Privacy Policy
Effective Date: June 26th, 2025
This Privacy Policy (the “Policy”) outlines how PicPerf (“we,” “us,” or “our”) collects, uses, and protects personal information obtained from users (“you” or “user”) of the PicPerf website and services. We are committed to safeguarding your privacy and ensuring the confidentiality of your personal information in compliance with the General Data Protection Regulation (GDPR) and other applicable privacy laws.
Data Controller: Alex MacArthur, PicPerf
Contact Information: macarthur.me/contact
1. Information We Collect
Section titled “1. Information We Collect”a. Personal Information:
- Account Information: When you create an account, we collect your name and email address.
- Payment Information: Payment details are processed by Stripe. We do not store payment card information directly.
- Communication Data: Email addresses provided when requesting a website analysis or contacting support.
- Images: Photos and images you upload or provide URLs for optimization purposes.
b. Usage Information:
- Analytics Data: We collect non-personal information including browser type, device information, and usage patterns through Plausible Analytics (a privacy-focused service that doesn’t use cookies or store IP addresses).
- Performance Data: Technical data about image optimization requests and system performance (without personal identifiers).
- Website Interaction: Data about how you interact with our website and services through event tracking.
c. IP Address Policy: We do not log, store, or retain IP addresses in our systems. While IP addresses may be temporarily processed by our infrastructure providers (AWS, Cloudflare) for technical delivery purposes, PicPerf does not collect or store this information.
Legal Basis for Processing (GDPR Article 6):
- Consent: For marketing communications and non-essential analytics.
- Contract Performance: For providing our image optimization services.
- Legitimate Interests: For improving our services, fraud prevention, and security.
2. How We Use Your Information
Section titled “2. How We Use Your Information”a. Service Provision:
- Delivering and optimizing the PicPerf services you have requested
- Processing images and managing your account
- Providing customer support and technical assistance
- Processing payments and handling billing
b. Communication:
- Sending service-related announcements and account updates
- Responding to your inquiries and support requests
- Sending marketing communications (only with your explicit consent)
- Providing analysis results and reports
c. Service Improvement:
- Analyzing usage patterns to improve our services
- Conducting research and development
- Ensuring service security and preventing fraud
3. Data Sharing and Third-Party Services
Section titled “3. Data Sharing and Third-Party Services”GDPR Compliance Summary: PicPerf acts as a data processor for business customers. We maintain comprehensive Data Processing Agreements (DPAs) and provide full transparency about our sub-processors and their locations to ensure GDPR compliance.
a. Third-Party Service Providers: We share your information with trusted third-party providers who assist us in operating our services:
- Stripe: Payment processing (United States, Ireland) - Subject to Stripe’s privacy policy and GDPR compliance measures
- AWS (Amazon Web Services): Image transformation, optimization, and storage (United States, Europe) - GDPR-compliant infrastructure with appropriate data processing agreements
- Cloudflare: Caching, image storage, and CDN services (Global network with EU presence) - Privacy-focused infrastructure with GDPR compliance measures
- Plausible Analytics: Privacy-focused website analytics (European Union) - Does not process IP addresses or personal data
Data Processing Agreement: For business customers who integrate PicPerf into their websites, we act as a data processor. We provide Data Processing Agreements (DPAs) upon request that include:
- Details of processing activities
- Sub-processor information and locations
- Security measures and incident response procedures
- Data subject rights fulfillment procedures
All third-party providers are contractually bound to protect your information and use it only for the specified purposes.
b. Data Transfers: Some of our service providers may be located outside the European Economic Area (EEA). We ensure appropriate safeguards are in place for international data transfers, including:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions by the European Commission
- Other legally recognized transfer mechanisms
c. Legal Requirements: We may disclose your information if required by law or in response to valid legal requests from public authorities.
3A. GDPR Compliance for Business Customers
Section titled “3A. GDPR Compliance for Business Customers”When You Use PicPerf on Your Website: If you integrate PicPerf into your website, you remain the data controller, and PicPerf acts as your data processor. Here’s what this means for GDPR compliance:
IP Address Handling:
- PicPerf does not log, store, or retain visitor IP addresses
- IP addresses may be temporarily processed by our infrastructure (AWS, Cloudflare) for technical delivery only
- No IP address data is accessible to or retained by PicPerf
Sub-Processor Transparency: Our complete list of sub-processors and their locations:
- Stripe (United States/Ireland) - Payment processing only
- AWS (United States/Europe) - Image processing and storage infrastructure
- Cloudflare (Global/United States) - CDN and caching services
- Plausible Analytics (European Union) - Privacy-focused analytics for our own website only
Data Processing Agreement (DPA): We provide comprehensive DPAs for all business customers. To requset one, contact us at macarthur.me/contact with “DPA Request” in the subject line.
4. Data Retention
Section titled “4. Data Retention”a. Account Data: We retain your personal information for as long as your account is active or as needed to provide services to you.
b. Optimized Images: Images stored in cloud storage will remain available for up to one year following their processing even if you suspend or cancel your subscription. To request deletion, you must contact us directly.
c. Communication Data: Email addresses collected for site analysis are used only for sending results and are not permanently stored.
d. Analytics Data: Usage analytics are retained indefinitely for service improvement purposes.
e. Legal Obligations: We may retain certain information for longer periods when required by law or to resolve disputes and enforce our agreements.
Deletion: When data is no longer needed for its original purpose and there are no legal obligations to retain it, we will securely delete or anonymize it.
5. Your Rights Under GDPR
Section titled “5. Your Rights Under GDPR”If you are a resident of the European Union, you have the following rights regarding your personal data:
a. Right of Access: You can request information about the personal data we hold about you and receive a copy of that data.
b. Right to Rectification: You can request correction of inaccurate or incomplete personal data.
c. Right to Erasure (‘Right to be Forgotten’): You can request deletion of your personal data under certain circumstances.
d. Right to Restrict Processing: You can request that we limit how we use your personal data in certain situations.
e. Right to Data Portability: You can request a copy of your personal data in a structured, machine-readable format.
f. Right to Object: You can object to processing of your personal data based on legitimate interests or for direct marketing purposes.
g. Right to Withdraw Consent: Where processing is based on consent, you can withdraw your consent at any time.
h. Right to Lodge a Complaint: You can file a complaint with your local data protection authority if you believe we have violated your privacy rights.
To exercise these rights, contact us at macarthur.me/contact. We will respond to your request within 30 days.
6. Security Measures
Section titled “6. Security Measures”We implement appropriate technical and organizational measures to protect your personal information, including:
- Encryption of data in transit and at rest
- Regular security assessments and updates
- Access controls and authentication procedures
- Staff training on data protection practices
- Incident response procedures for data breaches
Data Breach Notification: In the event of a data breach that poses a high risk to your rights and freedoms, we will notify you within 72 hours as required by GDPR.
However, please be aware that no data transmission over the internet or electronic storage method is completely secure, and we cannot guarantee absolute security.
7. Cookies and Tracking
Section titled “7. Cookies and Tracking”Analytics: We use Plausible Analytics, a privacy-focused service that does not use cookies or track personal information. This service collects anonymous usage statistics to help us improve our website.
Marketing: We do not use tracking cookies for advertising or marketing purposes without your explicit consent.
No Third-Party Tracking: Images served through PicPerf on your websites do not collect cookies or personal information from your visitors.
8. Business Customer Data Processing
Section titled “8. Business Customer Data Processing”When PicPerf Acts as Data Processor: For business customers who integrate PicPerf into their websites, we may process personal data on behalf of the customer (data controller). In these cases:
IP Address Handling: We do not log, store, or retain IP addresses in our systems.
Data Processing Agreement (DPA): We provide comprehensive DPAs for business customers that include:
- Detailed description of processing activities
- Complete list of sub-processors with locations
- Security measures and technical safeguards
- Procedures for handling data subject requests
- Incident notification procedures
- Data return and deletion procedures upon contract termination
Sub-Processor Transparency: Our current sub-processors include:
- Stripe (United States/Ireland) - Payment processing
- AWS (Amazon Web Services) (United States/Europe) - Image transformation, optimization, and storage infrastructure
- Cloudflare (Global/United States) - Caching, image storage, and CDN services
- Plausible Analytics (European Union) - Privacy-focused analytics
Contact for DPA: Business customers requiring a Data Processing Agreement should contact us at macarthur.me/contact with “DPA Request” in the subject line.
Data Minimization Commitment: We are committed to data minimization and only process personal data that is strictly necessary for service delivery. We do not create user profiles, track browsing behavior across sites, or engage in any form of behavioral advertising.
9. Children’s Privacy
Section titled “9. Children’s Privacy”PicPerf’s services are not intended for use by individuals under the age of 16 (or the applicable age of digital consent in their jurisdiction). We do not knowingly collect personal information from children under this age. If we become aware that we have inadvertently collected personal information from a child under the applicable age, we will take prompt steps to delete the information from our systems and notify the appropriate authorities if required.
10. International Data Transfers
Section titled “10. International Data Transfers”As we operate globally, your personal information may be transferred to and processed in countries outside your home country, including the United States. We ensure that such transfers comply with applicable data protection laws through:
- Adequacy decisions by relevant authorities
- Standard Contractual Clauses approved by the European Commission
- Other appropriate safeguards as required by law
11. Marketing Communications
Section titled “11. Marketing Communications”Consent: We only send marketing communications with your explicit opt-in consent.
Opt-Out: You can unsubscribe from marketing communications at any time by:
- Clicking the unsubscribe link in any marketing email
- Contacting us directly at macarthur.me/contact
- Adjusting your account preferences
Transactional Communications: We may still send service-related communications necessary for your account and services.
12. Changes to this Privacy Policy
Section titled “12. Changes to this Privacy Policy”We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or service offerings. When we make material changes, we will:
- Update the effective date at the top of this policy
- Notify you by email if you have an account with us
- Post a notice on our website
- For significant changes affecting your rights, we may require your renewed consent
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
13. Contact Information and Data Protection Officer
Section titled “13. Contact Information and Data Protection Officer”General Inquiries: If you have any questions, concerns, or requests related to this Privacy Policy, please contact us at macarthur.me/contact.
Data Protection Matters: For specific data protection inquiries or to exercise your rights under GDPR, you can contact our Data Protection Officer at the same contact information.
Supervisory Authority: If you are in the EU and believe we have violated your privacy rights, you have the right to lodge a complaint with your local data protection supervisory authority.
Response Time: We will respond to your privacy-related requests within 30 days. If we require additional time, we will inform you and explain the reason for the delay.
Thank you for using PicPerf!
Alex MacArthur, PicPerf
Last Updated: June 26th, 2025