Privacy Policy
Last updated: 31/12/2025
This Privacy Policy describes how PicoKeys (“we”, “us”, or “our”) collects, uses, and protects personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR).
1. Data Controller
The data controller responsible for the processing of personal data is:
PicoKeys
Email: [email protected]
2. Personal Data We Collect
We only collect personal data that is strictly necessary to provide our services.
Depending on how you interact with PicoKeys, this may include:
- Email address (used for license delivery, recovery, and support)
- Purchase information (via Stripe, such as payment status and transaction identifiers)
- License identifiers and technical usage data related to license activation
- IP address (used temporarily for security, fraud prevention, and rate limiting)
- Device registration status (whether a license has been used to register a device)
- Billing information, where provided during checkout, such as name, country, billing address, VAT/tax information, and invoice details
We do not collect:
- passwords
- personal profiles
- precise location data
- unnecessary identifying information
3. Purpose of Processing
Personal data is processed for the following purposes:
- To deliver digital licenses and software
- To manage license activation and device registration
- To provide download links and license recovery
- To process payments and refunds
- To comply with legal and accounting obligations
- To prevent abuse, fraud, and unauthorized use
- To provide customer support
Personal data is never used for advertising or profiling.
4. Legal Basis for Processing
Under GDPR, we process personal data based on one or more of the following legal bases:
- Performance of a contract (Article 6(1)(b) GDPR):
processing necessary to deliver the purchased license and software. - Legal obligation (Article 6(1)(c) GDPR):
compliance with accounting and tax regulations. - Legitimate interest (Article 6(1)(f) GDPR):
fraud prevention, security, and service integrity. - Consent (Article 6(1)(a) GDPR), where explicitly required.
5. Payment Processing
Payments are processed by Stripe. Depending on the processing activity, Stripe may act as an independent data controller or as a data processor in accordance with its own terms and data protection documentation.
We do not store credit card numbers or full payment card details on our servers.
6. Data Retention
Personal data is retained only for as long as necessary for the purposes described above:
- License and activation records are retained for as long as necessary to provide the purchased license, prevent abuse, verify license status, and handle support or refund requests.
- Purchase, invoice, accounting, and tax records are retained for the period required by applicable tax and accounting laws.
- Temporary tokens, session data, and security-related logs are retained only for the time necessary for security, fraud prevention, troubleshooting, and rate limiting, unless a longer retention period is required to investigate abuse or comply with legal obligations.
- Support communications are retained for as long as necessary to handle the request and maintain a record of the issue.
When personal data is no longer necessary, it will be deleted or anonymized.
7. Data Sharing
We do not sell, rent, or share personal data with third parties, except where strictly necessary:
- Payment processing (Stripe)
- Email delivery services (for transactional emails only)
- Legal or regulatory authorities, when required by law
- Hosting, infrastructure, database, and security providers used to operate the website, license server, and related services
All processors are subject to appropriate data protection agreements.
8. International Data Transfers
Some service providers used by PicoKeys, including payment, hosting, email, security, or infrastructure providers, may process personal data outside the European Economic Area.
Where such transfers occur, PicoKeys relies on appropriate safeguards under GDPR, such as adequacy decisions, Standard Contractual Clauses, or equivalent legal mechanisms.
9. Data Subject Rights
Under GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Request erasure (“right to be forgotten”), where applicable
- Restrict or object to processing
- Data portability, where applicable
Requests can be sent to: [email protected]
We may require verification of identity before processing a request.
You also have the right to lodge a complaint with a competent data protection supervisory authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD).
10. Security Measures
We implement appropriate technical and organizational measures to protect personal data, including:
- Secure storage and access controls
- Encryption of sensitive data
- Limited access to personal data
- Monitoring and abuse prevention mechanisms
No system is completely secure, but we take reasonable steps to protect your data.
11. Automated Decision-Making
PicoKeys does not use personal data for automated decision-making, profiling, or advertising.
12. Cookies
Our website may use essential cookies required for basic functionality.
We do not use tracking or advertising cookies without explicit consent.
13. Changes to This Policy
This Privacy Policy may be updated from time to time.
The version in effect at the time of data collection will apply.
14. Contact
For any questions regarding this Privacy Policy or personal data processing, please contact:
PicoKeys is a registered European Union trade mark.