Privacy Policy

Effective date: 2026-06-18
Last updated: 2026-06-18
Version: 1.0
Operator: DickPic Pro is a service operated by [YOUR CYPRUS LTD LEGAL NAME], a private company limited by shares organized under the laws of the Republic of Cyprus ("Company", "we", "us", "our").

1. Scope

This Privacy Policy describes how we handle personal data when you create an account, purchase credits, submit content for analysis, receive generated reports, or otherwise interact with the service at dickpicpro.com (the "Service"). It applies across all our product variants — the Model Tool (B2C), the Agency Tool (B2B), and the API (B2B).

This Policy does not cover third-party websites, services, or platforms that link to or integrate with our Service. Your interactions with such third parties are governed by their own privacy policies.

2. Jurisdiction

The Service is operated from the Republic of Cyprus and the Company is subject to the laws of the Republic of Cyprus and applicable European Union law, including the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"). For matters concerning the processing of personal data, the GDPR applies to all Data Subjects, regardless of their location.

Use of the Service is subject to applicable local law in the user's jurisdiction. Users are responsible for compliance with the laws of their own country, including, where applicable, restrictions on the type of content that may be processed through the Service.

3. Our Role — Split Between Service Operation and Content Processing

We operate under a "split-role" model that reflects how the Service actually works:

3.1 Service operation — we are the Controller

For the data we need to operate the Service itself, we are the controller. We decide the purposes and means of processing for these data:

• Account data (email, password hash, display name, account identifiers);
• Billing and credit-balance records;
• Authentication and security data (sessions, login attempts, audit logs);
• Master Terms of Service acceptance records.

3.2 Content processing — we are the Processor

For the content you submit and the reports we generate from it, we act as a processor on your behalf. You determine what to submit, what prompt to apply, what template to use, and (for Agency / API customers) on whose behalf the analysis is being run. We process this content strictly on your instructions, expressed through your use of the Service interface or API.

This applies uniformly across products:

• Model Tool — you instruct us via the upload form, prompt selector, and template selector.
• Agency Tool — the agency instructs us via the same UI plus model-selection. The agency, not us, has the relationship with the depicted person and is responsible for obtaining consent.
• API — the API customer instructs us via API parameters, and is responsible for obtaining consent from depicted persons in their own product.

Acceptance of the Master Terms of Service incorporates our Data Processing Agreement, which formalizes the processor relationship and your responsibilities as the controller of submitted content.

4. What We Do NOT Do With Your Content

These are firm commitments — they are central to how we operate, not optional opt-outs:

• We do not train AI models on your submitted content. Our analysis pipeline is stateless inference; submitted images are not added to any training dataset.
• We do not profile users. We do not build behavioral or interest profiles from your usage. We do not run analytics that link your activity to advertising or marketing categories.
• We do not sell personal information. We do not share personal data for cross-context behavioral advertising.
• We do not combine data across users. Your account and analyses are isolated; there is no cross-tenant aggregation that would link your data to other users' data.
• We do not identify depicted persons. The analysis describes the visible content of submitted images; it does not perform facial recognition, biometric matching, or any other identification of the persons depicted. The generated PDF does not contain biometric features or persistent identifiers of subjects.
• We do not show advertising. The Service has no ad network integration.

5. Data We Process and How Long We Keep It

5.1 Account data — controller scope

• Email address (required for login)
• Password — stored only as a salted bcrypt hash; we never store plaintext
• Display name (optional, user-chosen)
• Account identifiers, status flags, timestamps
• Master Terms of Service acceptance records (timestamp, version, IP)
• Marketing acquisition snapshot (optional) — if you arrived via a marketing link with UTM parameters, or from an external website, we capture the campaign tags and the referring website at first visit. This snapshot is frozen at registration and is used solely to measure which marketing channels bring users to the service. See § 5.1.1 below.

Retained for the life of your account; soft-deleted on account closure with a 30-day grace period during which deletion may be rescinded; then hard-deleted, with billing records retained as required by law (see § 5.4).

5.1.1 Marketing acquisition snapshot

When you first arrive at the service, we may capture a small set of technical signals related to where you came from:

• UTM parameters from the URL query string (utm_source, utm_medium, utm_campaign, utm_term, utm_content) — these are tags we attach to our own marketing links to measure campaign performance.
• HTTP Referer header sent by your browser, but only if it points to an external website (internal navigation within our own service is not stored).
• The page you first landed on within our service (path only, no query string).
• The timestamp of first capture.

If you register an account, this snapshot is attached to your account as a single, frozen record — it is never updated by subsequent visits or actions. If you do not register, the snapshot lives only in your browser session and is discarded automatically when the session expires (after 7 days).

Purpose: attribution analytics — understanding which marketing channels lead to registrations. We do not use this data for targeted advertising, profiling, or any decision that affects you as a user.

Retention: for the life of the account; deleted together with the account on hard purge.

Opt-out: we do not capture this if no UTM parameters are present and the referring website is empty or matches our own domain. You can also prevent capture entirely by configuring your browser to not send the Referer header, or by visiting the service directly without clicking through a marketing link.

5.2 Submitted content (images) — processor scope

Images you upload for analysis are processed transiently:

• Forwarded to our analysis service for AI processing
• Analyzed and the result returned to the generation pipeline
• Deleted from the processing pipeline immediately after analysis — we do not retain raw uploaded images at rest

5.3 Generated content (PDF reports) — processor scope

The PDF report we generate from your analysis is stored in cloud object storage for a retention period that depends on your active package:

After expiration, the PDF is automatically deleted from storage and the corresponding analysis-metadata row is removed from our database. You may also delete a specific analysis at any time before expiration via the "Recent Analyses" view in your dashboard (the PDF, the preview thumbnail, and all related operational data are removed; financial records are retained as described in section 5.4).

5.4 Billing and operational records — controller scope

6. Sharing and Subprocessors

We do not sell personal information. We do not share your personal data for cross-context behavioral advertising. We share personal data only in the following limited cases:

• Subprocessors who provide infrastructure (object storage, payment processing, transactional email, electronic-signature) and are bound by appropriate confidentiality and data-protection terms. Our current and planned subprocessor list is published at /legal/subprocessors.
• Legal compliance — where we are required by valid legal process to disclose data, or where we believe in good faith that disclosure is necessary to protect rights, safety, or to comply with mandatory reporting laws. This includes voluntary cooperation in the detection and reporting of apparent child sexual abuse material under the framework of EU Regulation (EU) 2021/1232, including reports to designated clearinghouses such as the National Center for Missing & Exploited Children (NCMEC) and members of the INHOPE network.
• Business transfer — in the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity, which will be bound by terms substantially equivalent to this Policy.

7. International Data Transfers

We process personal data primarily within the European Union. Our infrastructure is operated from the Republic of Cyprus, and our object storage subprocessor is configured to store data in EU regions. Some operational services may be provided by subprocessors based outside the European Economic Area (EEA); the regions are listed at /legal/subprocessors.

Where personal data is transferred to subprocessors outside the EEA, transfers are governed by the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) or another lawful transfer mechanism under Chapter V of the GDPR. Additional information for Customers acting as Controllers is set out in our Data Processing Agreement.

If you access the Service from outside the European Union, your personal data will be transferred to and processed within the EU. By using the Service from outside the EU, you acknowledge that the data-protection laws of the European Union may differ from those of your jurisdiction.

8. Your Rights

Subject to verification of identity and to applicable exceptions under the GDPR, you have the following rights in relation to your personal data:

• Access — request a copy of the personal data we hold about you (Art. 15).
• Rectification — request correction of inaccurate or incomplete data (Art. 16).
• Erasure — request deletion of your account or of individual analyses (Art. 17). Account deletion: 30-day grace period followed by hard-deletion of personally identifying account fields. Individual analyses: removable on demand from the "Recent Analyses" view in your dashboard. Non-identifying billing records are retained as required by law.
• Restriction of processing (Art. 18).
• Portability — request a copy of your data in a portable format, where applicable (Art. 20).
• Objection — object to processing based on legitimate interests (Art. 21).
• Withdrawal of consent — where processing is based on consent, you may withdraw it at any time (Art. 7(3)).
• Right not to be subject to automated decision-making producing legal or similarly significant effects (Art. 22) — we do not currently engage in such decision-making.
• Where we act as Processor (for content processing), rights requests should primarily be addressed to your Controller (for Agency users — your agency; for users of an API integrator — that integrator); we will assist them in responding. See /legal/gdpr for the full GDPR framework.

To exercise these rights, contact us via the channel listed in section 12. We may need to verify your identity before responding. We will respond within 30 days of a verifiable request, with an extension of up to a further two months for complex requests where permitted by Art. 12(3) GDPR (with notice within the first month).

9. Security

We implement organizational and technical measures designed to protect your data, including TLS encryption in transit, password hashing, access controls, secure infrastructure, and minimization of stored data through transient image processing. Full details are at /legal/security.

No system can guarantee absolute security. In the event of a security incident affecting your personal data, we will respond promptly and notify the competent supervisory authority and affected users where required by Art. 33 and Art. 34 GDPR.

10. Children's Privacy

The Service is offered exclusively to adults aged 18 or older. We do not knowingly permit minors to use the Service or to appear as content subjects in uploaded material. By creating an account, you represent that you are at least 18 years old. If we become aware that an account has been created by a minor or that uploaded content depicts a minor, we will suspend the account, delete the content, cooperate with Cyprus law enforcement and competent authorities, and report apparent child sexual abuse material to designated clearinghouses (such as NCMEC and members of the INHOPE network) on a voluntary basis under the framework of EU Regulation (EU) 2021/1232.

Concerns regarding suspected minor involvement should be reported immediately via the contact channel in section 12.

11. Changes to This Policy

We may update this Policy from time to time. Material changes will be communicated via the Service (banner notification or email to registered users) and the "Last updated" date at the top will be revised. Your continued use of the Service after the effective date of an updated Policy constitutes acceptance of the updated Policy.

12. Contact

For privacy questions or to exercise your rights, contact us via:

• Web form: /legal/contact
• Email: privacy@[YOUR DOMAIN]
• Postal mail: [YOUR CYPRUS LTD LEGAL NAME], Attn: Privacy, [YOUR MAILING ADDRESS LINE 1], [POSTAL CODE] [CITY], Cyprus.

You also have the right to lodge a complaint with your national data protection supervisory authority. The supervisory authority for the Company is the Cyprus Data Protection Commissioner (https://www.dataprotection.gov.cy). See /legal/gdpr § 8 for details.