Privacy Policy

Last updated: May 2026 · Version 5

1. Controller

The controller for data processing on this platform within the meaning of the GDPR is:

PICOFTHEDAY UG
Managing Director: Philipp Scheiner
Teststraße 1, 123456 Testort, Deutschland
Phone: +49 123456789
info@picoftheday.shop
VAT ID: DE1234567

Note for photographers: Photographers who have biometric data (facial features) of their customers processed on the platform are themselves responsible for compliance with data protection requirements under Art. 9 GDPR. They are obliged to obtain the explicit consent of the persons depicted for the processing of biometric data before uploading images.

2. Data collected & purposes

2.1 Photo search (customers)

When you use a selfie to search for photos, your image is transmitted to our server for analysis. There, the AI model InsightFace (ArcFace) generates an anonymous biometric fingerprint (512-dimensional feature vector). The selfie itself is not permanently stored after analysis; only the feature vector is used for the search query. The vector does not enable direct re-identification outside the platform context.

Legal basis: Consent pursuant to Art. 6(1)(a) GDPR in conjunction with Art. 9(2)(a) GDPR. The feature vector is not permanently stored after the search is complete.

2.2 Purchase of photos

When purchasing images, we process your email address (optional, for order confirmations and download links), payment data (processed by Mollie B.V. as payment service provider), and an anonymous session ID. Legal basis: Contract performance Art. 6(1)(b) GDPR.

Download links are valid for 14 days and automatically deactivated thereafter. Order data is retained for tax purposes in accordance with statutory retention periods (max. 10 years).

2.3 Photographer accounts

For registered photographers we process: name, email address, password (hashed), optionally business name, phone number, website, IBAN (encrypted), tax number, and upload metadata of uploaded images. Legal basis: Contract performance Art. 6(1)(b) GDPR, and legitimate interest Art. 6(1)(f) GDPR for security measures (IP logging, audit log).

Publicly visible photographer data: Customers browsing galleries or searching for photos on the platform will see the following information about the respective photographer:

  • Name or business name (depending on profile settings)
  • Average rating and number of ratings (if available)
  • Gallery information such as title, shoot date, and location (where provided by the photographer)

This data is processed on the basis of legitimate interest (Art. 6(1)(f) GDPR), as it is necessary for the operation of the platform and customers' purchasing decisions. Photographers can update their display name and other profile information at any time in their account settings.

2.4 Biometric facial data

Facial features (512-dimensional feature vectors generated by InsightFace ArcFace) detected in uploaded photos are treated as a special category of personal data under Art. 9 GDPR. Processing is based on the explicit consent of the persons depicted, which must be obtained by the respective photographer (Art. 9(2)(a) GDPR). This data is stored for the duration of the gallery and automatically deleted after the configured retention period. Photographers can disable facial recognition for individual galleries at any time — all biometric data for that gallery will then be irreversibly deleted.

2.5 Reporting system (report content)

Users can submit galleries for review via the report form. The following data is processed:

  • Reason for report (required) and optional free-text description
  • IP address of the reporter (automatically captured, for abuse prevention)
  • Email address of the reporter (optional) — used solely to notify the reporter of the outcome and for follow-up questions

Legal basis: Legitimate interest pursuant to Art. 6(1)(f) GDPR (ensuring platform integrity and legal compliance). Reports and related data are stored permanently to enable full case processing, subsequent notifications, and traceability of moderation decisions. An optionally provided email address can be deleted upon request — contact us at: info@picoftheday.shop.

Photographers are notified by email of any consequences (e.g. removal of individual images, deletion of a gallery, suspension of their account). All moderation actions are recorded in an audit log and retained for accountability purposes.

2.6 Rating system

Users can rate photographers after viewing their galleries via the rating form. The following data is processed:

  • Rating (1–5 stars, required) and an optional comment
  • IP address of the reviewer (automatically captured, to ensure one rating per photographer per user and for abuse prevention)

No email address is required. The rating is displayed publicly as an average next to the photographer's profile in search results; comments are stored internally and not displayed publicly.

Only one rating per IP address and photographer is permitted — subsequent changes are not possible. Legal basis: Consent pursuant to Art. 6(1)(a) GDPR (given by confirming in the rating form). The IP address is stored solely for abuse prevention and is not displayed publicly. To request deletion of a rating, contact: info@picoftheday.shop.

2.7 Print-on-Demand products

When you order a print product (e.g. photo print, mug) on the platform, the following data is transmitted to our print service provider Printful Inc. for order fulfilment:

  • Full delivery address (name, street, postcode, city, country)
  • Email address (if provided, for shipping notifications by Printful)
  • The ordered photo as a high-resolution original file (temporarily used for production)

Legal basis: Contract performance pursuant to Art. 6(1)(b) GDPR. Data is transferred to Printful on the basis of a data processing agreement (DPA) pursuant to Art. 28 GDPR. Printful processes the data solely for production and shipping. For more information on Printful's data processing, see printful.com/policies/privacy.

Delivery addresses are retained for up to 10 years for tax compliance purposes (statutory retention obligation). You may request deletion after expiry of the statutory retention period.

2.8 Address autocomplete (order process)

When you enter a delivery address during the order process, an optional address autocomplete feature is provided. Your input (street fragments) is transmitted to the service Photon by Komoot (photon.komoot.io) to retrieve matching address suggestions.

Photon is an open-source geocoding service operated by Komoot GmbH (Germany). No personal data is permanently stored — only the entered search text is transmitted for address lookup. Address autocomplete is optional; you can also enter your address manually.

Legal basis: Legitimate interest pursuant to Art. 6(1)(f) GDPR (improving the user experience during the order process). Server location: EU. Further information: photon.komoot.io.

2.9 Login history (photographer accounts)

Each time a photographer successfully logs in, we record the following data to protect the account:

  • IP address of the login
  • Country of origin (derived from the IP address locally via a GeoIP database — no external service)
  • User agent (browser/device, truncated to 255 characters)
  • Timestamp of the login

The last 100 logins are stored per account; older entries are deleted automatically. Photographers can view their login history at any time in the dashboard under Security.

Legal basis: Legitimate interest pursuant to Art. 6(1)(f) GDPR (account security and fraud detection). This data is not shared with third parties. To request deletion of all login entries, contact: info@picoftheday.shop.

2.10 Feedback feature (photographers)

Registered photographers can submit feedback, improvement suggestions, feature requests, or bug reports via the feedback form in the dashboard. The following data is processed:

  • Message content (max. 2,000 characters)
  • Category (General feedback, Feature request, Improvement, Problem / Bug)
  • Timestamp of submission
  • Link to the photographer profile (for internal processing)

Feedback messages are used exclusively internally for product improvement and are not shared with third parties. Feedback is not answered directly; a ticket system is available for support and assistance. To request deletion of submitted feedback, contact: info@picoftheday.shop.

Legal basis: Legitimate interest pursuant to Art. 6(1)(f) GDPR (product development and quality improvement).

3. Recipients & data processors

We use the following service providers as data processors for the operation of the platform:

  • netcup GmbH, Daimlerstraße 25, 76185 Karlsruhe, Germany — Server hosting / database
  • Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen, Germany — Cloud infrastructure / data storage
  • Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA — CDN, DDoS protection, DNS. Bound by a DPA per Art. 28 GDPR. Requests may be routed via servers outside the EU; Cloudflare processes only connection data (IP addresses, request metadata). Transfer to the USA based on EU Standard Contractual Clauses (Art. 46(2)(c) GDPR).
  • Mollie B.V., Keizersgracht 126, Amsterdam, Netherlands — Payment processing
  • Printful Inc., 11025 Westlake Dr, Charlotte, NC 28273, USA — Print production and shipping (only when a print product is ordered). Transfer to the USA based on EU Standard Contractual Clauses (Art. 46(2)(c) GDPR). DPA pursuant to Art. 28 GDPR in place.
  • Komoot GmbH, Schönhauser Allee 10, 10119 Berlin, Germany — Address autocomplete via Photon (photon.komoot.io) during the order process. Only address search queries are transmitted; no personal data is permanently stored. Server location: EU.

Data processing agreements under Art. 28 GDPR are in place with all processors. All server locations for netcup and Hetzner are within the EU/EEA. For Cloudflare, Inc. and Printful Inc., data transfers to the USA are based on EU Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR.

4. Cookies & tracking

We use the following cookies:

CookiePurposeCategoryDuration
next-auth.session-tokenAuthentication (photographer login)NecessarySession / 30 days
NEXT_LOCALELanguage preferenceFunctional1 year
pot_sessionShopping cart / anonymous sessionFunctional24 hours

We do not use tracking or advertising cookies. No data is shared with third parties for advertising purposes.

5. Your rights

You have the right to:

  • Access your stored data (Art. 15 GDPR)
  • Rectification of inaccurate data (Art. 16 GDPR)
  • Erasure of your data, to the extent no statutory retention obligations apply (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Object to processing (Art. 21 GDPR)
  • Withdraw any consent given with effect for the future (Art. 7(3) GDPR)
  • Lodge a complaint with a supervisory authority (Art. 77 GDPR)

To exercise your rights, contact: info@picoftheday.shop

6. Data security

All data transfers are encrypted via HTTPS/TLS. Passwords are hashed using bcrypt (cost factor 12). Sensitive banking data such as IBANs is stored with access controls and never exposed in logs or public API responses. We implement state-of-the-art technical and organisational measures to protect your data.

7. Changes to this privacy policy

We reserve the right to update this privacy policy where required due to changes in the legal framework or changes to our services. The current version is always available at this URL.