At Picme, protecting your information is a top priority.
All event data, including photos, guest lists, and related event details, is securely stored using Amazon Web Services (AWS S3) infrastructure. These servers are designed with advanced technical and organizational security measures to help safeguard your data against unauthorized access, loss, or misuse.
We implement appropriate technical and organizational security measures as required under GDPR Article 32, including encryption of data in transit and at rest, access controls limiting data access to authorized personnel only, and regular testing and evaluation of our security practices.
We apply strict access controls and permission-based policies to ensure that only authorized personnel can access specific information when necessary for service delivery.
Picme's platform uses automated facial recognition technology to match guest selfies to event photographs. This process involves the processing of biometric data, which is a special category of personal data under GDPR Article 9.
Such processing occurs only where the guest has been informed and has provided explicit consent before uploading a selfie.
Guests may withdraw this consent at any time by contacting support@picme.pics. Any biometric data derived from their selfie will then be permanently deleted in line with our retention rules.
Picme does not use, sell, distribute, or share your photos, guest lists, or event information with third parties without your explicit consent, except where required by law or necessary to provide the service.
Data is shared only with service providers acting as data sub-processors on our behalf, including Amazon Web Services for cloud storage, under written agreements that bind them to the same data protection standards.
A full list of sub-processors is available on request at support@picme.pics.
Event photos, guest selfies, and associated personal data are retained for a maximum of 30 days from the date of the event, or according to any storage extension purchased by the owner of the photos, after which they are permanently and irreversibly deleted from our systems.
Biometric data derived from guest selfies is deleted immediately after the event, or immediately upon withdrawal of consent, whichever is sooner.
Organizer account data such as name, email, and payment records is retained for up to three years for legal and accounting purposes.
Some AWS servers may be located outside the European Economic Area. Where personal data is transferred outside the EEA, such transfers are governed by Standard Contractual Clauses approved by the European Commission to ensure an equivalent level of data protection.
In the event of a personal data breach likely to result in a risk to individuals' rights and freedoms, Picme will notify the Estonian Data Protection Inspectorate within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.
Where the breach poses a high risk to affected individuals, those individuals will also be notified directly without undue delay.
We are committed to maintaining the confidentiality, integrity, and security of your data at every stage of your event experience.
Last Updated: March 12, 2026