GDPR Information

Effective date: 2026-06-18
Last updated: 2026-06-18
Version: 1.0

Plain-language summary DickPic Pro is operated by [YOUR CYPRUS LTD LEGAL NAME], a private company limited by shares established in the Republic of Cyprus. The Company is established within the European Union and is therefore subject to the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"). This page describes how the GDPR applies to our processing of personal data, the lawful bases on which we rely, and the rights available to Data Subjects.

1. Establishment and Application of GDPR

DickPic Pro is operated by [YOUR CYPRUS LTD LEGAL NAME], a private company limited by shares organized under the laws of the Republic of Cyprus. The Company is established within the European Union and the GDPR applies to all of its processing of personal data in the context of the activities of that establishment, regardless of where the processing takes place or where the Data Subject resides (Art. 3(1) GDPR).

2. Roles — Split Between Service Operation and Content Processing

Our role under GDPR is split between two distinct scopes (see also Privacy Policy § 3 and the Data Processing Agreement):

  • Service operation — we are the Controller of account data, billing records, audit logs, and security data.
  • Content processing — we are the Processor for submitted images, generated PDF reports, and analysis metadata. The user (or, in Agency / API context, the business Customer) is the Controller. The terms of our processing are set out in the DPA.

This split applies uniformly across products. It reflects the fact that the user determines what to submit, what prompt to apply, what template to use, and on whose behalf — and we follow those instructions without using the content for our own purposes.

3. Lawful Bases

For our processing as Controller, we rely on the following lawful bases:

  • Performance of a contract (Art. 6(1)(b)) — for processing necessary to provide the Service the user has requested or to fulfill our obligations to a business Customer.
  • Legitimate interests (Art. 6(1)(f)) — for security, fraud prevention, service integrity, and product improvement, balanced against the rights and freedoms of Data Subjects.
  • Legal obligation (Art. 6(1)(c)) — for retention of records required by tax, accounting, or other applicable law, and for mandatory reporting where applicable.
  • Consent (Art. 6(1)(a) and, where relevant, Art. 9(2)(a)) — where we ask for consent for specific optional processing.

For content processing where we act as Processor, the lawful basis is determined by the Customer (Controller). Customers are required by the DPA to ensure they have a valid lawful basis for the Processing they instruct.

4. Special Category Data

Some of the content submitted to the Service may, depending on circumstances, constitute "special category data" within the meaning of GDPR Art. 9. The submission of such content is governed by our Master Terms of Service: the user (or Customer) represents that all required consents have been obtained from the persons depicted, and that the submission is lawful in their jurisdiction. Where we act as Processor, ensuring that an appropriate Art. 9 lawful basis exists is the Customer's responsibility as Controller.

5. Data Subject Rights

Subject to verification of identity and to applicable exceptions, Data Subjects can exercise the following rights:

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21)
  • Right to withdraw consent at any time, where consent is the basis (Art. 7(3))
  • Right not to be subject to a decision based solely on automated processing producing legal or similarly significant effects (Art. 22) — we do not currently engage in such decision-making

For requests that concern data we hold as Controller (account data, billing, security), submit your request directly to us via the contact channel in the Privacy Policy.

For requests that concern content processing where we act as Processor (submitted images, generated PDFs), the request is most effectively addressed to the Customer who instructed the Processing on your behalf (for Agency users, your agency; for users of an API integrator, that integrator). We will assist them in responding.

We will respond to direct requests within one month of a verifiable request, extendable by a further two months for complex requests, with notice within the first month (Art. 12(3) GDPR).

6. International Transfers

The Service operates from the Republic of Cyprus, an EU Member State. Submission of personal data to the Service therefore constitutes processing within the European Union and is not, in itself, an international transfer for the purposes of Chapter V of the GDPR.

Where personal data is transferred to subprocessors outside the European Economic Area, transfers are governed by the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) or another lawful transfer mechanism under Chapter V GDPR, with us acting as data exporter. The current list of subprocessors and their processing locations is published at /legal/subprocessors.

The DPA between us and Customers acting as Controllers is structured to support such onward transfers without further action by the Customer where we act as Processor.

7. EU Representative and Data Protection Officer

Because the Company is established in the European Union (the Republic of Cyprus), the requirement under Art. 27 GDPR to appoint an EU Representative does not apply.

The appointment of a Data Protection Officer (DPO) under Art. 37 GDPR is mandatory only where the Controller's core activities require regular and systematic monitoring of Data Subjects on a large scale, or consist of large-scale processing of special category data. We assess our DPO obligations on an ongoing basis and will appoint a DPO if and when our processing activities meet the Art. 37 thresholds. Until that time, privacy and data-protection matters are handled internally and may be addressed via the contact channel in the Privacy Policy.

8. Right to Lodge a Complaint

Data Subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement, if they consider that the processing of their personal data infringes the GDPR (Art. 77 GDPR).

The supervisory authority for the Company in its capacity as established in the Republic of Cyprus is:

Office of the Commissioner for Personal Data Protection of the Republic of Cyprus
Address: Iasonos 1, 1082 Nicosia, Cyprus
Website: https://www.dataprotection.gov.cy
Email: [email protected]

We encourage Data Subjects to contact us first via the channel in the Privacy Policy so that we may address concerns directly.