Privacy policy

piXme s.r.o. places great emphasis on protecting the privacy and personal data of our users. This Privacy Policy explains how we collect, use, and protect your personal data in accordance with the European Union's General Data Protection Regulation (GDPR).

1. Data Controller

The controller of your personal data is the company responsible for its processing in accordance with applicable legislation:

piXme s.r.o.
Registered office: J. Mikulku 2968/7, 963 01 Krupina, Slovak Republic
Company ID: 54909473
Tax ID: 2121820195
Email: pixme@pixme.pro
Phone: +421 908 519 314

2. Purpose and Legal Basis for Processing

We primarily process your personal data on the basis of contract performance (Article 6(1)(b) GDPR), which arises from your use of our piXme SaaS application and your acceptance of our terms. Data processing is necessary for the provision and administration of our services.

Specifically, we process your data for the purpose of:

Creating and managing your user account in the piXme SaaS application.
Identifying your organization's administrator within the system.
Ensuring the technical functionality, stability, and security of the service.
Communicating with you regarding service provision (e.g., system notifications, technical support).

In certain cases, we may also process your data based on our legitimate interest (Article 6(1)(f) GDPR), for example, for the purposes of system security, fraud prevention, and improving our services. In such cases, we always carefully balance our interests against your rights and freedoms.

If we process your data for another purpose that requires your consent (e.g., for marketing communications), we will inform you separately and request your consent.

3. Categories of Personal Data Processed

For the purposes of providing and administering our service, we process the following categories of personal data:

Name and Surname: Used to identify your user account and the organization's administrator within the system.
Email Address: Used for login, communication with you (e.g., password recovery, service notifications), and for the technical security of the service's functionality. It is important that the email address is functional and current.
Organization Name: Information about the legal entity for which the account is managed.
IP Address: Recorded for security purposes, access identification, and fraud prevention.
Service Usage Data: Technical information about interaction with the service (e.g., login times, features used), which helps us ensure functionality and improve the user experience.

4. Processing Method and Security Measures

The security of your personal data is our highest priority. We implement and regularly update appropriate technical and organizational measures to protect your data from unauthorized access, alteration, loss, destruction, or other misuse.

Our key security measures include:

Data Encryption: Your personal data is encrypted both in transit (using modern SSL/TLS certificates that secure communication between you and our servers) and at rest (data at rest is encrypted at the storage level using industry standards).
Pseudonymization and Separate Data Storage:
- Name, surname, and email address are stored in encrypted form, separately from the main user profiles. These data are linked to your user account only by an identifier.
- The purpose of this separate storage and encryption is to reduce the risk of identification in the event of unauthorized access to one of the databases and to increase the overall security of your personal data.
Password Security (Hashing): Your passwords are not stored in readable form. Instead, we store their hash, which is a one-way cryptographic digest. This means that even if there was access to the password database, an attacker would not obtain your actual password, which significantly increases the security of your login credentials. When logging in, the system generates a hash from the password you entered and compares it with the stored hash.
Access Control: Access to personal data is strictly limited to authorized employees who need it to perform their work duties. We use an access rights system, strong authentication, and the principle of least privilege.
Access Logging: All access to sensitive data and important system events are logged and monitored to detect and respond to any unusual activities.
Regular Backups: Your data is regularly and securely backed up to prevent its loss in the event of a technical malfunction or other unforeseen event.
Physical Server Security: Our servers are located in secure data centers within the European Union/EEA with strict physical access measures (e.g., biometric verification, CCTV surveillance) and continuous monitoring.

5. Data Processing with Artificial Intelligence (AI) and Third Parties

"To enhance and enrich the functionalities of the piXme service, as well as to ensure its efficiency and security, we utilize advanced artificial intelligence (AI) tools from external providers. These tools help us automate processes and provide you with better results. Below are details on how and why we use AI and what data is processed in the process.

5.1 Photo Processing using Microsoft Azure AI Vision

Our service analyzes uploaded photos to automate the generation of metadata, descriptions, and tags for better filtering and searching, as well as for detecting undesirable content in accordance with our Terms and Conditions.

Processing Intermediary: Microsoft Ireland Operations Limited, based in Ireland, acts as our data processor.
Purpose of Processing: Automatic analysis of visual content of photos for the purpose of identifying objects, scenes, generating keywords, descriptions, and tags (in Slovak and English), as well as for content moderation and ensuring compliance with our Terms and Conditions. This analysis serves to facilitate searching and managing your photos within the piXme service.
Data Residency and Transfer: To ensure compliance with applicable European data protection legislation (GDPR), data is processed exclusively in Microsoft Azure data centers located within the European Union (EU). All data transfers within the EU are secured and comply with GDPR.
Data Retention: Photos are processed temporarily within the Azure AI Vision system and are automatically deleted after analysis is complete, usually within 48 hours. Microsoft does not use your images or videos to train its foundational models.
Legal Basis: The processing of your photos through Microsoft Azure AI Vision is necessary for the performance of the contract with you and the provision of key functionalities of our photo bank, such as automatic categorization, tagging, and content searching.

5.2 Text Data Processing using OpenAI (ChatGPT API)

To improve the functionality of our service and facilitate working with text content (e.g., from PDF documents), we use artificial intelligence tools from OpenAI to generate titles and summarize texts.

Processing Intermediary: OpenAI, L.L.C., based in the United States of America (USA), acts as our data processor.
Purpose of Processing: Automatic generation of titles and summarization of text content from documents, with the aim of increasing efficiency and clarity in managing your documents in the piXme service.
Data Residency and Transfer to USA: Text data may be transferred and processed in the United States of America (USA). The transfer of personal data to the USA takes place on the basis of the Data Privacy Framework (DPF), of which OpenAI is a certified participant. For more information on OpenAI's certification under the DPF, please visit the official Data Privacy Framework website https://www.dataprivacyframework.gov/.
Data Retention: Input and output from the OpenAI API are standardly retained for a maximum of 30 days for the purpose of providing the service and monitoring abuse. After 30 days, data is removed from our systems, unless we request 'Zero Data Retention' (ZDR) for legitimate use cases. OpenAI does not, by default, use API data to train its foundational models.
Legal Basis: The processing of text data using OpenAI is necessary for the performance of the contract with you and the provision of additional functionalities of our service, such as automatic title generation and document summarization.
Option to Disable Text Summarization: We understand that some users may prefer that their text data not be processed for summarization using AI. Therefore, you have the option to disable the text summarization function from documents in your user account settings. Disabling this function will not affect the basic use of our photo bank service, but the AI functions for title generation and text summarization will not be available to you. If you disable this function, your texts will not be sent to OpenAI for summarization."

6. Storage, Backup, and External Infrastructure Providers

"For the secure and reliable storage and backup of your files, photos, and other data, the piXme service utilizes cloud infrastructure from reputable providers.

Cloud Service Providers: We currently use services from:
- Hetzner Online GmbH (Hetzner Storage Box/S3 Object Storage)
- Backblaze, Inc. (Backblaze B2 Cloud Storage)
- DigitalOcean, LLC (DigitalOcean Spaces Object Storage)
Data Residency: All user data is stored exclusively on servers located in data centers within the European Union (EU), which ensures full compliance with the GDPR regulation. We have concluded corresponding Data Processing Addendums (DPA) with each cloud service provider, guaranteeing adherence to GDPR standards and the protection of your data.
Data Backup: Data is regularly backed up on multiple geographically independent servers to ensure maximum protection against loss and high availability.
Security: To protect data, we implement modern cryptographic methods including data encryption in transit and at rest and strict access control to systems, in accordance with the highest security standards of our cloud service providers."

7. Data Retention Period

We process your personal data for the duration of your use of our service and the contractual relationship. Upon termination of your use of our services, your personal data will be:

Immediately deleted or anonymized, unless there is another legal basis or statutory obligation for their further retention.
Data necessary for fulfilling our legal obligations (e.g., tax and accounting regulations) will be retained for the period required by relevant legal regulations.
Data necessary for defending our legal claims (e.g., in case of litigation) may be retained for the limitation period.

8. Recipients of Personal Data

Your personal data may be disclosed to the following categories of recipients:

Processors: Third parties who process personal data on our behalf and according to our instructions. These mainly include:
- Providers of hosting services and server maintenance.
- Providers of system maintenance and support.
- Providers of website and application analytics tools (if used and GDPR compliant).
- Providers of communication services (e.g., email services for system notifications).
All our processors are contractually bound to adhere to strict personal data protection standards and GDPR compliance.
Public Authorities: In case of a legal obligation, we may provide your personal data to public authorities (e.g., courts, police, regulatory authorities).

9. Your Rights

As a data subject, you have the following rights under GDPR, which you can exercise at any time through the contacts listed in point 8:

Right of Access: You have the right to obtain confirmation as to whether or not your personal data is being processed, and, where that is the case, access to the personal data and information about their processing.
Right to Rectification: You have the right to request that we rectify inaccurate or incomplete personal data concerning you without undue delay.
Right to Erasure ("Right to be Forgotten"): Under certain conditions (e.g., if the data are no longer necessary for the purpose for which they were collected, or if you withdraw consent and there is no other legal basis), you have the right to request the erasure of your personal data.
Right to Restriction of Processing: You have the right to request the restriction of processing of your personal data (e.g., if you contest the accuracy of the data or if the processing is unlawful).
Right to Data Portability: You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, and you have the right to transmit those data to another controller, where technically feasible.
Right to Object: Under certain conditions (e.g., if we process your data based on legitimate interest), you have the right to object to the processing of your personal data.
Right to Lodge a Complaint: If you believe that the processing of your personal data infringes GDPR, you have the right to lodge a complaint with a supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic (Hraničná 12, 820 07 Bratislava 27, +421 2 323 13 214, statny.dozor@pdp.gov.sk, www.uoou.sk).

10. Contact

To exercise your rights listed in point 7 or for any questions regarding the processing of your personal data, please contact us:

Email: gdpr@pixme.pro
Postal address: J. Mikulku 2968/7, 963 01 Krupina, Slovak Republic

11. Automated Decision-Making and Profiling

Our company does not use automated individual decision-making or profiling that would produce legal effects concerning you or similarly significantly affect you.

12. Transfer of Data to Third Countries

We do not transfer your personal data to countries outside the European Union (EU) or the European Economic Area (EEA). All your data is processed and stored within the EU/EEA, ensuring a high standard of data protection.

Last updated: 10.6. 2025