Our Privacy Policy

The German version of the privacy policy shall be decisive. The English version is provided for understanding purposes only.

In this privacy policy we (picdrop) inform you about the processing of your personal data while using our website.

Personal data is information that relates to an identified or identifiable person. This includes, in particular, information that allows conclusions to be drawn about your identity, such as your name, telephone number, address or e-mail address. Statistical data we collect, for example, when you visit our website and which cannot be associated with your person, does not fall under the concept of personal data.

You can print or save this privacy policy by using the usual functionality of your browser.

1. Contact person

Contact person and person responsible for the processing of your personal data when you visit this website in accordance with the EU Data Protection Basic Regulation (GDPR) is picdrop (PicDrop GmbH, Am Kupfergraben 4/4a, 10117 Berlin, Germany Telefon: 0049 (0) 30 – 555 74 793, E-Mail: privacy@picdrop.com).

2. Transfer of data – legal basis

The collected data will only be passed on to third parties if

  • you have given your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR;
  • the transfer of data pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR is necessary for the assertion, exercise or defence of legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not transferring your data;
  • we are legally obliged to transfer your data in accordance with Art. 6 para. 1 sentence 1 lit. c GDPR; or
  • this is legally admissible and, according to Art. 6 para. 1 sentence 1 lit. b GDPR, necessary for the processing of contractual relationships with you or for the implementation of pre-contractual measures which are carried out at your request.

Part of the data processing may be carried out by our service providers. In addition to the service providers mentioned, this may include in particular data processing centres that store our website and databases, as well as IT service providers that maintain our systems. If we transfer data to our service providers, they may use the data exclusively for the fulfilment of their tasks. The service providers have been carefully selected and authorized by us. They are contractually bound to our instructions, have suitable technical and organisational measures in place to protect the rights of the persons concerned and are regularly checked by us.

In addition, data may be passed on in connection with official enquiries, court orders and legal proceedings if this is necessary for legal prosecution or enforcement.

3. Save & delete data

As a matter of principle, we only store personal data for as long as it is required to fulfil contractual or legal obligations for which we have collected the data. Afterwards, we delete the data immediately, unless the data is still required for evidence purposes for civil law claims or because of statutory retention obligations until the expiry of the statutory limitation period.

For evidence purposes, we must retain contract data for a further three years from the end of the year in which the business relationship with you ends. Any claims become statute-barred after the statutory standard period of limitation at this point in time at the earliest.

Even after this period, we still have to store your data in some cases for accounting reasons. We are obliged to do so because of statutory documentation obligations which may arise from the German Commercial Code, the German Fiscal Code, the German Banking Act, the Money Laundering Act and the Securities Trading Act. The periods stipulated there for the retention of documents range from two to ten years.

4. Data processing

4.1 Visiting the website picdrop.com

Whenever you use our website, we collect access data that your browser automatically transfers to enable you to visit the website. The access data includes in particular:

  • IP address of the requesting device,

  • date and time of the request,

  • referrer URL (the previously visited page),

  • information about the browser and operating system used.

The data processing of this access data is necessary to enable you to visit the website and to ensure the permanent functionality and security of our systems. For the purposes described above, the access data is also temporarily stored in internal log files in order to compile statistical data on the use of our website, to further develop our website with regard to the usage habits of our visitors and for general administrative maintenance of our website.

The legal basis is art. 6 para. 1 p. 1 lit. f GDPR for our above described legitimate interests or art. 6 para. 1 p. 1 lit. b GDPR in the context of pre-contractual measures or for the fulfilment of a contract with you.

The information stored in the log files does not allow any direct conclusion about your person and is stored for 90 days.

4.2 Registration & client account with picdrop

You can register for our product to be able to use the full range of functions of our website. We will ask for your first and last name, your email address and preferred picdrop address; optionally your company name. When you sign up for one of our payment accounts, we also ask for your billing data and address. Without these data a registration is not possible. The legal basis of the processing is Art. 6 para. 1 sentence 1 lit. b GDPR.

For financial transactions ( paid accounts ) we offer the common online payment methods (e.g. direct debit and credit card payment). We work together with various payment service providers that provide us with your payment data or to whom we transmit your payment data. Without these payment data and payment service providers, payment and contract processing is not possible. The legal basis for this data processing is art. 6 para. 1 sentence 1 lit. b GDPR.

Our payment service providers are in particular:

  • GoCardless SAS, 23-25 Avenue Mac-Mahon, Paris, 75017, France; German Office: GoCardless GmbH, Herzogspitalstr. 24, 80331 Munich (https://gocardless.com)
    Further information about the processing of your personal data by GoCardless as well as your right to revoke your consent can be found at gocardless.com/legal/privacy/.

  • Stripe Payments Europe, Ltd., The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland (stripe.com)
    Further information about the processing of your personal data by GoCardless as well as your right to revoke your consent can be found at https://stripe.com/de/privacy

4.3 Access to the picdrop Web App by invited external users

If a photographer shares a gallery with you or invites you to use the account without being registered at picdrop, you will receive a link from that photographer. With a click on the link you can access our website. In this case we collect the same data as described under 4.1.

5. Cookies & implemented technologies

For some of our services it is necessary that we use so-called cookies. A cookie is a small text file that is stored by the browser on your device. Cookies are not used to run programs or load viruses onto your computer. The main purpose of our own cookies is rather to provide you with an offer specially optimised for you. By using cookies, we want to make your use of our website more comfortable and individual (e.g. when logging in for login authentication). These services are based on our legitimate interests described above. The legal basis is art. 6 para. 1 sentence 1 lit. f GDPR.

In order to improve our website, we also use cookies and comparable tracking technologies for the statistical recording and analysis of general usage behaviour based on access data. We also use analysis services to evaluate the use of our various marketing channels. We value your privacy, so we ask for your permission to use these technologies. The legal basis is art. 6 para. 1 sentence 1 lit. a GDPR.

You can change or revoke this consent at any time by accessing the cookie settings at the bottom of the page or in the account settings of the Web App.

Cookies can be stored for a different time period. Usually, temporary cookies are only stored for the duration of an online session and deleted afterwards. They are therefore often called session cookies. Persistent cookies, on the other hand, remain on your computer until a certain expiration date is reached. We use both, but still differentiate according to the purposes of data processing.

5.1 Technically necessary cookies and cookies for preferences

Technically necessary cookies are those that are necessary for the operation of the website. Cookies for preferences save your individual settings on our website. Both types of cookies are important for navigating our websites and enable you to see our website in the correct language, navigate our offers, take out a subscription or send galleries in the desired format. Basic functions such as the display and selection of the subscription model on our website and the login in picdrop are not possible without them. The legal basis for this is art. 6 para. 1 sentence 1 lit. f GDPR.

We therefore set the following cookies:

selectedpaymentinterval: This cookie stores the payment interval in the checkout process – annually, semi-annually, monthly.

pdcookiecheck: This is a pre-stage cookie for HTTPISRETINA, which first checks whether cookies may be set at all.

HTTPISRETINA: This cookie checks whether the browser returns a display with high pixel density.

stripe_mid: This session cookie is set for communication with the payment provider Stripe.

tobysess: This app session cookie is used for authentication and other session data.

testcookie: This cookie is an availability test at autologin for user and customer access.

browserredirecttest: This test cookie is set for activated or blocked cookies.

embed-privacy: This persistent cookie stores the consent that embedded third party content may always be loaded.

locale: This persistent cookie stores the visitor’s current language settings.

preferred_share: This persistent cookie stores the preferred sharing option for galleries – copy link or email – so that the dialog can open directly in this option.

browserwarningread: This persistent cookie is only set in Internet Explorer 11 after the browser warning was shown and clicked.

noticeable_uid_T7XDPSwjqcBwbnlgeihF: This session cookie is set for communication with the In-App-Notification provider Noticeable.

5.2 Third Party Cookies & Tracking

Cookies for analytical purposes help us to gain information and to find out how you and possibly also your customers use our websites. For example, it is recorded which sub-pages are visited most frequently and for how long, the loading time of the pages or whether error messages are displayed. The legal basis for this is your consent in accordance with art. 6 para. 1 p. 1 lit. a GDPR.

We use the following cookies for analysis:

_ga: This persistent third party cookie is set for 2 years to track user behavior via Google Analytics.

_gid: This persistent third party cookie is set for 24 hours to track user behavior via Google Analytics.

_gat: This third party cookie is set for 1 minute to reduce the number of queries to the Google servers.

_gtag.js: This third party cookie is set for 1 week to to merge metrics and code query segments via the Google Tag Manager.

These cookies are offered by the following third-party providers:

Google Analytics is a service of Google Ireland Limited (Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland)

Data processing purpose: Website analysis and optimization, as well as measuring the success of email campaigns and building user profiles

Technology used: Cookies and pixel

Collected data: Referrer URL, pages and sub-pages visited, click paths, frequency and duration of page visits, date and time of access, downloads, purchase activity, usage data, device information, device, browser or widget data, anonymized IP addresses, website or app activity, advertising IDs, location information, mobile network information (mobile carrier, phone number, app version number), data about interaction with Google services, crash reports, system activity, search queries, and labeled locations, information about objects near the device (Wi-Fi access points, cell towers, and Bluetooth-enabled devices)

Place of processing: Ireland, United States of America

Storage duration: The data is deleted as soon as it is no longer needed for logging.

Recipient: Google Ireland Limited, Alphabet Inc., Google LLC

Transfer to third countries: United States of America 

Further information:

Opt-out link: https://tools.google.com/dlpage/gaoptout

Privacy policy: https://policies.google.com/privacy

Cookie policy: https://policies.google.com/technologies/cookies


Google Ads is a service of Google Ireland Limited (Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland)

Data processing purpose: Ads in the Google advertising network (e.g. in search results, in videos, on web pages, etc.) and conversion measurement of ads

Technology used: Cookies 

Collected data: Ads viewed, cookie ID, date and time of visit, device information, geographic location, anonymized IP address, search terms, ads viewed, customer ID, impressions, online identifiers, browser information, mobile network information (mobile carrier, phone number, app version number), data about interaction with apps, browsers, and devices with Google services, crash reports, system activities, referrer URL, activities in Google services (search queries and labeled locations), information about objects near devices (WLAN access points, radio masts, and Bluetooth-enabled devices).

Place of processing: Ireland, United States of America

Storage duration: The data is deleted as soon as it is no longer needed for logging.

Recipient: Google Ireland Limited, Alphabet Inc., Google LLC

Transfer to third countries: United States of America 

Further information:

Opt-out link: https://safety.google/privacy/privacy-controls/

Privacy policy: https://policies.google.com/privacy and https://business.safety.google/adscontrollerterms/

Types of processing data processed: https://privacy.google.com/businesses/adsservices

Cookie policy: https://policies.google.com/technologies/cookies


Google Tag Manager is a service of Google Ireland Limited (Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland)

Data processing purpose: System for the management and implementation of so-called website tags via an interface for the integration of other services within the online offer

Technology used: Cookies and pixel

Collected data: Aggregated tag data

Place of processing: Ireland, United States of America

Storage duration: The data is deleted as soon as it is no longer needed for logging.

Recipient: Google Ireland Limited, Alphabet Inc., Google LLC

Transfer to third countries: United States of America 

Further information:

Opt-out link: https://safety.google/privacy/privacy-controls/

Privacy policy: https://policies.google.com/privacy

Types of processing data processed: https://privacy.google.com/businesses/adsservices

Cookie policy: https://policies.google.com/technologies/cookies


Meta Platforms Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)

Data processing purpose: Conversion measurement and optimization for logged-in Facebook users who are redirected to specific landing pages when accessing Facebook ads

Technology used: Pixel

Collected data:  IP address, web browser and browser, information, page location, referrer URL, interactions with ads, services and products, user click behavior, ads viewed, content viewed, items clicked, device information, geographic location, HTTP headers, marketing information, non-confidential custom data, pages visited, pixel ID, marketing campaign success, usage data and behavior, Facebook cookie information, Facebook user ID

Place of processing: Ireland

Storage duration: The data is deleted as soon as it is no longer needed for logging.

Recipient: Meta Inc.

Transfer to third countries: United States of America

Further information: https://www.facebook.com/about/privacy/

Opt-out link: For Facebook users https://www.facebook.com/ds/preferences

Privacy policy: https://facebook.com/about/privacy/

Cookie policy:: https://facebook.com/policies/cookies/


Visual Website Optimizer (VWO) by Wingify Software Pvt. Ltd. (KLJ TOWER, 1104, North, Netaji Subhash Place, Pitampura, Delhi, 110034, India)

Data processing purpose: Website analytics and and optimization; running A/B tests to improve user experience

Technology used: Cookies and pixel

Collected data: sites visited, click path, number and duration of website visits, date and time of access, website interactions, usage data and behaviour, device information, device and browser information, anonymized IP-address, website activities, geographic and demographic information

Place of processing: Belgium

Storage duration: The data is deleted as soon as it is no longer needed for logging.

Recipient: Wingify Software Pvt. Ltd.

Transfer to third countries: United States of America

Opt out link: https://www.picdrop.com?vwo_opt_out=1 or https://vwo.com/de/opt-out/ 

Privacy policy: https://vwo.com/de/privacy-policy/#locale_lang


SAASFLOW OÜ, an Estonian private limited company registered under number 16 834 664 with the Registry of Trade and Companies of Estonia, domiciliated at Harju maakond, Tallinn, Kesklinna linnaosa, Jõe tn 3-305, 10151
Head office: 92, avenue Charles de Gaulle, 92522 Neuilly-sur-Seine Cedex, France

Data processing purpose: To povide interactive procuct demos and step-by-step guides

Collected data: IP address and identification data; session, browser, usage and navigation data

Place of processing: EU (France, Ireland and Belgium)

Storage duration: The data is deleted as soon as it is no longer needed for logging.

Recipient: SAASFLOW OÜ

Transfer to third countries: None

Opt out link: please contact contact@guideflow.com

Privacy policy: https://www.iubenda.com/privacy-policy/62163346

Further information: https://www.guideflow.com/company/security-and-compliance

5.3 Payment providers

We work with various payment service providers that provide us with your payment data or to whom we transfer your payment data. Without these payment data and payment service providers, payment and contract processing is not possible. The legal basis for this data processing is art. 6 para. 1 sentence 1 lit. b GDPR.

We only use the following providers:

Stripe Payments Europe (Stripe Payments Europe, Ltd., The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland)

Data processing purpose: Technology for the operation of online payment systems

Technology used: Form to enter credit card data

Collected data: payment method, date of purchase, total amount of the purchase, information about the payment method

Place of processing: Ireland

Storage duration: The data will be deleted as soon as they are no longer required for the purpose of processing.

Recipient: Stripe Payments Europe Ltd.

Transfer to third countries: -

Further information: privacy policy under https://stripe.com/de/privacy

GoCardless SAS (GoCardless SAS, 23-25 Avenue Mac-Mahon, Paris, 75017, France; German Office: GoCardless GmbH, Herzogspitalstr. 24, 80331 Munich, Germany)

Data processing purpose: Technology for the processing of SEPA transactions

Technology used: Rest-API for the transmission of payment data

Collected data: payment method, date of purchase, total amount of the purchase, information about the payment method

Place of processing: Germany, France

Storage duration: The data will be deleted as soon as they are no longer required for the purpose of processing.

Recipient: GoCardless SAS

Transfer to third countries:  -

Further information: privacy policy under gocardless.com/legal/privacy/

5.4. Further connections/technologies

5.4.1 Video and streaming platforms

We provide you with various online content on video and streaming platforms in order to provide information and to be able to get in contact with you. The videos do not start automatically, but only after your explicit consent. The legal basis for this is art. 6 para. 1 sentence 1 lit. a GDPR. Under certain circumstances, you may have already given your consent to a platform operator for data processing. In this case too, art. 6 para. 1 sentence 1 lit. a GDPR is the legal basis.

We use the following tools:

Vimeo Inc. (555 West 18th Street, New York, New York 10011, United States of America)

Data processing purpose: Video player service, displaying videos especially in the FAQ section of our website via an integrated plugin

Technology used: Cookies, double opt-in procedure

Collected data: Referrer, URL, IP address

Place of processing: United States of America

Storage duration: The data will be deleted as soon as they are no longer required for the purpose of processing.

Recipient: Vimeo Inc.

Transfer to third countries: United States of America

Further information: privacy policy under https://vimeo.com/privacy

YouTube Video is a service of Google Ireland Limited (Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland)

Data processing purpose: Video player service, displaying videos especially in the FAQ section of our website via an integrated plugin

Technology used: Cookies (if "Enhanced Privacy Mode" is not activated), double opt-in procedure

Collected data: Referrer, URL, anonymized IP address

Place of processing: Ireland

Storage duration: The data will be deleted as soon as they are no longer required for the purpose of processing.

Recipient: Alphabet Inc., Google LLC, Google Ireland Limited

Transfer to third countries: United States of America

Further information: 

Opt-out link: https://safety.google/privacy/privacy-controls/ 

Privacy policy: https://policies.google.com/privacy

Cookie policy: https://policies.google.com/technologies/cookies

 

Podigee UG (Pfuelstraße 5/III, 10997 Berlin, Germany)

Data processing purpose: Podcast hosting service provider forwarding podcast episodes to other streaming platforms, display of podcast episodes especially in the podcast part of our website via embedded player

Technology used: iFrame, opt-in procedure

Collected data: IP address

Place of processing: Germany

Storage duration: The data will be deleted as soon as they are no longer required for the purpose of processing.

Recipient: Podigee UG

Transfer to third countries: -

Further information: privacy policy under https://www.podigee.com/en/about/privacy

5.4.2 Social Media

When visiting our social media sites, the platform host will store cookies in your browser. This is often done across devices for market research and advertising purposes of your usage behaviour or your interests. Persons can also be affected by this if they are not registered as users on the platform. Your data may also be processed outside the European Union. When choosing our social media platforms, however, we make sure that the operators comply with European data protection standards.

The legal basis for this is art. 6 para. 1 sentence 1 lit. f GDPR. You may have already given your consent to a platform operator for data processing, in which case art. 6 para. 1 sentence 1 lit. a GDPR is the legal basis.

5.4.3. In-App-Notification

We will notify you about current issues, updates and new features in your picdrop account. We work together with various service providers for this purpose. The legal basis for this data processing is art. 6 para. 1 sentence 1 lit. f GDPR.

We only use the following providers for this:

Noticeable (Noticeable, 28 Avenue Ziem, 06800 Cagnes-sur-mer, France)

Data processing purpose: Changelog, information sharing

Technology used: Cookie, Pop-Up

Collected data: Session ID, location, browser and device type, last picdrop news, language

Place of processing: France

Storage duration: The data will be deleted as soon as they are no longer needed for processing.

Recipient: Noticeable

Transfer to third countries: -

Further information:

Privacy policy: https://noticeable.io/privacy

6. Newsletter

During the term of the contract, you may receive by e-mail technical advice and information on support services and the scope of the service used, any extension options and other information concerning the provision of picdrop, if you have expressly chosen this option. You can cancel the receipt of these emails at any time with effect for the future. The legal basis for the data processing described in this section is art. 6 para. 1 sentence 1 lit. a GDPR.

For communication with you we use:

Mailchimp  is a service of The Rocket Science Group LLC (675 Ponce de Leon Ave NE, Suite 5000 Atlanta, GA 30308, United States of America)

Data processing purpose: Advertising and email campaigns

Technology used: Form

Collected data: IP address, operating system, browser ID, date and time of email, access key performance indicators services, visited pages

Place of processing: United States of America

Storage duration: The data will be deleted as soon as they are no longer needed for processing.

Recipient: Mailchimp Inc., The Rocket Science Group LLC

Transfer to third countries: United States of America

Further information:

Privacy policy: https://www.intuit.com/privacy/statement/

Cookie policy: https://mailchimp.com/legal/cookies/

7. Survey

We occasionally conduct surveys. For this purpose we use Google Forms and SatisMeter. The data collected with the Google form is stored on a cloud storage provided for us by Google, “Google Drive”. Participation in the surveys is voluntary and anonymous. Legal basis for the data processing described in this section is art. 6 para. 1 p. 1 lit. a GDPR.

Google Forms and Google Drive is a service of Google Ireland Limited (Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland)

Data processing purpose: Conducting Surveys

Technology used: Online-Form, Cookie

Collected data: answers given, referrer URL, pages and subpages visited, frequency and duration of page visits, device information, time of access

Place of processing: Ireland, United States of America

Storage duration: The data is deleted as soon as it is no longer required for logging and for the evaluation of the survey.

Recipient: Google Ireland Limited, Alphabet Inc., Google LLC.

Transfer to third countries: United States of America

Further information:

Privacy policy: https://policies.google.com/privacy/

SatisMeter (SatisMeter s.r.o., Česká 1113/1, Prague 5, 158 00, Czech Republic)

Data processing purpose: Conducting Surveys, determining NPS

Technology used: Online-Form, Cookie

Collected data: Device type, operating system, response date, given response, language, user ID, plan

Place of processing: Czech Republic

Storage duration: The data will be deleted as soon as they are no longer needed for processing.

Recipient: SatisMeter s.r.o.

Transfer to third countries: -

Further information:

Privacy policy: https://www.satismeter.com/privacy-policy/

8. Contacting us

You have different ways of getting in contact with us. In this context, we process your contact data and the data you provide when contacting us exclusively for the purpose of communicating with you. The legal basis for the data processing described in this section is art. 6 para. 1 sentence 1 lit. b GDPR.

9. Rights

You have the right to request information about the processing of your personal data by us at any time. We will provide you with an explanation of the data processing and an overview of the data stored about your person.

You have the right to have your data corrected or to have the processing of your data restricted if the data stored by us is incorrect or no longer up to date.

You can also request the deletion of your data. If, in exceptional cases, deletion is not possible due to other legal regulations, the data will be blocked so that it is only available for this legal purpose.

You also have the right to data transferability, i.e. that we will send you a digital copy of the personal data provided by you upon request.

In order to make your rights described here valid, you can contact us at any time using the contact details above.

Finally, you have the right to complain to a competent data protection authority. In Berlin is the responsible supervisory authority: Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstr. 219, 10969 Berlin.

In accordance with art. 7 para. 2 GDPR, you have the right to revoke any consent you have given to us at any time. As a result, we will no longer continue to process the data which was based on this consent in the future. The revocation of consent does not affect the legality of the processing that took place on the basis of the consent until the revocation.

If we process your data on the basis of legitimate interests in accordance with art. 6 para. 1 sentence 1 lit. f GDPR, you have the right to object to the processing of your data in accordance with art. 21 GDPR, if there are reasons for doing so resulting from your particular situation or if the objection is directed against direct advertising. In the latter case you have a general right of objection, which we will implement even without giving reasons.

If you would like to exercise your right of revocation or objection, it is sufficient to send an informal message to the contact details given above.

10. Data security

We operate current technical measures to ensure data security, in particular to protect your personal data from dangers during data transmission and from third parties gaining knowledge of it. These measures are adapted to the current state of the art. To secure the personal data you provide on our website, we use Transport Layer Security (TLS), which encrypts the information you enter.

11. Changes to the privacy policy

From time to time we update this privacy policy, for example when we adapt our website or when legal or regulatory requirements change.

Updated: January 2024