Privacy Policy

This Privacy Policy ("Policy") describes how PicaDeck ("PicaDeck," "we," "us," or "our") collects, uses, shares, and protects your personal information when you use our visual database schema management platform, including our website, applications, and all related services (collectively, the "Service").

By accessing or using the Service, you consent to the practices described in this Policy. If you do not agree with this Policy, please do not use the Service. This Policy should be read in conjunction with our Terms of Service.

2.1 Information You Provide

• Account Information: When you register, we collect your name, email address, and password (stored in hashed form). You may optionally provide a profile display name.
• Organization & Team Data: If you create or join an organization, we collect the organization name, member roles, and team structure information.
• Schema Content: The database schemas, tables, columns, relationships, and other content you create or import through the Service.
• Payment Information: When you subscribe to a paid plan, payment details are collected and processed directly by our payment processor, Paddle. We do not store your full credit card number, bank account details, or other sensitive payment credentials on our servers.
• Communications: When you contact us for support or feedback, we collect the content of your communications along with your email address.

2.2 Information Collected Automatically

• Usage Data: We collect information about how you interact with the Service, including features used, pages visited, actions taken (e.g., creating projects, committing changes), and timestamps.
• Device & Browser Information: We collect device type, operating system, browser type and version, screen resolution, and language preferences.
• IP Address & Location: We collect your IP address, which may be used to determine your approximate geographic location for analytics and security purposes.
• Log Data: Our servers automatically record information including your IP address, request timestamps, URLs visited, and referring pages.
• Cookies & Similar Technologies: We use cookies and similar technologies to maintain your session, remember your preferences (such as theme settings), and improve the Service. See Section 6 for details.

We use the information we collect to:

• Provide and maintain the Service: Hosting your schemas, managing your account, processing your requests, and delivering the core features of the platform.
• Process transactions: Managing your subscription, processing payments through Paddle, and sending billing-related communications.
• Improve the Service: Analyzing usage patterns to identify bugs, optimize performance, and develop new features.
• Communicate with you: Sending account-related notifications, security alerts, support responses, and (optionally) product updates. You can opt out of non-essential communications at any time.
• Ensure security: Detecting and preventing fraud, abuse, and unauthorized access to the Service.
• Comply with legal obligations: Meeting applicable legal requirements and responding to lawful requests.

We will not use your schema content or project data for purposes unrelated to providing the Service, such as training machine learning models, selling data, or advertising.

We do not sell, rent, or trade your personal information. We may share your information in the following limited circumstances:

4.1 With Your Team

When you join or create an organization, certain information (your name, email, role, and activity) is visible to other members of that organization as necessary for collaboration. Project and schema data is shared with team members who have appropriate access permissions.

4.2 Service Providers

We share information with trusted third-party service providers who assist us in operating the Service, subject to confidentiality agreements. These providers are authorized to use your information only as necessary to provide services to us. See Section 5 for a list of our service providers.

4.3 Legal Requirements

We may disclose your information if required by law, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.

4.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.

4.5 With Your Consent

We may share your information for other purposes with your explicit consent.

We use the following third-party services to operate the platform. Each service has its own privacy practices:

We encourage you to review the privacy policies of these third-party services to understand their data practices.

6.1 What We Use

• Essential Cookies: Required for authentication and session management. These cannot be disabled as they are necessary for the Service to function.
• Preference Cookies: Store your settings such as theme preference (light/dark mode), canvas zoom level, and layout preferences.
• Local Storage: Used to persist application state such as theme settings and temporary editor data for performance optimization.

6.2 What We Don't Use

We do not use third-party advertising cookies or cross-site tracking technologies. We do not serve ads, and we do not track your browsing activity across other websites.

6.3 Managing Cookies

You can control cookies through your browser settings. Please note that disabling essential cookies may prevent you from using certain features of the Service.

We take the security of your data seriously and implement industry-standard measures to protect it:

• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
• Encryption at Rest: Your data stored in our databases is encrypted at rest.
• Password Security: Passwords are hashed using bcrypt with salt, ensuring we never store plaintext passwords.
• Access Controls: We implement role-based access controls within our systems and limit employee access to personal data on a need-to-know basis.
• Session Management: Sessions are secured with JWT tokens and expire automatically.

While we strive to protect your personal information, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee its absolute security, but we are committed to promptly addressing any security incidents.

We retain your information as follows:

• Account Data: Retained for the duration of your account. Upon account deletion, personal data is removed within 30 days, except where retention is required by law.
• Schema & Project Data: Retained as long as your account is active. Deleted projects and schemas are soft-deleted (marked as inactive) and permanently removed after 30 days.
• Billing Records: Retained for up to 7 years to comply with tax and accounting regulations, as required by law.
• Server Logs: Retained for up to 90 days for security and debugging purposes, then automatically purged.
• Communication Records: Support tickets and correspondence are retained for up to 2 years.

Depending on your location, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate or incomplete personal information.
• Deletion: Request deletion of your personal information, subject to legal retention requirements.
• Data Portability: Export your schemas and project data at any time using the Service's built-in export features (SQL, Prisma, JSON formats).
• Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time.
• Object to Processing: Object to certain types of processing, such as direct marketing communications.
• Restriction: Request restriction of processing in certain circumstances.

To exercise any of these rights, please contact us at support@picadeck.com. We will respond to your request within 30 days.

For EU/EEA Residents (GDPR)

If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR). Our legal bases for processing include: performance of a contract (providing the Service), legitimate interests (improving the Service, ensuring security), and consent (where applicable). You have the right to lodge a complaint with your local data protection authority.

For California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights, including the right to know what personal information we collect and how it is used, the right to request deletion, and the right to non-discrimination for exercising your privacy rights. We do not sell personal information as defined under the CCPA.

The Service is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have inadvertently collected personal information from a child under 16, we will take steps to delete such information promptly. If you believe we may have collected information from a child under 16, please contact us at support@picadeck.com.

Your information may be transferred to and processed in countries other than your country of residence. Our service providers operate in various jurisdictions, including the United States and European Union. When we transfer your information internationally, we ensure appropriate safeguards are in place, such as standard contractual clauses or equivalent measures, to protect your data in accordance with applicable data protection laws.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Notify you by email or through a prominent notice on the Service at least 30 days before the changes take effect

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Policy. We encourage you to review this Policy periodically.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all privacy-related inquiries within 30 days.