Commitment
Picme is committed to respecting and protecting personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR").
We implement appropriate technical and organizational security measures as required under GDPR Article 32, including encryption of personal data in transit and at rest, access controls limiting data access to authorized personnel only, data minimization practices, and regular testing and evaluation of our security measures.
Event data is stored securely on Amazon Web Services (AWS S3) infrastructure.
Processing Purposes and Legal Bases
Picme processes personal data solely for the purpose of providing the service requested by event organizers and users, including photo distribution, guest album creation, and related event functionality.
Picme processes personal data on the following legal bases:
- Providing the photo delivery service: performance of a contract
- Processing guest selfies and facial recognition matching: explicit guest consent
- Compliance with accounting and tax record-keeping requirements: legal obligations
No personal data is processed for any purpose beyond those listed above without prior notice and, where required, explicit consent.
Biometric Data Processing
Picme's platform uses automated facial recognition technology to match guest selfies to event photographs. This constitutes the processing of biometric data, a special category of personal data under GDPR Article 9, and is subject to the highest level of data protection.
Before any biometric processing takes place, guests are provided with a clear privacy notice and are required to give explicit, informed consent.
Guests may withdraw this consent at any time by contacting support@picme.pics. All biometric data derived from their selfie will then be permanently deleted within 30 days of such a request.
A Data Protection Impact Assessment (DPIA) has been conducted in respect of this processing activity in accordance with GDPR Article 35.
Controller and Processor Roles
Event organizers who use Picme's platform act as data controllers in respect of their guests' personal data. Picme acts as a data processor on their behalf, processing data only on documented instructions.
The relationship between Picme and event organizers is governed by a Data Processing Agreement (DPA) as required under GDPR Article 28.
Organizers are contractually required under the DPA to ensure that guests are informed of and have consented to the processing of their personal data before using the platform.
Picme provides organizers with a guest-facing privacy notice template, available via support@picme.pics.
Data Subject Rights
Users may request access, correction, deletion, or restriction of their personal data by contacting us. We will make reasonable efforts to respond in accordance with applicable law.
Data subjects, including event guests, have the following rights under the GDPR:
- Right of access under Article 15
- Right to rectification under Article 16
- Right to erasure under Article 17
- Right to restriction of processing under Article 18
- Right to data portability under Article 20
- Right to object under Article 21
- Right to withdraw consent at any time
Requests must be submitted to support@picme.pics. We will respond within 30 days.
Ongoing Compliance
While we strive to align our practices with GDPR requirements, Picme is a growing company and continuously improves its compliance processes. We do not represent or warrant that our services are fully compliant with every jurisdiction's specific legal requirements.
Nothing in this section shall be interpreted as legal advice.
Picme reviews its data protection practices regularly. If you have concerns about how your personal data is handled, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate at aki.ee, or with the supervisory authority in your country of residence.
Last Updated: March 12, 2026