PicToText LogoPicToText

Privacy Policy

Last updated: July 13, 2025

PicToText (“Pic To Text”, “we”, “us”, or “our”) provides OCR and document processing tools at pictotext.io. We are committed to safeguarding personal data in line with GDPR, CCPA, and other applicable regulations. This Privacy Policy explains what data we collect, how we use it, and the rights that are available to you. If you have any questions, contact us at [email protected].

1. Data controller & contact

PicToText is the controller of personal data processed through our web app, API, support inbox, and billing tools. You may reach our data protection contact exclusively via email at [email protected].

2. Information we collect

  • Account & profile data. Name and email collected when you create an account or sign in via OAuth.
  • Billing & payment data. We use Paddle.com as our merchant of record. Paddle collects payment card details, billing address, tax identifiers, and fraud signals on our behalf. We only receive tokens, subscription status, and transaction summaries.
  • Uploaded images and OCR output. Files you submit for conversion plus generated text, file metadata, and processing results. These items are encrypted at rest and deleted per the retention schedule below.
  • Usage & device information. IP address, browser type, language, referrer URL, system events, and request logs needed for security, troubleshooting, and rate limiting.
  • Support data. Messages, attachments, and transcripts sent via email.
  • Cookies & analytics. Essential cookies maintain authentication. Optional analytics cookies (e.g., Google Analytics) only run with consent and gather aggregated usage stats.

3. How we use your data & legal bases

We process personal data only when one of the following legal bases applies:

  • Contractual necessity. Provide OCR conversions, manage accounts, deliver API responses, and issue invoices or receipts.
  • Legitimate interests. Improve features, monitor abuse, keep services secure, and calculate aggregated analytics. We balance these interests against user rights.
  • Legal obligations. Maintain tax/audit records, comply with AML, and respond to lawful requests.
  • Consent. Send marketing emails, store optional cookies, or retain uploaded files longer than the default window when you explicitly opt in.

4. Payments & refunds

Paddle.com acts as our reseller and merchant of record. When you purchase credits or a subscription, Paddle processes the transaction, determines applicable taxes, and shares the outcome (paid, failed, refunded) with us. All card data is stored by Paddle under PCI-DSS. Refund requests must be submitted within 14 days of the original purchase unless your local law requires longer. To request a refund, open a ticket at [email protected] or paddle.net’s support portal with the order number. Approved refunds are routed through Paddle and typically appear within 5–10 business days.

5. Retention

  • User accounts: retained while your account is active and for up to 24 months after inactivity.
  • Billing records: stored for at least seven years to satisfy tax and accounting rules.
  • Uploaded files & OCR output: deleted automatically after 30 days unless you manually save them or grant consent for longer retention.
  • Support requests: kept for 24 months to resolve issues and maintain audit trails.

6. Sharing & international transfers

We share data with vetted processors only when needed: Paddle (payments), Cloudflare R2 (storage), Google (OAuth login), Google Vision/Document AI (OCR processing that you explicitly trigger), customer support tools, and analytics services. All processors are bound by data protection agreements. When data leaves the EEA/UK, we rely on adequacy decisions or EU Standard Contractual Clauses.

7. Security

We encrypt data in transit (TLS 1.2+) and at rest, implement role-based access controls, maintain audit logs, and perform periodic penetration testing. Nevertheless, no system is completely secure; please notify us immediately if you suspect unauthorized access.

8. Your rights

Depending on your jurisdiction, you may request access, correction, deletion, restriction, portability, or objection to processing. You can also withdraw consent or lodge a complaint with your local supervisory authority. Submit any request by emailing [email protected]. We verify identity before completing requests.

9. Cookies & tracking

Essential cookies keep you signed in and secure. Non-essential cookies (analytics, marketing) load only after you provide consent through our cookie banner. You may disable cookies in your browser, but some features may not function properly.

10. Children’s privacy

Our services are not directed to children under 13 (or the minimum age required by local law). We do not knowingly collect data from children. If you believe a child provided personal data, please contact us and we will delete it.

11. Changes to this policy

We will post updates on this page and notify account owners via email or dashboard alerts at least 10 days before material changes take effect. Continued use after the effective date constitutes acceptance of the updated Privacy Policy.