Privacy Policy – Pycter

Last updated: 27 January 2026

1. Introduction

Pycter is a photo sharing and synchronization application designed with privacy as a core principle.

Pycter allows users to store and share photos across devices and with other people using end-to-end encryption (E2EE). This means that photos and associated metadata are encrypted on the user’s device before transmission and cannot be accessed by Pycter or its servers.

This Privacy Policy explains how personal data is collected, used, stored, and protected when you use:

• the Pycter mobile applications (Android and iOS),
• the Pycter desktop applications,
• and the Pycter website available at https://pycter.com.

This policy is written in accordance with the General Data Protection Regulation (GDPR) and applicable Belgian and European Union data protection laws.

2. Who we are

Data controller:

Louis Regout
Belgium

Contact email:
privacy@pycter.com

3. Who can use Pycter

Pycter is intended for the general public and is not designed for children.

You must be at least 16 years old to use Pycter.

Pycter does not knowingly collect personal data from children under the age of 16. If you believe that a minor has provided personal data, please contact us so it can be removed.

4. What data we collect

4.1 Data you provide

Depending on how you use Pycter, we may process:

• Email address (when an account is created)
• Authentication information (for example via Firebase Authentication)
• Random user identifier
• Public cryptographic key
• Subscription or payment status (when paid plans are implemented)

Creating an account is not required for the free tier.

4.2 Encrypted user content

The following data may be stored on Pycter servers only in encrypted form:

• Photos
• Thumbnails
• Filenames
• EXIF metadata
• Album names
• User display names
• Shared album content

This data is protected using end-to-end encryption.

Pycter cannot read, view, or access this content or its metadata.

4.3 Technical and operational data

For the proper functioning and security of the service, Pycter may process:

• IP address
• Device and application identifiers
• Push notification tokens (Firebase Cloud Messaging)
• Connection and synchronization metadata
• Aggregated storage usage and quota information
• Device integrity and security signals used to detect abuse or tampering

This data is not used for advertising or behavioral profiling.

5. End-to-end encryption

Pycter uses end-to-end encryption by default.

• Encryption keys are generated on user devices.
• Encryption keys are never transmitted to or stored on Pycter servers.
• Invitation links transmit encryption material directly between users.
• Servers store only encrypted data blobs.

As a result:

Pycter cannot access the content of your photos or their metadata.

6. How sharing works

Pycter allows users to create shared albums.

When you share content within an album:

• you explicitly consent to that content being distributed to the members of that album,
• the content is encrypted before leaving your device,
• Pycter servers only relay encrypted data.

If new members are added to an album later, they may gain access to content previously shared within that album once they receive the album’s encryption keys.

Due to the end-to-end encrypted nature of Pycter:

• content already synchronized to other users’ devices cannot be retroactively revoked,
• leaving an album prevents future synchronization but does not remove data already received by others.

7. Data retention

Pycter retains data only for as long as necessary:

• Account data is deleted when the user deletes their account.
• Encrypted content remains available while at least one album member retains access.
• Synchronization data in transit may be stored temporarily for up to approximately 2 days.
• Technical logs may be retained briefly for security and abuse prevention.

Encrypted photo content is never decrypted during storage or transit.

8. Account deletion

Users may delete their Pycter account at any time.

When an account is deleted:

• email address and identifiers are removed,
• authentication credentials are revoked,
• encryption keys stored on the device are destroyed,
• subscription information is deleted where legally possible.

Content previously shared with other users may remain on their devices, as Pycter cannot remove encrypted data already synchronized.

9. Third-party services

Pycter relies on a limited number of trusted service providers acting strictly as data processors:

• Firebase Authentication
• Firebase Cloud Messaging (FCM)
• Google Play services
• Apple TestFlight
• OVH (server hosting)
• Amazon Web Services (AWS) – EU region (encrypted object storage)

Pycter also uses platform security services such as:

• Google Play Integrity API (application integrity and abuse prevention)
• Apple App Attest (application authenticity verification)

These services may process technical identifiers strictly necessary for security and functionality. They are not permitted to use data for advertising or profiling.

10. Analytics and tracking

Pycter:

• does not display advertising,
• does not sell personal data,
• does not track users across apps or websites,
• does not perform behavioral profiling.

No advertising identifiers are used.

Security and integrity mechanisms are used solely to protect the service and are not used for tracking, profiling, or advertising.

11. International data transfers

Pycter servers are currently located within the European Union.

If the service expands internationally, personal data may be processed outside the EU using appropriate safeguards, including Standard Contractual Clauses and strong encryption.

12. Your rights under GDPR

Under the GDPR, you have the right to:

• access your personal data,
• request correction of inaccurate data,
• request deletion of your data,
• restrict or object to processing,
• request data portability,
• withdraw consent at any time.

You may exercise these rights by contacting:

privacy@pycter.com

You also have the right to lodge a complaint with your local data protection authority.

In Belgium:

Autorité de protection des données (APD)
https://www.autoriteprotectiondonnees.be

13. California residents

If you are a resident of California, you have additional rights under the California Consumer Privacy Act (CCPA/CPRA), including the right to access and delete your personal data.

Pycter does not sell personal data and does not share personal data for advertising purposes.

14. Changes to this policy

This Privacy Policy may be updated to reflect changes in the service or legal requirements.

When significant changes are made, the updated version will be published on this page with a revised “last updated” date.

15. Contact

For any privacy-related questions or requests, please contact:

privacy@pycter.com