Privacy Policy

Effective Date: 4 May 2026

Picmail, based in Hyderabad, India

At Picmail, based in Hyderabad, India (“Picmail,” “we,” “our,” or “us”), your privacy is a priority. This Privacy Policy explains how we collect, use, share, and protect personal information when you use our mobile application and related services (together, the “Services”).

This Policy applies to all users of Picmail. By using the Services, you acknowledge that you have read and understood this Policy.

1. Information We Collect

We collect information directly from you, automatically when you use the Services, and from the third-party integrations (specifically Google and Apple) you choose to enable.

a. Information You Provide

Account Data: When you sign in via Google or Apple, we receive your name, email address, and authentication tokens to manage your session.
Communications with us: Any correspondence you send us, including support requests and feedback via support@picmail.app.
Preferences:Settings such as your “Glimmer” image style preference.

b. Information We Collect Automatically

Device Information: IP address, device type, operating system, and unique device identifiers collected via Firebase and standard system logs.
Usage Data: Logs of when you sync your emails, which features you interact with, and general activity within the application.
Troubleshooting Logs: Technical logs generated during the image generation process, which are retained for a maximum of 30 days to ensure service reliability.

c. Information from Third Parties

Connected Gmail Account: When you link your Gmail account, we access restricted scope data (gmail.readonly). This includes email metadata (sender, recipient, subject, timestamp) and email content (body and preview text). This data is accessed solely to provide the core AI image generation feature.
Google API Limited Use Statement:Picmail's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Contacts: We do not currently sync or store your contacts unless you explicitly interact with features that require them.

2. How We Use Your Information

We use personal information only for legitimate purposes, including:

AI-Powered Image Generation: We process the content of your emails (Subject and Body) to power our core feature: generating artistic images that represent your messages. This processing is performed via Vertex AI (Google Cloud).
Limited Use Disclosure: We only read and transmit your email content to deliver the image generation service. We do not use this data for any other purpose, such as marketing, or to develop, improve, or train generalized AI or machine learning models.
Qualified No-Human Access: No human will read your emails, except as required by law, to investigate a security incident, or to fulfill a specific user-requested support task.
Provide and Operate the Services: Synchronizing your generated images across devices using Firebase Firestore.
Communicate with you: Sending service updates, support responses, and account-related notices.
Security and Compliance: Fraud prevention, detecting abuse, and complying with our legal obligations under GDPR and DPDPA, and the security requirements of CASA.

Legal Bases for Processing (GDPR Art. 13)

We process your personal data on the following bases:

(a) Contract Performance (Art. 6(1)(b)): To deliver the core AI image generation service you have signed up for.
(b) Legitimate Interests (Art. 6(1)(f)): For fraud prevention, security monitoring, and maintaining service reliability.
(c) Legal Obligation (Art. 6(1)(c)): Where required by applicable law (e.g., court orders or tax obligations).

3. How We Share Information

We share personal information only in limited circumstances:

Service Providers and Subprocessors: We work with Google LLC (Firebase and Vertex AI) for infrastructure and AI functionality. We also integrate Apple Inc. for Apple Sign-In authentication; Apple processes authentication data as an independent controller subject to Apple's Privacy Policy.
Legal Purposes: If required by law, subpoena, or government request (e.g., from the Data Protection Board of India or a court of law), or to protect the safety and rights of Picmail and our users.
Business Transfers: In the event of a merger, acquisition, or asset sale, your information may be transferred to a successor entity.

We do not sell your personal information, and we do not share it with third parties for advertising purposes.

4. Data Retention and Deletion

We retain personal information only as long as necessary to provide the Services, comply with our legal obligations, and enforce agreements.

Retention Schedule

Account Identity and Authentication Data: Retained for the duration of your active account.
Transient Email Data: Raw email content (body text) sent for AI image generation is processed in memory only and is not permanently stored beyond the generation lifecycle, subject to the 30-day troubleshooting logs in Section 1b.
AI-Generated Images and Metadata: Retained until account deletion.
Usage and Device Logs: Retained for up to 90 days.
Troubleshooting Logs: 30 days (see Section 1b).
Account Deletion: If you use the in-app “Delete My Data” feature, we immediately and permanently delete your account identity (Firebase Auth), all associated database records (Firestore), and server-side assets. Local data cached on your device is also wiped. Following deletion, residual backups are purged within 30 days.

5. Your Privacy Choices and Rights

Depending on your location (e.g., EU/EEA or India), you have specific rights under the GDPR and the Digital Personal Data Protection Act, 2023 (DPDPA):

Access and Portability:Request a copy of your personal data. You can use our in-app “Export Data” feature to receive a JSON file of your information.
Correction and Deletion: Request that we correct inaccurate data or delete your account.
Right to Restrict / Terminate:You may disconnect your Gmail account at any time through the in-app settings. Doing so will stop all future processing of your email data, but will not retroactively delete previously generated images unless you also use the “Delete My Data” feature.
Right to Object: Where we process your data based on legitimate interests (Art. 6(1)(f)), you have the right to object to that processing at any time. To do so, contact us at support@picmail.app. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Lodge a Complaint: You have the right to contact a supervisory authority (such as an EU Data Protection Authority or the Data Protection Board of India).

To exercise these rights, contact us at support@picmail.app.

6. Security Measures

We implement the strict security safeguards required by the Cloud Application Security Assessment (CASA). This includes encryption of data in transit and at rest, and secure handling of restricted Google API tokens. While we strive to protect your information, no system is completely secure, and we cannot guarantee absolute security.

7. International Users

Picmail is based in Hyderabad, India. We utilize Firebase and Google Cloud servers which may be located in the United States or other regions.

EU/EEA Users: Transfers are governed by Standard Contractual Clauses (SCCs) to ensure a high level of data protection.
Indian Users: We rely on the contractual protections provided by our processors pending finalization of cross-border transfer rules under the DPDPA.

8. Children's Privacy

Our Services are not directed to minors. Age thresholds vary by jurisdiction:

Global: We do not knowingly collect data from children under 13.
EU/EEA Users: We do not knowingly collect data from children under 16 without parental consent.
Indian Users: We do not knowingly collect data from individuals under 18 in accordance with the DPDPA 2023.

If you believe we have inadvertently collected such data, please contact us immediately at support@picmail.app.

9. Cookies and Tracking Technologies

Picmail does not use third-party advertising or tracking cookies. Any local storage used is essential for core functionality, such as maintaining your login session and caching email previews for performance.

10. California Residents' Privacy Rights (CCPA/CPRA)

While we are based in India, we respect the principles of the California Consumer Privacy Act (CCPA). We do not “sell” or “share” your personal information for cross-context behavioral advertising as defined by California law. You may exercise your rights to know, access, delete, and correct your data by emailing us at support@picmail.app.

11. Changes to This Policy

We may revise this Policy from time to time. If we make material changes, particularly to how we handle restricted scope data from Google, we will provide prominent notice within the application prior to the changes taking effect.

12. Contact Us and Grievance Redressal

If you have questions, concerns, or requests regarding this Policy, please reach out to us:

Picmail

Hyderabad, India

Email: support@picmail.app

Grievance Officer (DPDPA): For users in India, data protection complaints may be directed to our Grievance Officer at support@picmail.app. We will acknowledge complaints within 72 hours and resolve them within 30 days.