Privacy Policy

Last updated: 2026-07-01

This page is a template provided for convenience only. It is not legal advice and should be reviewed by qualified counsel before you rely on it.

Overview

This Privacy Policy explains how Pico Sign, a digital-signage platform available at picosign.ai, collects, uses, and protects information when you use our dashboard, create an account, and operate the signage service. It applies to account holders and to visitors of our website.

Pico Sign is the operator of this service. [CONFIRM WITH COUNSEL: legal entity and registered address.]

Information we collect

Account identity. When you sign up with an email and password, we collect your email address and any display name you provide. When you sign in with Google or Microsoft, we receive your account email, name, profile picture, and account ID from that provider.

Content you upload. We store the media (images and video), playlists, and screen or player configuration you create to display on your signage.

Usage and device data. We collect log data such as IP address, browser and device information, and the status of your connected screens and players.

Cookies. We use a session cookie (Supabase authentication), a NEXT_LOCALE cookie (your language preference), and a theme cookie (light or dark mode). We do not currently use any analytics or advertising trackers.

How we use information

We use the information above to authenticate you and secure your account, to operate the signage service, to store your media and deliver it to your screens, to provide support, and to send you service-related communications. We do not sell your personal data, and we do not use it for advertising.

Google user data

When you sign in with Google, we receive your Google account email, name, profile picture, and Google account ID. We use this data only to create and authenticate your Pico Sign account. It is stored in our authentication provider (Supabase) and is not shared beyond the subprocessors listed in this policy.

Pico Sign's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements. We do not sell or transfer Google user data to third parties, use it for advertising, allow humans to read it except as permitted, or use it to determine creditworthiness or for lending purposes.

Legal bases for processing

Where the GDPR or similar laws apply, we process personal data to perform our contract with you (providing the service), for our legitimate interests (securing and improving the service), with your consent (for cookies where required), and to comply with legal obligations. Our home jurisdiction is Japan and its data-protection law (the APPI). [CONFIRM WITH COUNSEL.] We address GDPR, UK GDPR, and CCPA/CPRA obligations where they apply to you.

How we share information

We share data with the subprocessors that run our service: Supabase (database and authentication), Google (OAuth sign-in and Cloud Storage for media), Microsoft (OAuth sign-in), and Vercel (hosting). We also plan to use Google Cloud Run for realtime features. We do not sell your data or share it for advertising. We may disclose information where required for legal or security reasons, or in connection with a merger or acquisition.

International data transfers

Media is stored in Google Cloud Storage in the asia-northeast1 region (Japan). Our subprocessors may process data in countries other than your own. Where required, we rely on appropriate safeguards such as standard contractual clauses. [CONFIRM WITH COUNSEL.]

Data retention

We retain your account information and content for as long as your account is active. When you close your account or request deletion, we delete or anonymize your personal data, subject to limited backup and log-retention windows and to any legal obligations to retain it.

Security

We protect your data using encryption in transit and access controls, and we rely on the infrastructure security of Supabase, Google, and Vercel. No method of transmission or storage is completely secure, but we work to protect your information and will handle any breach in accordance with applicable law.

Your rights

Depending on where you live, you may have the right to access, correct, delete, or port your data, to object to or restrict processing, to withdraw consent, and to lodge a complaint with a supervisory authority. To exercise any of these rights, including deleting your account and its associated data, contact us at support@picosign.ai and we will respond as required by law.

Cookies and similar technologies

We use only the cookies necessary to run the service: a session cookie for authentication, a NEXT_LOCALE cookie for your language, and a theme cookie for your display preference. You can control cookies through your browser settings, though disabling essential cookies may prevent you from signing in.

Children's privacy

Our service is not directed to children, and we do not knowingly collect personal data from anyone under the age of 16. [CONFIRM WITH COUNSEL: applicable age threshold.] If you believe a child has provided us with personal data, please contact us and we will delete it.

Signage content may contain personal data

The media our customers upload may depict identifiable people. In that case, the customer is the controller of that content and Pico Sign acts as a processor on the customer's behalf. The customer is responsible for having a lawful basis and any necessary consents or notices for individuals who are depicted in, or shown on, public screens.

Changes to this policy

We may update this policy from time to time. We will post the updated version here with a new effective date, and for material changes we will provide a more prominent notice where appropriate.

Contact us

If you have questions about this policy or your data, contact us at support@picosign.ai. [PLACEHOLDER: confirm this inbox exists or replace it.] Operator: Pico Sign. [CONFIRM WITH COUNSEL: legal entity, address, and any EU/UK representative or DPO.]