Privacy Policy
Last updated: 2026-05-14
Data controller
Pikkot is currently operated as a sole proprietorship by Hsiu-Pen Lin (林修本), based in Taiwan, under the trade name "豐禾創研". The operator named here is the data controller for the purposes of GDPR, Taiwan PDPA (個資法), and equivalent regimes. Contact: fenghe.tech.studio@gmail.com.
EU/EEA representative (GDPR Art. 27): Pikkot has not yet appointed an EU/EEA representative. Until one is appointed and listed here, paid checkout from EU/EEA IP addresses is technically refused at the server level. EU/EEA visitors may still browse legal pages and contact us about data-subject requests via the email above. We will list the representative's name, address, and dedicated email on this page when appointment is completed.
1. What we collect
- Account data: email address, password hash (handled by our auth provider Supabase), tier, optional locale preference.
- Reference images: the photo you upload to seed each pack. Stored on Cloudflare R2.
- Generated artwork: stickers + main + tab images + zip bundle.
- Usage metadata: theme text you supply, set size, language, generation cost trace (tokens / images / duration per AI provider call).
- Payment data: handled by Lemon Squeezy (Merchant of Record) — we receive only the order id, subscription state, and amount; we never see card numbers, billing addresses for tax purposes, or other PII handled by Lemon Squeezy on the customer's behalf.
- Operational logs: server-side request logs (URL, status, IP for abuse detection) retained for 30 days. Optional client analytics via PostHog when enabled.
2. How we use it
- To run the service: route your reference image to AI providers and return artwork;
- To bill you for paid tiers and prevent quota abuse;
- To investigate abuse or support requests;
- To improve the product — aggregated or de-identified theme / style metadata may inform routing and quality work. Reference images and generated artwork are not used to train any model.
3. Third parties we share data with
For each provider below, we list the jurisdiction so you can assess the cross-border transfer. All transfers outside Taiwan fall under §6 of the Taiwan Personal Data Protection Act (個人資料保護法); we rely on Standard Contractual Clauses or each provider's TW/EU-aligned data processing agreement to keep your data protected. The full structured list — purpose, data categories, jurisdiction, safeguards — is on the Subprocessors page; we commit to 14 days' advance notice by email before adding any new processor that touches user-uploaded content.
- Anthropic (United States) — your reference image and theme text are sent to Claude models strictly for pack planning + moderation. Anthropic's data policy: anthropic.com/legal/privacy.
- Google Vertex AI (United States, regional) — sticker generation (Imagen / Gemini models). Per Google Cloud DPA.
- fal.ai (United States) — background-removal model runtime.
- OpenAI (United States) — listed on our Subprocessors page as reserved standby capacity; not currently in the active request path (no user data sent today).
- Supabase (Singapore — ap-southeast-1) — auth + Postgres database. Per Supabase's DPA at supabase.com/legal/dpa.
- Cloudflare R2 (global CDN, primary region: Asia-Pacific) — image / zip storage.
- Lemon Squeezy (United States) — payment processing as Merchant of Record. They sell to you, we sell to them. Global VAT/sales tax compliance under lemonsqueezy.com/privacy.
- Resend (United States) — transactional email (sign-up confirmation, pack-ready, refund notice).
- Vercel (United States) — hosting + edge runtime.
- Inngest (United States) — workflow orchestration (background pack generation).
- Sentry, PostHog, Axiom (United States) — error tracking + product analytics (consent-gated) + log shipping.
We do not sell your data and do not share it with advertisers. If you reside in Taiwan, the EU/EEA, or another jurisdiction with a cross-border consent requirement, you have the right to object to these transfers — contact us within 30 days of sign-up and we'll delete your account data instead.
4. Retention
- Reference images on paid tiers: deleted 30 days after upload.
- Generated artwork on paid tiers: retained while your account is active. When you delete your account, generated artwork (and the R2 zip bundles) are deleted as part of the deletion flow, typically within minutes. In any case the deletion completes within 30 days of your request.
- Account record: retained while active. On account deletion, personal data is purged within 30 days; usage / payment metadata is anonymised and retained for accounting (see transactions below).
- Transactions and subscription history: retained for 5–7 years after the original payment to satisfy applicable tax and commercial-records law (Taiwan 商業會計法 §38 requires 5 years for electronic records; we apply 7 years to align with common tax-audit windows and where local law requires longer). After account deletion the linked user identifier is anonymised; the transaction amount, date, and order id remain so we can prove the transaction occurred to tax authorities or Lemon Squeezy. We legally cannot delete these earlier.
- Audit logs (account.deleted, account.data_exported, content moderation rejections): retained for 1 year, or longer if required for active security investigations or regulatory inquiries, as compliance evidence under GDPR Art. 5(2) (accountability) and Taiwan PDPA §27. After the retention period the row is purged; the audit row's link to the user is set to null on account deletion.
- Consent records (consent.oneshot_checkout, consent.subscription_checkout): retained for 7 years after the relevant transaction, or for at least 3 years and 1 year after subscription termination where California's Automatic Renewal Law (BPC §17602) applies, whichever is longer. Each record carries the consent text version, locale, SHA-256 hash of the displayed text, SKU, price, HMAC-fingerprinted IP, and user agent — enough to prove what you saw and agreed to without storing your raw IP. After account deletion the user-id link is set to null; the consent evidence itself remains.
- Webhook events (payment provider deduplication): currently retained indefinitely; we plan to age out rows older than 90 days once a retention cron lands. Contains no personal data — only the SHA-256 hash of the verified provider body.
5. Your rights
You may at any time:
- Access your account data via the dashboard;
- Request a data export by emailing us;
- Delete your account from settings (purges all reference images + artwork);
- Object to processing or restrict processing — contact us; we'll respond within 30 days.
6. Cookies
We use first-party cookies for authentication (Supabase session) and, when consented to, first-party PostHog analytics. We do not use third-party advertising cookies.
7. International transfers
Your data may be processed in regions including Asia-Pacific (Singapore — ap-southeast-1, where Supabase hosts the database), the United States (Vercel, Inngest, Anthropic, Lemon Squeezy, Resend) and globally distributed CDNs (Cloudflare). We rely on Standard Contractual Clauses and, where applicable, on the EU-US Data Privacy Framework certification held by the relevant US processor.
8. Security
Passwords are hashed by Supabase Auth (bcrypt). All transport is HTTPS. R2 + database access is via signed credentials never exposed to the client. We do not encrypt at rest beyond what Supabase / R2 provide as defaults.
9. Children
Pikkot is not intended for users under 18. We do not knowingly collect data from minors. If you believe a minor has signed up, contact us and we'll remove the account.
10. Changes to this policy
Material changes are communicated by email at least 14 days before they take effect. Continued use constitutes acceptance.
11. Contact
Privacy questions: fenghe.tech.studio@gmail.com. For users in the EU, you also have the right to lodge a complaint with your local supervisory authority.
This Privacy Policy is a starting template. Consult a lawyer before relying on it in production — GDPR / CCPA / Taiwan PDPA each have specific notice and consent requirements.