Privacy Policy

1. Introduction

Pycter is a photo sharing and synchronization application designed with privacy as a core principle.

Pycter allows users to store and share photos across devices and with other people using end-to-end encryption (E2EE). This means that photos and associated metadata are encrypted on the user's device before transmission and cannot be accessed by Pycter or its servers.

This Privacy Policy explains how personal data is collected, used, stored, and protected when you use:

the Pycter mobile applications (Android and iOS),
the Pycter desktop applications,
and the Pycter website at pycter.com.

This policy is written in accordance with the General Data Protection Regulation (GDPR) and applicable Belgian and European Union data protection laws.

2. Who we are

Data controller: Louis Regout, Belgium.

Contact: privacy@pycter.com

3. Who can use Pycter

Pycter is intended for the general public and is not designed for children. You must be at least 16 years old to use Pycter.

Pycter does not knowingly collect personal data from children under the age of 16. If you believe that a minor has provided personal data, please contact us so it can be removed.

4. What data we collect

4.1 Data you provide

Depending on how you use Pycter, we may process:

Email address (when an account is created)
Authentication information (for example via Firebase Authentication)
Random user identifier
Public cryptographic key
Subscription or payment status (when paid plans are implemented)

Creating an account is not required for the free tier.

4.2 Encrypted user content

The following data may be stored on Pycter servers only in encrypted form:

Photos and thumbnails
Filenames and EXIF metadata
Album names
User display names
Shared album content

Pycter cannot read, view, or access this content or its metadata.

4.3 Technical and operational data

For the proper functioning and security of the service, Pycter may process:

IP address
Device and application identifiers
Push notification tokens (Firebase Cloud Messaging)
Connection and synchronization metadata
Aggregated storage usage and quota information
Device integrity signals used to detect abuse or tampering

This data is not used for advertising or behavioral profiling.

5. End-to-end encryption

Encryption keys are generated on your device.
Keys are never transmitted to or stored on Pycter servers.
Invitation links transmit encryption material directly between users.
Servers store only encrypted data blobs.

Pycter cannot access the content of your photos or their metadata.

6. How sharing works

When you share content within an album:

you explicitly consent to that content being distributed to album members,
the content is encrypted before leaving your device,
Pycter servers only relay encrypted data.

Due to the end-to-end encrypted nature of Pycter, content already synchronized to other users' devices cannot be retroactively revoked. Leaving an album prevents future synchronization but does not remove data already received by others.

7. Data retention

Account data is deleted when the user deletes their account.
Encrypted content remains available while at least one album member retains access.
Synchronization data in transit may be stored temporarily for up to approximately 2 days.
Technical logs may be retained briefly for security and abuse prevention.

8. Account deletion

Users may delete their Pycter account at any time. Upon deletion:

email address and identifiers are removed,
authentication credentials are revoked,
encryption keys stored on the device are destroyed,
subscription information is deleted where legally possible.

Content previously shared with other users may remain on their devices, as Pycter cannot remove encrypted data already synchronized.

9. Third-party services

Pycter relies on a limited number of trusted service providers acting strictly as data processors:

Firebase Authentication & Cloud Messaging (FCM)
Google Play services & Play Integrity API
Apple TestFlight & App Attest
OVH (server hosting, EU)
Amazon Web Services (AWS) – EU region (encrypted object storage)

These services may process technical identifiers strictly necessary for security and functionality. They are not permitted to use data for advertising or profiling.

10. Analytics and tracking

Pycter does not display advertising, sell personal data, track users across apps or websites, or perform behavioral profiling. No advertising identifiers are used.

11. International data transfers

Pycter servers are currently located within the European Union. If the service expands internationally, personal data may be processed outside the EU using appropriate safeguards, including Standard Contractual Clauses and strong encryption.

12. Your rights under GDPR

Under the GDPR, you have the right to access, correct, delete, restrict, or port your personal data, and to withdraw consent at any time. Contact us at privacy@pycter.com to exercise these rights.

You also have the right to lodge a complaint with your local data protection authority. In Belgium: Autorité de protection des données (APD).

13. California residents

If you are a California resident, you have additional rights under the CCPA/CPRA, including the right to access and delete your personal data. Pycter does not sell personal data and does not share personal data for advertising purposes.

14. Changes to this policy

This Privacy Policy may be updated to reflect changes in the service or legal requirements. When significant changes are made, the updated version will be published on this page with a revised "last updated" date.

15. Contact

For any privacy-related questions or requests: privacy@pycter.com