This Privacy Policy explains how Pitturino ("we", "the Service") collects, uses, stores and shares personal data of users ("You", "the User") in accordance with the GDPR (Regulation (EU) 2016/679) and applicable national law.
1. Data Controller
The data controller is:
Pitturino
Email: privacy@pitturino.com
Website: pitturino.com
2. Data Collected and Purpose of Processing
2.1. Data provided directly by the User
| Data category | Purpose | Legal basis |
|---|---|---|
| Email address | Account creation, service communications | Performance of a contract (Art. 6.1.b GDPR) |
| Password (hashed) | Secure authentication | Performance of a contract |
| Name / display name | Personalization of the experience | Performance of a contract |
| Billing data (name, address) | Issuing invoices/receipts | Legal obligation (Art. 6.1.c GDPR) |
2.2. Data collected automatically
| Data category | Purpose | Legal basis |
|---|---|---|
| IP address | Security, abuse prevention | Legitimate interest (Art. 6.1.f GDPR) |
| Browser type, OS | Technical optimization of the Service | Legitimate interest |
| Visited pages and session duration | Usage analysis and Service improvement | Consent (Art. 6.1.a GDPR) |
| Log data (errors, timestamps) | Technical diagnostics and security | Legitimate interest |
2.3. Uploaded images and projects
Images uploaded by the User and saved projects (pixel art, paint-by-numbers) are processed solely to provide the Service. They are not analyzed for marketing purposes nor shared with third parties except as necessary to deliver the Service (cloud storage, server-side processing).
2.4. Payment data
Payment data (card number, IBAN, etc.) are never stored by Pitturino. Payments are handled directly by Stripe, Inc., a PCI-DSS certified payment processor. See Stripe's Privacy Policy at https://stripe.com/privacy.
3. Processing Methods
Personal data are processed using electronic and automated means, with appropriate technical and organizational measures to ensure security, integrity and confidentiality.
4. Data Retention
| Data category | Retention period |
|---|---|
| Account data | Until account deletion + 30 days |
| Billing and transaction data | 10 years (legal obligation) |
| Security and access logs | 12 months |
| User images and projects | Until project or account deletion |
| Analytics cookies | See Cookie Policy |
After account deletion, personal data are removed within 30 days, except for data we must retain by law (e.g., tax records).
5. Sharing with Third Parties
We do not sell, rent or lease users' personal data for marketing purposes. We share data only with the following processors necessary to provide the Service:
| Provider | Purpose | Privacy Policy |
|---|---|---|
| Supabase, Inc. (USA) | Database, authentication, storage | https://supabase.com/privacy |
| Stripe, Inc. (USA) | Payment processing | https://stripe.com/privacy |
| Vercel, Inc. (USA) | Hosting and CDN | https://vercel.com/legal/privacy-policy |
All providers operate under data processing agreements compliant with the GDPR and ensure adequate protection measures for transfers to third countries (Standard Contractual Clauses or adequacy decisions where applicable).
6. International Transfers
Some of our providers (Supabase, Stripe, Vercel) are based in the United States. Transfers are carried out on the basis of Standard Contractual Clauses (SCCs) and/or certifications under the EU-US Data Privacy Framework where applicable.
7. Data Subject Rights
Under Articles 15–22 of the GDPR, you have the right to:
- Access (Art. 15): Obtain confirmation whether personal data concerning you are being processed and receive a copy
- Rectification (Art. 16): Correct inaccurate or incomplete data
- Erasure (Art. 17): Request deletion of personal data (the "right to be forgotten")
- Restriction (Art. 18): Request limitation of processing in certain circumstances
- Portability (Art. 20): Receive your personal data in a structured, machine‑readable format
- Objection (Art. 21): Object to processing based on legitimate interest
- Withdraw consent: At any time, without affecting the lawfulness of processing prior to withdrawal
To exercise your rights, write to: privacy@pitturino.com. We will respond within 30 days of receipt. You also have the right to lodge a complaint with the competent supervisory authority.
8. Security Measures
We implement appropriate technical and organizational measures to protect personal data, including encryption in transit (TLS 1.2+), secure password hashing via Supabase, role‑based access controls, continuous monitoring, and regular backups.
9. Minors
The Service is not intended for persons under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child has created an account, contact us at privacy@pitturino.com to request removal.
10. Changes to this Privacy Policy
We may update this Privacy Policy. Material changes will be communicated by email or in‑app notice. The "Last updated" date at the top indicates the current version.
11. Contact
For questions about how we process your personal data:
Email: privacy@pitturino.com
Website: pitturino.com
© 2026 Pitturino. All rights reserved.