Legal

Privacy & Image Use

Last updated: May 2026 · Applies to picta.uk

1. Who We Are

This service is operated by Picta (“we”, “us”, “our”), based in the United Kingdom. We are the data controller for the personal data processed through this platform.

If you have any questions about this notice or how we handle your data, please contact us at hello@picta.uk.

2. What Data We Collect

When you use Picta to upload event photos, we may collect and process the following:

The photographs and images you upload, which may include images of identifiable individuals
Metadata embedded within image files (such as date, time, and device information stored in EXIF data)
The event code you enter to access the upload page
Basic technical data such as your IP address and browser type, retained in server logs for security and troubleshooting purposes

We do not collect your name, email address, or any other directly identifying information unless you choose to provide it.

3. How We Use Your Data

The photographs you upload are processed for the following purposes:

Storage in a secure cloud storage environment (Cloudflare R2) accessible only to the event organiser
Display within the private, PIN-protected event gallery
Use by the event organiser in accordance with Section 5 (Image Use & Licence) below

Server log data is used solely for the purposes of maintaining the security and performance of the platform and is not used for marketing or profiling.

4. Legal Basis for Processing

We process your personal data on the following legal bases under the UK General Data Protection Regulation (UK GDPR):

Consent (Article 6(1)(a)): By uploading images to this platform, you are providing your consent for us to store and use those images in accordance with this notice. You may withdraw your consent at any time by contacting us.
Legitimate Interests (Article 6(1)(f)): We process technical data such as IP addresses and server logs where it is in our legitimate interests to maintain the security and integrity of the platform.

5. Image Use & Licence

This section sets out the terms on which we may use the images you upload. Please read it carefully.

By uploading images to this platform, you grant us a non-exclusive, perpetual, worldwide, royalty-free licence to use, reproduce, edit, adapt, publish, distribute, and display those images for any lawful purpose. This includes, but is not limited to, use in promotional materials, social media, marketing campaigns, portfolios, press releases, and other commercial or non-commercial communications, whether in print or digital form.

You confirm that you have the right to grant this licence — either because you took the photographs yourself, or because you have obtained the necessary permissions from the photographer or rights holder.

Where images depict identifiable individuals other than yourself, you confirm that those individuals have consented to their image being shared and used in this manner. We recommend that event organisers make this privacy notice available to all attendees prior to the event.

We will always use images in a manner that is respectful and lawful. We will not sell or license your images to third parties for their independent commercial use without your explicit consent.

If you wish to withdraw consent for the use of your images after upload, please contact us at hello@picta.uk. We will make reasonable efforts to remove images from any materials in which they have been used, where this is practicable.

6. Image Processing & Compatibility

To ensure fast, reliable delivery and to manage storage responsibly, images uploaded through the standard Picta plan are automatically processed in your browser before transmission. This processing may include resizing, compression, rotation correction, and conversion to a web-compatible format, and is applied client-side — in your browser — before any data is sent to our servers. Where technical constraints prevent processing of a particular file, the image may be transmitted and stored without modification.

This processing is entirely mechanical. No human review, creative input, or editorial judgement is applied at any stage. Picta does not acquire any authorship, ownership, or intellectual property rights over uploaded images as a result of this processing. The copyright in all uploaded images remains with the original rights holder.

Standard plan: Images are resized and compressed where possible before upload. The processed version is the version stored, shared, and available for download from your gallery. The degree of processing applied depends on the image format and the capabilities of your browser.

Premium plan (coming soon): A premium tier will be offered that preserves the full original resolution of every uploaded image, with no client-side compression applied. Full-resolution images are stored and served directly from Cloudflare R2. If you require full-resolution archiving, please contact us at hello@picta.uk to enquire about premium availability.

File format compatibility. We accept images in common formats including JPEG, PNG, WEBP, GIF, and HEIC/HEIF. Not all file formats are universally supported across all browsers, devices, and operating systems. Picta accepts no liability for any image that cannot be displayed, downloaded, or processed due to format incompatibility on the viewer's device, browser, or operating system. Where an image does not display correctly in the gallery, we recommend downloading the file and opening it locally with a compatible application. We also accept no liability for any loss of image quality, metadata, or embedded data resulting from the processing described above, including any loss of location data, timestamps, or other EXIF information.

7. Third Parties

We share data with the following third parties:

Cloudflare, Inc. — our infrastructure provider. All image storage, database, and compute services run on Cloudflare’s global network (Workers, R2, D1). Cloudflare’s privacy policy is available at cloudflare.com/privacypolicy

We do not sell, rent, or trade your personal data to any other third parties.

8. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

Right of access — you may request a copy of the personal data we hold about you
Right to rectification — you may ask us to correct inaccurate data
Right to erasure — you may ask us to delete your personal data in certain circumstances
Right to restriction — you may ask us to restrict how we process your data
Right to data portability — you may request a copy of your data in a portable format
Right to object — you may object to processing based on legitimate interests
Right to withdraw consent — where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, please contact us at hello@picta.uk. We will respond within one month as required by law.

If you are unsatisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.

Terms of Use

The following sections form the terms on which this platform is provided.

1. Data Retention & Deletion

We are committed to retaining uploaded photographs for the shortest time necessary and in accordance with UK GDPR’s storage limitation principle.

Standard retention period: All photographs uploaded through Picta are held in active storage for 7 days from the event’s official end date. During this period the gallery is accessible and photos can be downloaded. After 7 days, individual photos are automatically compiled into a single archive and moved to cold storage for a further 7 days, during which a single download link remains available to the organiser. After this second 7-day period, all photographs are permanently and irreversibly deleted from all storage. This includes deletion from Cloudflare R2 storage and any server-side caches.

Retention beyond this period occurs only in the following circumstances:

Licence use: Where we have selected one or more photographs for use under the licence granted in Section 5 (Image Use & Licence) — for example for advertising, portfolio, marketing, or promotional purposes — those specific photographs may be retained indefinitely for as long as we continue to exercise that licence. This is a lawful basis for extended retention under UK GDPR Article 6(1)(f) (legitimate interests). You will have been made aware of this right at the time of upload through this notice.
Organiser request: The event organiser has explicitly requested extended retention in writing prior to the event end date
Legal obligation: Retention is required to comply with a legal obligation, including a lawful request from a law enforcement agency or court order under applicable UK law
Legal claims: Retention is necessary for the establishment, exercise, or defence of legal claims

Event organiser personal data: Where an event is booked through this platform, the organiser’s personal data (name, address, telephone number, email address, and IP address) is collected for legal compliance purposes and stored in encrypted form. This data is automatically and permanently deleted one month after the event’s end date. The legal basis for this processing is Article 6(1)(c) UK GDPR (legal obligation) and Article 6(1)(f) (legitimate interests — protection against fraud, illegal activity, and to respond to lawful requests from authorities). Organiser data is never shared with third parties except where required by law.

Server access logs are retained for a maximum of 30 days for security and operational purposes, after which they are permanently deleted.

If you wish to request early deletion of your uploaded photographs, please contact us at hello@picta.uk. We will action deletion requests within 5 working days. Please note that where images are being retained under the licence described above, we may be unable to action deletion requests in relation to those specific images, though we will always respond to explain the position.

2. Organiser Responsibilities

Picta is a technology platform providing photo upload and storage infrastructure. The service is provided to event organisers (“Organisers”) who deploy it for use at their events. By using this platform, Organisers acknowledge and agree to the following:

The Organiser is solely responsible for informing event attendees that a photo upload service is in use at the event and for obtaining any necessary consents from those attendees
The Organiser is solely responsible for ensuring that the use of this platform at their event complies with all applicable laws, including UK GDPR, the Data Protection Act 2018, the Online Safety Act 2023, and any other relevant legislation
The Organiser is solely responsible for the content of any photographs uploaded to their event gallery, including ensuring that uploaded content does not infringe the rights of any third party
The Organiser accepts full responsibility for any activities, incidents, or occurrences at events at which this platform is used. Picta accepts no liability whatsoever for events, activities, or outcomes occurring at or in connection with any event
The Organiser is responsible for keeping their event access code, gallery PIN, and admin credentials confidential and for any consequences arising from their unauthorised disclosure
The Organiser agrees not to use this platform to store, process, or distribute any content that is unlawful, harmful, defamatory, obscene, or otherwise prohibited under this policy

Picta reserves the right to suspend or terminate access to the platform for any Organiser who breaches these responsibilities, without notice and without liability.

2a. Acceptable Use

The following content is strictly prohibited on this platform. Uploading, storing, or distributing any of the following will result in immediate removal, account termination, and — where required by law — referral to the appropriate authorities:

Any content that is illegal under the laws of England and Wales, including content that constitutes a criminal offence under any applicable statute
Content depicting or facilitating the sexual abuse or exploitation of children, including any image, video, or material of a sexual nature involving a person under the age of 18
Evidence of assault, violence, or criminal activity — where content appears to depict an unlawful act, we reserve the right to preserve the content and refer the matter to law enforcement without prior notice to the Organiser
Non-consensual intimate imagery — any photograph or video of a person in a state of undress or engaged in intimate activity without their explicit consent
Content promoting, glorifying, or facilitating terrorism, extremism, or political violence
Harassment, targeted abuse, or threatening content directed at any identifiable individual
Defamatory content — material that makes false statements of fact likely to damage the reputation of an identifiable individual or organisation
Content that infringes the intellectual property rights of any third party, including copyright in photographs taken by professional photographers
Content that violates the privacy of any individual, including photographs taken in circumstances where a reasonable expectation of privacy exists

Reporting: A Report button is available on all gallery pages. Anyone who believes content on this platform breaches this policy is encouraged to use it. All reports are reviewed promptly. For urgent concerns involving child safety or serious criminal content, reporters are directed to the relevant authorities. Reports can also be submitted directly to us at legal@picta.uk.

By completing a booking, the Organiser warrants that they will take all reasonable steps to prevent prohibited content from being uploaded through their event and that they will cooperate fully with any investigation arising from content uploaded to their event gallery. The Organiser accepts personal liability for content uploaded through their event code.

White-label and partner operators using Picta’s infrastructure under a licence agreement are themselves responsible for ensuring compliance with this Acceptable Use Policy within their own platform. Each licensee must maintain their own acceptable use policy for their end users that is consistent with, and no less restrictive than, this policy. Picta reserves the right to terminate any licence agreement immediately and without liability where a licensee fails to enforce this policy.

3. Cancellation & Refunds

This service is provided digitally and delivery begins immediately upon booking confirmation, at which point an event is created and the platform is made available to you. By completing your booking you expressly consent to immediate delivery of the digital service and acknowledge that your statutory right to cancel under the Consumer Contracts Regulations 2013 is waived from that point.

No refunds will be issued once a booking has been confirmed, as digital service delivery commences immediately. Where an event has not yet commenced and no photographs have been uploaded, we may at our sole discretion offer a credit note or transfer to an alternative event date, provided the request is made more than 48 hours before the event start date and is submitted in writing to hello@picta.uk.

In the event of a payment dispute raised through your card provider or bank, we reserve the right to provide evidence of service delivery — including booking records, account activity, and usage data — to the relevant financial institution in order to contest the dispute. This processing is carried out under Article 6(1)(f) UK GDPR (legitimate interests — protection against fraudulent chargebacks).

4. Transaction Evidence

At the point of booking, we automatically compile a tamper-evident record of the transaction. This record includes the booking timestamp, the IP address from which the booking was made, the email address provided, confirmation of the event created, and a log of subsequent service activity (uploads, gallery access). This record is stored in encrypted form and is used solely for the purpose of evidencing service delivery in the event of a payment dispute.

This evidence record is automatically and permanently deleted 14 days after the event end date, in line with our standard event data retention policy, unless a payment dispute is active at that time. Where a dispute is active, the evidence record is retained until the dispute is resolved, after which it is immediately deleted.

The legal basis for this processing is Article 6(1)(f) UK GDPR (legitimate interests — fraud prevention and protection of legal claims).

5. Client Account Retention

Client accounts registered on this platform are subject to the following retention and deletion policy:

Active accounts: accounts where the user has logged in or completed a booking within the last 3 months are considered active and are retained normally
Dormant warning: after 3 months of inactivity, the registered email address will receive an automated notification advising that the account has become dormant and inviting the user to log in to keep it active
Cold storage: dormant accounts are suspended after 3 months. Account data is retained in a restricted state for a further 9 months, during which the account cannot be used but can be reactivated by contacting us at hello@picta.uk
Deletion: after a total of 12 months of inactivity, the account and all associated personal data is permanently and irreversibly deleted. A final notification is sent 14 days before deletion
Exception: accounts with a booking completed within the last 12 months are retained for a minimum of 12 months from that booking date regardless of login activity, to allow for resolution of any payment disputes

You may request deletion of your account at any time by contacting us at hello@picta.uk. We will complete deletion within 30 days, subject to any active payment disputes or legal obligations requiring retention.

6. Law Enforcement & Legal Requests

We may be required by law to disclose data to law enforcement agencies, courts, or other public authorities. We will comply with lawful requests from UK authorities made under applicable legislation, including the Investigatory Powers Act 2016 and the Police and Criminal Evidence Act 1984.

We will only disclose the minimum data required to satisfy the lawful request. Where permitted by law, we will notify the affected user that a request has been made.

What we can confirm to law enforcement: Following the completion of the data retention periods described in this notice, we do not retain event photographs, guest upload data, or event-specific personal data. We retain client account registration data for up to 12 months of inactivity. Cloudflare, our infrastructure provider, retains server access logs independently for up to 30 days; these are outside our direct control and may be subject to separate legal requests made directly to Cloudflare.

7. Limitation of Liability

To the fullest extent permitted by applicable law, Picta:

Accepts no liability for any loss, damage, or harm arising from the use or inability to use this platform, including but not limited to loss of photographs, data, or business
Accepts no liability for the conduct, actions, omissions, or decisions of any event organiser or event attendee
Accepts no liability for the content of photographs uploaded by users, or for any infringement of third-party rights arising from such content
Accepts no responsibility for the availability, accuracy, or continuity of third-party infrastructure services used by the platform, including Cloudflare
Makes no warranty, express or implied, that the platform will be available at all times, error-free, or fit for any particular purpose

Nothing in this notice excludes or limits liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, or any other liability that cannot lawfully be excluded or limited under English law.

This platform is governed by and construed in accordance with the laws of England and Wales. Any disputes arising in connection with this platform shall be subject to the exclusive jurisdiction of the courts of England and Wales.

8. Cookies & Tracking

This platform uses a single item of local storage to remember your preferred colour theme (light or dark mode). This is a functional preference only and does not track, identify, or profile you in any way. No third-party cookies or tracking scripts are used on this platform.

9. Changes to This Notice

We may update this privacy notice from time to time to reflect changes in the law or our practices. Where changes are material, we will update the “Last updated” date at the top of this page. We encourage you to review this notice periodically.

This notice is provided as a general framework. You should seek independent legal advice to ensure it meets the specific requirements of your business and the applicable law in your jurisdiction.