilling obligations imposed by Russian law.

• consent of the data subject (clause 1, part 1, Article 6 of Law No. 152-FZ);
• necessity to perform a contract to which the data subject is a party, including the public offer for use of the Service (clause 5, part 1, Article 6);
• necessity to exercise the rights and legitimate interests of the Operator or third parties, provided that the rights and freedoms of the data subject are not violated (clause 7, part 1, Article 6);
• compliance with statutory obligations of the Operator under Russian law.

Personal data is processed both with and without automation, including the actions listed in section 3 of this Policy. The Operator does not process special categories of personal data or biometric personal data (Articles 10 and 11 of Law No. 152-FZ) without separate written consent from the data subject.

Photos uploaded by the user are used solely for generating the requested result and are not transferred to third parties, except as expressly provided by this Policy and applicable law.

The Operator may engage the following processors, with whom appropriate confidentiality and security agreements have been concluded:

• acquiring bank and payment services — to process payments under Russian Federal Law No. 161-FZ "On the National Payment System";
• cloud-infrastructure and hosting providers — to ensure operability of the Service;
• AI-technology providers — to process user requests for image generation;
• web-analytics services (in de-identified form) — to analyze user behavior and improve the Service;
• mailing and notification services — to send transactional and marketing messages.

The Operator does not transfer personal data to third parties for any other purposes without the data subject's consent, except as required by Russian law (e.g., upon request of authorized state bodies).

The Operator informs the user that, while providing image-generation services, personal data may be transferred to countries that ensure an adequate level of protection of data-subject rights. Such transfers are carried out in strict compliance with Article 12 of Law No. 152-FZ and only to the extent necessary to achieve the purposes specified in this Policy.

Personal data is processed for the period necessary to achieve the purposes of processing and is stored no longer than required.

• account data — for the lifetime of the account and up to 12 months after deletion (to resolve potential disputes);
• payment documents and payment records — within the periods required by the Russian Tax Code and accounting legislation (at least 5 years);
• access logs and technical journals — up to 12 months;
• user content (photos and generated images) — until deleted by the user or until the account is closed.

Upon expiration of the processing period or upon withdrawal of consent, the personal data is destroyed or de-identified in a manner that prevents its recovery, unless otherwise required by law.

The Operator takes the necessary legal, organizational, and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, distribution, and other unlawful actions, including:

• appointing a person responsible for organizing personal-data processing;
• access control over personal data;
• using encrypted communication channels (TLS/HTTPS);
• storing passwords as cryptographic hashes;
• regular backups and integrity checks;
• security-event monitoring and incident response.

Under Article 14 of Law No. 152-FZ, the user has the right to:

• receive information about the processing of their personal data;
• demand clarification, blocking, or destruction of their personal data when it is incomplete, inaccurate, outdated, or unlawfully processed;
• withdraw consent to processing previously given;
• lodge a complaint with Roskomnadzor or in court regarding the Operator's actions or inaction;
• exercise other rights granted by Russian law.

Data-subject requests should be sent to support@picoria.com. The Operator must process the request within 10 working days from receipt.

The Service uses cookies and similar technologies for operability, session maintenance, analytics, and quality improvement. A detailed description of the cookies used is provided in our Cookie Policy.

The Operator may unilaterally amend this Policy. The current version is always available at picoria.com/en/privacy. The last updated date is shown at the top of the document. Continued use of the Service after changes are published constitutes acceptance of the new version.

For any questions related to personal-data processing, please contact support@picoria.com.