Picme is committed to respecting and protecting personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR").
We implement appropriate technical and organizational security measures as required under GDPR Article 32, including encryption of personal data in transit and at rest, access controls limiting data access to authorized personnel only, data minimization practices, and regular testing and evaluation of our security measures.
Event data is stored securely on Amazon Web Services (AWS S3) infrastructure under strict access policies.
Picme processes personal data solely for the purpose of providing the service requested by event organizers and users, including photo distribution, guest album creation, and related event functionality.
Picme processes personal data on the following legal bases:
No personal data is processed for any purpose beyond those listed above without prior notice and, where required, explicit consent.
Picme's platform uses automated facial recognition technology to match guest selfies to event photographs. This constitutes the processing of biometric data, a special category of personal data under GDPR Article 9, and is subject to the highest level of data protection.
Before any biometric processing takes place, guests are provided with a clear privacy notice and are required to give explicit, informed consent.
Guests may withdraw this consent at any time by contacting support@picme.pics. All biometric data derived from their selfie will then be permanently deleted within 30 days of such a request.
A Data Protection Impact Assessment (DPIA) has been conducted in respect of this processing activity in accordance with GDPR Article 35.
Event organizers who use Picme's platform act as data controllers in respect of their guests' personal data. Picme acts as a data processor on their behalf, processing data only on documented instructions.
The relationship between Picme and event organizers is governed by a Data Processing Agreement (DPA) as required under GDPR Article 28, which sets out the obligations and rights of each party.
Organizers are contractually required under the DPA to ensure that guests are informed of and have consented to the processing of their personal data, including photographs and biometric facial recognition data, before using the platform.
Picme provides organizers with a guest-facing privacy notice template for this purpose, available on request at support@picme.pics.
Users may request access, correction, deletion, or restriction of their personal data by contacting us. We will make reasonable efforts to respond in accordance with applicable law.
Data subjects, including event guests, have the following rights under the GDPR:
Requests must be submitted to support@picme.pics. We will respond within 30 days in accordance with GDPR Article 12.
While we strive to align our practices with GDPR requirements, Picme is a growing company and continuously improves its compliance processes. We do not represent or warrant that our services are fully compliant with every jurisdiction's specific legal requirements, and users are encouraged to ensure that their own use of the platform complies with applicable laws.
Nothing in this section shall be interpreted as legal advice or as a guarantee of regulatory compliance.
Picme reviews its data protection practices regularly. If you have concerns about how your personal data is handled, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate at aki.ee, or with the supervisory authority in your country of residence.
Last Updated: March 12, 2026