
DRAFT. This page is a placeholder pending lawyer review. The summary below describes Piccs’s actual data practices today; binding policy language including state-specific rights (CCPA, etc.) will be published before Piccs enters Live mode.

Privacy Policy

Last updated: May 10, 2026

What we collect

  • Account data you provide at signup: email address, name, and password (stored hashed by Supabase Auth). Optional profile info you add later: bio, avatar image, and portfolio media.
  • Business data you create on Piccs: invoices, clients you save (a name is required; email and phone are optional and you can save a client with phone only), projects, bookings, contracts, expenses, and any files you attach to those records.
  • Payment metadata from Stripe: transaction amounts, statuses, payout details, and Stripe-issued IDs. We do not see, receive, or store card numbers, bank account numbers, CVV codes, or KYC documents — those are collected and stored by Stripe directly.
  • Connection data from your linked calendars (optional): when you connect Google Calendar, Microsoft Outlook, or Apple iCloud, we store your account email and an encrypted copy of the OAuth credentials or app-specific password needed to read your busy times.
  • Usage and security data: server logs (IP address, request timestamps, user agent), authentication events (sign-in successes and failures), and rate-limit counters. Used to operate the service, detect abuse, and meet legal logging requirements.
  • Diagnostics from the mobile app: crash reports, performance traces, and session counts via Sentry. Includes device model, OS version, and app version. Does not include the contents of your business records.

What we don't collect

  • Full card numbers, CVVs, bank account credentials, SSNs, or KYC documents — Stripe handles these.
  • Third-party advertising or marketing trackers. We do not run advertising networks, ad pixels, or behavioral profiling.
  • Your browsing history outside Piccs, your contacts, your microphone audio, or your precise location.
  • We do not sell or rent your data.

How we use it

  • To run the platform — process invoices and payments, deliver bookings, send signed contracts, and show you your numbers.
  • To send transactional email — account confirmations, payment receipts, dispute and contract notifications, and (for the annual Piccs Pro plan) the renewal reminders required by Florida § 501.165 for auto-renewing 12-month-or-longer service contracts. We may also send occasional product nudges (e.g., a Pro-tier suggestion if your invoice volume crosses a threshold). All emails include a one-click unsubscribe header for non-essential mail.
  • To detect fraud and abuse — using IP addresses, request rate patterns, and authentication audit logs.
  • To meet legal obligations — including tax recordkeeping (Stripe handles 1099-K thresholds; you may receive tax forms from Stripe directly) and security incident response. The figures Piccs surfaces (Reports totals, bookkeeping CSV export) are bookkeeping data, not tax advice; we do not calculate taxable income or provide guidance on deductibility — your CPA does.

Who we share with

Piccs uses the following service providers (sub-processors). Each one only sees the data needed for the function they perform.

  • Stripe — payment processing, payouts, KYC verification, dispute handling. Merchant of record for client payment data.
  • Supabase — authentication and database hosting. All data encrypted at rest by Supabase; calendar OAuth tokens additionally encrypted at the application level.
  • Vercel — application hosting, edge logs, and scheduled jobs.
  • Resend — transactional email delivery.
  • Sentry — error tracking and performance monitoring (web and mobile). Sentry sees stack traces, URL paths (with query strings stripped), HTTP status codes, and mobile device/OS metadata.
  • Upstash — Redis-based rate limiting. Sees IP address keys and counter values; no personal data.
  • BoldSign — e-signature provider for contracts. Sees the contract PDF and the names + emails of the signers.
  • Google, Microsoft, and Apple — only when you opt in to calendar sync. Piccs reads busy times from the provider you connect; we do not read event content.
  • PostHog — product analytics (US-hosted). Only loaded after you accept the cookie banner. We capture product events (e.g. invoice created, signed in) linked to an anonymous ID — no names, emails, or financial amounts are sent to PostHog.
  • Cloudflare — DNS, email routing, and (where configured) edge proxying.
  • VirusTotal — file uploads (avatars, invoice attachments, portfolio media) are scanned for malware. Files that VirusTotal has not seen before may be uploaded to their service for analysis.
  • Law enforcement — only when required by valid legal process.

Public content

Some content you create on Piccs is intentionally public so your clients can use it without signing up:

  • Your public profile page (piccs.app/<your-slug>) — name, bio, avatar, and portfolio media you choose to display.
  • Invoice pay links (piccs.app/pay/<invoice-id>) — accessible to anyone with the link, including any attachments you add.
  • Booking pages and contract review links — accessible to anyone with the link.

Files you upload as profile media or invoice attachments are stored in publicly addressable cloud storage. Treat them as if they will be world-readable; do not upload anything you would not share publicly.

How long we keep it

  • Active account data: kept while your account is open.
  • Tax-relevant records (invoices, contracts, disputes, payouts): retained for 7 years from the date of the transaction, as required by U.S. tax-record retention windows. Even after you delete your account, these records persist in anonymized form (no name, no email, no avatar) until the 7-year window expires. Carve-out: records you delete on your own initiative (for example, voiding or permanently deleting an invoice from the invoice detail page) are removed immediately and are not subject to the 7-year retention window. You are responsible for keeping copies if you need them for tax purposes; Stripe retains its own transaction records on its side per their policy regardless.
  • Security and audit logs: sign-in events, account-deletion events, and fraud-detection signals are retained for incident-response and fraud-prevention purposes. These logs are append-only at the database layer (tamper-evident for forensic integrity), which means they cannot be retroactively scrubbed of email or IP. They are subject to a rolling retention window of 24 months, after which the daily purge cron removes records older than that threshold.
  • Webhook payloads (Stripe and document-signing): redacted of PII when your account is deleted; the metadata around them (event type, status, timestamps) is retained for incident-response. Older payloads beyond 90 days are also purged regardless of account state.
  • Refund-fraud fingerprints: when we issue a one-time subscription refund, we record a one-way hash of the email address and the Stripe customer identifier to prevent the same person from refunding again under a new account. These records are kept indefinitely as a fraud-prevention measure — the hash is not reversible to your email.
  • Stripe-side records: governed by Stripe’s retention policy (typically 7 years for transaction records).

Your data — your access and deletion

Access and export. You can download a JSON export of your account data while signed in via /api/account/export. For a request that includes your audit logs or other operational records, email support@piccs.app.

Deletion. You can delete your account at any time from Settings (in-app) or by submitting a request at piccs.app/delete-account. Deletion does the following:

  • Closes your auth account and signs you out everywhere.
  • Cancels any active Piccs Pro subscription.
  • Anonymizes your name, email, and contact details on Piccs-side records (replaced with non-identifying placeholders).
  • Anonymizes the contact details (names, emails, phones) of clients in your address book — the people you sent invoices and booking links to. Their records are kept in anonymized form only for the 7-year retention window on the invoices that reference them.
  • Redacts the body of Stripe and document-signing webhook payloads that reference your account, keeping only the metadata required for incident response.
  • Removes your avatar, portfolio media, and uploaded attachments from public surfaces.
  • Rejects the Stripe Connect account associated with Piccs (no new payments accepted; any pending balance pays out per Stripe’s standard policy). Stripe retains transaction records on its side per their retention policy.
  • Tax-relevant records (invoices, contracts, disputes, payouts) are retained in anonymized form for 7 years per U.S. tax-record retention windows, then permanently purged.
  • One thing deletion does NOT remove: the refund-fraud fingerprint (one-way hash of your email + Stripe customer id) — see “How long we keep it” above. This is what prevents the same person from claiming the one-time subscription refund twice by deleting their account and re-signing up.

Correction. You can edit your profile, clients, invoices, and other records from inside the app. For corrections we cannot make in-app, email support.

Cookies and diagnostics

We use first-party cookies for authentication (signing you in and keeping you signed in) and to remember your cookie-consent preference for one year. With your consent we also collect anonymous performance diagnostics via Sentry to help us debug production issues; if you decline, no performance traces are sent and the app continues to work fully. Crash reports are always collected — we treat them as necessary for security and stability under CCPA / GDPR legitimate-interest grounds. We do not use third-party tracking cookies or advertising cookies.

Children's privacy

Piccs is intended for adults using it for business purposes. To use Piccs’s payment features you must be old enough to legally accept Stripe’s Connected Account Agreement, which generally requires you to be 18 or older. We do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected information from a minor, contact us and we will delete it.

International users

Piccs operates from the United States. By using Piccs you consent to your data being processed in the U.S. Region-specific disclosures (GDPR for EU/UK residents, CCPA/CPRA for California, and other state-level rights) are being prepared as part of the lawyer review noted at the top of this page; in the interim, EU/UK or California residents who want to exercise their rights of access, correction, deletion, or portability can email support@piccs.app and we will respond within statutory timelines.

Contact

Privacy questions: support@piccs.app.