Legal
This policy explains how Pictro collects, uses, stores, and protects personal data in compliance with the LGPD (Lei Geral de Proteção de Dados — Brazilian Law 13.709/2018) and, when applicable, the GDPR (Regulation (EU) 2016/679) for data subjects in the European Economic Area.
Last updated May 19, 2026
Version 2, effective 19 May 2026. Version 1 (effective 1 October 2025) is preserved as a historical record for users who accepted it before this date.
This is version 2 (v2) of the Privacy Policy, in force from 19 May 2026.
Key changes from v1: (a) explicit legal-basis mapping per processing activity aligned with the controller’s Record of Processing Activities (ROPA); (b) description of the production migration to GCP southamerica-east1 (São Paulo) and explicit scoping of international transfers to AI provider calls; (c) internal target of up to 48 hours to prepare preliminary notification of a security incident, without prejudice to the regulatory window defined by the ANPD (LGPD Art. 48); (d) per-data-class retention windows aligned with the ROPA; (e) dedicated section for data subjects in the European Economic Area; (f) verified reaffirmation of the "MFA mandatory on admin sensitive mutations" control, now enforced by a server-side `require_fresh_totp` gate.
The historical v1 text remains accessible upon request to the DPO at cvoalliance@cvoalliance.com.br.
Pictro is an AI photoshoot and image restoration platform operated by CVO Alliance Ltda. (Brazilian CNPJ 57.782.960/0001-78). We process personal data to deliver these experiences, manage customer accounts, process payments, and comply with applicable laws.
This policy applies to everyone who interacts with the service, including customers, experts, administrators, beta participants, and site visitors.
Controller: CVO Alliance Ltda., Brazilian CNPJ 57.782.960/0001-78, active registration since 22/10/2024, primary CNAE 6319-4/00, headquartered at Quadra CRS 516, Bloco B, Sala 66/69, Pavimento 1, Anexo Parte C0267 — Asa Sul — Brasília — DF, Brazil.
Data Protection Officer (DPO, internal to the data controller as defined by LGPD Art. 41 and ANPD Resolution 18/2024): CVO Alliance Ltda. itself, acting as its own internal DPO. Official channel: cvoalliance@cvoalliance.com.br. The channel accepts data-subject requests, formal communications from the Brazilian National Data Protection Authority (ANPD), and contact from the controller.
We only collect data necessary to deliver the service effectively and securely.
Account information: email, name (optional), password hash (Argon2id), preferred language, role (customer, expert, admin), verification and approval status.
Photoshoot or restoration assets: reference photos you upload, prompts and style parameters, AI-generated images, technical metadata about the job.
Payment data: email and Stripe identifiers (session, intent, customer). Full card numbers (PAN) and CVV never reach Pictro — they are handled directly by Stripe.
Usage data: device information, access logs (routes and timestamps), engagement metrics under analytics consent.
Support data: communications with our support team and experts.
Biometric features: facial features extracted from the photos you upload, used exclusively to condition generation of images of yourself. We do NOT perform 1:N identification, face authentication, identity verification, surveillance, or cross-subject matching.
Each activity has a specific legal basis. The full breakdown is in the Record of Processing Activities (ROPA), available on request to the DPO.
AI photoshoot and restoration generation — Performance of contract (LGPD Art. 7, V) for service delivery, combined with specific, informed, and unequivocal consent (Art. 11, I) for processing facial features extracted from your uploaded photos. Consent is logged in an append-only SHA-256 hash chain and re-collected on every policy version change.
Account registration and authentication (signup, login, password recovery) — Performance of contract (Art. 7, V).
Payments and billing — Performance of contract (Art. 7, V) and tax legal obligation (Art. 7, II); Stripe webhooks are retained for 10 years as fiscal and regulatory evidence.
Transactional communications (signup confirmation, password reset, job completion, fraud alert) — Performance of contract (Art. 7, V).
Telemetry and operational logs — Legitimate interest of the controller (Art. 7, IX), with a documented balancing test; IP addresses are anonymized after 90 days for long-term use.
Pseudonymized dataset for model improvement (beta only) — Specific, informed, and revocable consent (Art. 7, I). Strictly optional, never conditions use of the service (LGPD Art. 8 §6).
Marketing and product research — Consent (Art. 7, I), with opt-out available at any time.
Operate AI photoshoot and restoration generation, including extraction of facial features to condition generation and expert review when applicable.
Charge for credits consumed and meet tax obligations.
Provide customer support, onboarding, incident response, and account recovery.
Detect fraud and abuse, enforce usage limits, and protect platform integrity.
Run aggregate analytics and product research, only after explicit consent for non-essential cookies.
Using pseudonymized copies of your photos to improve our AI models is a separate, optional authorization (LGPD Art. 8 §6). You can use the service normally without granting it.
During your free beta period (7 days per account), you may separately authorize Pictro to use pseudonymized copies of your uploaded photos and your generated photoshoots/restorations to improve our AI models.
Pseudonymized means that, before any training use, we strip name, email, direct identifiers, and any metadata that could link the copy back to your account. The copy is held in a separate bucket dedicated exclusively to training, with its own IAM scope.
The training authorization is NOT required to use Pictro. If you do not grant it, the service works the same way and no training copy is kept.
At the end of your beta, if you have not revoked the authorization, we create the pseudonymized copy and then delete the photos and results associated with your account. If you did not grant the authorization, we only delete the photos and results associated with your account.
You may revoke the authorization at any time from your privacy settings. After revocation, all existing pseudonymized copies tied to you enter a 30-day quarantine and are permanently deleted at the end of that window.
The legal basis for training processing is exclusively your consent (LGPD Art. 7, I), revocable at any time. The pseudonymized dataset is NEVER used for 1:N identification, biometric authentication, identity verification, surveillance, profiling of third parties, or cross-subject matching.
Pictro production runs in Brazil, on GCP region southamerica-east1 (São Paulo). Account data, uploaded photos, and generated images are stored in Brazil. International transfers are limited to AI, payment, and transactional-email provider calls.
Your personal data — including e-mail, uploaded photos, extracted facial characteristics, and generated images — is stored on Google Cloud Platform servers in the southamerica-east1 region (São Paulo, Brazil). Application operational logs and observability traces are, by default, retained in the same region.
Known exception (to be closed before the production cutover): the pseudonymized training-dataset bucket (beta only, under optional consent) remains in a region outside Brazil during the initial transition; the ROPA tracks this exception and its target migration to southamerica-east1 before cutover. Details live in `docs/BRAZIL_DATA_RESIDENCY.md`.
To generate your images, we send your prompts and reference photos to AI models. Whenever the requested model is available in Brazil, we process your request on Vertex AI in southamerica-east1, with no international transfer. When the requested model is not yet available in Brazil, we process the request on Vertex AI in a Google Cloud region in the United States, and we record this fact in our audit log.
Additionally, we use OpenAI (United States) as our image-generation provider (model gpt-image-2) and for content moderation. OpenAI does not yet offer data processing in Brazil; therefore every call to OpenAI is an international transfer of data. We are working to enroll our production account in the OpenAI Zero Data Retention (ZDR) programme before the production cutover; when ZDR is active, it ensures that your prompts and responses are not used to train OpenAI models and are not retained for the otherwise-default 30-day internal OpenAI audit period, subject to the exceptions documented by OpenAI. Until ZDR activation is verified in the OpenAI console, the provider’s standard retention conditions should be considered in force.
These international transfers take place on the basis of LGPD art. 33, sub-item V (specific and prominent consent of the data subject). You consent to these transfers by continuing to use Pictro after this screen. You may revoke your consent at any time by contacting our Data Protection Officer at cvoalliance@cvoalliance.com.br.
We never sell personal data. International transfers exist only for AI provider calls, payment processing, and transactional email, each with its own safeguards.
Processors handling data on Pictro’s behalf:
• Google Cloud Platform (Brazil — southamerica-east1) — hosting, database, storage. Processor, with Google’s DPA.
• Stripe Inc. (USA) — payment processing. Processor. PAN/CVV never reach Pictro. Stripe DPA.
• Resend (USA) — transactional email delivery. Processor. Resend DPA.
• OpenAI (USA) — AI image generation and content moderation. Processor. Account enrolled in Zero Data Retention (ZDR): prompts and completions are not retained on OpenAI’s side. No training of provider models on Pictro API data by default.
• Google Gemini / Vertex AI — we prefer calling Vertex AI in the southamerica-east1 region (Brazil). When a required model is not yet available in the BR region, we fall back to the external Gemini API (USA); each fallback emits an internal `gemini_external_api_transfer` audit event for an Art. 33 paper trail.
Legal bases for international transfers (LGPD Art. 33): standard contractual clauses and DPAs with each processor; specific consent for use of your data in AI provider calls (Art. 33, V), collected when you accept these Terms and this Privacy Policy.
We do not share personal data with third parties for marketing or sale. The processors above act exclusively to deliver the service.
Each data category has a defined retention window; at the end of the window, data is durably erased or anonymized, as applicable.
Account data (email, name, password hash) — retained while the account is active. After deletion (DSAR), anonymization or erasure within 30 days, unless retention is required by law.
Uploaded reference photos — bound to the account and delivered via authenticated session; deleted by the durable `erasure_log` when you erase the account, at end of beta without training consent, or via bucket lifecycle policies (current configuration visible in `docs/BRAZIL_DATA_RESIDENCY.md`; the effective production window follows the value configured in infrastructure-as-code).
Generated images — bound to the account and delivered via authenticated session; deleted by the durable `erasure_log` when you erase the account, or via lifecycle policies of the output bucket (same canonical source as above).
Extracted biometric features — bound to the account; deleted alongside the account on an erasure DSAR.
Pseudonymized training-set copies (beta with consent only) — retained while consent stays active; 30-day quarantine after revocation; immediate hard-delete on an erasure DSAR.
Application logs and operational telemetry — 90 days (rotated by daily sweepers).
Administrative and security audit logs — 12 months, with annual rotation.
Stripe webhooks (tax compliance) — 10 years, immutable, per Brazilian tax and regulatory rules.
Transactional email outbox (Resend) — 90 days per delivery event.
You may exercise the rights below through the DPO channel (cvoalliance@cvoalliance.com.br) or through the in-app privacy center. Our internal target is to respond to valid requests within 15 business days, extendable per LGPD Art. 19 §3; processing may take longer for complex requests or requests that depend on external processors, and the extension will be communicated to the data subject.
Confirmation that processing exists and access to your data (Art. 18, I and II) — we deliver a structured DSAR package (JSON) that maps the operations we hold on you.
Correction of incomplete, inaccurate, or outdated data (Art. 18, III) — available from your profile; corrections not covered by the UI can be requested to the DPO.
Anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data (Art. 18, IV).
Data portability (Art. 18, V) — DSAR package in structured, interoperable JSON.
Erasure of data processed on the basis of consent (Art. 18, VI) — handled by the `ErasureService` with a durable `erasure_log` and retries; the account remains in an `erasure_pending` state until every entry completes.
Information about public and private entities with which we share data (Art. 18, VII) — Section 7 of this policy.
Information about your right to refuse consent and the consequences (Art. 18, VIII).
Revocation of consent (Art. 18, IX) — available directly in-app for training consent; other consents may be revoked via the DPO channel.
To exercise any right, write to cvoalliance@cvoalliance.com.br or use the in-app privacy center. If you are unsatisfied with our response, you may petition the Brazilian National Data Protection Authority (ANPD).
We apply technical and administrative controls in line with the ROPA, fail-closed by default.
Authentication: Argon2id password hashing, TOTP (RFC 6238) with Fernet at-rest storage and dedicated rate limit, HMAC-SHA256 recovery codes with pepper and single-use semantics.
Session: httpOnly + Secure + SameSite=Lax cookies, session-bound CSRF over HMAC, refresh-token rotation with reuse detection and family revocation.
Role-based access control (RBAC), enforced server-side on every protected route.
MFA mandatory for administrators and fresh-TOTP reauthentication required on sensitive admin mutations (granting and deducting credits, role or account-state changes, pricing edits, production prompt changes, DSAR workflow, kill-switch, and others). The gate is enforced through a server-side `require_fresh_totp` dependency and verified by a coverage test that walks the entire admin route tree on every run. Full list of covered endpoints lives in the internal document `docs/ADMIN_REAUTH_COVERAGE.md`.
Encryption in transit (TLS) and at rest for sensitive data and secrets (Fernet, with key rotation).
Upload validation through magic-byte checks, safe re-encoding, and EXIF stripping.
SSRF defense; NFKC normalization and zero-width-character stripping on all public endpoints; signed-webhook validation with replay protection.
Multi-layer content moderation (L1 OpenAI Omni Moderation, L2 LLM classifier with Gemini→OpenAI fallback, L3 role-contextualized prompts) with fail-closed policy and SHA-256 recurrence trap.
Continuous monitoring via OpenTelemetry + Cloud Logging/Trace + Managed Prometheus, with alerts for Stripe signature failures, rate-limit spikes, and worker retry ratios, per `docs/RUNBOOK_MONITORING.md`.
In the event of a security incident that may create relevant risk or harm to data subjects, we will notify the ANPD and affected subjects within a reasonable window defined by the authority, with an internal target of within 48 hours from internal incident confirmation.
The notice to data subjects will include, at minimum: nature of the affected data, information about the data subjects involved, the technical and security measures used, the risks tied to the incident, reasons for any delay, and the measures already taken or to be taken to reverse or mitigate the effects.
Operational runbook: `docs/INCIDENT_RESPONSE_RUNBOOK.md`.
Pictro is intended for adults. By accepting these Terms you confirm that you are at least 18 years old. We do not intentionally process data of users under 18.
If we learn that we have collected data from a user under 18, we will close the account and erase the associated data.
For data subjects in the European Economic Area (EEA), we apply Regulation (EU) 2016/679 (GDPR) in addition to the LGPD.
Legal bases (GDPR Art. 6) — performance of contract, consent, legitimate interest, and legal obligation, depending on the activity described in Section 4.
Special categories (GDPR Art. 9): facial features extracted from your uploaded photos are processed on the basis of explicit consent.
GDPR data-subject rights — access, rectification, erasure, restriction, portability, objection, and the right not to be subject to automated decision-making. Exercise them through the same channels described in Section 9.
Restriction of processing (GDPR Art. 18) — the LGPD has no direct analog to this right. For EEA data subjects (and as a regulatory courtesy for Brazilian data subjects), the operational analog combines three actions: (a) revoke the consent for using your data in model training from the Privacy Preferences panel; (b) revoke the marketing-email consent from the same panel or via the unsubscribe link in any marketing email; and (c) request erasure (DSAR) if you want to terminate processing entirely. Operational details live in `docs/LGPD_ROPA.md` Section 11.
International transfers (GDPR Chapter V) — when EEA personal data is processed by operators outside the EEA (Stripe, Resend, OpenAI, external Gemini fallback), we rely on Standard Contractual Clauses (SCCs), where executed, with each operator. SCC execution with each operator and the Schrems II assessment are still in progress and are a prerequisite for active marketing targeted at the EEA.
Representative in the European Union (GDPR Art. 27): formal designation of our EU representative for EEA data subjects is in progress. Until the named representative is published, contacts may be directed to the DPO at cvoalliance@cvoalliance.com.br.
Supervisory authority: EEA data subjects may lodge complaints with their national data protection authority.
Data subjects in the European Economic Area or any other GDPR jurisdiction may object at any time to the processing of their personal data based on the controller’s legitimate interests (GDPR Art. 6(1)(f)).
If you are in the European Economic Area or any other GDPR jurisdiction, you have the right to object at any time to our processing of your personal data when that processing is based on our legitimate interests (GDPR Art. 6(1)(f)).
We currently rely on legitimate interests only for: (a) service security and fraud prevention — including rate-limiting, anomalous-session signal analysis, and MFA enrollment nudges; and (b) pre-flight marketing groundwork in the absence of explicit consent — preserved for the scenario in which we later offer marketing communications in the EEA, which are disabled today (activation is gated by TASK-36-E1).
To exercise the right to object, contact our Data Protection Officer at cvoalliance@cvoalliance.com.br or use the in-app privacy center. Upon receipt of the objection, we will stop the processing in question, unless we demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or unless the processing is required for the establishment, exercise, or defense of legal claims — in which case we will explain in writing why processing continues.
When the objection concerns processing for direct-marketing purposes (including any associated profiling), processing will stop without a further balancing assessment (GDPR Art. 21(2)-(3)).
We will notify account owners by email and by in-app alerts before material changes take effect.
When the policy version advances, the app prompts re-acceptance of the terms on the next authenticated access via a blocking dialog; until you accept, you may leave via the "Sign out" option without recording acceptance. Transition flow details live in `docs/PRIVACY_POLICY_V2_MIGRATION.md`.
The "Last updated" date at the top of this page reflects the most recent revision.
For questions, to exercise your rights, or to file complaints, contact the DPO: cvoalliance@cvoalliance.com.br.
You may also petition the Brazilian National Data Protection Authority (ANPD) if you believe your rights have been infringed.