Pikkot

Legal · Privacy Policy

Privacy Policy

Last updated: 2026-05-11

Data controller

Pikkot is currently operated as a sole proprietorship by Hsiupen Lin, based in Taiwan, under the trade name "豐禾創研". The operator named here is the data controller for the purposes of GDPR, Taiwan PDPA (個資法), and equivalent regimes. Contact: hi@pikkot.com.

1. What we collect

  • Account data: email address, password hash (handled by our auth provider Supabase), tier, optional locale preference.
  • Reference images: the photo you upload to seed each pack. Stored on Cloudflare R2.
  • Generated artwork: stickers + main + tab images + zip bundle.
  • Usage metadata: theme text you supply, set size, language, generation cost trace (tokens / images / duration per AI provider call).
  • Payment data: handled by Lemon Squeezy (Merchant of Record) — we receive only the order id, subscription state, and amount; we never see card numbers, billing addresses for tax purposes, or other PII handled by Lemon Squeezy on the customer's behalf.
  • Operational logs: server-side request logs (URL, status, IP for abuse detection) retained for 30 days. Optional client analytics via PostHog when enabled.

2. How we use it

  • To run the service: route your reference image to AI providers and return artwork;
  • To bill you for paid tiers and prevent quota abuse;
  • To investigate abuse or support requests;
  • To improve the product — anonymised theme / style metadata may inform routing and quality work. Reference images and generated artwork are not used to train any model.

3. Third parties we share data with

For each provider below, we list the jurisdiction so you can assess the cross-border transfer. All transfers outside Taiwan fall under §6 of the Taiwan Personal Data Protection Act (個人資料保護法); we rely on Standard Contractual Clauses or each provider's TW/EU-aligned data processing agreement to keep your data protected. The full structured list — purpose, data categories, jurisdiction, safeguards — is on the Subprocessors page; we commit to 14 days advance email before adding any new processor that touches user-uploaded content.

  • Anthropic (United States) — your reference image and theme text are sent to Claude models strictly for pack planning + moderation. Anthropic's data policy: anthropic.com/legal/privacy.
  • Google Vertex AI (United States, regional) — sticker generation (Imagen / Gemini models). Per Google Cloud DPA.
  • fal.ai (United States) — background-removal model runtime.
  • OpenAI (United States) — reserved capacity for future features; not currently in the active request path.
  • Supabase (Singapore — ap-southeast-1) — auth + Postgres database. Per Supabase's DPA at supabase.com/legal/dpa.
  • Cloudflare R2 (global CDN, primary region: Asia-Pacific) — image / zip storage.
  • Lemon Squeezy (United States) — payment processing as Merchant of Record. They sell to you, we sell to them. Global VAT/sales tax compliance under lemonsqueezy.com/privacy.
  • Resend (United States) — transactional email (sign-up confirmation, pack-ready, refund notice).
  • Vercel (United States) — hosting + edge runtime.
  • Inngest (United States) — workflow orchestration (background pack generation).
  • Sentry, PostHog, Axiom (United States) — error tracking + product analytics (consent-gated) + log shipping.

We do not sell your data and do not share it with advertisers. If you reside in Taiwan, the EU/EEA, or another jurisdiction with a cross-border consent requirement, you have the right to object to these transfers — contact us within 30 days of sign-up and we'll delete your account data instead.

4. Retention

  • Free-tier reference images and artwork: auto-deleted 7 days after generation by a daily cron.
  • Reference images on paid tiers: deleted 30 days after upload.
  • Generated artwork on paid tiers: retained while your account is active plus 30 days after deletion, then purged.
  • Account record: retained while active. On account deletion, personal data is purged within 30 days; usage / payment metadata is anonymised and retained for accounting (see transactions below).
  • Transactions and subscription history: retained for 7 years after the original payment, to satisfy Taiwan's commercial-records retention requirement (商業會計法 §38). After account deletion the linked user identifier is anonymised; the transaction amount, date, and order id remain so we can prove the transaction occurred to tax authorities or Lemon Squeezy. We legally cannot delete these earlier.
  • Audit logs (account.deleted, account.data_exported, content moderation rejections): retained indefinitely as compliance evidence under GDPR Art. 5(2) (accountability) and Taiwan PDPA §27. The audit row's link to the user is set to null on account deletion; the action timestamp + outcome stay.
  • Webhook events (payment provider deduplication): currently retained indefinitely; we plan to age out rows older than 90 days once a retention cron lands. Contains no personal data — only the SHA-256 hash of the verified provider body.

5. Your rights

You may at any time:

  • Access your account data via the dashboard;
  • Request a data export by emailing us;
  • Delete your account from settings (purges all reference images + artwork);
  • Object to processing or restrict processing — contact us; we'll respond within 30 days.

6. Cookies

We use first-party cookies for authentication (Supabase session) and, when consented to, first-party PostHog analytics. We do not use third-party advertising cookies.

7. International transfers

Your data may be processed in regions including Asia-Pacific (Tokyo, where Supabase hosts the database), the United States (Vercel, Inngest, Anthropic, OpenAI, Lemon Squeezy, Resend) and globally distributed CDNs (Cloudflare). We rely on standard contractual clauses where applicable.

8. Security

Passwords are hashed by Supabase Auth (bcrypt). All transport is HTTPS. R2 + database access is via signed credentials never exposed to the client. We do not encrypt at rest beyond what Supabase / R2 provide as defaults.

9. Children

Pikkot is not intended for users under 18. We do not knowingly collect data from minors. If you believe a minor has signed up, contact us and we'll remove the account.

10. Changes to this policy

Material changes are communicated by email at least 14 days before they take effect. Continued use constitutes acceptance.

11. Contact

Privacy questions: hi@pikkot.com. For users in the EU, you also have the right to lodge a complaint with your local supervisory authority.

This Privacy Policy is a starting template. Consult a lawyer before relying on it in production — GDPR / CCPA / Taiwan PDPA each have specific notice and consent requirements.

Privacy Policy · Pikkot